This report contains forward-looking statements that involve risks and uncertainties. Our actual results could differ materially from those discussed in the forward-looking statements. The statements contained in this report that are not purely historical are forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended (the “Securities Act”), and Section 21E of the Securities Exchange Act of 1934, as amended (the “Exchange Act”). Forward-looking statements are often identified by the use of words such as, but not limited to, “anticipate,” “believe,” “can,” “continue,” “could,” “estimate,” “expect,” “intend,” “may,” “plan,” “project,” “seek,” “should,” “strategy,” “target,” “will,” “would” and similar expressions or variations intended to identify forward-looking statements. These statements are based on the beliefs and assumptions of our management based on information currently available to management. For example, statements in this Form 10-K regarding the potential future impact of the COVID-19 pandemic on the Company’s business and results of operations are forward-looking statements. Such forward-looking statements are subject to risks, uncertainties and other important factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by such forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, those identified below and those discussed in the section titled “Risk Factors” included under Part I, Item 1A below. Furthermore, such forward-looking statements speak only as of the date of this report. Except as required by law, we undertake no obligation to update any forward-looking statements to reflect events or circumstances after the date of such statements.
VARONIS SYSTEMS, INC.
PART I
We were incorporated under the laws of the State of Delaware on November 3, 2004 and commenced operations on January 1, 2005. Our principal executive offices are located at 1250 Broadway, 29th Floor, New York, NY 10001. For convenience in this report, the terms “Company,” “Varonis,” “we” and “us” may be used to refer to Varonis Systems, Inc. and/or its subsidiaries, except where indicated otherwise. Our telephone number is (877) 292-8767.
Overview
Varonis is a pioneer in data security and analytics, fighting a different battle than conventional cybersecurity companies. We are pioneers because over a decade ago, we recognized that enterprise capacity to create and share data far exceeded its capacity to protect it. We believed the vast movement of information from analog to digital mediums combined with increasing information dependence would change both the global economy and the risk profiles of corporations and governments. Since then our focus has been on using innovation to address the cyber-implications of this movement, creating software that provides new ways to track, alert and protect data wherever it is stored.
Data continues to amass in new and existing data stores both on premises and in the cloud, a trend we have seen accelerate as companies around the world embark on a wave of digital transformation initiatives. As these data stores grow, the relationships between the data they hold and the users that collaborate with it grow more complex, making those relationships difficult to visualize, understand and control without automation. Because enterprises now use many different combinations of data stores and require different levels of protection, our offering provides coverage flexibility through software licensing. We aim to keep pace with the relentless growth and complexity of data, starting in 2005 with a single license, offering ten licenses at the time of our initial public offering in 2014, and today offering more than 25 integrated licenses across the most common on premises and cloud data stores. We plan to continue investing in product development to deliver new products in the future.
Our software specializes in data protection, threat detection and response and compliance. Varonis software enables enterprises to protect data stored on premises and in the cloud: sensitive files and emails; confidential personal data belonging to customers, patients and employees; financial records; strategic and product plans; and other intellectual property. Recognizing the complexities of securing data, we have built a singlean integrated platform for security and analytics to simplify and streamline security and data management.
The Varonis Data Security Platform, built on patented technology, helps enterprises protect data against insider threatscyberattacks from both internal and cyberattacks.external threats. Our products enable enterprises to analyze data, account activity and user behavior to detect attacks. Our Data Security Platform prevents or limits unauthorized use of sensitive information, prevents potential cyberattacks and limits others by automatically locking down sensitivedata, allowing access to those who need it and automating the removal of stale data.data when it is no longer useful. Our products efficiently sustain a secure state with automation and address additional important use cases including data protection, data governance, zero trust, compliance, data privacy, classification and threat detection and response. Our Data Security Platform is driven by a proprietary technology, our Metadata Framework, that extracts critical metadata, or data about data, from an enterprise’s information technology ("IT") infrastructure. Our Data Security Platform uses this contextual information to map functional relationships among employees, data objects, systems, content and usage.
The revolution in internet search occurred when search engines began to mine internet metadata, such as the links between pages, in addition to page content, thereby making the internet’s content more usable and consequently more valuable. Similarly, our Data Security Platform creates advanced searchable data structures out of available content and metadata, providing real-time intelligence about an enterprise’s massive volumes of data, making it more secure, accessible and manageable.
We believe that the technology underlying our Data Security Platform is our primary competitive advantage. The strength of our solution is driven by several proprietary technologies and methodologies that we have developed, coupled with how we have combined them into our highly versatile platform. Our belief in our technological advantage stems from us having developed a way to do each of the following:
•analyze the relationships between users and data and related metadata utilizingwith sophisticated algorithms, including cluster analyses and machine learning;
•visualize and depict the analyses in an intuitive manner, including simulating contemplated changes and automatically executing tasks that are normally manually intensivebecoming increasingly more complex for IT and business personnel;
•identify and automatically classify the data as sensitive, critical, private or regulated;
•automate changesremediation to directory service objects and access controls on large file systems;systems to safely ensure a least privilege model;
•profile users, devices and data to detect suspicious account behavior and unusual file and email activity using deep analysis of metadata, machine learning and user behavior analytics;
•generate meaningful, actionable alerts when security-related incidents are detected;
•enable security teams to investigate and respond to cyber threats more efficientlyquickly and conclusively;
•automatically respond to severe incidents like ransomware to limit potential impact and reduce recovery times;
•determine relevant metadata and security information to capture;capture without impacting the enterprise's computing and network infrastructure;
capture that metadata without imposing strains or latencies on the enterprise’s computing infrastructure;
•modify and enrich that metadata in a way that makes it comparable and analyzable despite it having originated from disparate IT systems;
systems, and create supplemental metadata, as needed, when the existing IT infrastructure’s activity logs are not sufficient;insufficient;
•decipher the key functional relationships of metadata, the underlying data, and its creators; and
•use those functional relationships to create a graphical depiction, or map, of the data that will endure as enterprises continuously add large volumes of data to their network and storage resources on a daily basis.resources.
The broad applicability of our technology has resulted in our customers deploying our platform for numerous use cases. These use cases include: automatic discovery and classification of high-risk, sensitive data; automated remediation of over-exposed data; centralized visibility intoand risk analysis of enterprise data and monitoring of user behavior and file activity; security monitoring and risk reduction; data breach, insider threat, malware and ransomware detection; automatic response to ransomware and other severe incidents to limit exposure and reduce recovery times; data ownership identification;identification, assignment, and automatic involvement; forensics, reporting and auditing with searchable logs; meeting security policy and compliance regulation; automatic data migration; intelligent archiving; and intelligent archiving.automated indexing for data subject requests related to privacy and compliance requirements.
We sell substantially all of our products and services to channel partners, including distributors and resellers, which sell to end-user customers, which we refer to in this report as our customers. We believe that our sales model, which combines the leverage of a channel sales model with our highly trained and professional sales force, has and will continue to play a major role in our ability to grow and to successfully deliver our unique value proposition for enterprise data. While our products serve customers of all sizes, in all industries and all geographies, the marketing focus and majority of our sales focus is on targeting organizations with 1,000 users or more who can make larger initial purchases with us and, over time, have a greater potential lifetime value. As of December 31, 2019, we had approximately 7,100Our customers spanningspan leading firms in the financial services, public, healthcare, industrial, insurance, energy and utilities, technology, consumer and retail, technology, media and entertainment and education sectors. We believe our existing customers represent significant future revenue opportunities for us. We will continue our focus on targeting organizations with 1,000 users or more who can make larger purchases with us initially and over time.
Prior to 2019, an insignificant amount of our revenues had been soldgenerated pursuant to on-premises, subscription-based license arrangements ("subscription licenses"). In these arrangements, the customer has the right to use the software over a designated period of time. In the first quarter of 2019, we announced our transition to a subscription-based business model, and, as we have substantially completed our transition, our subscription revenues have significantly increased, a trend we expect to continue, ultimately leading to subscription revenues becoming the majoritynow account for almost all of our total license revenues.
COVID-19
In March 2020, the World Health Organization (”WHO”) declared the novel coronavirus COVID-19 (including any variants and mutations, "COVID-19") a global pandemic. The pandemic, which has continued to spread, has adversely affected workforces, economies, and financial markets globally, leading to an economic downturn, as well as, continued economic uncertainty and is expected to disrupt general business operations until the virus is contained. We believe that the impact of COVID-19 on the way organizations operate and its long-lasting effects has increased our long-term opportunity to help our customers protect their data and detect threats, as well as achieve regulatory compliance. Nevertheless, in the early stages of the pandemic, we experienced a negative impact on our results of operations in the last two weeks of the first quarter, as we believe our customers’ focus turned primarily to the safety of their employees and to immediately position themselves to operate under a work-from-home environment. However, since that time, we have seen companies become more focused on the elevated risks associated with having a highly distributed workforce collaborating on multiple platforms. Companies around the world now have employees working remotely from potentially vulnerable home networks, accessing critical on-premises data stores and infrastructure through VPNs and sharing information in cloud data stores like Office 365 and Microsoft Teams. We believe this trend is likely to continue in the long-term and that we are well positioned to capitalize on the opportunity ahead. Specifically, crises create optimal conditions for cybercrime, and we can help protect data and infrastructure against hackers and rogue employees. As companies and organizations understand that a data-centric approach to security is critical and that these elevated risks are expected to be here for the long-term, we have seen continued customer engagement and inbound interest, with some of this interest converting into new business or the expansion of existing business.
The extent to which the COVID-19 pandemic impacts our business going forward will depend on numerous evolving factors that we cannot reliably predict, including the duration and scope of the pandemic; efficiency of available vaccines and the availability of such vaccines to the worldwide population; governmental, business, and individuals' actions in response to the pandemic; and the impact on economic activity including the possibility of recession or financial market instability. The uncertainty associated with the COVID-19 pandemic could affect management’s accounting estimates and assumptions, which in turn could result in greater variability with forward-looking guidance. For a discussion of certain risks associated with the COVID-19 pandemic, please refer to Risk Factors (Part I, Item 1A of this Form 10-K).
Acquisitions
In the fourth quarter of 2020, we completed the acquisition of Polyrize Security Ltd. (“Polyrize”), a private company which developed software that maps and analyzes the relationships between users and data across a number of cloud applications and services, including Google Drive, Salesforce, Okta, GitHub, Slack, Amazon Web Services ("AWS"), Jira and others, making it simple for security teams to control access to cloud data and infrastructure and analyze cloud activity.
Size of Our Market Opportunity
The International Data Corporation’s Data Age 2025: The Digitization of the World from Edge to Core study (the "Study") estimates that the amount of data created in the world will grow from 3345 Zettabytes in 20182019 to 175 Zettabytes (or 175 trillion gigabytes) in 2025, representing an approximately 27% compound annual growth rate. Every enterprise will almost certainly2025. The Study was updated in 2020 showing that data created in 2019 grew more than 35% year over year. We expect this trend is likely to continue as more enterprises require technologies to protect and manage their data and centralize data management, analytics, data security and privacy.
We believe that the diverse functionalities offered by our platform position us at the intersection of several powerful trends in the digital enterprise data universe. We further believe that the business intelligence and functionalities delivered by our platform define a new market, andmarket. Although we are not aware of any third party studies that accurately define our addressable market. Themarket, the functionality of our software platform overlaps with portions of several established and growing enterprise software markets as defined by Gartner, Inc. in 2019,2020, including security software ($36.343.2 billion), IT operations management ($28.330.9 billion), infrastructure software ($16.119.8 billion), storage management ($14.514.1 billion), data integration ($5.5 billion) and data integrationcloud access and cloud workload protection software ($5.32.4 billion). Further, the security software market, which we believe is our largest opportunity, has grown at a compound annual growth rate of 35% since 2018. We believe that our comprehensive product offering will attract a meaningful portion of this overall spend, estimatingand we estimate that our total addressable market is approximately 20% of these combined markets, orwith the remainder coming from content services and other application software. We have attempted to measure our total addressable market by utilizing estimates from Forrester on the number of companies in North America and Europe that fit our target criteria, and then assuming that each customer purchases the double digit number of licenses that we aim to sell to all of our customers. In both the “top-down” approach utilizing Gartner industry spend estimates, and the “bottoms-up” approach utilizing Forrester customer estimates, we calculate a total addressable market of more than $20.0$25.0 billion. Lastly, we believe that the acquisition of Polyrize in the fourth quarter of 2020, which we expect will allow us to expand our platform to support cloud applications and data stores that we do not currently cover, has the potential to meaningfully expand the addressable market described above through the introduction of new licenses in the future.
Our Technology
Our proprietary technology extracts critical information about an enterprise’s data and its supporting infrastructure, and uses this contextual information, or metadata, to create a functional map of an enterprise’s data and underlying file systems. Our Metadata Framework
technology has been architected to process large volumes of enterprise data and the related metadata at a massive scale with minimal demands on the existing IT infrastructure. All of our products utilize our Data Security Platform and a core single codebase, thereby streamlining our product development initiatives as well as deployment to customers.
Key Benefits of Our Technology
Data Protection
Comprehensive Solution for Managing and Protecting Enterprise Data. Our products enable a broad range of functionality, including data governance, least privilege and zero trust, as well as intelligent retention, all from one core technology platform.retention. Moreover, our platformsolution is applicable across most major enterprise data stores (Windows, UNIX/Linux, Intranets, Intranets, email systems, Office365Microsoft 365, including SharePoint Online and OneDrive for Business, Salesforce, AWS, Google Drive and Box).
Actionable Insight and Automation. Our products help customers identify and prioritize risks to their data and automatically remediate exposures so that they are less vulnerable to internal and external threats, more compliant and consistently followingfollow a least privilege model. Because of the complexity present in even modest enterprises, effective remediation is impossible at scale without intelligent automation.
Visibility and Data Monitoring Capabilities All in One Place. Our solutions focus on protecting enterprise datasolution combines analysis from disparate on-premises and in the cloud stores and infrastructure and presents them in a single view. Asview, even as data storage becomesand user access become more fragmented, functioningdispersed and complex in a hybrid space, our Data Security Platform provides customers with a single pane of glass to monitor and protect enterprise data regardless of where it is stored.environments.
Fast Time to Value and Low Total Cost of Ownership. Our solutions do not require custom implementations or long deployment cycles. Our Data Security Platform can be installed and ready for use within hours and allows customers to realize real value once used. We designed our platform to operate on commodity hardware on premises or in the cloud, with standard operating systems, further reducing the cost of ownership of our product.
Ease of Use. While we utilize complex data structures and algorithms in our data engine, we abstract that complexity to provide a sleek, intuitive interface. Our software is accessible through either a local client or a standard web browser and requires limited training, saving time and cost and making it accessible to a broader set of non-technical users.
Highly Scalable and Flexible Data Engine. Our metadata analysis technology is built to be highly scalable and flexible, allowing our customers to analyze vast amounts of enterprise data. Moreover, our proprietary Metadata Framework is built with a modular architecture, allowing customers to grow into the full capabilities of our solutions over time.
Threat Detection and Response
Threat Detection and Response with User, Data and System Context. Our solutions combine classification and data access governance with User and Entity Behavior Analytics (UEBA) on data stores, cloud applications, directory services and
perimeter devices, including DNS, VPN and web proxy, for accurate detection and risk reduction. Our solutions reduce risk relating to unauthorized use and cyberattacks.cyberattacks and reduce time to detection (TTD) and time to resolution (TTR) for incidents.
Protect Data from Insider Threats, Data Breaches, Malware and Cyberattacks. Our solutions analyze how employee accounts, service accounts and admin accounts use and access data, profile employees’ roles and file contents, baseline “normal” behavior patterns, and alert on significant deviations from profiled behaviors. Our customers are able to detect advanced persistent threats, cybercriminals, rogue insiders, attackers that have compromised internal systems and employee accounts, malware, ransomware and other significant threats.
Compliance
Discover and Identify Regulated Data. Our solutions automatically discover, identify and classify sensitive, critical and regulated data to help meet compliance requirements.
Monitor and Detect Security Vulnerabilities. Our solutions analyze, monitor, detect and report on potential security vulnerabilities: helping companies achieve compliance by enablingcreating full audit trails, achieving a least privilege model and locking down sensitive data to only those who need it, and facilitate breach notification and security investigations. By ensuring least privilege, monitoring all access and alerting on potential misuse, Varonis enables privacy-by-design on data stores containing sensitive and regulated information.
Fulfill Data Subject Access Requests and Protect Consumer Data. Our solutions help fulfill data subject access requests.requests from file systems on premises and in the cloud. Customers can easily find relevant files, pinpoint who has access and enforce policies to move and quarantine regulated data.
Our Growth Strategy
Our objective is to be the primary vendor to which enterprises turn to protect their data. In the first quarter of 2019, we made theannounced our strategic shift to a subscription-based business model, which should allowallows our customers to better unleash the power of our platform through faster adoption of our integrated products. That transition has since been completed and, for the year ended December 31, 2020, 99% of our licenses revenues are subscriptions and 97% of our totals revenues are recurring in nature. As of December 31, 2020, 63% of our customers with 500 employees or more had purchased four or more licenses, compared to 54% a year ago, and 30% purchased six or more licenses, compared to 20% a year ago. The following are key elements of our growth strategy.
Extend Our Technological Capabilities Through Innovation.Innovation and Strategic Transactions. We intend to increase, in absolute dollars, our current level of investment in product development in order to enhance existing products to address new use cases and deliver new products. We believe that the flexibility, sophistication and broad applicability of our Metadata Framework will allow us to use this framework as the core of numerous future products built on our same core technology. Our ability to leverage our research and development resources has enabled us to create a new product development engine that we believe can proactively identify and solve enterprise needs and help us further penetrate and grow our addressable markets. Additionally, in October 2020, in order to expand the Varonis Data Security Platform to cover additional cloud applications and infrastructure, we acquired a provider of software that maps and analyzes relationships between users and data across a number of cloud applications and services. We plan to incorporate these capabilities into our platform in order to accelerate product development and allow us to more quickly introduce new licenses, which we believe will in turn expand our addressable market. We will continue to seek additional opportunities to extend our technological capabilities and grow our business, from continued organic investments in our research and development efforts to technological tuck-in acquisitions.
Grow Our Customer Base. The unabated rise in enterprise data, ubiquitous reliance on digital collaboration and increased cybersecurity concerns will continue to drive demand for data protection, compliance and threat detection and response solutions. We intend to capitalize on this demand by targeting new customers, verticalunderpenetrated markets and use cases for our solutions. Our solutions address the needs of customers of all sizes, ranging from small and medium businesses to large multinational companies with hundreds of thousands of employees and petabytes of data. Although our solutions are applicable to organizations of all sizes, we will continue our focus on targeting larger organizations who can make larger purchases with us initially and over time.
Increase Sales to Existing Customers. We believe significant opportunities exist to further expand relationships with existing customers. Data growth (and subsequent security concerns) continues across all data stores, and enterprises want to standardize solutions that help them manage, protect and extract more value from their data, wherever it is stored. We will continue to cultivate incremental sales from our existing customers by driving increased use of our software within our installed
base by expanding footprint and usage. We currently have six product families, consisting of DatAdvantage, DatAlert, Data Classification Engine, DataPrivilege, Data Transport Engine and asDatAnswers with over twenty-five licenses under these product families. As of December 31, 2019, approximately 76%2020, 63% of our customers with 500 employees or more had purchased twofour or more product familieslicenses and approximately 45% of our customers had30% purchased threesix or more product families.licenses. We believe our existing customer base serves as a strong source of incremental revenues given theour broad platform of products, we have and thetheir growing volumesvolume and complexity of enterprise data that our customers have.and the associated security concerns. As we innovate and expand our product offering, we expect to have an even broader suite of products to offer our customers. Our perpetual license maintenance renewal rate for the year ended December 31, 2020 continued to be over 90%. Our key strategies to ensure a high subscription license renewal rate and maintain our high maintenance renewal rate include focusing on the quality and reliability of our customer service and support teams to ensure our customers receive value from our products and providing software upgrades and enhancements when and if they are available.
Grow Sales From Our Newer Licenses.Licenses and Functionality. We continue to introduce additional licenses and enhancements to existing products to support new functionalities. In the second quarter of 2020, we introduced a Remote Work Update to our platform to increase visibility into potential security issues related to remote work, including dashboards for unusual VPN, DNS and Web usage; comprehensive Microsoft Teams visibility; out-of-the-box reports for pinpointing exposed cloud data; and more threat models for Office 365. We also announced the acquisition of Polyrize in October 2020, which we expect will allow us to extend our platform to cover additional cloud data stores and applications that we do not currently support. In 2019, we announced Version 7 of our Data Security Platform, which included new dashboards to assess compliance and Active Directory riskand GDPR security risks so that customers can more easily identify critical risk in their hybrid environments, including vulnerable user accounts, at-risk cloud data and potential compliance violations, as well as performance enhancements, such as the usage of SOLR, for faster, more scalable event retrieval and investigation. We also added classification functionality to identify personalhelp enterprises automatically discover and classify data that falls under data covered by the California Consumer Privacy Act, or CCPA, prompting usCCPA. We added threat intelligence to rename our GDPR Patterns product to Data Classification Policy Pack.security insights, built incident response playbooks directly into the UI and made usability and performance improvements. In 2018, we releasedintroduced Varonis Edge, which analyzes perimeter devices like DNS, VPN and Web Proxiesweb proxy to detect attacks like malware, APT intrusion and data exfiltration. Varonis Edge enablesexfiltration, and enable enterprises to correlate events and alerts to track potential data leaks and spot vulnerabilities at the point of entry. We also released support for Box events and Data Classification Labels, integrating with Microsoft Information Protection (MIP) to help enterprises better classify, track and secure files across enterprise data stores.storesand to address additional compliance requirements from new data privacy laws and standards. We added classification categories to the Data Classification Engine, to better identify and analyze regulated data related to GDPR, PII, PCI and PHI. We enhanced DatAnswers to address data privacy and compliance use cases, enabling customers to fulfill data subject access requests and protect personally identifiable information. We have enhanced our products to provide even more value to our customers including: an updated user interface for DataPrivilege, additional data store support, new geolocation support, enhanced threat detection and security monitoring and new threat models to protect sensitive and regulated data against security breaches, malware, ransomware and insider threats.threats, and optimizations to make DatAlert faster and more intuitive for security investigations. We believe these new additions to our product offering can be a meaningful contributor to our growth.
Expand Our Sales Force. Continuing to expand our salesforcesales force will be essential to achieving our customer base expansion goals. The salesforcesales force and our approach to introducing products to the market have been key to our successful growth in the past and will be central to our growth plan in the future. While our products serve customers of all sizes, in all industries and all geographies, the marketing focus and majority of our sales focus is on targeting organizations with 1,000 users or more who can make larger initial purchases with us and, over time, generate a greater potential lifetime value. The ability ofOur customers span leading firms in the financial services, public, healthcare, industrial, insurance, energy and utilities, technology, consumer and retail, media and entertainment and education sectors. We also believe our existing customers represent significant future revenue opportunities for us. We believe that our sales teamsmodel, which combines the leverage of a channel sales model with our highly trained and professional sales force and their ability to support our channel partners to efficiently identify leads, perform risk assessments and convert them to satisfied customers, has and will continue to impactplay a major role in our ability to grow.grow and to successfully deliver our unique value proposition for enterprise data. We intend to expand our sales capacity by adding headcount throughout our sales and marketing department.
