ITEM 1A. RISK FACTORS
Investing in our Class A common stock involves a high degree of risk. You should carefully consider the risks and uncertainties described below, together with all of the other information in this Quarterly Report on Form 10-Q, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” and our unaudited condensed consolidated financial statements and the accompanying notes included before making a decision to invest in our Class A common stock. Our business, financial condition, operating results, or prospects could also be adversely affected by risks and uncertainties that are not presently known to us or that we currently believe are not material. If any of the risks actually occur, our business, financial condition, operating results, and prospects could be adversely affected. In that event, the market price of our Class A common stock could decline, and you could lose all or part of your investment.
Summary Risk Factors
Our business is subject to numerous risks and uncertainties, including those risks more fully described below. These risks include, among others, the following, which we consider our most material risks:
•We have a limited operating history, which makes it difficult to evaluate our current business and future prospects and increases the risks associated with your investment.
•We have a history of losses, anticipate increases in our operating expenses in the future, and may not achieve or sustain profitability. If we cannot achieve and sustain profitability, our business, financial condition, and operating results will be adversely affected.
•We face intense competition and could lose market share to our competitors, which would adversely affect our business, operating results, and financial condition.
•Our operating results may fluctuate significantly, which could make our future results difficult to predict and could cause our operating results to fall below expectations.
•A network or data security incident against us, whether actual, alleged, or perceived, would harm our reputation, create liability and regulatory exposure, and adversely impact our business, operating results, and financial condition.
•Defects, errors, or vulnerabilities in our platform, the failure of our platform to block malware or prevent a security breach, misuse of our platform, or risks of product liability claims would harm our reputation and adversely impact our business, operating results, and financial condition.
•If we are unable to retain our customers, renew and expand our relationships with them, and add new customers, we may not be able to sustain revenue growth, and we may not achieve or maintain profitability in the future.
•If our platform is not effectively interoperated within our customers’ IT infrastructure, deployments could be delayed or canceled, which would adversely impact our business, operating results, and financial condition.
•Disruptions or other business interruptions that affect the availability of our platform could adversely impact our customer relationships and overall business.
•We may not timely and cost-effectively scale and adapt our existing technology to meet our customers’ performance and other requirements.
•The dual class structure of our common stock has the effect of concentrating voting control certain stockholders who held our capital stock prior to the completion of our IPO, including our directors, executive officers, and beneficial owners of 5% or greater of our outstanding capital stock who hold in the aggregate approximately 64.2% of the voting power of our capital stock, which will limit or preclude your ability to influence corporate matters, including the election of directors and the approval of any change of control transaction.
Risks Related to Our Business and Industry
We have a limited operating history, which makes it difficult to evaluate our current business and future prospects and increases the risks associated with your investment.
We were founded in January 2013 and released our first endpoint security solution in February 2015. Our limited operating history may make it difficult to evaluate our current business, future prospects and other trends. We have encountered, and will continue to encounter risks and uncertainties frequently experienced by growing companies in rapidly changing industries, such as the risks and uncertainties described herein. Further, we have limited historical financial data, and we operate in a rapidly evolving market. As a result, any predictions about our future revenue and expenses may not be as accurate as they would be if we had a longer operating history or operated in a more predictable or established market. If our assumptions regarding these risks and uncertainties are incorrect or change due to changes in our markets or otherwise, or if we do not address these risks successfully, our operating and financial results could differ materially from our expectations and our business and operating results would be adversely affected. We cannot assure you that we will be successful in addressing these and other challenges we may face in the future.
We have a history of losses, anticipate increases in our operating expenses in the future, and may not achieve or sustain profitability. If we cannot achieve and sustain profitability, our business, financial condition, and operating results will be adversely affected.