Establish Our Data Security Platform as the Industry Standard. We have worked with several of the leading providers of network attached storage, or NAS, hybrid cloud storage, including Dell/EMC, IBM, NetApp, HP, Hitachi and Nasuni in order
to expand our market reach and deliver enhanced functionality to our customers. We have worked with these vendors to assure compatibility with their product lines. Through the use of application programming interfaces, or APIs, and other integration work, our solutions also integrate with many providers of solutions in the ecosystem. We will continue to pursue such collaborations wherever they advance our strategic goals, thereby expanding our reach and establishing our product user interface as the de facto industry standard when it comes to enterprise data.
Continue International Expansion. We believe there is a significant opportunity for our platform in international markets to address the need for data protection and threat detection and response, as well as to comply with regulations such as the
European Union's ("EU") General Data Protection Regulation ("GDPR"). Revenues from Europe, the Middle East and Africa (“EMEA") accounted for approximately 30%26% of our revenues in 2019.2020. Europe represented the substantial majority of revenues outside the United States. Although quarterly growth rates have fluctuated over the last few years in our European market, we believe that international expansion will be a key component of our growth strategy, and we will continue to market our products and services overseas.
Our Products
We haveOur integrated platform of products currently contains six product families, in our platformmost of products that utilizewhich contain multiple licenses. Each license utilizes our core Metadata Framework technology to deliver features and functionality that allow enterprises to fully understand, secure and benefit from the value of their data. This architecture gives our clients the flexibilityability to select the features they require for their business needs and the flexibility to expand their usage simply by adding a license. Thelicense, and the fully-integrated nature of our products allows individual products to enhance the functionality of the others. At the same time, the ease of consumption under a subscription-based model has allowed us to deliver on customer demand for a greater number of our licenses, providing our customers value more quickly while leading to substantial future license upsell and cross-sell opportunities.
| |
• | •DatAdvantage. DatAdvantage, our flagship product family, launched in 2006, builds on our Metadata Framework and captures, aggregates, normalizes and analyzes every data access event for every user on Windows and UNIX/Linux servers, storage devices, email systems and Intranet servers, without requiring native operating system auditing functionalities or impacting performance or storage on file systems. Through an intuitive graphical interface, DatAdvantage presents insights from massive volumes of data using normal computing infrastructure. It is also our presentation layer for IT departments, which provides an interactive map of relevant users, groups and data objects, usage and content, facilitating analysis from multiple vectors. IT departments can pinpoint areas of interest starting with any metadata object, simulate changes measuring potential impact against historical access patterns, and easily execute changes on all data stores through a unified interface. DatAdvantage identifies where users have unnecessary access based on user behavior and machine learning. The DatAdvantage product family currently contains 11 licenses, including:
◦Individual DatAdvantage licenses for on premises data stores and infrastructure (Windows, Directory Services, Sharepoint, Unix/Linux and Exchange) and cloud data stores (OneDrive, Sharepoint Online, Exchange Online, Azure Active Directory and Box). ◦ DatAdvantage, our flagship product, launched in 2006, builds on our Metadata Framework and captures, aggregates, normalizes and analyzes every data access event for every user on Windows and UNIX/Linux servers, storage devices, email systems and Intranet servers, without requiring native operating system auditing functionalities or impacting performance or storage on file systems. Through an intuitive graphical interface, DatAdvantage presents insights from massive volumes of data using normal computing infrastructure. It is also our presentation layer for IT departments, which provides an interactive map of relevant users, groups and data objects, usage and content, facilitating analysis from multiple vectors. IT departments can pinpoint areas of interest starting with any metadata object, simulate changes measuring potential impact against historical access patterns, and easily execute changes on all data stores through a unified interface. DatAdvantage identifies where users have unnecessary access based on user behavior and machine learning. |
The Automation Engine, a module introduced in 2017, which automatically repairs broken file systems and safely remediates exposures, helps customers accelerate the enforcement of a least privilege model by limiting broad access without substantial manual effort. It automatically repairseffort or resources.
•DatAlert. Introduced in 2013, DatAlert profiles users and maintains filedevices and their associated behaviors with respect to systems helping reduce customers’and data, detects and alerts on meaningful deviations that indicate compromise, provides a web-based dashboard and investigative interface and seamlessly integrates with security information and event management systems (SIEM). DatAlert helps enterprises quickly detect suspicious activity, prevents data breaches and cyberattacks, performs security forensics, visualizes risk profiles and decreasing their overheadprioritizes and resources required to achieve a least privilege model.
| |
• | DatAlert. Introduced in 2013, DatAlert profiles users and their behaviors with respect to systems and data, detects and alerts on meaningful deviations to established baselines, and provides a web-based dashboard and investigative interface. DatAlert helps enterprises detect suspicious activity, prevents data breaches and cyberattacks, performs security forensics, visualizes risk and prioritizes investigation.
|
accelerates investigation. In addition, the DatAlert product family contains Varonis Edge, which was introduced in 2018,2018. Edge analyzes perimeter devices like DNS, VPN and Web Proxyweb proxy to expand user and device profiles to detect attacks like malware, APT intrusion and data exfiltration and enables enterprises to correlate events and alerts at the perimeter with alerts and events concerning data to better spot attacks at the point of entry and egress.egress, reducing time to detection and time to resolution for security incidents.
| |
• |
•Data Classification Engine. As the volume of an enterprise’s information grows, enterprises struggle to find and tag different types of sensitive data, such as intellectual property, regulated content, including Personally Identifiable Information, and medical records. Furthermore, content by itself does not provide adequate context to determine ownership, relevance, or protection requirements. Introduced in 2009, Data Classification Engine identifies and tags data based on criteria set in multiple metadata dimensions and provides business and IT personnel with actionable intelligence about this data, including a prioritized list of folders and files containing the most sensitive data and with the most inadequate permissions. For the identified folders and files, it also identifies who has access to that data, who is using it, who owns it, and recommendations for how to restrict access without disrupting workflow. Data Classification Engine provides visibility into the content of data across file systems and Intranet sites and combines it with other metadata, including usage and accessibility. The Data Classification Engine product family currently contains six licenses, including:
◦Individual Data Classification Engine licenses for on premises data stores and infrastructure (Windows/SharePoint and Unix) and cloud data stores (OneDrive and Sharepoint Online).
◦ As the volume of an enterprise’s information grows, enterprises struggle to find and tag different types of sensitive data, such as intellectual property, regulated content, including Personally Identifiable Information, and medical records. Furthermore, content by itself does not provide adequate context to determine ownership, relevance, or protection requirements. Data Classification Engine identifies and tags data based on criteria set in multiple metadata dimensions and provides business and IT personnel with actionable intelligence about this data, including a prioritized list of folders and files containing the most sensitive data and with the most inadequate permissions. For the identified folders and files, it also identifies who has access to that data, who is using it, who owns it, and recommendations for how to restrict access without disrupting workflow. Data Classification Engine provides visibility into the content of data across file systems and Intranet sites and combines it with other metadata, including usage and accessibility. |
Data Classification Policy Pack, introduced as GDPR Patterns in 2017, builds upon the Data Classification Engine with over 400 patterns for identifying and classifying personal information specific to GDPR and CCPA.
◦Data Classification Labels, introduced in 2018, integrates with Microsoft Information Protection (MIP) to protect sensitive data across customer environments regardless of where it lives or how it is shared. Data Classification Labels allows users to automatically apply classification labels and encrypt files that it has identified as sensitive.
| |
• | •DataPrivilege. Introduced in 2006, DataPrivilege was designed for use by business unit personnel and provides a self-service web portal that allows users to request access to data necessary for their business functions, and allows owners to grant access without IT intervention. DataPrivilege enhances data protection and compliance by enabling business users to make access decisions based on queries, user requests and metadata analytics information, rather than static IT policies. DataPrivilege provides a presentation layer for business users to review accessibility, sensitivity and usage of their data assets and grant and revoke access. We currently offer DataPrivilege licenses for Windows and SharePoint.
•Data Transport Engine. Introduced in 2012, Data Transport Engine provides an execution engine that unifies the manipulation of data and metadata, translating business decisions and instructions into technical commands such as data migration or archiving. Data Transport Engine allows both IT and business personnel to standardize and streamline activities for data management and retention, from day-to-day maintenance to complex data store and domain migrations and archiving. Data Transport Engine ensures that data migrations automatically synchronize source and destination data with incremental copying even if the source data is still in use, translates access permissions across data stores and domains and provides reporting capabilities for data migration status. Moreover, it also provides IT personnel the flexibility to schedule recurring migrations to automatically find and move certain types of data such as sensitive or stale data and to perform active migrations, dispositions and archiving safely and efficiently.
•DatAnswers. DatAnswers was introduced in 2014 to provide secure, relevant and timely search functionality for enterprise data. In 2018, we enhanced DatAnswers to help meet growing demands to comply with data privacy regulations and eDiscovery requests, and to facilitate data subject access requests. As data privacy laws are becoming more prevalent across the globe, meeting subject access requests is a primary requirement in data regulation. As companies continue to generate and store data in numerous enterprise data stores, relevant files become harder to find and manage, and compliance officers, controllers, and administrators need to identify and locate relevant content related to a data subject. DatAnswers provides elevated search for compliance and e-discovery, helping solve the growing problem of being able to fulfill subject access requests to meet data privacy laws. We currently offer DatAnswers licenses for Windows, SharePoint, OneDrive and SharePoint Online.
DataPrivilege, introduced in 2006 and designed for use by business unit personnel, provides a self-service web portal that allows users to request access to data necessary for their business functions, and owners to grant access without IT intervention. DataPrivilege enhances data protection and compliance by enabling business users to make access decisions based on queries, user requests and metadata analytics information, rather than static IT policies. DataPrivilege provides a presentation layer for business users to review accessibility, sensitivity and usage of their data assets and grant and revoke access.
|
| |
• | Data Transport Engine. We introduced Data Transport Engine in 2012 to provide an execution engine that unifies the manipulation of data and metadata, translating business decisions and instructions into technical commands such as data migration or archiving. Data Transport Engine allows both IT and business personnel to standardize and streamline activities for data management and retention, from day-to-day maintenance to complex data store and domain migrations and archiving. Data Transport Engine ensures that data migrations automatically synchronize source and destination data with incremental copying even if the source data is still in use, translates access permissions across data stores and domains and provides reporting capabilities for data migration status. Moreover, it also provides IT personnel the flexibility to schedule recurring migrations to automatically find and move certain types of data such as sensitive or stale data and to perform active migrations, dispositions and archiving safely and efficiently.
|
| |
• | DatAnswers. DatAnswers was introduced in 2014 to provide secure, relevant and timely search functionality for enterprise data. In 2018, we enhanced DatAnswers to help meet growing demands to comply with data privacy regulations and eDiscovery requests, and to facilitate Data Subject Access Requests (DSARs). As data privacy laws are becoming more prevalent across the globe, meeting subject access requests is a primary requirement in data regulation. As companies continue to generate and store data in numerous enterprise data stores, relevant files become harder to find and manage, and compliance officers, controllers, and administrators need to identify and locate relevant content related to a data subject. DatAnswers provides elevated search for compliance and e-discovery, helping solve the growing problem of being able to fulfill subject access requests to meet data privacy laws.
|
Our Customers
We currently have approximately 7,100 customers in over 80 countries as of December 31, 2019.85 countries. Our customers span numerous industries and vary greatly in size, ranging from small and medium businesses to large multinational enterprises and government agencies. Our customers include leading firms in the financial services, public, healthcare, industrial, insurance, energy and utilities, technology, consumer and retail, media and entertainment and education sectors, with hundreds of thousands of employees and hundreds of terabytespetabytes of data.
Services
Maintenance and Support of Subscription and Perpetual Licenses
OurPrior to our transition to a subscription-based model, our customers typically purchasepurchased one year of software maintenance and support as part of their initial purchase of our perpetual license products, with an option to renew their maintenance agreements. These maintenance agreements provide customers the right to receive support and unspecified upgrades and enhancements when and if they become available during the maintenance period and access to our technical support services. Today, with the transition to a subscription model complete, the sales of new perpetual licenses are insignificant and therefore, we do not expect maintenance and support of perpetual licenses to grow versus prior year comparisons. Maintenance associated with a subscription contract is included in the Subscriptions revenue line of the income statement.
We maintain a customer support organization that provides all levels of support to our customers. Our customers that purchase maintenance and support services receive guaranteed response times, direct telephonic support and access to online support portals. Our customer support organization has global capabilities with expertise in both our software and complex IT environments and associated third-party infrastructure.
Professional Services
While users can easily download, install and deploy our software on their own, certain enterprises use our professional service team to provide fee-based services, which include training our customers in the use of our products, providing advice on network design, product configuration and implementation, automating and customizing reports and tuning policies and configuration of our products for the particular characteristics of the customer’s environment. Although professional services have always been a small percentage of our total revenues, we have recently seen, and expect to continue to see, that percentage decline as many of our newer licenses can provide remediation in a more automated way and our planned long-term strategy to allow our channel partners to take on more professional services work. As such, our overall maintenance and services revenues is also expected to continue to decline versus prior year comparisons.
Sales and Marketing
Sales
We sell the vast majority of our products and services to a global network of resellers and distributors that we refer to as our channel partners. Our channel partners, in turn, sell the products they purchase from us to customers. In addition, we maintain a highly trained professional sales force that is responsible for overall market development, including the management of the relationships with our channel partners and supporting channel partners in winning customers through operating demonstrations and risk assessments. Our channel partners identify potential sales targets, maintain relationships with customers and introduce new products to existing customers. Sales to our channel partners are generally subject to our standard, non-exclusive channel partner agreement, meaning our channel partners may offer customers the products of several different companies.agreement. These agreements are generally for a term of one year with a one-year renewal term and can be terminated by us or the channel partner for any reason upon 30 days’ notice. A termination of the agreement has no effect on orders already placed. Payment to us from the channel partner is typically due within 30 to 60 calendar days of the invoice date.
Marketing
Our marketing strategy focuses on building our brand and product awareness, increasing customer adoption and demand, communicating advantages and business benefits and generating leads for our channel partners and sales force. We market our software as a Data Security Platform, a solution for securing and managing file systems and enterprise data and transforming that data into actionable intelligence.data. We execute our marketing strategy by leveraging a combination of internal marketing professionals, external marketing partners and a network of regional and global channel partners. Our internal marketing organization is responsible for branding, content generation, demand generation, field marketing and product marketing and works with our business operations team to support channel marketing and sales support programs. We provide one on oneone-on-one and community education and awareness and promote the expanded use of our software. We host in-person or virtual Varonis Connect! customer events annually across sales regions, as well as free, online monthly or bi-weekly technical webinars in multiple regions. We focus our efforts on highly relevant content creation, events, campaigns tools and activities that can be leveraged by our channel partners worldwide to extend our marketing reach, such as, sales tools, information regarding product awards and technical certifications, security training, regional seminars and conferences, webinars, podcasts and various other demand-generation activities. Our marketing efforts also include public relations in multiple regions, analyst relations, customer marketing, account-based marketing, targeted advertising, extensive content development available through our web site and content syndication, and our active blog, “The Inside Out Security Blog.”
Seasonality
See Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations — Seasonality and Quarterly Trends.”blog.
Research and Development
Our research and development efforts are focused primarily on improving and enhancing our existing products, as well as developing new products, features and functionality. Use of our products has expanded from data governance into areas such as data security, privacy, accessibility and retention, and we anticipate that customers and innovation will drive functionality into additional areas. We regularly release new versions of our products which incorporate new features and enhancements to existing ones. We conduct substantially all of our research and development activities in Israel, and we believe this provides us with access to world-class engineering talent. In addition, we continue to seek opportunities to extend our technological capabilities and grow our business from strategic technological tuck-in acquisitions.
Our research and development expense was $99.4 million, $80.8 million and $70.0 million in 2020, 2019 and $47.4 million in 2019, 2018, and 2017, respectively.
Intellectual Property
We rely onattempt to protect our technology and the related intellectual property under patent, trademark, copyright and trade secret laws, confidentiality procedures and contractual provisions to protectprovisions. No single intellectual property right is solely responsible for protecting our technology and the related intellectual property.products. The nature and extent of legal protection of our intellectual
property rights depends on, among other things, its type and the jurisdiction in which it arises. As of January 31, 2020,29, 2021, we had 6974 issued patents and 3128 pending patent applications in the United States. Our issued U.S. patents expire between 2025 and 2039. We also had 3541 patents issued and 7163 applications pending for examination in non-U.S. jurisdictions, and twothree pending Patent Cooperation Treaty (“PCT”) patent applications, all of which are counterparts of our U.S. patent applications. Certain of our patents are owned by our Israeli subsidiary. The claims for which we have sought patent protection relate primarily to inventions we have developed for incorporation into our products. We also license software from third parties for use in developing our products and for integration into our products, including open source software.
DespiteIn addition to patented technology, we rely on our efforts to protect ourunpatented proprietary technologiestechnology and intellectual property rights, unauthorized parties may attempt to copy aspects of our products or obtain and use our trade secrets or other confidential information.secrets. We generally enter into confidentiality agreements with our employees, consultants, service providers, vendors and customers and generally limit internal and external access to, and distribution of, our proprietary information and proprietary technology through certain procedural safeguards. TheseWe also rely on invention assignment agreements with our employees, consultants and others, to assign to the Company all inventions developed by such individuals in the course of their engagement with the Company.
Moreover, we have registered the “Varonis” name and logo and “DatAdvantage”, “DataPrivilege”, “DatAlert”, “DatAnywhere” and other names in the United States and, as related to some of these names, certain other countries.
In addition to Company-owned intellectual property, we license software from third parties for integration into our solution, including open source software and other software available on commercially reasonable terms. It may not effectively prevent unauthorized usebe necessary in the future to seek or disclosurerenew licenses relating to various aspects of our intellectual property or technologyproducts, processes and may not provide an adequate remedyservices. While we have generally been able to obtain such licenses on commercially reasonable terms in the event of unauthorized use or disclosure of our intellectual property or technology. Wepast, we cannot provide assurance that the steps taken by us will prevent misappropriation of our trade secrets or technology or infringement of our intellectual property. In addition, the laws of some foreign countries do not protect our proprietary rights to as great an extent as the laws of the United States, and many foreign countries do not enforce these laws as diligently as government agencies and private parties in the United States.
Our industry is characterized by the existence of a large number of relevant patents and frequent claims and related litigation regarding patents and other intellectual property rights. From time to time, third-parties have asserted and may assert their patent, copyright, trademark and other intellectual property rights against us, our channel partners or customers. Successful claims of infringement or misappropriation by a third party could prevent us from distributing certain products, performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us to cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others, or to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology. Even ifsuch third parties may offer a licensewill maintain such software or continue to their technology, the termsmake it available.
Seasonality
See Item 7, “Management’s Discussion and Analysis of any offered license may not be acceptable,Financial Condition and the failure to obtain a license or the costs associated with any license could cause our business, resultsResults of operations or financial condition to be materiallyOperations — Seasonality and adversely affected. In some cases, we indemnify our channel partners and customers against claims that our products infringe the intellectual property of third parties.Quarterly Trends.”
Competition
While there are some companies which offer certain features similar to those embedded in our solutions, as well as others with which we compete in certain use cases, we believe that we do not currently compete with a company that offers the same breadth of functionalities that we offer in a single integrated solution. Nevertheless, we do compete against a select group of software vendors such as Veritas Technologies LLC and Quest Software, that provide standalone solutions, similar to those found in our comprehensive software suite, in the specific markets in which we operate. We also face direct competition with respect to certain of our products, specifically Data Transport Engine, DatAnswers and DatAdvantage for Directory Services. As we continue to augment our functionality with insider threat detection and user behavior analytics and as we expand our classification capabilities to better serve compliance needs with new regulations, like GDPR, CCPA and other data privacy laws, and as these functionalities continue to be recognized as critical to protect enterprise data, we may face increased perceived and real competition from other security and classification technologies. In the future, as customer requirements evolve and new technologies are introduced, we may experience increased competition if established or emerging companies develop solutions that address the enterprise data market. Furthermore, because we operate in an evolving market, we anticipate that competition will increase based on customer demand for these types of products.
A number of factors influence our ability to compete in the markets in which we operate, including, without limitation: the continued reliability and effectiveness of our products’ functionalities; the breadth and completeness of our solutions’ features; the scalability of our solutions; and the ease of deployment and use of our products. We believe that we generally compete favorably in each of these categories. We also believe that we distinguish ourselves from others by delivering a single, integrated solution and sophisticated automation to address our customers’ needs regarding access, governance, security, privacy and retention with respect to their enterprise data. There can, however, be no assurance that we will remain unique in this capacity or that we will be able to compete favorably with other providers in the future.
If a more established company were to target our market, we may face significant competition. They may have competitive advantages, such as greater name recognition, larger sales, marketing, research and acquisition resources, access to larger customer bases and channel partners, a longer operating history and lower labor and development costs, which may
enable them to respond more quickly to new or emerging technologies and changes in customer requirements or devote greater resources to the development, promotion and sale of their products than we do. Increased competition could result in us failing to attract customers or maintain renewals and licenses at the same rate. It could also lead to price cuts, alternative pricing structures or the introduction of products available for free or a nominal price, reduced gross margins, longer sales cycles and loss of market share.
In addition, our current or prospective channel partners may establish cooperative relationships with any future competitors. These relationships may allow future competitors to rapidly gain significant market share. These developments could also limit our ability to generate revenues from existing and new customers. If we are unable to compete successfully against current and future competitors our business, results of operations and financial condition may be harmed.
Employees and Human Capital Resources
As of December 31, 2019,2020, we had 1,5741,719 employees and independent contractors who developed, marketed, sold and supported our technology solutions, of which 706755 were in the United States, 514601 were in Israel and 354363 were in other countries. Our
We understand that our innovation leadership is ultimately rooted in people. Competition for qualified personnel in the technology space is intense, and our success depends in large part on our ability to recruit, develop and retain a productive and engaged workforce. Accordingly, investing in our employees in France are represented by an internal labor committee which is affiliated with an external trade union. Noneand their well-being, offering competitive compensation and benefits, promoting diversity and inclusion, adopting progressive human capital management practices and community outreach constitute core elements of our other employees is represented by a labor union with respect to his or her employment with us. Employees in certain European countries havecorporate strategy.
•Support Employee Well-being and Engagement. We support the benefitsoverall well-being of collective bargaining arrangements at the national level. We have not experienced any work stoppages, and we consider our relations with our employees from a physical, emotional, financial and social perspective. We also regularly seek input from employees, including through broad employee satisfaction and pulse surveys on specific issues, intended to assess our degree of success in promoting an environment where employees are engaged, satisfied, productive and possess a strong understanding of our business goals. Our global well-being program includes a long-standing practice of remote working arrangements, flexible paid time off, life planning benefits, wellness platforms and employee assistance programs.