We have incurred net losses in all periods since our inception, and we may not achieve or maintain profitability in the future. We experienced a net loss of $68.2 million and $22.9 million for the three months ended July 31, 2021 and 2020, respectively, and net loss of $130.8 million and $49.6 million for the six months ended July 31, 2021 and 2020, respectively. As of July 31, 2021, we had an accumulated deficit of $481.4 million. While we have experienced significant growth in revenue in recent periods, we cannot predict when or whether we will reach or maintain profitability. We also expect our operating expenses to increase in the future as we continue to invest for our future growth, including expanding our research and development function to drive further development of our platform, expanding our sales and marketing activities, developing the functionality to expand into adjacent markets, and reaching customers in new geographic locations, which will negatively affect our operating results if our total revenue does not increase. In addition to the anticipated costs to grow our business, we also expect to incur significant additional legal, accounting, and other expenses as a newly public company. These efforts and additional expenses may be more costly than we expect, and we cannot guarantee that we will be able to increase our revenue to offset our operating expenses. Our revenue growth is expected to decline and our revenue may decline for a number of other reasons, including reduced demand for our platform, increased competition, a decrease in the growth or reduction in size of our overall market, or if we cannot capitalize on growth opportunities. Any failure to increase our revenue or to manage our costs as we invest in our business would prevent us from achieving or maintaining profitability.
We face intense competition and could lose market share to our competitors, which would adversely affect our business, operating results, and financial condition.
The market for cybersecurity products and services is intensely competitive, fragmented and characterized by rapid changes in technology, customer requirements, industry standards, increasingly sophisticated attackers and by frequent introductions of new or improved products and services. We expect to continue to face intense competition from current competitors, as well as from new entrants into the market. If we are unable to anticipate or react to these challenges, our competitive position would weaken, and we would experience a decline in revenue or reduced revenue growth, and loss of market share that would adversely affect our business, financial condition and operating results.
Our competitors and potential competitors include the following:
•endpoint security providers, such as CrowdStrike Holdings, Inc. and VMware, Inc.;
•legacy anti-virus providers such as McAfee Corp., Symantec (a subsidiary of Broadcom, Inc.), and Microsoft Corporation; and
•providers of general network security products and services who offer a broad portfolio of solutions, such as Palo Alto Networks, Inc.
Our ability to compete effectively depends upon numerous factors, many of which are beyond our control, including, but not limited to:
•our ability to attract and retain new customers, expand our platform or sell additional products and services to our existing customers;
•the budgeting cycles, seasonal buying patterns, and purchasing practices of our customers, including any slowdown in technology spending due to the continuing COVID-19 pandemic and market downturns;
•changes in customer, distributor or reseller requirements or market needs;
•price competition;
•the timing and success of new product and service introductions by us or our competitors or any other change in the competitive landscape of our industry, including consolidation among our competitors or customers and strategic partnerships entered into by and between our competitors;
•changes in our mix of products, subscriptions and services sold, including changes in the average contract length for subscriptions and support;
•our ability to successfully and continuously expand our business domestically and internationally;
•changes in the growth rate of the endpoint security market;
•deferral of orders from customers in anticipation of new or enhanced products and services announced by us or our competitors;
•significant security breaches of, technical difficulties with or interruptions to, the use of our platform;
•the timing and costs related to the development or acquisition of technologies or businesses or strategic partnerships;
•our ability to execute, complete or integrate efficiently any acquisitions that we may undertake;
•increased expenses, unforeseen liabilities, or write-downs and any impact on our operating results from any acquisitions we consummate;
•our ability to increase the size and productivity of our distribution channels;
•decisions by potential customers to purchase security solutions from larger, more established security vendors or from their primary network equipment vendors;
•timing of revenue recognition and revenue deferrals;
•insolvency or credit difficulties confronting our customers, which could increase due to the continuing effects of the COVID-19 pandemic and adversely affect their ability to purchase or pay for our platform, products, and services in a timely manner or at all;
•the cost and potential outcomes of litigation, which could have a material adverse effect on our business;
•future accounting pronouncements or changes in our accounting policies;
•increases or decreases in our expenses caused by fluctuations in foreign currency exchange rates; and
•general macroeconomic conditions, both domestically and in our foreign markets that could impact some or all regions where we operate.
Many of our competitors have greater financial, technical, marketing, sales, and other resources, greater name recognition, longer operating histories, and a larger base of customers than we do. Our competitors may be able to devote greater resources to the development, promotion and sale of their products and services than we can, and they may offer lower pricing than we do. Further, they may have greater resources for research and development of new technologies, customer support and to pursue acquisitions, or they may have other financial, technical, or other resource advantages. Our larger competitors have substantially broader and more diverse product and service offerings and more mature distribution and go-to-market strategies, which allows them to leverage their existing customer and distributor relationships to gain business in a manner that discourages potential customers from purchasing our platform. Also, in connection with the travel restrictions, shelter-in-place and work-from home policies resulting from the COVID-19 pandemic, we have seen an increase in usage and subscriptions from smaller customers, many of whom are small or medium sized businesses. Conditions in our market could change rapidly and significantly as a result of technological advancements, partnering or acquisitions by our competitors or continuing market consolidation. Some of our competitors have recently made or could make acquisitions of businesses or have established cooperative relationships that may allow them to offer more directly competitive and comprehensive products and services than were previously offered and adapt more quickly to new technologies and customer needs. These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders, reduced revenue and gross margin, increased net losses and loss of market share. Even if there is significant demand for endpoint security solutions like ours, if our competitors include functionality that is, or is perceived to be, equivalent to or better than ours in legacy products that are already generally accepted as necessary components of an organization’s IT security architecture, we will have difficulty increasing the market penetration of our platform. Furthermore, even if the functionality offered by other cybersecurity providers is different and more limited than the functionality of our platform, organizations may elect to accept such limited functionality in lieu of purchasing products and services from additional vendors like us. If we are unable to compete successfully, or if competing successfully requires us to take aggressive action with respect to pricing or other actions, our business, financial condition and operating results would be adversely affected.
Our operating results may fluctuate significantly, which could make our future results difficult to predict and could cause our operating results to fall below expectations.
Our operating results may vary significantly from period to period, which could adversely affect our business, operating results and financial condition. Our operating results have varied significantly from period to period in the past, and we expect that our operating results will continue to vary significantly in the future such that period-to-period comparisons of our operating results may not be meaningful. Accordingly, our financial results in any one quarter should not be relied upon as indicative of future performance. Our quarterly financial results may fluctuate
as a result of a number of factors, many of which are outside of our control and may be difficult to predict, including:
•the continuing impact of the COVID-19 pandemic on our operations, financial results, and liquidity and capital resources, including on customers, sales, expenses, and employees;
•our ability to attract new and retain existing customers or sell additional features to existing customers;
•the budgeting cycles, seasonal buying patterns, and purchasing practices of customers;
•the timing and length of our sales cycles;
•changes in customer or channel partner requirements or market needs;
•changes in the growth rate of the cybersecurity market generally and market for endpoint security;
•the timing and success of new product and service introductions by us or our competitors or any other competitive developments, including consolidation among our customers or competitors;
•the level of awareness of cybersecurity threats, particularly advanced cyberattacks, and the market adoption of our platform;
•our ability to successfully expand our business domestically and internationally;
•decisions by organizations to purchase security solutions from larger, more established security vendors or from their primary IT equipment vendors;
•changes in our pricing policies or those of our competitors;
•any disruption in our relationship with ISVs, channel partners, MSPs, MSSPs, MDRs, OEMs and IR firms;
•insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solution;
•significant security breaches of, technical difficulties with or interruptions to, the use of our platform;
•extraordinary expenses such as litigation or other dispute-related settlement payments or outcomes;
•general economic conditions, both domestic and in our foreign markets;
•future accounting pronouncements or changes in our accounting policies or practices;
•negative media coverage or publicity;
•political events;
•general macroeconomic conditions, both domestically and internationally;
•the amount and timing of operating costs and capital expenditures related to the expansion of our business; and
•increases or decreases in our expenses caused by fluctuations in foreign currency exchange rates.
In addition, we experience seasonal fluctuations in our financial results as we typically receive a higher percentage of our annual orders from new customers, as well as renewal orders from existing customers, in our fourth fiscal quarter as compared to other quarters due to the annual budget approval process of many of our customers.