•Offer Competitive Compensation and Benefits. We strive to ensure that our employees receive competitive and fair compensation and innovative benefits offerings, tying incentive compensation to both business and individual performance, offering competitive maternal leave policies, providing meaningful retirement and health benefits and maintaining an employee stock purchase plan. In 2020, in response to a salary reduction during the COVID-19 crisis, we also provided broader access to equity compensation to our employees by granting them restricted stock units. As the momentum of the business improved throughout 2020, we informed employees that salaries would be good.returned to original levels in two phases, with the first phase becoming effective in July 2020 and the second in January 2021.
•Promote Sense of Belonging through Diversity and Inclusion Initiatives. We conduct diversity and code of conduct trainings with employees and managers to make clear our views on diversity and promote an inclusive and diverse workplace, where all individuals are respected and feel they belong regardless of their age, race, national origin, gender, religion, disability, sexual orientation or gender identity. We also require managers to participate in unconscious bias training to improve awareness. Our customers are located in over 85 countries and our global workforce operates across cultures, functions, language barriers and time zones to support the challenges faced by customers worldwide. In order to support our customers’ needs we have established an international operation having employees and service providers from all around the world, with different language, culture, age, religious, gender, etc.
•Provide Programs for Employee Recognition. We also offer rewards and recognition programs to our employees, including awards to recognize employees who best exemplify our values and spot awards to recognize employee contributions. We believe that these recognition programs help drive strong employee performance. We conduct semi-annual employee performance reviews, where each employee is evaluated by their personal manager and also conducts a self-assessment, a process which empowers our employees. Employee performance is assessed based on a variety of key performance metrics, including the achievement of objectives specific to the employee’s department or role.
•Create Opportunities for Growth and Development. We focus on creating opportunities for employee growth, development, training and education, including opportunities to cultivate talent and identify candidates for new roles from within the company and management and leadership development programs. Employee training and education
includes online certification, in person certification and new hire training bootcamps. We also conduct manager training programs on an annual basis, which include in-depth managerial and coaching skills, as well as tailored feedback.
•Promote Community Outreach and Support. We believe it is important to give back and promote community outreach and support through corporate giving and employee volunteerism in the communities in which we live and work. We also provide corporate matching of employee charitable donations and flexible volunteering during work time and thereby letting our employees know that we care of the volunteer and charitable efforts that matters to them.
Response to the COVID-19 Pandemic. In response to the COVID-19 pandemic, we have prioritized the safety of our employees and business partners, while continuing to support the needs of our customers and communities during this unprecedented period. We temporarily closed most of our offices around the world and continue to comply with state and local requirements, guidelines and recommendations. We shifted from existing flexible working arrangements to working from home on a regular basis, using digital platforms and virtual collaboration tools to maintain productivity and to remain in contact with one another and our business partners and customers. In addition, we have also limited travel to further support and protect our employees. In April 2020, in light of the disruption and uncertainty created by the global COVID-19 pandemic and resulting impact on business conditions, and in order to avoid reducing our global workforce, we enacted a salary reduction to employees (including management) across the organization. At the time, we combined this with a one-time equity grant to our employees equal to the annualized amount of the salary reduction in order to retain and motivate them and to let our employees know that we are doing everything we can as a company to support them during these unprecedented times. As the momentum of the business improved throughout 2020, the salary reductions were recouped to the original salary pre-reduction in two phases. Additionally, in response to the pandemic, we provided our employees a work-from-home equipment allowance in order to allow them to continue effectively working remotely. Moreover, we enhanced and promoted programs to support our employees' physical and mental well-being. For example, we made available to our employees several virtual workshops to cover various subjects, including helping employees to manage stress. Lastly, in order to increase the morale of our employees, we conducted virtual fun days.
Available Information
Our website is located at www.varonis.com, and our investor relations website is located at http://ir.varonis.com. The information posted on our website is not incorporated into this Annual Report on Form 10-K. Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to reports filed or furnished pursuant to Sections 13(a) and 15(d) of the Exchange Act are available free of charge on our investor relations website as soon as reasonably practicable after we electronically file such material with, or furnish it to, the Securities and Exchange Commission (the “SEC"). You may also access all of our public filings through the SEC’s website at www.sec.gov.
Investors and other interested parties should note that we use our media and investor relations website and our social media channels to publish important information about us, including information that may be deemed material to investors. We encourage investors and other interested parties to review the information we may publish through our media and investor relations website and the social media channels listed on our media and investor relations website, in addition to our SEC filings, press releases, conference calls and webcasts.
Investing in our common stock involves a high degree of risk. You should carefully consider the following risks and all other information contained herein, including our consolidated financial statements and the related notes thereto, before investing in our common stock. The risks and uncertainties described below are not the only ones we face. Additional risks and uncertainties that we are unaware of, or that we currently believe are not material, also may become important factors that affect us. If any of the following risks materialize, our business, financial condition and results of operations could be materially harmed. In that case, the trading price of our common stock could decline, and you may lose some or all of your investment.
Risks Related to Our Business andthe Industry in which we Operate
The market for software that analyzes, secures, governs, manages and migrates enterprise data is new and unproven and may not grow.
We believe our future success depends in large part on the growth of the market for software that enables enterprises to analyze, secure, govern, manage and migrate their data. In order for us to market and sell our products, we must successfully demonstrate to enterprise IT, security and business personnel the potential value of their data and the risk of that data getting
compromised or stolen. We must persuade them to devote a portion of their budgets to a unified platform that we offer to protect, secure, govern, manage and extract value from this resource. We cannot provide any assurance that enterprises will recognize the need for our products or, if they do, that they will decide that they need a solution that offers the range of functionalities that we offer. Software solutions focused on enterprise data may not yet be viewed as a necessity, and accordingly, our sales effort is and will continue to be focused in large part on explaining the need for, and value offered by, our solution. We can provide no assurance that the market for our solution will continue to grow at its current rate or at all. The failure of the market to develop would materially adversely impact our results of operations.
Prolonged economic uncertainties or downturns could materially adversely affect our business.
Our business depends on our current and prospective customers’ ability and willingness to invest in IT services, including cybersecurity projects, which in turn is dependent upon their overall economic health. Negative conditions in the general economy both in the United States and abroad, including conditions resulting from COVID-19, similar to the negative impact on our results of operations we experienced at the early stages of the pandemic in the last two weeks of the first quarter in 2020, changes in gross domestic product growth, potential future government shutdowns, the federal government's failure to raise the debt ceiling, financial and credit market fluctuations, the imposition of trade barriers and restrictions such as tariffs, political deadlock, restrictions on travel, natural catastrophes, warfare and terrorist attacks, could cause a decrease in business investments, including corporate spending on enterprise software in general and negatively affect the rate of growth of our business.
Uncertainty in the global economy makes it extremely difficult for our customers and us to forecast and plan future business activities accurately. This could cause our customers to reevaluate decisions to purchase our product or to delay their purchasing decisions, which could lengthen our sales cycles.
We have a significant number of customers across a variety of verticals, some of which are impacted significantly by the economic turmoil caused by the COVID-19 pandemic. A downturn in any of our leading industries, or a reduction in any revenue-generating vertical, may cause enterprises to react to worsening conditions by reducing their spending on IT. Customers may delay or cancel IT projects, choose to focus on in-house development efforts or seek to lower their costs by renegotiating maintenance and support agreements. To the extent purchases of licenses for our software are perceived by customers and potential customers to be discretionary, our revenues may be disproportionately affected by delays or reductions in general IT spending. In addition, the increased pace of consolidation in certain industries may result in reduced overall spending on our software. If the economic conditions of the general economy or industries in which we operate worsen from present levels, our business, results of operations and financial condition could be adversely affected.
We may face increased competition in our market.
While there are some companies which offer certain features similar to those embedded in our solutions, as well as others with whom we compete in certain tactical use cases, we believe that we do not currently compete with a company that offers the same breadth of functionalities that we offer in a single integrated solution. Nevertheless, we do compete against a select group of software vendors that provide standalone solutions, similar to those found in our comprehensive software suite, in the specific markets in which we operate. We also face direct competition with respect to certain of our products, specifically Data Transport Engine, DatAnswers and DatAdvantage for Directory Services. As we continue to augment our functionality with insider threat detection and user behavior analytics and as we expand our classification capabilities to better serve compliance needs, such as GDPR, CCPA and other data privacy laws, we may face increased perceived and real competition from other security and classification technologies. As we expand our coverage and penetration in the cloud, we may face increased perceived and real competition from other cloud-focused technologies. In the future, as customer requirements evolve and new technologies are introduced, we may experience increased competition if established or emerging companies develop solutions that address the enterprise data market. Furthermore, because we operate in a relatively new and evolving area, we anticipate that competition will increase based on customer demand for these types of products.
In particular, if a more established company were to target our market, we may face significant competition. They may have competitive advantages, such as greater name recognition, larger sales, marketing, research and acquisition resources, access to larger customer bases and channel partners, a longer operating history and lower labor and development costs, which may enable them to respond more quickly to new or emerging technologies and changes in customer requirements or devote greater resources to the development, promotion and sale of their products than we do. Increased competition could result in us failing to attract customers or maintain licenses at the same rate. It could also lead to price cuts, alternative pricing structures or the introduction of products available for free or a nominal price, reduced gross margins, longer sales cycles, lower renewal rates and loss of market share.
In addition, our current or prospective channel partners may establish cooperative relationships with any future competitors. These relationships may allow future competitors to rapidly gain significant market share. These developments could also limit our ability to obtain revenues from existing and new customers.
Our ability to compete successfully in our market will also depend on a number of factors, including ease and speed of product deployment and use, the quality and reliability of our customer service and support, total cost of ownership, return on investment and brand recognition. Any failure by us to successfully address current or future competition in any one of these or other areas may reduce the demand for our products and adversely affect our business, results of operations and financial condition.
We are subject to a number of legal requirements, contractual obligations and industry standards regarding security, data protection and privacy, and any failure to comply with these requirements, obligations or standards could have an adverse effect on our reputation, business, financial condition and operating results.
Privacy and data information security have become a significant issue in the United States and in many other countries where we have employees and operations and where we offer licenses to our products. The regulatory framework for privacy and personal information security issues worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. The U.S. federal and various state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations limiting, or laws and regulations regarding, the collection, distribution, use, disclosure, storage and security of personal information. For example, the CCPA, which went into effect on January 1, 2020, requires, among other things, covered companies to provide new disclosures to California consumers and afford such consumers new abilities to opt-out of certain sales of personal information.
Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. Laws and regulations in these jurisdictions apply broadly to the collection, use, storage, disclosure and security of data that identifies or may be used to identify or locate an individual, such as names, email addresses and, in some jurisdictions, Internet Protocol addresses. These laws and regulations often are more restrictive than those in the United States and are rapidly evolving. For example, the EU data protection regime, the GDPR became enforceable on May 25, 2018. Additionally, the United Kingdom enacted legislation in May 2018 that substantially implements the GDPR, but the United Kingdom’s exit from the EU (which formally occurred on January 31, 2020), commonly referred to as “Brexit," has created uncertainty with regard to the regulation of data protection in the United Kingdom. In particular, it is unclear how data transfers to and from the United Kingdom will be regulated following Brexit. Complying with the GDPR or other laws, regulations or other obligations relating to privacy, data protection or information security may cause us to incur substantial operational costs or require us to modify our data handling practices. Non-compliance could result in proceedings against us by governmental entities or others, could result in substantial fines or other liability and may otherwise adversely impact our business, financial condition and operating results.
Some statutory requirements, both in the United States and abroad, include obligations of companies to notify individuals of security breaches involving particular personal information, which could result from breaches experienced by us or our service providers. Even though we may have contractual protections with our service providers, a security breach could impact our reputation, harm our customer confidence, hurt our sales or cause us to lose existing customers and could expose us to potential liability or require us to expend significant resources on data security and in responding to such breach.
In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that either legally or contractually apply to us. We also expect that there will continue to be new proposed laws and regulations concerning privacy, data protection and information security, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. New laws, amendments to or re-interpretations of existing laws and regulations, industry standards, contractual obligations and other obligations may require us to incur additional costs and restrict our business operations. Because the interpretation and application of laws and other obligations relating to privacy and data protection are still uncertain, it is possible that these laws and other obligations may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our software. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our software, which could have an adverse effect on our business. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new features could be limited. Any inability to adequately address privacy concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business.
Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our products. Privacy and personal information security concerns, whether valid or not valid, may inhibit market adoption of our products particularly in certain industries and foreign countries.
Risks Related to Our Operations
The recent global COVID-19 outbreak has had, and could continue to have, harmful effects on our business and results of operations.
The COVID-19 pandemic and efforts to control its spread have significantly curtailed the movement of people, goods and services worldwide, including in most or all of the regions in which we sell our products and services and conduct our business operations. Internationally and domestically, federal, state, and local governments have taken a variety of actions to contain the spread of COVID-19. Many jurisdictions have required mandatory business closures, or imposed capacity limitations and other restrictions affecting our operations. At the end of the first quarter of 2020, we closed our offices and instructed employees to work remotely as a precautionary measure intended to minimize the risk of the virus to them, our customers, partners and the communities in which we operate. Since that time, we have complied with state and local requirements and have been opening and closing our offices based on these guidelines and recommendations. To the extent there are extended restrictions or closures, this may adversely affect economies and financial markets globally, leading to an economic downturn. Our operations, and the operations of our customers and partners, have been disrupted and may continue to be so for a period of time that cannot currently be predicted.
The move to remote working has not to date materially impacted our business operations and research and development activity; however, if our employees will not be able to continue working effectively as a result of the COVID-19 pandemic, including because of illness, quarantines, office closures, ineffective remote work arrangements or technology failures or limitations, our operations would be adversely impacted. Further, as recently seen in many places around the world, remote work arrangements may increase the risk of cybersecurity incidents, data breaches or cyber-attacks, which could have a material adverse effect on our business and results of operations, due to, among other things, the loss of proprietary data, interruptions or delays in the operation of our business, damage to our reputation and any government imposed penalty. While the move to remote working and virtual-only customer experience has not to date adversely impacted our sales, we have had to postpone or cancel customer and industry events or conduct them virtually, and we cannot predict with certainty the impact these changes may have on our sales.
Corporate expenditures are also subject to elevated scrutiny in the current environment and may lead to longer sales cycles. The pandemic, and its impact on our customers, has also made it more difficult to predict our future performance and we expect it will continue to be more challenging to estimate the pipeline conversion rates due to the economic uncertainty, and there is a greater risk that any guidance we provide to the market may turn out to be incorrect. We therefore cannot predict whether potential decreases in sales will be offset in subsequent periods by increased sales.
Additionally, concerns over the economic impact of COVID-19 have caused extreme volatility in financial and other capital markets which have temporarily adversely impacted, and may in the future adversely impact, our stock price.
Overall, and in addition to other risks discussed in this Form 10-K filing, the COVID-19 pandemic gives rise to a number of risks, including, but not limited to, the following:
•our ability to expand within our existing customer base, including through the adoption of additional licenses;
•reduced economic activity which could lead to a prolonged recession, which could negatively impact consumer discretionary spending and in return could severely impact our business operations, financial condition and liquidity;
•our ability to continue to show the positive trends at the levels we have shown in the last several quarters for certain key performance metrics, such as renewal rates, annual recurring revenues ("ARR") and dollar-based net retention rate;
•negatively affect our customer success efforts, our ability to enter into new markets and our ability to acquire new customers, in part due to potentially lower conversion rates on risk assessments and delay and lengthen our sales cycles due to virtual meetings;
•a reduction in the number of users as customers terminate and furlough employees;
•an increase in bad debt reserves as customers face economic hardship and collectability becomes more uncertain, including the risk of bankruptcies;
•our ability to timely retain, attract and recruit employees;
•a reduction in our operating effectiveness, employee productivity, sales and marketing efforts, as our employees work from home;
•potential negative impact on the health of our personnel and staff, particularly if a significant number of them are impacted, which could result in a deterioration in our ability to ensure business continuity during this disruption;
•our ability to remotely develop new products and enhance existing products; and
•our ability to raise capital.
These factors may make it more difficult for us to gain new customers and to expand within our existing customer base. While our revenues increased for the year ended December 31, 2020 compared to the year ended December 31, 2019, we may face future difficulties in gaining new customers and expanding within our existing customer base, similar to those difficulties we experienced during the last two weeks of the first quarter of 2020.
The full impact of COVID-19 on our business and our future performance is difficult to predict and there is some level of risk that any guidance we provide to the market may turn out to be incorrect. The challenges posed by COVID-19 on our business are uncertain and we will continue to evaluate our financial position in light of future developments, particularly those relating to COVID-19.
Security breaches, cyberattacks or other cyber-risks of our IT and production systems could expose us to significant liability and cause our business and reputation to suffer and harm our competitive position.
Our corporate infrastructure stores and processes our sensitive, proprietary and other confidential information (including as related to financial, technology, employees, marketing, sales, etc.) which is used on a daily basis in our operations. In addition to that, our software involves transmission and processing of our customers' confidential, proprietary and sensitive information. We have legal and contractual obligations to protect the confidentiality and appropriate use of customer data. Being a leading pioneer in the cyber industry, we may be an attractive target for cyber attackers or other data thieves.
High-profile cyberattacks and security breaches have increased in recent years, with the potential for such acts heightened as a result of the number of employees working remotely due to COVID-19. Security industry experts and government officials have warned about the risks of hackers and cyberattacks targeting IT products and enterprise infrastructure. Because techniques used to obtain unauthorized access or to sabotage systems change frequently and often are not recognized until launched against a specific target, we may be unable to anticipate these techniques or to implement adequate preventative measures. As we continue to increase our client base and expand our brand, we may become more of a target for third parties seeking to compromise our security systems and we anticipate that hacking attempts and cyberattacks will increase in the future. We cannot give assurance that we will always be successful in preventing or repelling unauthorized access to our systems. We also may face delays in our ability to identify or otherwise respond to any cybersecurity incident or any other breach. Additionally, we use third-party service providers to provide some services to us that involve the storage or transmission of data, such as SaaS, cloud computing, and internet infrastructure and bandwidth, and they face various cybersecurity threats and also may suffer cybersecurity incidents or other security breaches. Despite our security measures, our IT and infrastructure may be vulnerable to attacks. Threats to IT security can take a variety of forms. Individual and groups of hackers and sophisticated organizations, including state-sponsored organizations or nation-states, continuously undertake attacks that pose threats to our customers and our IT. These actors may use a wide variety of methods, which may include developing and deploying malicious software or exploiting vulnerabilities in hardware, software, or other infrastructure in order to attack our products and services or gain access to our networks, using social engineering techniques to induce our employees, users, partners, or customers to disclose passwords or other sensitive information or take other actions to gain access to our data or our users’ or customers’ data, or acting in a coordinated manner to launch distributed denial of service or other coordinated attacks. Inadequate account security practices may also result in unauthorized access to confidential and/or sensitive data.
Security risks, including, but not limited to, unauthorized use or disclosure of customer data, theft of proprietary information, theft of intellectual property, theft of internal employee’s PII/PHI information, theft of financial data and financial reports, loss or corruption of customer data and computer hacking attacks or other cyberattacks, could require us to expend significant capital and other resources to alleviate the problem and to improve technologies, may impair our ability to provide services to our customers and protect the privacy of their data, may result in product development delays, may compromise confidential or technical business information, may harm our competitive position, may result in theft or misuse of our intellectual property or other assets and could expose us to substantial litigation expenses and damages, indemnity and other contractual obligations, government fines and penalties, mitigation expenses, costs for remediation and incentives offered to affected parties, including customers, other business partners and employees, in an effort to maintain business relationships after a breach or other incident, and other liabilities. We are continuously working to improve our IT systems, together with creating security boundaries around our critical and sensitive assets. We provide advanced security awareness training to our employees and contractors that focuses on various aspects of the cybersecurity world. All of these steps are taken in order to mitigate the risk of attack and to ensure our readiness to responsibly handle any security violation or attack. However, because techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not recognized until successfully
launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. If an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures and our products could be harmed, we could lose potential sales and existing customers, our ability to operate our business could be impaired, and we may incur significant liabilities, and we could suffer harm to our reputation and competitive position, and our operating results could be negatively impacted.
Our quarterly results of operations have fluctuated and may fluctuate significantly due to variability in our revenues which could adversely impact our stock price.
Our revenues and other results of operations have fluctuated from quarter to quarter in the past and could continue to fluctuate in the future.future partially due to the front-loaded revenue recognition nature of our business. Additionally, we have a limited operating history under our new subscription model, which makes it difficult to forecast our results. As a result, comparing our revenues and results of operations on a period-to-period basis may not be meaningful, and you should not relybe relied on for any particular past quarter or other period results. Our revenues depend in part on the conversion of enterprises that have undergone risk assessments, which can be and are frequently performed remotely, into paying customers. In this regard, mostcustomers; however, given the spread of COVID-19 and the impact on our prospects, these risk assessments may not be converted at the same historical rates. At the same time, the majority of our sales are typically made during the last three weeks of every quarter. We may fail to meet market expectations for that quarter if we are unable to close the number of transactions that we expect during this short period and closings are deferred to a subsequent quarter.quarter or not closed at all. In addition, our sales cycle from initial contact to delivery of and payment for the software license generally becomes longer and less predictable with respect to large transactions and often involves multiple meetings or consultations at a substantial cost and time commitment to us. The closing of a large transaction in a particular quarter may raise our revenues in that quarter and thereby make it more difficult for us to meet market expectations in subsequent quarters and our failure to close a large transaction in a particular quarter or any renewals may adversely impact our revenues in that quarter. Moreover, we base our current and future expense levels on our revenue forecasts and operating plans, and our expenses are relatively fixed in the short term.short-term. Accordingly, we would likely not be able to reduce our costs sufficiently to compensate for an unexpected shortfall in revenues and even a relatively small decrease in revenues could disproportionately and adversely affect our financial results for that quarter.
The variability and unpredictability of these and other factors, many of which are outside of our control, could result in our failing to meet or exceed financial expectations for a given period. If our revenues or results of operations fall below the expectations of investors or any securities analysts that cover our stock, the price of our common stock could decline substantially.
A failure to hire and integrate additional sales and marketing personnel or maintain their productivity could adversely affect our results of operations and growth prospects.
Our business requires intensive sales and marketing activities. Our sales and marketing personnel are essential to attracting new customers and expanding sales to existing customers, both of which are key to our future growth. We face a number of challenges in successfully expanding our sales force. Following our transition to a subscription-based model and the additional demands involved in selling multiple products, it has become even more difficult to hire and retain qualified sales force members. We must locate and hire a significant number of qualified individuals, and competition for such individuals is intense. In addition, as we expand into new markets with which we have less familiarity and grow existing territories, we will need to recruit individuals who have skills particular to a certain geography or territory, and it may be difficult to find candidates with those qualifications. We may be unable to achieve our hiring or integration goals due to a number of factors, including, but not limited to, the number of individuals we hire, challenges in finding individuals with the correct background due to increased competition for such hires and increased attrition rates among new hires and existing personnel as well as the necessary experience to sell our Data Security Platform rather than individual software products. Furthermore, based on our past experience in mature territories, it often can take up to 12 months before a new sales force member is trained and operating at a level that meets our expectations. We invest significant time and resources in training new members of our sales force, and we may be unable to achieve our target performance levels with new sales personnel as rapidly as we have done in the past due to larger numbers of hires or lack of experience training sales personnel to operate in new jurisdictions. Our failure to hire a sufficient number of qualified individuals, to integrate new sales force members within the time periods we have achieved historically or to keep our attrition rates at levels comparable to others in our industry may materially impact our projected growth rate.