Any of the above factors, individually or in the aggregate, may result in significant fluctuations in our financial and other operating results from period to period. As a result of this variability, our historical operating results
should not be relied upon as an indication of future performance. Moreover, this variability and unpredictability could result in our failure to meet our operating plan or the expectations of investors or analysts for any period. If we fail to meet such expectations for the reasons described above or other reasons, our stock price could fall substantially, and we could face costly lawsuits, including securities class action suits.
Our platform represents a new approach to endpoint protection and, therefore, it is difficult to predict adoption and demand for our platform.
Our cloud-native, artificial intelligence-enabled endpoint security platform represents a new approach to endpoint protection. Accordingly, it is difficult to predict customer adoption and demand for our platform, the size and growth rate of this market, the entry of competitive products and services or the success of existing competitive products and services.
Any expansion in our market depends on a number of factors, including the cost, performance and perceived value associated with, and customer adoption of, our platform. If the market for our services does not achieve widespread adoption or there is a reduction in demand for our software or our services in our market caused by a lack of customer acceptance, implementation challenges for deployment, technological challenges, competing technologies and services, decreases in corporate spending, weakening economic conditions, or otherwise, it could result in reduced customer orders and decreased revenue, which would adversely affect our business operations and financial condition.
Our platform interoperates with, but does not necessarily replace, other security products. Businesses that use other cybersecurity products and services may be hesitant to purchase our platform if they believe their existing products and services provide a level of security that is sufficient to meet their needs. If we do not succeed in convincing customers that our platform should be an integral part of their overall approach to security, our sales will not grow as quickly as anticipated, or at all, which would have an adverse impact on our business, operating results and financial condition.
If businesses do not continue to adopt our platform for any of the reasons discussed above or for other reasons not contemplated, our sales would not grow as quickly as anticipated, or at all, and our business, operating results and financial condition would be adversely affected.
A network or data security incident against us, whether actual, alleged, or perceived, would harm our reputation, create liability, and regulatory exposure, and adversely impact our business, operating results, and financial condition.
Increasingly, companies are subject to a wide variety of attacks on their networks on an ongoing basis. Traditional computer “hackers,” malicious code (such as viruses and worms), phishing attempts, employee theft or misuse, denial of service attacks, and sophisticated nation-state and nation-state supported actors engage in intrusions and attacks that create risks for our internal networks and cloud deployed products and the information they store and process. Cybersecurity companies face particularly intense attack efforts, and we have faced and will continue to face cyber threats and attacks from a variety of sources. Although we have implemented security measures to prevent such attacks, our networks and systems may be breached due to the actions of outside parties, employee error, malfeasance, a combination of these, or otherwise, and as a result, an unauthorized party may obtain access to our systems, networks, or data. We may face difficulties or delays in identifying or otherwise responding to any attacks or actual or potential security breaches or threats. A breach in our data security or an attack against our platform could impact our networks or the networks of our customers that are secured by our platform, creating system disruptions or slowdowns and providing access to malicious parties to information stored on our networks or the networks of our customers, resulting in data being publicly disclosed, altered, lost, or stolen, which could subject us to liability and adversely impact our financial condition.
Any actual, alleged or perceived security breach in our systems or networks, or any other actual, alleged or perceived data security incident we suffer, could result in damage to our reputation, negative publicity, loss of customers and sales, loss of competitive advantages over our competitors, increased costs to remedy any problems and otherwise respond to any incident, regulatory investigations and enforcement actions, costly litigation, and other liability. We would also be exposed to a risk of loss or litigation and potential liability under laws, regulations and
contracts that protect the privacy and security of personal information. For example, the California Consumer Privacy Act of 2018, or the CCPA, imposes a private right of action for security breaches that could lead to some form of remedy including regulatory scrutiny, fines, private right of action settlements, and other consequences. Where a security incident involves a breach of security leading to the accidental or unlawful destruction, loss, alternation, unauthorized disclosure of, or access to, personal data in respect of which we are a controller or processor under the GDPR or U.K. GDPR (as defined below), this could result in fines of up to €20 million or 4% of annual global turnover under the GDPR or £17 million and 4% of total annual revenue in the case of the U.K. GDPR. We may also be required to notify such breaches to regulators and/or individuals which may result in us incurring additional costs.
In addition, we may incur significant financial and operational costs to investigate, remediate, eliminate and put in place additional tools and devices designed to prevent actual or perceived security breaches and other security incidents, as well as costs to comply with any notification obligations resulting from any security incidents. Any of these negative outcomes could adversely impact the market perception of our platform and customer and investor confidence in our company, and would adversely impact our business, operating results, and financial condition.
Defects, errors, or vulnerabilities in our platform, the failure of our platform to block malware or prevent a security breach, misuse of our platform, or risks of product liability claims would harm our reputation and adversely impact our business, operating results, and financial condition.
Our platform is multi-faceted and may be deployed with material defects, software “bugs” or errors that are not detected until after their commercial release and deployment to our customers. From time to time, certain of our customers have reported defects in our platform related to performance, scalability, and compatibility. Our platform also provides our customers with the ability to customize a multitude of settings, and it is possible that a customer could misconfigure our platform or otherwise fail to configure our products in an optimal manner. Such defects and misconfigurations of our platform could cause our platform to operate at suboptimal efficacy, cause it to fail to secure customers’ computing environments and detect and block threats or temporarily interrupt the functionality of our customers’ endpoints. In addition, because the techniques used by computer hackers to access or sabotage target computing environments change frequently and generally are not recognized until launched against a target, there is a risk that an advanced attack could emerge that our platform is unable to detect or prevent. Furthermore, as a well-known provider of security solutions, our networks, platform, products, including cloud-based technology, and customers could be targeted by attacks specifically designed to disrupt our business and harm our reputation. In addition, defects or errors in our platform could result in a failure to effectively update customers’ cloud-based products. Our data centers and networks may experience technical failures and downtime, may fail to distribute appropriate updates, or may fail to meet the increased requirements of a growing customer base, any of which could temporarily or permanently expose our customers’ computing environments, leaving their computing environments unprotected against cyber threats. Any of these situations could result in negative publicity to us, damage our reputation, and increase expenses and customer relations issues, which would adversely impact our business, financial condition, and operating results.
Advances in computer capabilities, discoveries of new weaknesses and other developments with software generally used by the Internet community may increase the risk we will suffer a security breach. Furthermore, our platform may fail to detect or prevent malware, ransomware, viruses, worms or similar threats for any number of reasons, including our failure to enhance and expand our platform to reflect industry trends, new technologies and new operating environments, the complexity of the environment of our clients and the sophistication of malware, viruses and other threats. Our platform may fail to detect or prevent threats in any particular test for a number of reasons. We or our service providers may also suffer security breaches or unauthorized access to personal information, financial account information, and other confidential information due to employee error, rogue employee activity, unauthorized access by third parties acting with malicious intent or who commit an inadvertent mistake or social engineering. If we experience any breaches of security measures or sabotage or otherwise suffer unauthorized use or disclosure of, or access to, personal information, financial account information or other confidential information, we might be required to expend significant capital and resources to address these problems. We may not be able to remedy any problems caused by hackers or other similar actors in a timely manner, or at all. To the extent potential customers, industry analysts or testing firms believe that the failure to detect or prevent any particular threat is a flaw or indicates that our platform does not provide significant value, our reputation
and business would be harmed. Any real or perceived defects, errors or vulnerabilities in our platform, or any other failure of our platform to detect an advanced threat, could result in:
•a loss of existing or potential customers;
•delayed or lost revenue and adverse impacts to our business, financial condition and operating results;
•a delay in attaining, or the failure to attain, market acceptance;
•the expenditure of significant financial and research and development resources in efforts to analyze, correct, eliminate, or work around errors or defects, and address and eliminate vulnerabilities;
•an increase in resources devoted to customer service and support, which could adversely affect our gross margin;
•harm to our reputation or brand; and
•claims and litigation, regulatory inquiries, or investigations, enforcement actions, and other claims and liabilities, all of which may be costly and burdensome and further harm our reputation.