Failure to attract, recruit and retain highly qualified engineers could adversely affect our results of operations and growth prospects.
Our future success and growth depend, in part, on our ability to continue to recruit and retain highly skilled personnel, particularly engineers. Any of our employees may terminate their employment at any time, and we face intense competition for highly skilled engineering personnel, especially in Israel, where we have a substantial presence and need for qualified engineers, from numerous other companies, including other software and technology companies, many of whom have greater financial and other resources than we do. Moreover, to the extent we hire personnel from other companies, we may be subject to allegations that they have been improperly solicited or may have divulged proprietary or other confidential information to us. If we are unable to attract or retain qualified engineers, our ability to innovate, introduce new products and compete would be adversely impacted, and our financial condition and results of operations may suffer.
If the transition to a subscription-based business model we have completed fails to yieldcontinue yielding the benefits that we expect,achieved, our results of operations could be negatively impacted.
We are currently completinghave completed our transition to a subscription-based business model. Itmodel but it is uncertain whether this transitionthe expected benefits will prove successful.continue. Market acceptance of our products is dependent on our ability to include functionality and usability that address certain customer requirements. Additionally, we must optimally price our products in light of marketplace conditions, our costs and customer demand. ThisAt the start of the transition, has had and may continue to havewe suffered a negative revenue and earnings implications,impact, including on our quarterly results of operations. IfSuch negative implications might return if we are unable to respond to these competitive threats, our business could be harmed.achieve the renewals we anticipate, either at all or on a timely basis.
This subscription strategy may give rise to a number of risks, including the following:
•our revenues and cash flows may fluctuate more than anticipated over the short-term as a result of this strategy;
•if newour customers do not renew their subscriptions or current customers desire only perpetual licensesdo not renew them on a timely basis(including due to substantial implication of the economic turmoil caused by the COVID-19 pandemic), our subscription salesrevenues may lag behinddecline and our expectations;business may suffer;
•the shift to a subscription strategy may raise, and has raised, concerns among our customer base, including concerns regarding changes to pricing over time and access to data once a subscription has expired;time;
•we may be unsuccessful in maintaining or implementing our target pricing or new pricing models, product adoption and projected renewal rates, or we may select a target price or new pricing model that is not optimal and could negatively affect our sales or earnings;
•our shiftsales force may struggle with the additional requirements of selling subscription which may lead to a subscription licensing model may result in confusion amongincreased turnover rates and lower headcount;
•if new or existingcurrent customers (which can slow adoption rates), resellersdesire only perpetual licenses our subscription sales may lag behind our expectations; and investors;
if our customers do not renew their subscriptions or do not renew them on a timely basis, our revenues may decline and our business may suffer;
•our relationships with existing partners that resell perpetual license products may be damaged;damaged.
we
We may incur sales compensation costs at a higher than forecasted rate if the pace ofnot be able to predict subscription renewal rates and their impact on our future revenues and operating results.
Although our subscription transitionsolutions are designed to increase the number of customers that purchase our solutions and the number of products purchased by existing and new customers to create a recurring revenue stream that increases and is faster than anticipated;more predictable over time, our customers are not required to renew their subscriptions for our solutions and they may elect not to renew when, or as we expect, or they may elect to reduce the scope of their original purchases or delay their purchase. We cannot accurately predict renewal rates given our varied customer base of enterprise and small and medium size business customers and the number of multiyear subscription contracts. Customer renewal rates may decline or fluctuate due to a number of factors, including offering pricing, competitive offerings, customer satisfaction and reductions in customer spending levels or customer activity due to economic downturns including, but not limited to, the COVID-19 pandemic, the adverse impact of import tariffs or other market uncertainty. If our customers do not renew their subscriptions when or as we expect, or if they choose to renew for fewer subscriptions (in quantity or products) or renew for shorter contract lengths or if they renew on less favorable terms, our revenues and earnings may decline, and our business may suffer.
our sales force may struggle with the transition which may lead to increased turnover rates and lower headcount.
We have been growing and expect to continue to invest in our growth for the foreseeable future. If we fail to manage this growth effectively, our business and results of operations will be adversely affected.
We intend to continue to grow our business and plan to continue to hire new employees.sales employees either for expansion or replacement of existing sales personnel. If we cannot adequately and timely hire new employees and if we fail to adequately train these new employees, including our sales force, engineers and customer support staff, which processes have become more challenging during the COVID-19 period, our sales may not grow at the rates we project and/or our sales productivity might suffer, our customers might decide not to renew or reduce the scope of their original purchases, or our customers may lose confidence in the knowledge and capability of our employees. In addition, we are expanding our current operations, and we intend to make investments to continue our expansion efforts.employees or products. We must successfully manage our growth to achieve our objectives. Although our business has experienced significant growth in the past, we cannot provide any assurance that our business will continue to grow at the same rate, or at all.
Our ability to effectively manage any significant growth of our business will depend on a number of factors, including our ability to do the following:
effectively•adequately and timely recruit, integrate, train, motivate and motivate a large number ofintegrate new employees, including our sales force and engineers, while retaining existing employees, maintaining the beneficial aspects of our corporate culture and effectively executing our business plan;plan, especially during this challenging period of the COVID-19 pandemic;
•satisfy existing customers and attract new customers;
transition•successfully manage and integrate our acquisition and any future acquisitions of businesses, including our recent acquisition, and including, without limitation, the amount and timing of expenses and potential future charges for impairment of goodwill from perpetual licenses to a subscription-based business model;acquired companies;
•successfully introduce new products and enhancements;
•effectively manage existing channel partnerships and expand to new ones;
•improve our key business applications and processes to support our business needs;
•enhance information and communication systems to ensure that our employees and offices around the world are well-coordinated and can effectively communicate with each other and our growing customer base;
•enhance our internal controls to ensure timely and accurate reporting of all of our operations and financial results;
•protect and further develop our strategic assets, including our intellectual property rights; and
•make sound business decisions in light of the scrutiny associated with operating as a public company.company and the increased strain and pressures associated with COVID-19; and
•capitalize on the transition from perpetual licenses to a subscription-based business model.
These activities will require significant investments and allocation of valuable management and employee resources, and our growth will continue to place significant demands on our management and our operational and financial infrastructure. There are no guarantees we will be able to grow our business in an efficient or timely manner, or at all. Moreover, if we do not effectively manage the growth of our business and operations, the quality of our software could suffer, which could negatively affect our brand, results of operations and overall business.
Our failure to continually enhance and improve our technology could adversely affect sales of our products.
The market is characterized by the exponential growth in enterprise data, rapid technological advances, changes in customer requirements, including customer requirements driven by changes to legal, regulatory and self-regulatory compliance mandates, frequent new product introductions and enhancements and evolving industry standards in computer hardware and software technology. As a result, we must continually change and improve our products in response to changes in operating systems, application software, computer and communications hardware, networking software, data center architectures, programming tools, computer language technology and various regulations. Moreover, the technology in our products is especially complex because it needs to effectively identify and respond to a user’s data retention, security and governance needs, while minimizing the impact on database and file system performance. Our products must also successfully interoperate with products from other vendors.
We cannot guarantee that we will be able to anticipate future market needs and opportunities or be able to extend our technological expertise and develop new products or expand the functionality of our current products in a timely manner or at all. Even if we are able to anticipate, develop and introduce new products and expand the functionality of our current products, there can be no assurance that enhancements or new products will achieve widespread market acceptance.
Our product enhancements or new products could fail to attain sufficient market acceptance for many reasons, including:
failure to accurately predict market demand in terms of product functionality and to supply products that meet this demand in a timely fashion;
inability to interoperate effectively with the database technologies and file systems of prospective customers;
defects, errors or failures;
negative publicity or customer complaints about performance or effectiveness; and
poor business conditions, causing customers to delay IT purchases.
If we fail to anticipate market requirements or stay abreast of technological changes, we may be unable to successfully introduce new products, expand the functionality of our current products or convince our customers and potential customers of the value of our solutions in light of new technologies. Accordingly, our business, results of operations and financial condition could be materially and adversely affected.
We may not be able to predict subscription renewal rates and their impact on our future revenues and operating results.
Although our subscription solutions are designed to increase the number of customers that purchase our solutions and create a recurring revenue stream that increases and is more predictable over time, our customers are not required to renew their subscriptions for our solutions and they may elect not to renew when or as we expect or elect to reduce the scope of their original purchases. Customer renewal rates may decline or fluctuate due to a number of factors, including offering pricing, competitive offerings, customer satisfaction and reductions in customer spending levels or customer activity due to economic downturns, the adverse impact of import tariffs or other market uncertainty. If our customers do not renew their subscriptions when or as we expect, or if they renew on less favorable terms, our revenues and earnings may decline, and our business may suffer.
We are dependent on the continued services and performance of our co-founder, Chief Executive Officer and President, the loss of whom could adversely affect our business.
Much of our future performance depends in large part on the continued services and continuing contributions of our co-founder, Chief Executive Officer and President, Yakov Faitelson, to successfully manage our company, to execute on our business plan and to identify and pursue new opportunities and product innovations. The loss of Mr. Faitelson's services could significantly delay or prevent the achievement of our development and strategic objectives and adversely affect our business.
Due to our growth, we have a limited operating history at our current scale, which makes it difficult to evaluate and predict our future prospects and may increase the risk that we will not be successful.
We have a relatively short history operating our business at its current scale. For example, we have increased the number of our employees and have expanded our operations and product offerings. This limits our ability to forecast our future operating results and subjects us to a number of uncertainties, including our ability to plan for and model future growth. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in new
markets that may not develop as expected. Because we depend in part on the market’s acceptance of our products, it is difficult to evaluate trends that may affect our business. If our assumptions regarding these trends and uncertainties, which we use to plan our business, are incorrect or change in reaction to changes in our markets, or if we do not address these risks successfully, our operating and financial results could differ materially from our expectations and our business could suffer. Moreover, although we have experienced significant growth historically, we may not continue to grow as quickly in the future.
Our future success will depend in large part on our ability to, among other things:
complete◦reap the benefits from the transition to a subscription-based model successfully;
◦maintain and expand our business, including our customer base and operations, to support our growth, both domestically and internationally;
hire,◦our ability to successfully manage and integrate trainour acquisition and retain skilled talent, including membersany future acquisitions of our sales force and engineers;businesses;
◦develop new products and services and bring products and services in beta to market;
◦renew subscription and maintenance and support agreements with, and sell additional products to, existing customers;
◦maintain high customer satisfaction and ensure quality and timely releases of our products and product enhancements;
◦increase market awareness of our products and enhance our brand; and
◦maintain compliance with applicable governmental regulations and other legal obligations, including those related to intellectual property, international sales and taxation.taxation; and
◦hire, integrate, train and retain skilled talent, including members of our sales force and engineers.
If we fail to address the risks and difficulties that we face, including those associated with the challenges listed above as well as those described elsewhere in this “Risk Factors” section, our business will be adversely affected, and our results of operations will suffer.
If we are unable to attract new customers and expand sales to existing customers, both domestically and internationally, our growth could be slower than we expect, and our business may be harmed.
Our future growth depends in part upon increasing our customer base, particularly those customers with potentially high customer lifetime values. Our ability to achieve significant growth in revenues in the futuresuccess will depend, in large part, upon the effectiveness ofon our ability to support new and existing customer growth and maintain customer satisfaction. Due to COVID-19, our sales and marketing efforts, both domesticallyteams have avoided in-person meetings and internationally,are increasingly engaging with customers online and through other communications channels, including virtual meetings. While our abilityrevenues increased for the year ended December 31, 2020 compared to attract new customers.the year ended December 31, 2019, there is no guarantee that in the future our sales and marketing teams will be as successful or effective using these other communications channels as they try to build relationships. If we failcannot provide the tools and training to attract new customersour teams to efficiently do their jobs and maintain and expand thosesatisfy customer relationships, our revenuesdemands, we may not be adversely affected, and our business will be harmed.able to achieve anticipated revenue growth as quickly as expected.
Our future growth also depends upon expanding sales of our products to existing customers and their organizations and receiving subscription and maintenance renewals. If our customers do not purchase additional licenses or capabilities, our revenues may grow more slowly than expected, may not grow at all or may decline. There can be no assurance that our efforts would result in increased sales to existing customers ("upsells") and additional revenues. If our efforts to upsell to our customers are not successful, our business would suffer. Additionally, although as a result
Our future growth also depends in part upon increasing our customer base, particularly those customers with potentially high customer lifetime values. Our ability to achieve significant growth in revenues in the future will depend, in large part, upon the effectiveness of our transitionsales and marketing efforts, both domestically and internationally, and our ability to a subscription-based model a majorityattract new customers. Our ability to attract new customers may be adversely affected by newly enacted laws that may prohibit certain sales and marketing activities, such as recent legislation passed in the State of our software is currently licensed and sold under subscription license agreements, we also enter into perpetual license agreements with our customers. DueNew York, pursuant to which, due to the differences in average annual spending perdeclared disaster state of emergency attributed to COVID-19, unsolicited telemarketing sales calls are prohibited. If we fail to attract new customers and maintain and expand those customer applied to perpetual licenses versus subscription sales, shifts in the mix of subscription licenses could produce significant variation in therelationships, our revenues we recognize in a given period.may be adversely affected, and our business will be harmed.
We have a history of losses, and we may not be profitable in the future.
We have incurred net losses in each year since our inception, including a net loss of $94.0 million, $78.8 million $28.6 million and $13.8$28.6 million in each of the years ended December 31, 2020, 2019 and 2018, respectively. Due to our continued investment in the growth of our business, in 2020 our operating expenses increased to $326.8 million compared to $295.0 million and 2017,$271.7 million in 2019 and 2018, respectively. Because the market for our software is rapidly evolving and has still not yet reached widespread adoption, it is difficult for us to predict our future results of operations. We expect our operating expenses to
increase over the next several years as we hire additional personnel, expand and improve the effectiveness of our distribution channels, and continue to develop features and applications for our software.
Prolonged economic uncertainties or downturns could materially adversely affect our business.
Our business depends on our current and prospective customers’ ability and willingness to invest money in information technology services, including cybersecurity projects, which in turn is dependent upon their overall economic health. Negative conditions in the general economy both in the United States and abroad, including conditions resulting from changes in gross domestic product growth, potential future government shutdowns, the federal government's failure to raise the debt ceiling, financial and credit market fluctuations, the imposition of trade barriers and restrictions such In addition, as tariffs, political deadlock, natural catastrophes, warfare and terrorist attacks, could cause a decrease in business investments, including corporate spending on enterprise software in general and negatively affect the rate of growth of our business.
Uncertainty in the global economy, particularly in EMEA, which accounted for approximately 30% of our revenues in 2019, and wherepublic company, we have experienced inconsistent quarterly growth rates over the last few years, makes it extremely difficult for our customersincurred, and uswill continue to forecast and plan future business activities accurately. This could cause our customers to reevaluate decisions to purchase our product or to delay their purchasing decisions, which could lengthen our sales cycles.
We have aincur, significant number of customers in the financial services, public sector, healthcare and industrial industries. A substantial downturn in any of these industries, or a reduction in public sector spending, may cause enterprises to react to worsening conditions by reducing their capital expenditures in general or by specifically reducing their spending on information technology. Customers may delay or cancel information technology projects, choose to focus on in-house development efforts or seek to lower their costs by renegotiating maintenance and support agreements. To the extent purchases of licenses for our software are perceived by customers and potential customers to be discretionary, our revenues may be disproportionately affected by delays or reductions in general information technology spending. In addition, the increased pace of consolidation in certain industries may result in reduced overall spending on our software. If the economic conditions of the general economy or industries in which we operate worsen from present levels, our business, results of operations and financial condition could be adversely affected.
If our technical support, customer success or professional services are not satisfactory to our customers, they may not renew their subscription licenses or maintenance and support agreements or buy future products, which could adversely affect our future results of operations.
Our business relies on our customers’ satisfaction with the technical support and professional services we provide to support our products. Our customers have no obligation to renew their subscription licenses or maintenance and support agreements with us after the initial terms have expired. Our perpetual license customers typically purchase one year of software maintenance and support as part of their initial purchase of our products, with an option to renew their maintenance agreements. In order for us to maintain and improve our results of operations, it is important that our existing customers renew their subscription licenses and maintenance and support agreements, if applicable, when the initial contract term expires. For example, our perpetual license maintenance renewal rate for each of the years ended December 31, 2019, 2018 and 2017 was over 90%. Customer satisfaction will become even more important as most of our licensing has shifted to subscription license agreements.
If we fail to provide technical support services that are responsive, satisfy our customers’ expectations and resolve issues that they encounter with our products and services, then they may elect not to purchase or renew subscription licenses or annual maintenance and support contracts and they may choose not to purchase additional products and services from us. Accordingly, our failure to provide satisfactory technical support or professional services could lead our customers not to renew their agreements with us or renew on terms less favorable to us, and therefore have a material and adverse effect on our business and results of operations.
Breaches in our security, cyberattacks or other cyber-risks could expose us to significant liability and cause our business and reputation to suffer.
Our operations involve transmission and processing of our customers' confidential, proprietary and sensitive information. We have legal, and contractual obligations to protect the confidentiality and appropriate use of customer data. Despite our security measures, our information technology and infrastructure may be vulnerable to attacks as a result of third party action, employee error or misconduct. Security risks, including, but not limited to, unauthorized use or disclosure of customer data, theft of proprietary information, loss or corruption of customer data and computer hacking attacks or other cyberattacks, could expose us to substantial litigation expenses and damages, indemnityaccounting and other contractual obligations, government fines and penalties, mitigation expenses and other liabilities. We are continuously working to improve our information technology systems, together with creating security boundaries around our critical and sensitive assets. We provide advanced security awareness training to our employees and contractors that focuses on various aspects of the cybersecurity world. All of these steps are taken in order to mitigate the risk of attack and to ensure our readiness to responsibly handle any security violation or attack. However, because techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not recognized until successfully launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. If an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures and our products could be harmed, we could lose potential sales and existing customers, our ability to operate our business could be impaired, and we may incur significant liabilities.operating expense.
If we are unable to maintain successful relationships with our channel partners, our business could be adversely affected.
We rely on channel partners, such as distribution partners and resellers, to sell licenses and support and maintenance agreements for our software and to perform some of our professional services. In 2019,2020, our channel partners fulfilled substantially all of our sales, and we expect that sales to channel partners will continue to account for substantially all of our revenues for the foreseeable future. Our ability to achieve revenue growth in the future will depend in part on our success in maintaining successful relationships with our channel partners.
Our agreements with our channel partners are generally non-exclusive, meaning our channel partners may offer customers the products of several different companies. If our channel partners do not effectively market and sell our software, choose to use greater efforts to market and sell their own products or those of others, or fail to meet the needs of our customers, including through the provision of professional services for our software, our ability to grow our business, sell our software and maintain our reputation may be adversely affected. Our contracts with our channel partners generally allow them to terminate their agreements for any reason upon 30 days’ notice. A termination of the agreement has no effect on orders already placed. The loss of a substantial number of our channel partners, our possible inability to replace them, or the failure to recruit additional channel partners could materially and adversely affect our results of operations. If we are unable to maintain our relationships with these channel partners, our business, results of operations, financial condition or cash flows could be adversely affected. Finally, even if we are successful, our relationships with channel partners may not result in greater customer usage of our products and professional services or increased revenue.
We are exposed to collection and credit risks, which could impact our operating results.
Our accounts receivable and contract assets are subject to collection and credit risks. These agreements may include purchase commitments for multiple years of subscription-based software licenses and maintenance services, which may be invoiced over multiple reporting periods increasing these risks. For example, our operating results may be impacted by significant bankruptcies among customers, which could negatively impact our revenues and cash flows. Although we have processes in place that are designed to monitor and mitigate these risks, we cannot guarantee these programs will be effective. If we are unable to adequately control these risks, our business, operating results and financial condition could be harmed. Furthermore, as a result of the COVID-19 pandemic, existing customers may attempt to renegotiate contracts and obtain concessions, including, among other things, longer payment terms or modified subscription dates, or may fail to make payments on their existing contracts, which may materially and negatively impact our operating results and financial condition.
If currency exchange rates fluctuate substantially in the future, our results of operations, which are reported in U.S. dollars, could be adversely affected.
Our functional and reporting currency is the U.S. dollar, and we generate the majority of our revenues and incur the majority of our expenses in U.S. dollars. Revenues and expenses are also incurred in other currencies, primarily Euros, Pounds Sterling, Canadian dollars, Australian dollars and New Israeli Shekels ("NIS"). Accordingly, changes in exchange rates may have a material adverse effect on our business, results of operations and financial condition. The exchange rates between the U.S. dollar and foreign currencies have fluctuated substantially in recent years and may continue to fluctuate substantially in the future. Furthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our software and our subscription licenses and maintenance renewals to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows. Volatility in exchange rates may continue in the short-term after the United Kingdom's recent exit from the EU.
We incur expenses for employee compensation and other operating expenses at our non-U.S. locations in local currencies. The weakening of the U.S. dollar against such currencies would cause the U.S. dollar equivalent of such expenses to increase which could have a negative impact on our reported results of operations and our ability to attract employees in such non-U.S. locations due to the actual increase in the compensation to be paid to such employees. We use forward foreign exchange contracts to hedge or mitigate the effect of changes in foreign exchange rates on our operating expenses denominated in certain foreign currencies. However, this strategy might not eliminate our exposure to foreign exchange rate fluctuations and involves costs and risks of its own, such as cash expenditures, ongoing management time and expertise, external costs to implement the strategy and potential accounting implications. Additionally, our hedging activities may contribute to increased losses as a result of volatility in foreign currency markets and the difference between the interest rates of the currencies being hedged.
Our business is highly dependent upon our brand recognition and reputation, and the failure to maintain or enhance our brand recognition or reputation may adversely affect our business.
We believe that enhancing the “Varonis” brand identity and maintaining our reputation in the IT industry is critical to our relationships with our customers and to our ability to attract new customers. Our brand recognition and reputation is dependent upon:
•our ability to continue to offer high quality, innovative and error- and bug-free products;
•our ability to maintain customer satisfaction with our products;
•our ability to be responsive to customer concerns and provide high quality customer support, training and professional services;
•our marketing efforts;
•any misuse or perceived misuse of our products;
•positive or negative publicity;
•our ability to prevent or quickly react to any cyberattack on our IT systems or security breach of or related to our software;
•interruptions, delays or attacks on our website; and
•litigation or regulatory-related developments.