Because techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not recognized until after they are launched against a target, we and our service providers may be unable to anticipate these techniques or to implement adequate preventative measures. Moreover, if a high-profile cybersecurity incident occurs with respect to another software as a service, or SaaS, provider, customers may lose trust in the security of the SaaS business model generally, which could adversely impact our ability to retain existing customers or attract new ones. In the last few years there have been many successful advanced cybersecurity incidents that have damaged several prominent companies in spite of strong information security measures. For example, SolarWinds Corporation, a provider of IT monitoring and management products and services, experienced a cyberattack that appears likely to be the result of a supply chain attack by an outside nation state, resulting in vulnerabilities being included in software updates related to its Orion Platform products delivered between March and June 2020. We expect that the risks associated with cybersecurity incidents and the costs of preventing such attacks will continue to increase in the future.
In addition, we cannot assure you that any limitation of liability provisions in our customer agreements, contracts with third-party vendors and service providers, or other contracts would be enforceable or adequate or would otherwise protect us from any liabilities or damages with respect to any particular claim relating to a security breach or other security-related matter as a result of federal, state, or local laws or ordinances, or unfavorable judicial decisions in the U.S. or other countries. We maintain insurance to protect against certain claims associated with the use of our platform, but our insurance coverage may not adequately cover any claim asserted against us. In addition, even claims that ultimately are unsuccessful could result in our expenditure of funds in litigation, divert management’s time and other resources, and harm our reputation. We also cannot be certain that our insurance coverage will be adequate for data handling or data security liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any future claim will not be excluded or otherwise be denied coverage by any insurer. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could adversely impact our business, operating results and financial condition.
If we are unable to retain our customers, renew and expand our relationships with them, and add new customers, we may not be able to sustain revenue growth, and we may not achieve or maintain profitability in the future.
In recent periods, we have experienced rapid growth in the adoption of our platform, customer base and revenue. However, we may not continue to grow in the future. Any success that we may experience in the future will depend, in large part, on our ability to, among other things:
•maintain, renew and expand our existing customer base;
•continue to attract new customers;
•induce customers to expand deployment of the initially adopted module(s) of our platform across their organizations and infrastructure, and to adopt additional modules of our platform and services;
•improve the capabilities of our platform through research and development;
•continue to successfully expand our business domestically and internationally; and
•successfully compete with other companies in the endpoint security industry.
Our customers have no obligation to renew their subscription for our platform after the expiration of their contractual subscription period, which is generally one to three years, and in the normal course of business, some customers have elected not to renew. In addition, our customers may renew for shorter contract subscription lengths or cease using certain features. Our customer retention and expansion may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with our services, our pricing, customer security and networking issues and requirements, our customers’ spending levels, decreases in the number of endpoints to which our customers deploy our solution, mergers and acquisitions involving our customers, industry developments, competition and general economic conditions. If our efforts to maintain and expand our relationships with our existing customers are not successful, our business, operating results and financial condition will materially suffer.
If our platform is not effectively interoperated within our customers’ IT infrastructure, deployments could be delayed or canceled, which would adversely impact our business, operating results, and financial condition.
Our platform must effectively interoperate with our customers’ existing IT infrastructure, which often has different specifications, utilizes multiple protocol standards, deploys products and services from multiple vendors, and contains multiple generations of products and services that have been added over time. As a result, our solutions can sometimes encounter interoperability issues on deployment or over time, which require additional support and problem solving with customers, in some cases, at a substantial cost to us. We may also have to modify our software so that our products will interoperate with a customer’s infrastructure. These issues would cause longer deployment and integration times for our platform and could cause order cancellations, all of which would adversely impact our business, operating results and financial condition. In addition, government and other customers may require our platform to comply with certain security or other certifications and standards. If we are unable to achieve, or are delayed in achieving, compliance with these certifications and standards, we may be disqualified from selling our platform to such customers, or may otherwise be at a competitive disadvantage, either of which could adversely impact our business, operating results and financial condition.
Disruptions or other business interruptions that affect the availability of our platform could adversely impact our customer relationships and overall business.
Our platform is hosted through Amazon Web Services, or AWS. Our software and systems are designed to use computing, storage capabilities, bandwidth, and other services provided by AWS, and currently our cloud service infrastructure is run on AWS. We have experienced, and expect in the future that we may experience from time to time, interruptions, delays or outages in service availability due to a variety of factors. Capacity constraints could arise from a number of causes such as technical failures, natural disasters, fraud or security attacks. The level of service provided by AWS, or regular or prolonged interruptions in that service, could also impact the use of, and our customers’ satisfaction with, our platform and could harm our business and reputation. In addition, hosting costs will increase as our customer base grows, which could adversely impact our business, operating results and financial condition.