We may not be able to successfully promote our brand or maintain our reputation. In addition, independent industry analysts often provide reviews of our products, as well as other products available in the market, and perception of our product in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive than reviews about other products available in the market, our brand may be adversely affected. Furthermore, negative publicity relating to events or activities attributed to us, our employees, our channel partners or others associated with any of these parties, may tarnish our reputation and reduce the value of our brand. If we do not successfully enhance our brand and maintain our reputation, our business may not grow, we may have reduced pricing power relative to competitors with stronger brands, and we could lose customers or renewals, all of which would adversely affect our business, operations and financial results. Moreover, damage to our reputation and loss of brand equity may reduce demand for our products and have an adverse effect on our business, results of operations and financial condition. Any attempts to rebuild our reputation and restore the value of our brand may be costly and time consuming, and such efforts may not ultimately be successful.
Moreover, it may be difficult to enhance our brand and maintain our reputation in connection with sales to channel partners. Promoting our brand requires us to make significant expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new markets and geographies and as more sales are generated to our channel partners. To the extent that these activities yield increased revenues, these revenues may not offset the increased expenses we incur.
Our success depends in part on maintaining and increasing our sales to customers in the public sector.
We derive a portion of our revenues from contracts with federal, state, local and foreign governments and government-owned or -controlled entities (such as public health care bodies, educational institutions and utilities), which we refer to as the public sector herein. We believe that the success and growth of our business will continue to depend on our successful procurement of public sector contracts. Selling to public sector entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that our efforts will produce any sales. Government demand and payment for our products and services may be impacted by public sector budgetary cycles, or lack of, and funding authorizations, including in connection with an extended government shutdown, with funding reductions or delays adversely affecting public sector demand for our products and services. Factors that could impede our ability to maintain or increase the amount of revenues derived from public sector contracts include:
•changes in public sector fiscal or contracting policies;
•decreases or elimination of available public sector funding;
•changes in public sector programs or applicable requirements;
•the adoption of new laws or regulations or changes to existing laws or regulations;
•potential delays or changes in the public sector appropriations or other funding authorization processes;
•the requirement of contractual terms that are unfavorable to us, such as most-favored-nation pricing provisions; and
•delays in the payment of our invoices by public sector payment offices.
Furthermore, we must comply with laws and regulations relating to public sector contracting, which affect how we and our channel partners do business in both the United States and abroad. These laws and regulations may impose added costs on our
business, and failure to comply with these or other applicable regulations and requirements, including non-compliance in the past, could lead to claims for damages from our channel partners, penalties, termination of contracts, and temporary suspension or permanent debarment from public sector contracting. Moreover, governments routinely investigate and audit government contractors’ administrative processes, and any unfavorable audit could result in the government refusing to continue buying our products, which would adversely impact our revenue and results of operations, or institute fines or civil or criminal liability if the audit uncovers improper or illegal activities.
The occurrence of any of the foregoing could cause public sector customers to delay or refrain from purchasing licenses of our software in the future or otherwise have an adverse effect on our business, operations and financial results.
We are subject to governmental export and import controls that could subject us to liability or impair our ability to compete in international markets.
We incorporate encryption technology into certain of our products and these products are subject to U.S. export control. We are also subject to Israeli export controls on encryption technology since our product development initiatives are primarily conducted by our wholly-owned Israeli subsidiary. We have obtained the required licenses to export our products outside of the United States. In addition, the current encryption means used in our products are listed in the “free means encryption items” published by the Israeli Ministry of Defense, which means we are exempt from obtaining an encryption control license. If the applicable U.S. or Israeli legal requirements regarding the export of encryption technology were to change or if we change the encryption means in our products, we may need to apply for new licenses in the United States and may no longer be able to rely on our licensing exception in Israel. There can be no assurance that we will be able to obtain the required licenses under these circumstances. Furthermore, various other countries regulate the import of certain encryption technology, including import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries.
We are also subject to U.S. and Israeli export control and economic sanctions laws, which prohibit the shipment of certain products to embargoed or sanctioned countries, governments and persons. Our products could be exported to these sanctioned targets by our channel partners despite the contractual undertakings they have given us and any such export could have negative consequences, including government investigations, penalties and reputational harm. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Moreover, any new export or import restrictions, new legislation or shifting approaches in the enforcement or scope of existing regulations, or in the countries, persons or technologies targeted by such regulations, could result in decreased use of our products. Any decreased use of our products or limitation on our ability to export or sell our products would likely adversely affect our business, financial condition and results of operations.
Our business in countries with a history of corruption and transactions with foreign governments increase the risks associated with our international activities.
As we operate and sell internationally, we are subject to the Foreign Corrupt Practices Act of 1977, as amended (the "FCPA"), the U.K. Bribery Act of 2010 (the "UK Bribery Act") and other laws that prohibit improper payments or offers of payments to foreign governments and their officials and political parties for the purpose of obtaining or retaining business. We have operations, deal with and make sales to governmental customers in countries known to experience corruption, particularly certain emerging countries in Eastern Europe, South and Central America, East Asia, Africa and the Middle East. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees, consultants, channel partners or sales agents that could be in violation of various anti-corruption laws, even though these parties may not be under our control. While we have implemented safeguards to prevent these practices by our employees, consultants, channel partners and sales agents, our existing safeguards and any future improvements may prove to be less than effective, and our employees, consultants, channel partners or sales agents may engage in conduct for which we might be held responsible. Violations of the FCPA or other anti-corruption laws may result in severe criminal or civil sanctions, including suspension or debarment from government contracting, and we may be subject to other liabilities, which could negatively affect our business, operating results and financial condition.
Acquisitions could disrupt our business and adversely affect our results of operations, financial condition and cash flows.
As we continue to pursue business opportunities, we may make acquisitions that could be material to our business, results of operations, financial condition and cash flows. Acquisitions involve many risks, including the following:
•an acquisition may negatively affect our results of operations, financial condition or cash flows because it may require us to incur charges or assume substantial debt or other liabilities, may cause adverse tax consequences or unfavorable accounting treatment, including potential write-downs of deferred revenues, may expose us to claims and disputes by third parties, including intellectual property claims and disputes, or may not generate sufficient financial return to offset additional costs and expenses related to the acquisition;
•we may encounter difficulties or unforeseen expenditures in integrating the business, technologies, products, personnel or operations of any company that we acquire, particularly if key personnel of the acquired company decide not to work for us;
•an acquisition may disrupt our ongoing business, divert resources, increase our expenses and distract our management;
•an acquisition may result in a delay or reduction of customer purchases for both us and the company we acquired due to customer uncertainty about continuity and effectiveness of service from either company;
•we may encounter difficulties in, or may be unable to, successfully sell any acquired products;
•an acquisition may involve the entry into geographic or business markets in which we have little or no prior experience or where competitors have stronger market positions;
•challenges inherent in effectively managing an increased number of employees in diverse locations;
•the potential strain on our financial and managerial controls and reporting systems and procedures;
•potential known and unknown liabilities or deficiencies associated with an acquired company that were not identified in advance;
•our use of cash to pay for acquisitions would limit other potential uses for our cash and affect our liquidity;
•if we incur debt to fund such acquisitions, such debt may subject us to material restrictions on our ability to conduct our business as well as financial maintenance covenants;
•the risk of impairment charges related to potential write-downs of acquired assets or goodwill in future acquisitions;
•to the extent that we issue a significant amount of equity or convertible debt securities in connection with future acquisitions, existing stockholders may be diluted and earnings per share may decrease; and
•managing the varying intellectual property protection strategies and other activities of an acquired company.
We may not succeed in addressing these or other risks or any other problems encountered in connection with the integration of any acquired business. Our ability as an organization to successfully acquire and integrate technologies or businesses is unproven. The inability to integrate successfully the business, technologies, products, personnel or operations of any acquired business, or any significant delay in achieving integration, could have a material adverse effect on our business, results of operations, financial condition and cash flows.
Risks Related to Human Capital
A failure to maintain sales and marketing personnel productivity or hire and integrate additional sales and marketing personnel could adversely affect our results of operations and growth prospects.
Our business requires intensive sales and marketing activities. Our sales and marketing personnel are essential to attracting new customers and expanding sales to existing customers, both of which are key to our future growth. We face a number of challenges in successfully expanding our sales force. Our transition to a subscription-based model, and the additional demands involved in selling multiple products, has increased the complexity and to some extent impose new challenges in finding, hiring and retaining qualified sales force members. We must locate and hire a significant number of qualified individuals, and competition for such individuals is intense. In addition, as we expand into new markets with which we have less familiarity and develop existing territories, we will need to recruit individuals who have skills particular to a certain geography or territory, and it may be difficult to find candidates with those qualifications. We may be unable to achieve our hiring or integration goals due to a number of factors, including, but not limited to, the challenge in remotely recruiting employees and adequately training them due to COVID-19, the number of individuals we hire, challenges in finding individuals with the correct background due to increased competition for such hires, increased attrition rates among new hires and existing personnel as well as the necessary experience to sell our Data Security Platform rather than individual software products. Furthermore, based on our past experience in mature territories, it often can take up to 12 months before a new sales force member is trained and operating at a level that meets our expectations, and during the COVID-19 pandemic such training may take even longer. We invest significant time and resources in training new members of our sales force, and we may be unable to achieve our target performance levels with new sales personnel as rapidly as we have done in the past, or at all, due to larger numbers of hires or lack of experience training sales personnel to operate in new jurisdictions or because of the remote hiring and training process. Our failure to hire a sufficient number of qualified individuals, to integrate new sales force members within the time periods we have achieved historically or to keep our attrition rates at levels comparable to others in our industry may materially impact our projected growth rate.
Failure to retain, attract and recruit highly qualified personnel could adversely affect our business, operating results, financial condition and growth prospects.
Our future success and growth depend, in part, on our ability to continue to recruit and retain highly skilled personnel and to preserve the key aspects of our corporate culture. Because our future success is dependent on our ability to continue to enhance and introduce new products, we are particularly dependent on our ability to hire and retain engineers. Any of our employees may terminate their employment at any time, and we face intense competition for highly skilled employees. Competition for qualified employees, particularly in Israel, where we have a substantial presence and need for qualified engineers, from numerous other companies, including other software and technology companies, many of whom have greater financial and other resources than we do, is intense. Moreover, to the extent we hire personnel from other companies, we may be subject to allegations that they have been improperly solicited or may have divulged proprietary or other confidential information to us. In addition, during the COVID-19 pandemic, which is characterized as an unstable period, to some extent it may be more difficult to timely attract and train new employees. If we are unable to timely attract, retain or train qualified employees, particularly our engineers, salespeople and key managers, our ability to innovate, introduce new products and compete would be adversely impacted, and our financial condition and results of operations may suffer. Equity grants are a critical component of our current compensation programs. If we reduce, modify or eliminate our equity programs or if there will be decline in our stock price as a result of which the value of our equity compensation shall be lower, we may have difficulty attracting and retaining employees.
We are dependent on the continued services and performance of our co-founder, Chief Executive Officer and President, the loss of whom could adversely affect our business.
Much of our future performance depends in large part on the continued services and continuing contributions of our co-founder, Chief Executive Officer and President, Yakov Faitelson, to successfully manage our company, to execute on our business plan and to identify and pursue new opportunities and product innovations. The loss of Mr. Faitelson's services could significantly delay or prevent the achievement of our development and strategic objectives and adversely affect our business.
Risks Related to our Technology, Products, Services and Intellectual Property
Our failure to continually enhance and improve our technology could adversely affect sales of our products.
The market is characterized by the exponential growth in enterprise data, rapid technological advances, changes in customer requirements, including customer requirements driven by changes to legal, regulatory and self-regulatory compliance mandates, frequent new product introductions and enhancements and evolving industry standards in computer hardware and software technology. As a result, we must continually change and improve our products in response to changes in operating systems, application software, computer and communications hardware, networking software, data center architectures, programming tools, computer language technology and various regulations. Moreover, the technology in our products is especially complex because it needs to effectively identify and respond to a user’s data retention, security and governance needs, while minimizing the impact on database and file system performance. Our products must also successfully interoperate with products from other vendors.
While we extend our technological capabilities though innovation and strategic transactions, we cannot guarantee that we will be able to anticipate future market needs and opportunities or be able to extend our technological expertise and develop new products or expand the functionality of our current products in a timely manner or at all. Even if we are able to anticipate, develop and introduce new products and expand the functionality of our current products, there can be no assurance that enhancements or new products will achieve widespread market acceptance.
Our product enhancements or new products could fail to attain sufficient market acceptance for many reasons, including:
•failure to accurately predict market demand in terms of product functionality and to supply products that meet this demand in a timely fashion;
•inability to interoperate effectively with the database technologies and file systems of prospective customers;
•defects, errors or failures;
•negative publicity or customer complaints about performance or effectiveness; and
•poor business conditions, causing customers to delay IT purchases.
If we fail to anticipate market requirements or stay abreast of technological changes, we may be unable to successfully introduce new products, expand the functionality of our current products or convince our customers and potential customers of the value of our solutions in light of new technologies. Accordingly, our business, results of operations and financial condition could be materially and adversely affected.
If our technical support, customer success or professional services are not satisfactory to our customers, they may not renew their subscription licenses or maintenance and support agreements or buy future products, which could adversely affect our future results of operations.
Our business relies on our customers’ satisfaction with the technical support and professional services we provide to support our products. Our customers have no obligation to renew their subscription licenses or maintenance and support agreements with us after the initial terms have expired. Our customers who had originally purchased perpetual licenses have an option to renew their maintenance agreements. For us to maintain and improve our results of operations, it is important that our existing customers renew their subscription licenses and maintenance and support agreements, if applicable, when the existing contract term expires. For example, our perpetual license maintenance renewal rate for each of the years ended December 31, 2020, 2019 and 2018 continued to be over 90%. Customer satisfaction will become even more important as almost all of our licensing has shifted to subscription license agreements.
If we fail to provide technical support services that are responsive, satisfy our customers’ expectations and resolve issues that they encounter with our products and services, then they may elect not to purchase or renew subscription licenses or annual maintenance and support contracts and they may choose not to purchase additional products and services from us. Accordingly, our failure to provide satisfactory technical support or professional services could lead our customers not to renew their agreements with us or renew on terms less favorable to us, and therefore have a material and adverse effect on our business and results of operations.
Because we derive substantially all of our revenues and cash flows from sales of licenses from a single platform of products, failure of the products in the platform to satisfy customers or to achieve increased market acceptance would adversely affect our business.
In 2019,2020, we generated substantially all of our revenues from sales of licenses from five of our current product families, DatAdvantage, DatAlert, Data Classification Engine, DataPrivilege and Data Transport Engine. We expect to continue to derive athe majority of our revenues from license sales relating to this platform ofthese products in the future. As such, market acceptance of this platform ofthese products is critical to our continued success. Demand for licenses for our platform of products is affected by a number of factors, some of which are outside of our control, including continued market acceptance of our software by referenceable accounts for existing and new use cases, technological change and growth or contraction in our market. We expect the proliferation of enterprise data to lead to an increase in the data analysis demands, and data security and retention concerns, of our customers, and our software, including the software underlying our Data Security Platform, may not be able to scale and perform to meet those demands. If we are unable to continue to meet customer demands or to achieve more widespread market acceptance of our software, our business, operations, financial results and growth prospects will be materially and adversely affected.
Interruptions or performance problems, including associated with our website or support website or any caused by cyberattacks, may adversely affect our business.
Our continued growth depends in part on the ability of our existing and potential customers to quickly access our website and support website. Access to our support website is also imperative to our daily operations and interaction with customers, as it allows customers to download our software, fixes and patches, as well as open and respond to support tickets and register license keys for evaluation or production purposes. We have experienced, and may in the future experience, website disruptions, outages and other performance problems due to a variety of factors, including technical failures, cyberattacks, natural disasters, infrastructure changes, human or software errors, capacity constraints due to an overwhelming number of users accessing our website simultaneously and denial of service or fraud. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. System failures or outages, including any potential disruptions due to significantly increased global demand on certain cloud-based systems during the COVID-19 pandemic, could compromise our ability to perform our day-to-day operations in a timely manner, which could negatively impact our business or delay our financial reporting. It may become increasingly difficult to maintain and improve the performance of our websites, especially during peak usage times and as our software becomes more complex and our user traffic increases. If our websites are unavailable or if our users are unable to download our software, patches or fixes within a reasonable amount of time or at all, we may suffer reputational harm and our business would be negatively affected.
If our software is perceived as not being secure, customers may reduce the use of or stop using our software, and we may incur significant liabilities.
Our software involves the transmission of data between data stores, and between data stores and desktop and mobile computers, and may in the future involve the storage of data. We have a legal and contractual obligation to protect the confidentiality and appropriate use of customer data. Any security breaches with respect to such data could result in the loss of this information, litigation, indemnity obligations and other liabilities. The security of our products and accompanied services is important in our customers’ decisions to purchase or use our products or services. Security threats are a significant challenge to companies like us whose business is providing technology products and services to others. While we have taken steps to protect the confidential information that we have access to, including confidential information we may obtain through our customer support services or customer usage of our products, we have no direct control over the substance of the content. Security measures might be breached as a result of third-party action, employee error, malfeasance or otherwise. We also incorporate open source software and other third-party software into our products. There may be vulnerabilities in open source software and third-party software that may make our products likely to be harmed by cyberattacks. Moreover, our products operate in conjunction with and are dependent on products and components across a broad ecosystem of third parties. If there is a security vulnerability in one of these components, and if there is a security exploit targeting it, such security vulnerability may adversely impact our product vulnerability and we could face increased costs, liability claims, reduced revenue, or harm to our reputation or competitive position. Because techniques used to obtain unauthorized access or sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures.
There can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. While we maintain insurance coverage for some of the above events, the potential liabilities associated with these security breach events could exceed the insurance coverage we maintain.
Any or all of these issues could tarnish our reputation, negatively impact our ability to attract new customers or sell additional products to our existing customers, cause existing customers to elect not to renew their maintenance and support agreements or subject us to third-party lawsuits, regulatory fines or other action or liability, thereby adversely affecting our results of operations.
Our use of open source software could negatively affect our ability to sell our software and subject us to possible litigation.
We use open source software and expect to continue to use open source software in the future. Some open source software licenses require users who distribute open source software as part of their own software product to publicly disclose all or part of the source code to such software product or to make available any derivative works of the open source code on unfavorable terms or at no cost. We may face ownership claims of third parties over, or seeking to enforce the license terms applicable to, such open source software, including by demanding the release of the open source software, derivative works or our proprietary source code that was developed using such software. These claims could also result in litigation, require us to purchase a costly license or require us to devote additional research and development resources to change our software, any of which would have a negative effect on our business and results of operations. In addition, if the license terms for the open source code change, we may be forced to re-engineer our software or incur additional costs. Finally, while we implement policies and procedures, we cannot provide assurance that we have incorporated open source software into our own software in a manner that conforms with our current policies and procedures and we cannot assure that all open source software is reviewed prior to use in our solution, that our programmers have not incorporated open source software into our solution, or that they will not do so in the future.
In addition, our solution may incorporate third-party software under commercial licenses. We cannot be certain whether such third-party software incorporates open source software without our knowledge. In the past, companies that incorporate open source software into their products have faced claims alleging noncompliance with open source license terms or infringement or misappropriation of proprietary software. Therefore, we could be subject to suits by parties claiming noncompliance with open source licensing terms or infringement or misappropriation of proprietary software. Because few courts have interpreted open source licenses, the manner in which these licenses may be interpreted and enforced is subject to some uncertainty. There is a risk that open source software licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to market or provide our solution. As a result of using open source software subject to such licenses, we could be required to release proprietary source code, pay damages, re-engineer our solution, limit or discontinue sales or take other remedial action, any of which could adversely affect our business.
False detection of security breaches, false identification of malicious sources or misidentification of sensitive or regulated information could adversely affect our business.
Our cybersecurity products may falsely detect threats that do not actually exist. For example, our DatAlert product may enrich metadata collected by our products with information from external sources and third-party data providers. If the information from these data providers is inaccurate, the potential for false positives increases. These false positives, while typical in the industry, may affect the perceived reliability of our products and solutions and may therefore adversely impact market acceptance of our products. As definitions and instantiations of personal identifiers and other sensitive content change, automated classification technologies may falsely identify or fail to identify data as sensitive. If our products and solutions fail to detect exposures or restrict access to important systems, files or applications based on falsely identifying legitimate use as an attack or otherwise unauthorized, then our customers’ businesses could be adversely affected. Any such false identification of use and subsequent restriction could result in negative publicity, loss of customers and sales, increased costs to remedy any problem and costly litigation.
Risks Related to our Tax Regime
Our tax rate may vary significantly depending on our stock price.
The tax effects of the accounting for stock-based compensation may significantly impact our effective tax rate from period to period. In periods in which our stock price is higher than the grant price of the stock-based compensation vesting in that period, we will recognize excess tax benefits that will decrease our effective tax rate, while in periods in which our stock price is lower than the grant price of the stock-based compensation vesting in that period, our effective tax rate may increase. The amount and value of stock-based compensation issued relative to our earnings in a particular period will also affect the magnitude of the impact of stock-based compensation on our effective tax rate. These tax effects are dependent on our stock price, which we do not control, and a decline in our stock price could significantly increase our effective tax rate and adversely affect our financial results.
Multiple factors may adversely affect our ability to fully utilize our net operating loss carryforwards.
A U.S. corporation's ability to utilize its federal net operating loss (“NOL”) carryforwards is limited under Section 382 of the Internal Revenue Code of 1986, as amended (the “Code”), if the corporation undergoes an ownership change.
We have accumulated a $207.8 million NOL since inception. Future changes in our stock ownership, including future offerings, as well as changes that may be outside of our control, could result in a subsequent ownership change under Section 382, that would impose an annual limitation on NOLs. In addition, the cash tax benefit from our NOLs is dependent upon our ability to generate sufficient taxable income. Accordingly, we may be unable to earn enough taxable income in order to fully utilize our current NOLs.
Changes in our provision for income taxes or adverse outcomes resulting from examination of our income tax returns could adversely affect our results.
We are subject to income taxation in the United States, Israel and numerous other jurisdictions. Determining our provision for income taxes requires significant management judgment. In addition, our provision for income taxes could be adversely affected by many factors, including, among other things, changes to our operating structure including a review of our intellectual property ("IP") structure, changes in the amounts of earnings in jurisdictions with different statutory tax rates, changes in the valuation of deferred tax assets and liabilities and changes in tax laws. Significant judgment is required to determine the recognition and measurement attributes prescribed in Accounting Standards Codification 740-10-25 (“ASC 740-10-25”). ASC 740-10-25 applies to all income tax positions, including the potential recovery of previously paid taxes, which if settled unfavorably could adversely impact our provision for income taxes. Our income in certain countries is subject to reduced tax rates provided we meet certain employment and capital investment criteria. Failure to meet these commitments could adversely impact our provision for income taxes.
We are also subject to the regular examination of our income tax returns by the U.S. Internal Revenue Services and other tax authorities in various jurisdictions. Tax authorities may disagree with our intercompany charges, cross-jurisdictional transfer pricing, IP structure or other matters and assess additional taxes. While we regularly assess the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of our provision for income taxes, there can be no assurance that the outcomes from these regular examinations will not have a material adverse effect on our results of operations and cash flows. Further, we may be audited in various jurisdictions, and such jurisdictions may assess additional taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially
different from our historical tax provisions and accruals, which could have a material adverse effect on our results of operations or cash flows in the period or periods for which a determination is made.
The adoption of the U.S. tax reform and the enactment of additional legislation changes could materially impact our financial position and results of operations.
On December 22, 2017, the Tax Cuts and Jobs Act (the "TCJA") that significantly reforms the Code was enacted. The TCJA, among other things, includes changes to U.S. federal tax rates, imposes significant additional limitations on the deductibility of certain expenses, restricts the use of net operating loss carryforwards arising after December 31, 2017, allows for the expensing of capital expenditures. Due to the expansion of our international business activities, any changes in the U.S. taxation of such activities may increase our worldwide effective tax rate and adversely affect our financial position and results of operations. Further, foreign governments may enact tax laws in response to the TCJA that could result in further changes to global taxation and materially affect our financial position and results of operations.
We conduct our operations in a number of jurisdictions worldwide and report our taxable income based on our business operations in those jurisdictions. Therefore, our intercompany relationships are subject to transfer pricing regulations administered by taxing authorities in various jurisdictions. While we believe that we are currently in material compliance with our obligations under applicable taxing regimes, the relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions and may seek to impose additional taxes on us, including for past sales. If such a disagreement were to occur, and our position were not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations.
The Organization for Economic Cooperation and Development (“OECD”) introduced the base erosion and profit shifting project which sets out a plan to address international taxation principles in a globalized, digitized business world (the “BEPS Plan”). During 2018, as part of the BEPS Plan, more than 80 countries chose to implement the Multilateral Convention to Implement Tax Treaty Related Measures to Prevent BEPS (“MLI”). The MLI significantly changes the bilateral tax treaties signed by any country that chose to implement the MLI. In addition, during 2019 the OECD, the EU and individual countries (e.g., France, Austria and Italy) each published an initiative to tax digital transactions executed by a non-resident entity and a local end-user or local end consumer. Under each initiative, the local payer is obligated to withhold a fixed percentage from the gross proceeds paid to the non-resident entity as a tax on executing a digital transaction in that territory, provided the entity’s sales in that territory exceeds a certain threshold (“Digital Service Tax”). As a result of participating countries adopting the international tax policies set under the BEPS Plan, MLI and Digital Service Tax, changes have been and continue to be made to numerous international tax principles and local tax regimes. Due to the expansion of our international business activities, those modifications may increase our worldwide effective tax rate, create tax and compliance obligations in jurisdictions in which we previously had none and adversely affect our financial position.
Risks Related to the 2025 Notes and Credit Facility
We have incurred substantial indebtedness that may decrease our business flexibility, access to capital, and/or increase our borrowing costs, and we may still incur substantially more debt, which may adversely affect our operations and financial results.
In May 2020 we issued $253.0 million aggregate principal amount of 1.25% convertible senior notes due in 2025 (the "2025 Notes"). As of December 31, 2020, we had $253.0 million outstanding aggregate principal amount of 2025 Notes. In addition, on August 21, 2020 we entered into a credit and security agreement with KeyBank National Association and other parties thereto (the “Credit and Security Agreement") for a three-year secured revolving credit facility of $70.0 million, with a letter of credit sublimit of $15.0 million and an accordion feature under which the Company can increase the credit facility to up to $90.0 million (the “Credit Facility”). As of December 31, 2020, we had no outstanding obligations under our credit facility. Our indebtedness may limit our ability to borrow additional funds for working capital, capital expenditures, acquisitions or other general business purposes, limit our ability to use our cash flow or obtain additional financing for future working capital, capital expenditures, acquisitions or other general business purposes, require us to use a substantial portion of our cash flow from operations to make debt service payments, limit our flexibility to plan for, or react to, changes in our business and industry, place us at a competitive disadvantage compared to our less leveraged competitors and increase our vulnerability to the impact of adverse economic and industry conditions.
Our debt obligations may adversely affect our ability to raise additional capital and will be a burden on our future cash resources, particularly if we elect to settle these obligations in cash upon conversion or upon maturity or required repurchase.
Our ability to meet our payment obligations under the 2025 Notes and any outstanding indebtedness under our Credit Facility, depends on our future cash flow performance. This, to some extent, is subject to general economic, financial, competitive, legislative and regulatory factors, as well as other factors that may be beyond our control. There can be no assurance that our business will generate positive cash flow from operations, or that additional capital will be available to us, in an amount sufficient to enable us to meet our debt payment obligations and to fund other liquidity needs. If we are unable to generate sufficient cash flow to service our debt obligations, we may need to refinance or restructure our debt, sell assets, reduce or delay capital investments, or seek to raise additional capital. Our ability to refinance our indebtedness will depend on the capital markets and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. As a result, we may be more vulnerable to economic downturns, less able to withstand competitive pressures and less flexible in responding to changing business and economic conditions. In addition, our Credit Facility limits our ability to incur additional indebtedness under certain circumstances. If we are unable to obtain capital on favorable terms or at all, we may have to reduce our operations or forego opportunities, and this may have a material adverse effect on our business, financial condition and results of operations.
Our credit facility contains restrictive and financial covenants that may limit our operating flexibility.
Our Credit Facility contains certain restrictive covenants that either limit our ability to, or require a mandatory prepayment in the event we, among other things, incur additional indebtedness, issue guarantees, create liens on assets, make certain investments, merge with or acquire other companies, change business locations, pay dividends or make certain other restricted payments, transfer or dispose of assets, enter into transactions with affiliates and enter into various specified transactions. We, therefore, may not be able to engage in any of the foregoing transactions unless we obtain the consent of our lenders or prepay the outstanding amount under our Credit Facility. Our Credit Facility also contains certain financial covenants and financial reporting requirements. Our obligations under our Credit Facility are secured by all of our property, with certain exceptions. We may not be able to generate sufficient cash flow or sales to meet the financial covenants or pay the principal and interest under our Credit Facility. Furthermore, future working capital, borrowings or equity financing could be unavailable to repay or refinance the amounts outstanding under our Credit Facility. In the event of a liquidation, all outstanding principal and interest would have to be repaid prior to distribution of assets to unsecured creditors, and the holders of our common stock would receive a portion of any liquidation proceeds only if all of our creditors, including our lenders, were first repaid in full.
If we are unable to comply with the restrictive and financial covenants in our Credit Facility, there would be a default under the terms of that Credit and Security Agreement, and this could result in an acceleration of payment of funds that have been borrowed.
If we were unable to comply with the restrictive, negative and financial covenants in our Credit Facility, there would be a default under the terms of the Credit and Security Agreement. In such event, there can be no assurance that we would be able to make necessary payments to the lenders or that we would be able to find alternative financing. Even if we were able to obtain alternative financing, there can be no assurance that it would be on terms that are acceptable.
We may issue additional shares of our common stock in connection with conversions of the 2025 Notes, and thereby dilute our existing stockholders and potentially adversely affect the market price of our common stock.
In the event that the 2025 Notes are converted and we elect to deliver shares of common stock, the ownership interests of existing stockholders will be diluted, and any sales in the public market of any shares of our common stock issuable upon such conversion could adversely affect the prevailing market price of our common stock. In addition, the anticipated conversion of the 2025 Notes could depress the market price of our common stock.
The fundamental change provisions of the 2025 Notes may delay or prevent an otherwise beneficial takeover attempt of us.
If the Company undergoes a “fundamental change”, subject to certain conditions, holders may require the Company to repurchase for cash all or part of their 2025 Notes at a fundamental change repurchase price equal to 100% of the principal amount of the 2025 Notes to be repurchased, plus accrued and unpaid interest to, but excluding, the fundamental change repurchase date. In addition, if such fundamental change also constitutes a “make-whole fundamental change”, the conversion rate for the 2025 Notes may be increased upon conversion of the 2025 Notes in connection with such “make-whole fundamental change”. Any increase in the conversion rate will be determined based on the date on which the “make-whole fundamental change” occurs or becomes effective and the price paid (or deemed paid) per share of our common stock in such transaction. Any such increase will be dilutive to our existing stockholders. Our obligation to repurchase the 2025 Notes or
increase the conversion rate upon the occurrence of a make-whole fundamental change may, in certain circumstances, delay or prevent a takeover of us that might otherwise be beneficial to our stockholders.
The accounting method for convertible debt securities that may be settled in cash, such as the 2025 Notes, could have a material effect on our reported financial results.
Under Accounting Standards Codification 470-20, “Debt with Conversion and Other Options” (ASC 470-20), an entity must separately account for the liability and equity components of the convertible debt instruments (such as the 2025 Notes) that may be settled entirely or partially in cash upon conversion in a manner that reflects the issuer’s economic interest cost. The effect of ASC 470-20 on the accounting for the 2025 Notes is that the equity component is required to be included in the additional paid-in capital section of stockholders’ equity on our consolidated balance sheet at the issuance date and the value of the equity component would be treated as debt discount for purposes of accounting for the debt component of the 2025 Notes. As a result, we will be required to record non-cash interest expense through the amortization of the excess of the face amount over the carrying amount of the expected life of the 2025 Notes. We will report larger net losses (or lower net income) in our financial results because ASC 470-20 requires interest to include both the amortization of the debt discount and the instrument’s cash coupon interest rate, which could adversely affect our reported or future financial results, the trading price of our common stock and the trading price of the 2025 Notes.
In addition, under certain circumstances, convertible debt instruments (such as the 2025 Notes) that may be settled entirely or partly in cash may be accounted for utilizing the treasury stock method, the effect of which is that the shares issuable upon conversion of such 2025 Notes are not included in the calculation of diluted earnings per share except to the extent that the conversion value of such 2025 Notes exceeds their principal amount. Under the treasury stock method, for diluted earnings per share purposes, the transaction is accounted for as if the number of shares of common stock that would be necessary to settle such excess, if we elected to settle such excess in shares, are included in the denominator for purposes of calculating diluted earnings per share.
In August 2020, the FASB issued ASU 2020-06, ASC Subtopic 470-20 “Debt—Debt with “ Conversion and Other Options” and ASC subtopic 815-40 “Hedging—Contracts in Entity’s Own Equity” that changes the accounting for the convertible debt instruments described above. Under the new standard, an entity may no longer separately account for the liability and equity components of convertible debt instruments. Additionally, the treasury stock method for calculating earnings per share will no longer be allowed for convertible debt instruments whose principal amount may be settled using shares. Rather, the if-converted method may be required. Application of the “if converted” method may reduce our reported diluted earnings per share. The standard is effective for fiscal years beginning after December 15, 2021, including interim periods within those fiscal years and early adoption is permitted. We cannot be sure whether other changes may be made to the accounting standards related to the 2025 Notes, or otherwise, that could have an adverse impact on our financial statements.
The Capped Call Transactions may affect the value of the 2025 Notes and our common stock.
In connection with the issuance of the 2025 Notes, we entered into Capped Call Transactions with certain financial institutions. The Capped Call Transactions are expected generally to reduce or offset the potential dilution upon conversion of the 2025 Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted 2025 Notes, as the case may be, with such reduction and/or offset subject to an initial cap price of $141.72 (the "Cap Price"), subject to certain adjustments under the terms of the Capped Call Transactions.
From time to time, certain financial institutions (with which we entered into the Capped Call Transactions) or their respective affiliates may modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions prior to the maturity of the 2025 Notes. This activity could also cause or avoid an increase or a decrease in the market price of our common stock.
The potential effect, if any, of these transactions and activities on the price of our common stock or 2025 Notes will depend in part on market conditions and cannot be ascertained at this time. Any of these activities could adversely affect the value of our common stock.
As of December 31, 2020, our stock price was higher than the Cap Price under the Capped Call Transactions, hence, as of December 31, 2020, and as long as our common stock price shall be higher than $141.72, the incremental amount by which the stock price exceeds the Cap Price is not protected under the Capped Call Transactions.
We are subject to counterparty risk with respect to the Capped Call Transactions.
All or some of the financial institutions (which are counterparties to the capped call transactions) might default under the Capped Call Transactions. Our exposure to the credit risk of the counterparties will not be secured by any collateral. Past global economic conditions have resulted in the actual or perceived failure or financial difficulties of many financial institutions. If an option counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings with a claim equal to our exposure at the time under the capped call transactions with such option counterparty. Our exposure will depend on many factors but, generally, an increase in our exposure will be correlated to an increase in the market price and in the volatility of our common stock. In addition, upon a default by an option counterparty, we may suffer adverse tax consequences and more dilution than we currently anticipate with respect to our common stock. We can provide no assurance as to the financial stability or viability of the option counterparties.
Risks Related to our Operations in Israel
Conditions in Israel may limit our ability to develop and sell our products, which could result in a decrease of our revenues.
Our principal research and development facility, which also houses a portion of our support and general and administrative teams, is located in Israel. Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its neighboring countries, as well as incidents of terror activities and other hostilities, and a number of state and non-state actors have publicly committed to its destruction. Political, economic and security conditions in Israel could directly affect our operations. We could be adversely affected by hostilities involving Israel, including acts of terrorism or any other hostilities involving or threatening Israel, the interruption or curtailment of trade between Israel and its trading partners, a significant increase in inflation or a significant downturn in the economic or financial condition of Israel. Any on-going or future armed conflicts, terrorist activities, tension along the Israeli borders or with other countries in the region, including Iran, or political instability in the region could disrupt international trading activities in Israel and may materially and negatively affect our business and could harm our results of operations.
Certain countries, as well as certain companies and organizations, continue to participate in a boycott of Israeli companies, companies with large Israeli operations and others doing business with Israel and Israeli companies. The boycott, restrictive laws, policies or practices directed towards Israel, Israeli businesses or Israeli citizens could, individually or in the aggregate, have a material adverse effect on our business in the future.
Some of our officers and employees in Israel are obligated to perform routine military reserve duty in the Israel Defense Forces, depending on their age and position in the armed forces. Furthermore, they have been and may in the future be called to active reserve duty at any time under emergency circumstances for extended periods of time. Our operations could be disrupted by the absence, for a significant period, of one or more of our officers or key employees due to military service, and any significant disruption in our operations could harm our business.
Our insurance does not cover losses that may occur as a result of an event associated with the security situation in the Middle East or for any resulting disruption in our operations. Although the Israeli government has in the past covered the reinstatement value of direct damages that were caused by terrorist attacks or acts of war, we cannot be assured that this government coverage will be maintained or, if maintained, will be sufficient to compensate us fully for damages incurred and the government may cease providing such coverage or the coverage might not suffice to cover potential damages. Any losses or damages incurred by us could have a material adverse effect on our business.
The tax benefits that were available to our Israeli subsidiary terminated in 2020 and unless new tax benefits become available in the future, our Israeli subsidiary could become subject to an increase in taxes.
Our Israeli subsidiary has benefited from a status of a “Beneficiary Enterprise” under the Israeli Law for the Encouragement of Capital Investments, 5719-1959, or the Investment Law, since its incorporation. Based on an evaluation of the relevant factors under the Investment Law, including the level of foreign (i.e., non-Israeli) investment in our company, we have determined that the effective tax rate to be paid by our Israeli subsidiary as a “Beneficiary Enterprise” has historically been approximately 10%. If our Israeli subsidiary does not meet the requirements for maintaining this status, for example, if the Israeli subsidiary materially changes the nature of its business or, if the level of foreign investment in our company decreases, it may no longer be eligible to enjoy this or any other reduced tax rate. As a result, our Israeli subsidiary would be subject to Israeli corporate tax at the standard rate, which, as of January 1, 2021 was set at 23%. Even if our Israeli subsidiary continues to meet the relevant requirements, the tax benefits that the status of “Beneficiary Enterprise” provides terminated on December 31, 2020 with respect to income generated after that date. Unless new tax benefits become available to us, the amount of taxes that our Israeli subsidiary would pay would increase, as all of our Israeli operations would consequently be subject to corporate tax at the
standard rate, which could adversely affect our tax expenses and effective tax rates. Additionally, if our Israeli subsidiary increases its activities outside of Israel, for example, through acquisitions, these activities may not be eligible for inclusion in Israeli tax benefit programs. The tax benefit derived from the status of “Beneficiary Enterprise” is dependent upon the ability to generate sufficient taxable income. Accordingly, our Israeli subsidiary may be unable to earn enough taxable income in order to fully utilize its tax benefits.
Risks Related to the Ownership of our Common Stock
Substantial future sales of shares of our common stock could cause the market price of our common stock to decline.
Sales of a substantial number of shares of our common stock into the public market, or the perception that these sales might occur, for whatever reason, including as a result of the conversion of the outstanding 2025 Notes, could depress the market price of our common stock and could impair our ability to raise capital through the sale of additional equity securities. We are unable to predict the effect that such sales may have on the prevailing market price of our common stock.
As of December 31, 2020, we had options, restricted stock units (“RSUs”) and performance stock units ("PSUs") outstanding that, if fully vested and exercised, would result in the issuance of approximately 3.1 million shares of our common stock. All of the shares of our common stock issuable upon exercise of options and vesting of RSUs and PSUs have been registered for public resale under the Securities Act. Accordingly, these shares will be able to be freely sold in the public market upon issuance as permitted by any applicable vesting requirements.
We do not intend to pay dividends on our common stock, so any returns will be limited to the value of our stock.
We have never declared or paid cash dividends on our common stock. We currently anticipate that we will retain any future earnings and do not expect to pay any dividends in the foreseeable future. Any determination to pay dividends in the future will be at the discretion of our board of directors and will be dependent on a number of factors, including our financial condition, results of operations, capital requirements, general business conditions and other factors that our board of directors may deem relevant. In addition, the Credit and Security Agreement for our Credit Facility contains a prohibition on the payment of cash dividends. Until such time that we pay a dividend, stockholders, including holders of our 2025 Notes who receive shares of our common stock upon conversion of the 2025 Notes, must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments. Accordingly, investors must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.
Anti-takeover provisions in our charter documents and under Delaware law and provisions in the indenture for our 2025 Notes and Credit Facility could make an acquisition of us, which may be beneficial to our stockholders, more difficult and may prevent attempts by our stockholders to replace or remove our current management, thereby depressing the trading price of our common stock and 2025 Notes.
Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may delay, discourage or prevent an acquisition of us or a change in our management, including transactions in which stockholders might otherwise receive a premium for their shares, or transactions that our stockholders might otherwise deem to be in their best interests. These provisions include:
•authorizing “blank check” preferred stock, which could be issued by the board without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and could thwart a takeover attempt;
•a classified board of directors whose members can only be dismissed for cause;
•the prohibition on actions by written consent of our stockholders;
•the limitation on who may call a special meeting of stockholders;
•the establishment of advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon at stockholder meetings; and
•the requirement of at least 75% of the outstanding capital stock to amend any of the foregoing second through fifth provisions.
In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which limits the ability of stockholders owning in excess of 15% of our outstanding voting stock to merge or combine with us, unless the merger or combination is approved in a prescribed manner. Although we believe these provisions collectively provide for an opportunity to obtain greater value for stockholders by requiring potential acquirers to
negotiate with our board of directors, they would apply even if an offer rejected by our board were considered beneficial by some stockholders. In addition, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, which is responsible for appointing the members of our management.
In addition, if a “fundamental change” occurs prior to the maturity date of the 2025 Notes, holders of the 2025 Notes will have the right, at their option, to require us to repurchase all or a portion of their Convertible Notes. If a “make-whole fundamental change” (as defined in the Indenture) occurs prior the maturity date, we will in some cases be required to increase the conversion rate of the 2025 Notes for a holder that elects to convert its 2025 Notes in connection with such “make-whole fundamental change”. These features of the 2025 Notes may make a potential acquisition more expensive for a potential acquiror, which may in turn make it less likely for a potential acquiror to offer to purchase our company, or reduce the amount of consideration offered for each share of our common stock in a potential acquisition. Furthermore, the Indenture prohibits us from engaging in certain mergers or acquisitions unless, among other things, the surviving entity assumes our obligations under the 2025 Notes. Last, under our Credit Facility we cannot sell or transfer or otherwise dispose of any assets of the Company to any person or entity subject to certain exceptions and we cannot merge, amalgamate or consolidate with any other entity.
General Risks Factors
Failure to protect our proprietary technology and intellectual property rights could substantially harm our business.
The success of our business and competitive position depends on our ability to obtain, protect and enforce our trade secrets, trademarks, copyrights, patents and other intellectual property rights. We attempt to protect our intellectual property under patent, trademark, copyrights and trade secret laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection.protection and may not now or in the future provide us with a competitive advantage.
As of January 31, 2020,29, 2021, we had 6974 issued patents in the United States and 3128 pending U.S. patent applications. We also had 3541 patents issued and 7163 applications pending for examination in non-U.S. jurisdictions, and twothree pending PCT patent applications, all of which are counterparts of our U.S. patent applications. We may file additional patent applications in the future. The process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner all the way through to the successful issuance of a patent. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions. Furthermore, it is possible that our patent applications may not issue as granted patents, that the scope of our issued patents will be insufficient or not have the coverage originally sought, that our issued patents will not provide us with any competitive advantages, and that our patents and other intellectual property rights may be challenged by others or invalidated through administrative process or litigation. In addition, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. Our policy is to require our employees (and our consultants and service providers that develop intellectual property included in our products) to execute written agreements in which they assign to us their rights in potential inventions and other intellectual property created within the scope of their employment (or, with respect to consultants and service providers, their engagement to develop such intellectual property), but we cannot assure youprovide assurance that we have adequately protected our rights in every such agreement or that we have executed an agreement with every such party. Finally, in order to benefit from patent and other intellectual property protection, we must monitor, detect and pursue infringement claims in certain circumstances in relevant jurisdictions, all of which is costly and time-consuming. As a result, we may not be able to obtain adequate protection or to enforce our issued patents or other intellectual property effectively.
In addition to patented technology, we rely on our unpatented proprietary technology and trade secrets. Despite our efforts to protect our proprietary technologies and our intellectual property rights, unauthorized parties, including our employees, consultants, service providers or customers, may attempt to copy aspects of our products or obtain and use our trade secrets or other confidential information. We generally enter into confidentiality agreements with our employees, consultants, service providers, vendors, channel partners and customers, and generally limit access to and distribution of our proprietary information and proprietary technology through certain procedural safeguards. These agreements may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology. We cannot provide assurance that the steps taken by us will prevent misappropriation of our trade secrets or technology or infringement of our intellectual property. In addition, the laws of some foreign countries where we operate do not protect our proprietary rights to as great an extent as the laws of the United States, and many foreign countries do not enforce these laws as diligently as government agencies and private parties in the United States.