Furthermore, AWS has discretion to change and interpret its terms of service and other policies with respect to us, including on contract renewal, and those actions may be unfavorable to our business operations. AWS may also take actions beyond our control that could seriously harm our business, including discontinuing or limiting our access to one or more AWS services, increasing pricing terms, terminating or seeking to terminate our contractual relationship altogether, or altering how we are able to process data on AWS in a way that is unfavorable or costly to us. Although we expect that we could obtain similar services from other third parties, if our arrangement with AWS
were terminated, we could experience interruptions on our platform and in our ability to make our content available to customers, as well as delays and additional expenses in arranging for alternative cloud infrastructure services. Such a transition may require technical changes to our platform, including, but not limited to, our cloud service infrastructure which was designed to run on AWS. Making such changes could be costly in terms of time and financial resources.
Any of these factors could reduce our revenue, subject us to liability, and cause our customers to decline to renew their subscriptions, any of which would harm our business and operating results.
We may not timely and cost-effectively scale and adapt our existing technology to meet our customers’ performance and other requirements.
Our future growth is dependent upon our ability to continue to meet the needs of new customers and the expanding needs of our existing customers as their use of our solutions grows. As our customers gain more experience with our platform, the number of endpoints and events, the amount of data transferred, processed and stored by us, and the number of locations where our platform is being accessed, have in the past, and may in the future, expand rapidly. In order to meet the performance and other requirements of our customers, we intend to continue to make significant investments to increase capacity and to develop and implement new technologies in our service and cloud infrastructure operations. These technologies, which include databases, applications and server optimizations, network and hosting strategies and automation, are often advanced, complex, new and untested. We may not be successful in developing or implementing these technologies. In addition, it takes a significant amount of time to plan, develop and test improvements to our technologies and infrastructure, and we may not be able to accurately forecast demand or predict the results we will realize from such improvements. To the extent that we do not effectively scale our operations to meet the needs of our growing customer base and to maintain performance as our customers expand their use of our solution, we will not be able to grow as quickly as we anticipate, our customers may reduce or cancel use of our solutions and we will be unable to compete as effectively and our business and operating results will be adversely impacted.
If we do not accurately anticipate and promptly respond to changes in our customers’ technologies, business plans or security needs, our competitive position and prospects will be adversely impacted.
The cybersecurity market has grown quickly and is expected to continue to evolve rapidly. Moreover, many of our customers operate in markets characterized by rapidly changing technologies and business plans, which require them to add numerous network-connected endpoints and adapt to increasingly complex IT environments, incorporating a variety of hardware, software applications, operating systems and networking protocols. As their technologies and business plans grow more complex, we expect these customers to face new and increasingly sophisticated methods of attack. We face significant challenges in ensuring that our platform effectively identifies and responds to these advanced and evolving attacks. As a result of the continued rapid innovations in the technology industry, including the rapid growth of smartphones, tablets and other devices, enterprise employees using personal devices for work, and the rapidly evolving Internet of Things, we expect the networks of our customers to continue to change rapidly and become more complex. There can be no assurance that we will be successful in developing and marketing, on a timely basis, enhancements to our platform that adequately address the changing needs of our customers. In addition, any enhancements to our platform could involve research and development processes that are more complex, expensive and time-consuming than we anticipate. We may experience unanticipated delays in the availability of enhancements to our platform and may fail to meet customer expectations with respect to the timing of such availability. If we do not quickly respond to the rapidly changing and rigorous needs of our customers by developing and releasing updates to our platform on a timely basis that can adequately respond to advanced threats and our customers’ evolving needs, our business, operating results and financial condition will be adversely affected.
If we are not able to maintain and enhance our brand and reputation, our business and operating results may be adversely affected.