Moreover, industries in which we operate, such as data security, cybersecurity, compliance, data retention and data governance are characterized by the existence of a large number of relevant patents and frequent claims and related litigation regarding patent and other intellectual property rights. From time to time, third parties have asserted and may assert their patent, copyright, trademark and other intellectual property rights against us, our channel partners or our customers. Successful claims of infringement or misappropriation by a third party could prevent us from distributing certain products, performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us to cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others or to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology. Even if third parties may offer a license to their technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely affected. In some cases, we indemnify our channel partners and customers against claims that our products infringe the intellectual property of third parties. Defending against claims of infringement or being deemed to be infringing the intellectual property rights of others could impair our ability to innovate, develop, distribute and sell our current and planned products and services. If we are unable to protect our intellectual property rights and ensure that we are not violating the intellectual property rights of others, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and effort required to create the innovative products that have enabled us to be successful to date.
We may face increased competition in our market.
While there are some companies which offer certain features similar to those embedded in our solutions, as well as others with whom we compete in certain tactical use cases, we believe that we do not currently compete with a company that offershave registered the same breadth of functionalities that we offer in a single integrated solution. Nevertheless, we do compete against a select group of software vendors, such as Veritas Technologies LLC“Varonis” name and Quest Software that provide standalone solutions, similar to those found in our comprehensive software suite,logo and “DatAdvantage”, “DataPrivilege”, “DatAlert”, “DatAnywhere” and other names in the specific marketsUnited States and, as related to some of these names, certain other countries. However, we cannot provide assurance that any future trademark registrations will be issued for pending or future applications or that any registered trademarks will be enforceable or provide adequate protection of our proprietary rights.
We also license software from third parties for integration into our solution, including open source software and other software available on commercially reasonable terms. We cannot provide assurance that such third parties will maintain such software or continue to make it available. We also rely on confidentiality agreements, consulting agreements, work-for-hire agreements and invention assignment agreements with our employees, consultants and others.
Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. In addition, others may independently discover our trade secrets, in which case we operate. We also face direct competition with respect to certain of our products, specifically Data Transport Engine, DatAnswers and DatAdvantage for Directory Services. As we continue to augment our functionality with insider threat detection and user behavior analytics and as we expand our classification capabilities to better serve compliance needs with new regulations, like GDPR and other data privacy laws, we may face increased perceived and real competition from other security and classification technologies. As we expand our coverage and penetration in the cloud, we may face increased perceived and real competition from other cloud-focused technologies. In the future, as customer requirements evolve and new technologies are introduced, we may experience increased competition if established or emerging companies develop solutions that address the enterprise data market. Furthermore, because we operate in a relatively new and evolving area, we anticipate that competition will increase based on customer demand for these types of products.
In particular, if a more established company were to target our market, we may face significant competition. They may have competitive advantages, such as greater name recognition, larger sales, marketing, research and acquisition resources, access to larger customer bases and channel partners, a longer operating history and lower labor and development costs, which may enable them to respond more quickly to new or emerging technologies and changes in customer requirements or devote greater resources to the development, promotion and sale of their products than we do. Increased competition could result in us failing to attract customers or maintain licenses at the same rate. It could also lead to price cuts, alternative pricing structures or the introduction of products available for free or a nominal price, reduced gross margins, longer sales cycles and loss of market share.
In addition, our current or prospective channel partners may establish cooperative relationships with any future competitors. These relationships may allow future competitors to rapidly gain significant market share. These developments could also limit our ability to obtain revenues from existing and new customers.
Our ability to compete successfully in our market will also depend on a number of factors, including ease and speed of product deployment and use, the quality and reliability of our customer service and support, total cost of ownership, return on investment and brand recognition. Any failure by us to successfully address current or future competition in any one of these or other areas may reduce the demand for our products and adversely affect our business, results of operations and financial condition.
Interruptions or performance problems, including associated with our website or support website or any caused by cyberattacks, may adversely affect our business.
Our continued growth depends in part on the ability of our existing and potential customers to quickly access our website and support website. Access to our support website is also imperative to our daily operations and interaction with customers, as it allows customers to download our software, fixes and patches, as well as open and respond to support tickets and register license keys for evaluation or production purposes. We have experienced, and may in the future experience, website disruptions, outages and other performance problems due to a variety of factors, including technical failures, cyberattacks, natural disasters, infrastructure changes, human or software errors, capacity constraints due to an overwhelming number of users accessing our website simultaneously and denial of service or fraud. In some instances, we maywould not be able to identifyassert trade secret rights or develop similar technologies and processes. Further, the causecontractual provisions that we enter into may not prevent unauthorized use or causes of these website performance problems within an acceptable period of time. It may become increasingly difficult to maintain and improve the performancedisclosure of our websites, especially during peak usage timesproprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as our software becomes more complexprotective of intellectual property rights as those in the United States and our user traffic increases. If our websites are unavailable or if our users arewhere mechanisms for enforcement of intellectual property rights may be weak. We may be unable to downloaddetermine the extent of any unauthorized use or infringement of our software, patchessolution, technologies or fixes within a reasonable amount of time or at all, we may suffer reputational harm and our business would be negatively affected.intellectual property rights.
Real or perceived errors, failures or bugs in our software could adversely affect our growth prospects.
Because our software uses complex technology, undetected errors, failures or bugs may occur. Our software is often installed and used in a variety of computing environments with different operating system management software, and equipment and networking configurations, which may cause errors or failures of our software or other aspects of the computing environment into which it is deployed. In addition, deployment of our software into computing environments may expose undetected errors, compatibility issues, failures or bugs in our software. Despite testing by us, errors, failures or bugs may not be found in our software until it is released to our customers. Moreover, our customers could incorrectly implement or inadvertently misuse our software, which could result in customer dissatisfaction and adversely impact the perceived utility of our products as well as our brand. Any of these real or perceived errors, compatibility issues, failures or bugs in our software could result in negative publicity, reputational harm, loss of or delay in market acceptance of our software, loss of competitive position or claims by customers for losses sustained by them. In such an event, we may be required, or may choose, for customer relations or other reasons, to expend additional resources in order to help correct the problem.
If Alleviating any of these problems could require significant expenditures of our software is perceived as not being secure, customers may reducecapital and other resources and could cause interruptions or delays in the use of or stop using our software, and we may incur significant liabilities.
Our software involves the transmission of data between data stores, and between data stores and desktop and mobile computers, and may in the future involve the storage of data. Any security breaches with respect to such data could result in the loss of this information, litigation, indemnity obligations and other liabilities. While we have taken steps to protect the confidential information that we have access to, including confidential information we may obtain through our customer support services or customer usage of our products, we have no direct control over the substance of the content. Therefore, if customers use our software for the transmission of personally identifiable information and our security measures are breached as a result of third-party action, employee error, malfeasance or otherwise, our reputation could be damaged, our business may suffer and we could incur significant liability. Because techniques used to obtain unauthorized access or sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. While we maintain insurance coverage for some of the above events, the potential liabilities associated with these events could exceed the insurance coverage we maintain. Any or all of these issues could tarnish our reputation, negatively impact our ability to attract new customers or sell additional products to our existing customers, cause existing customers to elect not to renew their maintenance and support agreements or subject us to third-party lawsuits, regulatory fines or other action or liability, thereby adversely affecting our results of operations.
We are subject to a number of legal requirements, contractual obligations and industry standards regarding security, data protection and privacy, and any failure to comply with these requirements, obligations or standards could have an adverse effect on our reputation, business, financial condition and operating results.
Privacy and data information security have become a significant issue in the United States and in many other countries where we have employees and operations and where we offer licenses to our products. The regulatory framework for privacy and personal information security issues worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. The U.S. federal and various state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations limiting, or laws and regulations regarding, the collection, distribution, use, disclosure, storage and security of personal information. For example, California recently enacted the CCPA, which went into effect on January 1, 2020, that requires, among other things, covered companies to provide new disclosures to California consumers and afford such consumers new abilities to opt-out of certain sales of personal information.
Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. Laws and regulations in these jurisdictions apply broadly to the collection, use, storage, disclosure and security of data that identifies or may be used to identify or locate an individual, such as names, email addresses and, in some jurisdictions, Internet Protocol addresses. These laws and regulations often are more restrictive than those in the United States and are rapidly evolving. For example, the EU data protection regime, the GDPR became enforceable on May 25, 2018. Additionally, the United Kingdom enacted legislation in May 2018 that substantially implements the GDPR, but the United Kingdom’s exit from the EU (which formally occurred on January 31, 2020), commonly referred to as “Brexit," has created uncertainty with regard to the regulation of data protection in the United Kingdom. In particular, it is unclear how data transfers to and from the United Kingdom will be regulated following Brexit. Complying with the GDPR or other laws, regulations or other obligations relating to privacy, data protection or information security may cause us to incur substantial operational costs or require us to modify our data handling practices. Non-compliance could result in proceedings against us by governmental entities or others, could result in substantial fines or other liability and may otherwise adversely impact our business, financial condition and operating results.
Some statutory requirements, both in the United States and abroad, include obligations of companies to notify individuals of security breaches involving particular personal information,solutions, which could result from breaches experienced by us or our service providers. Even though we may have contractual protections with our service providers, a security breach could impact our reputation, harm our customer confidence, hurt our sales or cause us to lose existing or potential customers and could expose us to potential liability or require us to expend significant resources on data security and in responding to such breach.
In addition to government regulation, privacy advocates and industry groups may propose new and different self-regulatory standards that either legally or contractually apply to us. We also expect that there will continue to be new proposed laws and regulations concerning privacy, data protection and information security, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. New laws, amendments to or re-interpretations of existing laws and regulations, industry standards, contractual obligations and other obligations may require us to incur additional costs and restrict our business operations. Because the interpretation and application of laws and other obligations relating to privacy and data protection are still uncertain, it is possible that these laws and other obligations may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our software. If so, in addition to the
possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our software, which could have an adverse effect on our business. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new features could be limited. Any inability to adequately address privacy concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business.operating results and growth prospect.
Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our products. Privacy and personal information security concerns, whether valid or not valid, may inhibit market adoption of our products particularly in certain industries and foreign countries.
Our long-term growth depends, in part, on being able to continue to expand internationally on a profitable basis, which subjects us to risks associated with conducting international operations.
Historically, we have generated athe majority of our revenues from customers in North America. For the year ended December 31, 2019,2020, approximately 70% of our total revenues were derived from sales in North America. Nevertheless, we have operations across the globe, and we plan to continue to expand our international operations as part of our long-term growth strategy. The further expansion of our international operations will subject us to a variety of risks and challenges, including:
•sales and customer service challenges associated with operating in different countries;
•increased management travel, a lack of travel due to pandemics, infrastructure and legal compliance costs associated with having multiple international operations;
•difficulties in receiving payments from different geographies, including difficulties associated with currency fluctuations, payment cycles, transfer of funds or collecting accounts receivable, especially in emerging markets;
•variations in economic or political conditions between each country or region;
•economic uncertainty around the world and adverse effects arising from economic interdependencies across countries and regions;
•the uncertainty around the effects of global pandemics, including the COVID-19 outbreak, on our business and results of operations;
•uncertainty around a potential reverse or renegotiation of international trade agreements and partnerships under the administration of U.S. President Donald J. Trump;partnerships;
•the continued economic and legal uncertainty around how Brexit will impact the United Kingdom’s access to the EU Single Market, the related regulatory environment, the global economy and the resulting impact on our business;
•compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;
•ability to hire, retain and train local employees and the ability to comply with foreign labor laws and local labor requirements, such as representations by an internal labor committee in France which is affiliated with an external trade union and the applicability of collective bargaining arrangements at the national level in certain European countries;
•compliance with laws and regulations for foreign operations, including the U.S. Foreign Corrupt Practices Act of 1977, or the FCPA, the U.K.UK Bribery Act, of 2010, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our software in certain foreign markets, and the risks and costs of non-compliance;
•heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of financial statements and irregularities in financial statements;
•reduced protection for intellectual property rights in certain countries and practical difficulties and costs of enforcing rights abroad; and
•compliance with the laws of numerous foreign taxing jurisdictions and overlapping of different tax regimes.regimes and digital tax imposed on our operations in foreign taxing jurisdictions.
Any of these risks could adversely affect our international operations, reduce our revenues from outside the United States or increase our operating costs, adversely affecting our business, results of operations and financial condition and growth prospects. There can be no assurance that all of our employees, independent contractors and channel partners will comply with the formal policies we have and will implement, or applicable laws and regulations. Violations of laws or key control policies by our employees, independent contractors and channel partners could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our software and services and could have a material adverse effect on our business and results of operations.
If currency exchange rates fluctuate substantially in the future, our results of operations, which are reported in U.S. dollars, could be adversely affected.
Our functional and reporting currency is the U.S. dollar, and we generate a majority of our revenues and incur a majority of our expenses in U.S. dollars. Revenues and expenses are also incurred in other currencies, primarily Euros, Pounds Sterling, Canadian dollars, Australian dollars and New Israeli Shekels ("NIS"). Accordingly, changes in exchange rates may have a material adverse effect on our business, results of operations and financial condition. The exchange rates between the U.S. dollar and foreign currencies have fluctuated substantially in recent years and may continue to fluctuate substantially in the future. Furthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our software and our subscription licenses and maintenance renewals to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows. Volatility in exchange rates may continue in the short term after the United Kingdom's recent exit from the EU. Although the United Kingdom has passed legislation regarding the immediate impact of Brexit, it is still unclear what terms, if any, may be agreed within the United Kingdom and between the United Kingdom and other countries on many aspects of fiscal policy, cross-border trade and international relations, both in the final outcome and for any transitional period. The United Kingdom's withdrawal from the EU, as well as other member countries' public discussions about the possibility of withdrawing from the EU, may also create global economic and legal uncertainty, which may impact, among other things, the demand for our products.
We incur expenses for employee compensation and other operating expenses at our non-U.S. locations in local currencies. The weakening of the U.S. dollar against such currencies would cause the U.S. dollar equivalent of such expenses to increase which could have a negative impact on our reported results of operations. We use forward foreign exchange contracts to hedge or mitigate the effect of changes in foreign exchange rates on our operating expenses denominated in certain foreign currencies. However, this strategy might not eliminate our exposure to foreign exchange rate fluctuations and involves costs and risks of its own, such as cash expenditures, ongoing management time and expertise, external costs to implement the strategy and potential accounting implications. Additionally, our hedging activities may contribute to increased losses as a result of volatility in foreign currency markets and the difference between the interest rates of the currencies being hedged.
We are exposed to collection and credit risks, which could impact our operating results.
Our accounts receivable and contract assets are subject to collection and credit risks. These assets may include upfront purchase commitments for multiple years of subscription-based software licenses and maintenance services, which may be invoiced over multiple reporting periods increasing these risks. For example, our operating results may be impacted by significant bankruptcies among customers, which could negatively impact our revenues and cash flows. Although we have processes in place that are designed to monitor and mitigate these risks, we cannot guarantee these programs will be effective. If we are unable to adequately control these risks, our business, operating results and financial condition could be harmed.
Our use of open source software could negatively affect our ability to sell our software and subject us to possible litigation.
We use open source software and expect to continue to use open source software in the future. Some open source software licenses require users who distribute open source software as part of their own software product to publicly disclose all or part of the source code to such software product or to make available any derivative works of the open source code on unfavorable terms or at no cost. We may face ownership claims of third parties over, or seeking to enforce the license terms applicable to, such open source software, including by demanding the release of the open source software, derivative works or our proprietary source code that was developed using such software. These claims could also result in litigation, require us to purchase a costly license or require us to devote additional research and development resources to change our software, any of which would have a negative effect on our business and results of operations. In addition, if the license terms for the open source code change, we may be forced to re-engineer our software or incur additional costs. Finally, we cannot assure you that we have incorporated open source software into our own software in a manner that conforms with our current policies and procedures.
Our business is highly dependent upon our brand recognition and reputation, and the failure to maintain or enhance our brand recognition or reputation may adversely affect our business.
We believe that enhancing the “Varonis” brand identity and maintaining our reputation in the information technology industry is critical to our relationships with our customers and to our ability to attract new customers. Our brand recognition and reputation is dependent upon:
our ability to continue to offer high-quality, innovative and error- and bug-free products;
our ability to maintain customer satisfaction with our products;
our ability to be responsive to customer concerns and provide high quality customer support, training and professional services;
our marketing efforts;
any misuse or perceived misuse of our products;
positive or negative publicity;
interruptions, delays or attacks on our website; and
litigation or regulatory-related developments.
We may not be able to successfully promote our brand or maintain our reputation. In addition, independent industry analysts often provide reviews of our products, as well as other products available in the market, and perception of our product in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive than reviews about other products available in the market, our brand may be adversely affected. Furthermore, negative publicity relating to events or activities attributed to us, our employees, our channel partners or others associated with any of these parties, may tarnish our reputation and reduce the value of our brand. Damage to our reputation and loss of brand equity may reduce demand for our products and have an adverse effect on our business, results of operations and financial condition. Any attempts to rebuild our reputation and restore the value of our brand may be costly and time consuming, and such efforts may not ultimately be successful.
Moreover, it may be difficult to enhance our brand and maintain our reputation in connection with sales to channel partners. Promoting our brand requires us to make significant expenditures, and we anticipate that the expenditures will increase as our market becomes more competitive, as we expand into new markets and geographies and as more sales are generated to our channel partners. To the extent that these activities yield increased revenues, these revenues may not offset the increased expenses we incur. If we do not successfully enhance our brand and maintain our reputation, our business may not grow, we may have reduced pricing power relative to competitors with stronger brands, and we could lose customers, all of which would adversely affect our business, operations and financial results.
False detection of security breaches, false identification of malicious sources or misidentification of sensitive or regulated information could adversely affect our business.
Our cybersecurity products may falsely detect threats that do not actually exist. For example, our DatAlert product may enrich metadata collected by our products with information from external sources and third-party data providers. If the information from these data providers is inaccurate, the potential for false positives increases. These false positives, while typical in the industry, may affect the perceived reliability of our products and solutions and may therefore adversely impact market acceptance of our products. As definitions and instantiations of personal identifiers and other sensitive content change, automated classification technologies may falsely identify or fail to identify data as sensitive. If our products and solutions fail to detect exposures or restrict access to important systems, files or applications based on falsely identifying legitimate use as an attack or otherwise unauthorized, then our customers’ businesses could be adversely affected. Any such false identification of use and subsequent restriction could result in negative publicity, loss of customers and sales, increased costs to remedy any problem and costly litigation.
Our success depends in part on maintaining and increasing our sales to customers in the public sector.
We derive a portion of our revenues from contracts with federal, state, local and foreign governments and government-owned or -controlled entities (such as public health care bodies, educational institutions and utilities), which we refer to as the public sector herein. We believe that the success and growth of our business will continue to depend on our successful procurement of public sector contracts. Selling to public sector entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that our efforts will produce any sales. Factors that could impede our ability to maintain or increase the amount of revenues derived from public sector contracts include:
changes in public sector fiscal or contracting policies;
decreases in available public sector funding;
changes in public sector programs or applicable requirements;
the adoption of new laws or regulations or changes to existing laws or regulations;
potential delays or changes in the public sector appropriations or other funding authorization processes;
the requirement of contractual terms that are unfavorable to us, such as most-favored-nation pricing provisions; and
delays in the payment of our invoices by public sector payment offices.
Furthermore, we must comply with laws and regulations relating to public sector contracting, which affect how we and our channel partners do business in both the United States and abroad. These laws and regulations may impose added costs on our business, and failure to comply with these or other applicable regulations and requirements, including non-compliance in the past, could lead to claims for damages from our channel partners, penalties, termination of contracts, and temporary suspension or permanent debarment from public sector contracting.
The occurrence of any of the foregoing could cause public sector customers to delay or refrain from purchasing licenses of our software in the future or otherwise have an adverse effect on our business, operations and financial results.
We are subject to governmental export and import controls that could subject us to liability or impair our ability to compete in international markets.
We incorporate encryption technology into certain of our products and these products are subject to U.S. export control. We are also subject to Israeli export controls on encryption technology since our product development initiatives are primarily conducted by our wholly-owned Israeli subsidiary. We have obtained the required licenses to export our products outside of the United States. In addition, the current encryption means used in our products are listed in the “free means encryption items” published by the Israeli Ministry of Defense, which means we are exempt from obtaining an encryption control license. If the applicable U.S. or Israeli legal requirements regarding the export of encryption technology were to change or if we change the encryption means in our products, we may need to apply for new licenses in the United States and may no longer be able to rely on our licensing exception in Israel. There can be no assurance that we will be able to obtain the required licenses under these circumstances. Furthermore, various other countries regulate the import of certain encryption technology, including import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries.
We are also subject to U.S. and Israeli export control and economic sanctions laws, which prohibit the shipment of certain products to embargoed or sanctioned countries, governments and persons. Our products could be exported to these sanctioned targets by our channel partners despite the contractual undertakings they have given us and any such export could have negative consequences, including government investigations, penalties and reputational harm. Moreover, the Trump Administration may create further uncertainty regarding export or import regulations, economic sanctions or related legislation. It remains unclear what specifically President Trump would or would not do with respect to the initiatives he has raised and what support he would have to implement any such potential changes. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Any decreased use of our products or limitation on our ability to export or sell our products would likely adversely affect our business, financial condition and results of operations.
Our business in countries with a history of corruption and transactions with foreign governments increase the risks associated with our international activities.
As we operate and sell internationally, we are subject to the FCPA and other laws that prohibit improper payments or offers of payments to foreign governments and their officials and political parties for the purpose of obtaining or retaining business. We have operations, deal with and make sales to governmental customers in countries known to experience corruption, particularly certain emerging countries in Eastern Europe, South and Central America, East Asia, Africa and the Middle East. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees, consultants, channel partners or sales agents that could be in violation of various anti-corruption laws, even though these parties may not be under our control. While we have implemented safeguards to prevent these practices by our employees, consultants, channel partners and sales agents, our existing safeguards and any future improvements may prove to be less than effective, and our employees, consultants, channel partners or sales agents may engage in conduct for which we might be held responsible. Violations of the FCPA or other anti-corruption laws may result in severe criminal or civil sanctions, including suspension or debarment from government contracting, and we may be subject to other liabilities, which could negatively affect our business, operating results and financial condition.
Our tax rate may vary significantly depending on our stock price.
The tax effects of the accounting for stock-based compensation may significantly impact our effective tax rate from period to period. In periods in which our stock price is higher than the grant price of the stock-based compensation vesting in that period, we will recognize excess tax benefits that will decrease our effective tax rate. In future periods in which our stock price is lower than the grant price of the stock-based compensation vesting in that period, our effective tax rate may increase. The amount and value of stock-based compensation issued relative to our earnings in a particular period will also affect the magnitude of the impact of stock-based compensation on our effective tax rate. These tax effects are dependent on our stock price, which we do not control, and a decline in our stock price could significantly increase our effective tax rate and adversely affect our financial results.
Multiple factors may adversely affect our ability to fully utilize our net operating loss carryforwards.
A U.S. corporation's ability to utilize its federal net operating loss (“NOL”) carryforwards is limited under Section 382 of the Internal Revenue Code of 1986, as amended (the “Code”), if the corporation undergoes an ownership change. We performed a Section 382 analysis (the “Analysis”) which concluded that our ability to utilize our NOL and tax credit carryforwards is subject to an annual limitation, as we underwent a section 382 ownership change during 2017. The Analysis further concluded that our NOL carryforwards should be available for our utilization before they expire. As of December 31, 2017, our NOL carryforwards were $22.9 million.
Since January 1, 2018, we generated additional NOLs, which are not subject to the annual limitation described above. Future changes in our stock ownership, including future offerings, as well as changes that may be outside of our control, could result in a subsequent ownership change under Section 382 of the Internal Revenue Code of 1986, as amended (the "Code"), that would impose an annual limitation on NOLs generated after December 31, 2017. In addition, the cash tax benefit from our NOLs is dependent upon our ability to generate sufficient taxable income. Accordingly, we may be unable to earn enough taxable income in order to fully utilize our current NOLs.
Changes in our provision for income taxes or adverse outcomes resulting from examination of our income tax returns could adversely affect our results.
We are subject to income taxation in the United States, Israel and numerous other jurisdictions. Determining our provision for income taxes requires significant management judgment. In addition, our provision for income taxes could be adversely affected by many factors, including, among other things, changes to our operating structure, changes in the amounts of earnings in jurisdictions with different statutory tax rates, changes in the valuation of deferred tax assets and liabilities and changes in tax laws. Significant judgment is required to determine the recognition and measurement attributes prescribed in Accounting Standards Codification (“ASC 740-10-25”). ASC 740-10-25 applies to all income tax positions, including the potential recovery of previously paid taxes, which if settled unfavorably could adversely impact our provision for income taxes. Our income in certain countries is subject to reduced tax rates provided we meet certain ongoing employment and capital investment commitments. Failure to meet these commitments could adversely impact our provision for income taxes.
We are also subject to the regular examination of our income tax returns by the U.S. Internal Revenue Services and other tax authorities in various jurisdictions. Tax authorities may disagree with our intercompany charges, cross-jurisdictional transfer pricing or other matters and assess additional taxes. While we regularly assess the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of our provision for income taxes, there can be no assurance that the outcomes from these regular examinations will not have a material adverse effect on our results of operations and cash flows. Further, we may be audited in various jurisdictions, and such jurisdictions may assess additional taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our results of operations or cash flows in the period or periods for which a determination is made.
The adoption of the U.S. tax reform and the enactment of additional legislation changes could materially impact our financial position and results of operations.
On December 22, 2017, President Trump signed into law the Tax Cuts and Jobs Act (the "TCJA") that significantly reforms the Code. The TCJA, among other things, includes changes to U.S. federal tax rates, imposes significant additional limitations on the deductibility of certain expenses, restricts the use of net operating loss carryforwards arising after December 31, 2017, allows for the expensing of capital expenditures, and puts into effect the migration from a “worldwide” system of taxation to a territorial system. Due to the expansion of our international business activities, any changes in the U.S. taxation of such activities may increase our worldwide effective tax rate and adversely affect our financial position and results of operations. Further, foreign governments may enact tax laws in response to the TCJA that could result in further changes to global taxation and materially affect our financial position and results of operations.
We conduct our operations in a number of jurisdictions worldwide and report our taxable income based on our business operations in those jurisdictions. Therefore, our intercompany relationships are subject to transfer pricing regulations administered by taxing authorities in various jurisdictions. While we believe that we are currently in material compliance with our obligations under applicable taxing regimes, the relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions and may seek to impose additional taxes on us, including for past sales. If such a disagreement were to occur, and our position were not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations.
The Organization for Economic Cooperation and Development (“OECD”) introduced the base erosion and profit shifting project which sets out a plan to address international taxation principles in a globalized, digitized business world (the “BEPS Plan”). During 2018, as part of the BEPS Plan, more than 80 countries chose to implement the Multilateral Convention to Implement Tax Treaty Related Measures to Prevent BEPS (“MLI”). The MLI significantly changes the bilateral tax treaties signed by any country that chose to implement the MLI. In addition, during 2019 the OECD, the EU and individual countries (e.g., France, Austria and Italy) each published an initiative to tax digital transactions executed by a non-resident entity and a local end-user or local end consumer. Under each initiative, the local payer is obligated to withhold a fixed percentage from the gross proceeds paid to the non-resident entity as a tax on executing a digital transaction in that territory, provided the entity’s sales in that territory exceeds a certain threshold (“Digital Service Tax”). As a result of participating countries adopting the international tax policies set under the BEPS Plan, MLI and Digital Service Tax, changes have been and continue to be made to numerous international tax principles and local tax regimes. Due to the expansion of our international business activities, those modifications may increase our worldwide effective tax rate, create tax and compliance obligations in jurisdictions in which we previously had none and adversely affect our financial position.
Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results of operations.
A change in accounting standards or practices could harm our operating results and may even affect our reporting of transactions completed before the change is effective. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing rules or the questioning of current practices may harm our operating results or the way we conduct our business. Additionally, the adoption of new or revised accounting principles may require that we make significant changes to our systems process and controls.
Acquisitions could disrupt our business and adversely affect our results of operations, financial condition and cash flows.
We may make acquisitions that could be material to our business, results of operations, financial condition and cash flows. Our ability as an organization to successfully acquire and integrate technologies or businesses is unproven. Acquisitions involve many risks, including the following:
an acquisition may negatively affect our results of operations, financial condition or cash flows because it may require us to incur charges or assume substantial debt or other liabilities, may cause adverse tax consequences or unfavorable accounting treatment, including potential write-downs of deferred revenues, may expose us to claims and disputes by third parties, including intellectual property claims and disputes, or may not generate sufficient financial return to offset additional costs and expenses related to the acquisition;
we may encounter difficulties or unforeseen expenditures in integrating the business, technologies, products, personnel or operations of any company that we acquire, particularly if key personnel of the acquired company decide not to work for us;
an acquisition may disrupt our ongoing business, divert resources, increase our expenses and distract our management;
an acquisition may result in a delay or reduction of customer purchases for both us and the company we acquired due to customer uncertainty about continuity and effectiveness of service from either company;
we may encounter difficulties in, or may be unable to, successfully sell any acquired products;
an acquisition may involve the entry into geographic or business markets in which we have little or no prior experience or where competitors have stronger market positions;
challenges inherent in effectively managing an increased number of employees in diverse locations;
the potential strain on our financial and managerial controls and reporting systems and procedures;
potential known and unknown liabilities or deficiencies associated with an acquired company that were not identified in advance;
our use of cash to pay for acquisitions would limit other potential uses for our cash and affect our liquidity;
if we incur debt to fund such acquisitions, such debt may subject us to material restrictions on our ability to conduct our business as well as financial maintenance covenants;
the risk of impairment charges related to potential write-downs of acquired assets or goodwill in future acquisitions;
to the extent that we issue a significant amount of equity or convertible debt securities in connection with future acquisitions, existing stockholders may be diluted and earnings per share may decrease; and
managing the varying intellectual property protection strategies and other activities of an acquired company.
We may not succeed in addressing these or other risks or any other problems encountered in connection with the integration of any acquired business. The inability to integrate successfully the business, technologies, products, personnel or operations of any acquired business, or any significant delay in achieving integration, could have a material adverse effect on our business, results of operations, financial condition and cash flows.
We may require additional capital to support our business growth, and this capital might not be available on acceptable terms, or at all.
We continue to make investments to support our business growth and may require additional funds to respond to business challenges, including the need to develop new features or enhance our software, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financing to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. Any debt financing that we may secure in the future could involve restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. We may not be able to obtain additional financing on terms favorable to us, if at all. If we are unable to obtain adequate financing on
terms satisfactory to us when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired, and our business may be adversely affected.
Our business is subject to the risks of fire, power outages, floods, earthquakes, pandemics and other catastrophic events, and to interruption by manmade problems such as terrorism.
A significant natural disaster, such as a fire, flood or an earthquake, an outbreak of a pandemic disease (such as COVID-19) or a significant power outage could have a material adverse impact on our business, results of operations and financial condition. In the event our customers’ information technologyIT systems or our channel partners’ selling or distribution abilities are hindered by any of these events, we may miss financial targets, such as revenues and sales targets, for a particular quarter. Further, if a natural disaster occurs in a region from which we derive a significant portion of our revenue, customers in that region may delay or forego purchases of our products, which may materially and adversely impact our results of operations for a particular period. In addition, acts of terrorism could cause disruptions in our business or the business of channel partners, customers or the economy as a whole. Given our typical concentration of sales at each quarter end, any disruption in the business of our channel partners or customers that impacts sales at the end of our quarter could have a significant adverse impact on our quarterly results. All of the aforementioned risks may be augmented if the disaster recovery plans for us and our channel partners prove to be inadequate. To the extent that any of the above results in delays or cancellations of customer orders, or the delay in the manufacture,development, deployment or shipment of our products, our business, financial condition and results of operations would be adversely affected.
Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results of operations.
Risks Related to our OperationsA change in Israel
Conditions in Israel may limit our ability to develop and sell our products, which could result in a decrease of our revenues.
Our principal research and development facility, which also houses a portion of our support and general and administrative teams, is located in Israel. Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its neighboring countries, as well as incidents of terror activities and other hostilities, and a number of state and non-state actors have publicly committed to its destruction. Political, economic and security conditions in Israel could directly affect our operations. We could be adversely affected by hostilities involving Israel, including acts of terrorismaccounting standards or any other hostilities involving or threatening Israel, the interruption or curtailment of trade between Israel and its trading partners, a significant increase in inflation or a significant downturn in the economic or financial condition of Israel. Any on-going or future armed conflicts, terrorist activities, tension along the Israeli borders or with other countries in the region, including Iran, or political instability in the region could disrupt international trading activities in Israel and may materially and negatively affect our business andpractices could harm our operating results and may even affect our reporting of operations.
Certain countries, as well as certain companiestransactions completed before the change is effective. New accounting pronouncements and organizations, continue to participate in a boycottvarying interpretations of Israeli companies, companies with large Israeli operationsaccounting pronouncements have occurred and others doing business with Israel and Israeli companies. The boycott, restrictive laws, policies or practices directed towards Israel, Israeli businesses or Israeli citizens could, individually ormay occur in the aggregate, have a material adverse effect on our business infuture. Changes to existing rules or the future.
Somequestioning of our officers and employees in Israel are obligated to perform routine military reserve duty in the Israel Defense Forces, depending on their age and position in the armed forces. Furthermore, they have been andcurrent practices may in the future be called to active reserve duty at any time under emergency circumstances for extended periods of time. Our operations could be disrupted by the absence, for a significant period, of one or more of our officers or key employees due to military service, and any significant disruption in our operations could harm our operating results or the way we conduct our business.
The tax benefits Additionally, the adoption of new or revised accounting principles may require that are availablewe make significant changes to our Israeli subsidiary require it to continue to meet various conditionssystems process and may be terminated or reduced in the future, which could increase its taxes.controls.
Our Israeli subsidiary benefits from a status of a “Beneficiary Enterprise” under the Israeli Law for the Encouragement of Capital Investments, 5719-1959, or the Investment Law. Based on an evaluation of the relevant factors under the Investment Law, including the level of foreign (i.e., non-Israeli) investment in our company, we have determined that the effective tax rate to be paid by our Israeli subsidiary as a “Beneficiary Enterprise” has historically been approximately 10%. If our Israeli subsidiary does not meet the requirements for maintaining this status, for example, if the Israeli subsidiary materially changes the nature of its business or, if the level of foreign investment in our company decreases, it may no longer be eligible to enjoy this reduced tax rate. As a result, our Israeli subsidiary would be subject to Israeli corporate tax at the standard rate, which, as of January 1, 2020 was set at 23%. Even if our Israeli subsidiary continues to meet the relevant requirements, the tax benefits that the status of “Beneficiary Enterprise” provides are scheduled to terminate on December 31, 2020. If these tax benefits were reduced or eliminated prior to this date, the amount of taxes that our Israeli subsidiary would pay would likely increase, as all of our Israeli operations would consequently be subject to corporate tax at the standard rate, which could adversely affect our results of operations. Additionally, if our Israeli subsidiary increases its activities outside of Israel, for example, through acquisitions, these activities may not be eligible for inclusion in Israeli tax benefit programs. The tax benefit derived from the status of “Beneficiary Enterprise” is dependent upon the ability to generate sufficient taxable income. Accordingly, our Israeli subsidiary may be unable to earn enough taxable income in order to fully utilize its tax benefits.
Risks Related to the Ownership of our Common Stock
Our stock price has been and will likely continue to be volatile.
The market price for our common stock has been, and is likely to continue to be, volatile for the foreseeable future. For example, sincefuture, and
is subject to wide fluctuations in response to various factors, some of which are beyond our control. These factors, as well as the volatility of our common stock, could affect the price at which our convertible noteholders could sell the common stock received upon conversion of the 2025 Notes and could also impact the trading price of the 2025 Notes. Since shares of our common stock were sold in our initial public offering in March 2014 at a price of $22.00 per share, our common stock’s price on The Nasdaq Global Select Market has ranged from $13.25 to $90.07$191.98 through February 7, 2020.5, 2021. On February 7, 2020,5, 2021, the closing price of our common stock was $89.95.$189.78. The market price of our common stock may fluctuate significantly in response to a number of factors, many of which we cannot predict or control, including the factors listed below and other factors described in this “Risk Factors” section:
•actual or anticipated fluctuations in our results or those of our competitors;
•the financial projections we may provide to the public, any changes in these projections or our failure to meet these projections;
•failure of securities analysts to initiate or maintain coverage of our company, changes in financial estimates by any securities analysts who follow our company, or our failure to meet these estimates or the expectations of investors;
•ratings changes by any securities analysts who follow our company;
•announcements of new products, services or technologies, commercial relationships, acquisitions or other events by us or our competitors;
•new announcements that affect investor perception of our industry, including reports related to the discovery of significant cyberattacks;
•changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
•price and volume fluctuations in certain categories of companies or the overall stock market, including as a result of trends in the global economy;
•the trading volume of our common stock;
•changes in accounting principles;
•sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders;
•additions or departures of any of our key personnel;
•lawsuits threatened or filed against us;
•short sales, hedging and other derivative transactions involving our capital stock;
•general economic conditions in the United States and abroad;
•changing legal or regulatory developments in the United States and other countries;
•conversion of the 2025 Notes; and
•other events or factors, including those resulting from war, incidents of terrorism, pandemic (such as COVID-19) or responses to these events.
In addition, the stock markets have experienced extreme price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many technology companies. Stock prices of many technology companies have fluctuated in a manner unrelated or disproportionate to the operating performance of those companies. In the past, stockholders have instituted securities class action litigation following periods of market volatility. If we were to become involved in securities litigation, it could subject us to substantial costs, divert resources and the attention of management from our business and adversely affect our business, results of operations, financial condition and cash flows.flows and may cause a significant increase in the premium paid for our directors and officers insurance.
If securities or industry analysts do not publish research or reports about our business, or publish negative reports about our business, our stock price and trading volume could decline.
The trading market for our common stock depends in part on the research and reports that securities or industry analysts publish about us or our business, our market and our competitors. We do not have any control over these analysts or their expectations regarding our performance on a quarterly or annual basis. If one or more of the analysts who cover us downgrade our stock or change their opinion of our stock, our stock price would likely decline. If we fail to meet one or more of these analysts' published expectations regarding our performance on a quarterly basis, our stock price or trading volume could decline. If one or more of these analysts cease coverage of our company or fail to regularly publish reports on us, we could lose visibility in the financial markets, which could cause our stock price or trading volume to decline.
Substantial future sales of shares of our common stock could cause the market price of our common stock to decline.
Sales of a substantial number of shares of our common stock into the public market, or the perception that these sales might occur, could depress the market price of our common stock and could impair our ability to raise capital through the sale of additional equity securities. We are unable to predict the effect that such sales may have on the prevailing market price of our common stock.
As of December 31, 2019, we had options, restricted stock units (“RSUs”) and performance stock units ("PSUs") outstanding that, if fully vested and exercised, would result in the issuance of approximately 3.0 million shares of our common stock. All of the shares of our common stock issuable upon exercise of options and vesting of RSUs and PSUs have been registered for public resale under the Securities Act. Accordingly, these shares will be able to be freely sold in the public market upon issuance as permitted by any applicable vesting requirements.
The requirements of being a public company may strain our resources, divert management’s attention and affect our ability to attract and retain executive management and qualified board members.
As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act of 2002 (the "Sarbanes-Oxley Act"“Sarbanes-Oxley Act”), the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the listing requirements of The Nasdaq Global Select Market and other applicable securities rules and regulations. Compliance with these rules and regulations have increased our legal and financial compliance costs, make some activities more difficult, time-consuming or costly and increase demand on our systems and resources.
The Exchange Act requires, among other things, that we file annual, quarterly and current reports with respect to our business and results of operations. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain and, if required, improve our disclosure controls and procedures and internal control over financial reporting to meet this standard, significant resources and management oversight is required. As a result, management’s attention may be diverted from other business concerns, which could adversely affect our business and results of operations. We may need to hire more employees in the future or engage outside consultants, which will increase our costs and expenses. In addition, changing laws, regulations and standards relating to corporate governance and public disclosure are creating uncertainty for public companies, increasing legal and financial compliance costs and making some activities more time consuming. These laws, regulations and standards are subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices.
Being a public company, these rules and regulations have made it more expensive for us to obtain director and officer liability insurance, and in the future we may be required to accept reduced coverage or incur substantially higher costs to obtain coverage. These factors could also make it more difficult for us to attract and retain qualified members of our board of directors, particularly to serve on our audit and compensation committees, and qualified executive officers.
As a result of disclosure of information in our filings with the SEC, our business and financial condition have become more visible, which we believe may result in threatened or actual litigation, including by competitors and other third parties. If such claims are successful, our business and results of operations could be adversely affected, and even if the claims do not result in
litigation or are resolved in our favor, these claims, and the time and resources necessary to resolve them, could divert the resources of our management and adversely affect our business and results of operations.
We are obligated to develop and maintain proper and effective internal control over financial reporting. These internal controls may not be determined to be effective, which may adversely affect investor confidence in our company and, as a result, the value of our common stock.
We are required, pursuant to Section 404 of the Sarbanes–Oxley Act, to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. We are also required to have our independent registered public accounting firm issue an opinion on the effectiveness of our internal control over financial reporting on an annual basis. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal control over financial reporting is effective.
If we are unable to assert that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion on the effectiveness of our internal control over financial reporting, we could lose investor confidence in the accuracy and completeness of our financial reports, which could cause the price of our common stock to decline, and we may be subject to investigation or sanctions by the SEC.
Future sales and issuances of our capital stock or rights to purchase capital stock could result in additional dilution of the percentage ownership of our stockholders and could cause our stock price to decline.
Future sales and issuances of our capital stock or rights to purchase our capital stock could result in substantial dilution to our existing stockholders. We may sell common stock, convertible securities and other equity securities in one or more transactions at prices and in a manner as we may determine from time to time. If we sell any such securities in subsequent transactions, investors may be materially diluted. New investors in such subsequent transactions could gain rights, preferences and privileges senior to those of holders of our common stock.
We do not intend to pay dividends on our common stock, so any returns will be limited to the value of our stock.
We have never declared or paid cash dividends on our common stock. We currently anticipate that we will retain any future earnings and do not expect to pay any dividends in the foreseeable future. Any determination to pay dividends in the future will be at the discretion of our board of directors and will be dependent on a number of factors, including our financial condition, results of operations, capital requirements, general business conditions and other factors that our board of directors may deem relevant. In addition, the loan agreement for our credit facility contains a prohibition on the payment of cash dividends. Until such time that we pay a dividend, investors must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.
Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of us, which may be beneficial to our stockholders, more difficult and may prevent attempts by our stockholders to replace or remove our current management.
Provisions in our amended and restated certificate of incorporation and amended and restated bylaws may delay or prevent an acquisition of us or a change in our management. These provisions include:
authorizing “blank check” preferred stock, which could be issued by the board without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and could thwart a takeover attempt;
a classified board of directors whose members can only be dismissed for cause;
the prohibition on actions by written consent of our stockholders;
the limitation on who may call a special meeting of stockholders;
the establishment of advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon at stockholder meetings; and
the requirement of at least 75% of the outstanding capital stock to amend any of the foregoing second through fifth provisions.
In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which limits the ability of stockholders owning in excess of 15% of our outstanding voting stock to merge or combine with us. Although we believe these provisions collectively provide for an opportunity to obtain greater value for stockholders by requiring potential acquirers to negotiate with our board of directors, they would apply even if an offer rejected by our board were considered beneficial by some stockholders. In addition, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, which is responsible for appointing the members of our management.
|
| | | | |
Item 1B. | Unresolved Staff Comments |
We do not have any unresolved comments from the SEC staff.
Our corporate headquarters are located in New York City in an office consisting of approximately 46,000 square feet. This lease expires in February 2026, although we have the option to both terminate the lease in February 2023 and extend the lease for an additional five years. We alsowhich we intend to exercise. In addition, we lease offices in North Carolina consisting of approximately 68,500 square feet, which is our primary U.S. customer support and inside sales center. This lease expires in July 2030, although we have an option to extend the lease for an additional 10 years. Additionally, we currentlyWe also lease an office located in Herzliya, Israel, consisting of approximately 136,000130,000 square feet, where we employ the majority our research and development team and a portion of our support and general and administrative teams. The lease for this office expires in December 2028, although we have the option to extend the lease for an additional five years. We also have a lease in Tel Aviv, Israel consisting of approximately 2,700 square feet, where we employ additional research and development personnel which expires in May 2021. Further, we lease offices in Cork, Ireland consisting of approximately 40,000 square feet, which is our primary EMEA customer support and inside sales center and which expires in December 2035, although we have the option to terminate the lease in December 2030. We also lease smaller offices in France, the United Kingdom, Ireland, Oregon, Virginia, New Jersey, Australia, Germany, the Netherlands, Luxembourg Belgium and SingaporeBelgium (which serve as regional sales offices and some of which are customer support centers). We plan to invest in additional space as needed to accommodate our growth.
We are not currently a party to any material litigation.
|
| | | | |
Item 4. | Mine Safety Disclosures |
Not applicable.
Our common stock has been listed on The NASDAQ Global Select Market under the symbol “VRNS” since February 28, 2014, the date of our initial public offering.
We have never declared or paid cash dividends on our common stock. We currently intend to retain any future earnings for use in the operation of our business and do not intend to declare or pay any cash dividends in the foreseeable future. Any further determination to pay dividends on our common stock will be at the discretion of our board of directors, subject to applicable laws, and will depend on our financial condition, results of operations, capital requirements, general business conditions and other factors that our board of directors considers relevant.
The following shall not be deemed “filed” for purposes of Section 18 of the Exchange Act, or incorporated by reference into any of our other filings under the Exchange Act or the Securities Act, except to the extent we specifically incorporate it by reference into such filing.
This chart compares the cumulative total return on our common stock with that of the NASDAQ Composite Index and the NASDAQ Computer Index. The chart assumes $100 was invested at the close of market on December 31, 20142015 in our common stock, the NASDAQ Composite Index and the NASDAQ Computer Index, and assumes the reinvestment of any dividends. The stock price performance on the following graph is not necessarily indicative of future stock price performance.