We believe that maintaining and enhancing our brand and our reputation as a leading provider of endpoint security solutions is critical to our relationship with our existing customers, channel partners and alliance partners
and our ability to attract new customers and partners. The successful promotion of our brand will depend on a number of factors, including our marketing efforts, our ability to continue to develop additional features for our platform, our ability to successfully differentiate our platform from competitive cloud-based or legacy security solutions and, ultimately, our ability to detect and stop breaches. Although we believe it is important for our growth, our brand promotion activities may not be successful or yield increased revenue.
In addition, independent industry or financial analysts and research firms often test our solutions and provide reviews of our platform, as well as the products of our competitors, and perception of our platform in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors’ products, our brand may be adversely affected. Our solutions may fail to detect or prevent threats in any particular test for a number of reasons that may or may not be related to the efficacy of our solutions in real world environments. To the extent potential customers, industry analysts or testing firms believe that the occurrence of a failure to detect or prevent any particular threat is a flaw or indicates that our solutions or services do not provide significant value, we may lose customers, and our reputation, financial condition and business would be harmed. Additionally, the performance of our channel partners and alliance partners may affect our brand and reputation if customers do not have a positive experience with these partners. In addition, we have in the past worked, and continue to work, with high profile customers as well as assist in analyzing and remediating high profile cyberattacks. Our work with such customers has exposed us to publicity and media coverage. Negative publicity about us, including about our management, the efficacy and reliability of our platform, our products offerings, our professional services and the customers we work with, even if inaccurate, could adversely affect our reputation and brand.
If we are unable to maintain successful relationships with our channel partners and alliance partners, or if our channel partners or alliance partners fail to perform, our ability to market, sell and distribute our platform will be limited, and our business, operating results, and financial condition will be harmed.
Substantially all of our sales are fulfilled through our channel partners, including resellers, distributors, MSPs, MSSPs, MDRs, OEMs, and IR firms, and we expect that we will continue to generate a significant portion of our revenue from channel partners for the foreseeable future. Our channel partners generated 92% and 95% of our revenue for the three and six months ended July 31, 2021 and 2020, respectively. Our two largest channel partners for the three and six months ended July 31, 2021 and 2020 were Exclusive Networks and SHI International Corp. We generated 19% of our revenue from Exclusive Networks for both the three months ended July 31, 2021 and 2020. We generated 18% and 19% of our revenue from Exclusive Networks for the six months ended July 31, 2021 and 2020, respectively. We generated 9% and 13% of our revenue from SHI International for the three months ended July 31, 2021 and 2020, respectively. We generated 9% and 13% of our revenue from SHI International for the six months ended July 31, 2021 and 2020, respectively. Our agreements with our channel partners, including agreements with Exclusive Networks and SHI International, are non-exclusive, do not last for set terms, and may be terminated by either party at any time. Further, channel partners fulfill our sales on a purchase order basis and do not impose minimum purchase requirements or related terms on sales. Additionally, we have entered, and intend to continue to enter, into alliance partnerships with third parties to support our future growth plans. The loss of a substantial number of our channel partners or alliance partners, or the failure to recruit additional partners, would adversely affect our business, operating results, and financial condition.
To the extent our partners are unsuccessful in selling our platform, or if we are unable to enter into arrangements with and retain a sufficient number of high-quality partners in each of the regions in which we sell our platform, we are unable to keep them motivated to sell our platform, or our partners shift focus to other vendors and/or our competitors, our ability to sell our platform and operating results will be harmed. The termination of our relationship with any significant partner may adversely impact our sales and operating results. Our ability to achieve revenue growth in the future will depend in part on our ability to maintain successful relationships with our channel partners and in training our channel partners to independently sell and deploy our platform.
We are also exposed to credit and liquidity risks and our operating results will be harmed if our partners were to become unable or unwilling to pay us, terminated their relationships with us or went out of business. Although we have programs in place that are designed to monitor and mitigate such risks, we cannot guarantee these programs will be effective in reducing our risks. If we are unable to adequately control these risks, our business, operating
results, and financial condition would be harmed. If partners fail to pay us under the terms of our agreements or we are otherwise unable to collect on our accounts receivable from these partners, we may be adversely affected both from the inability to collect amounts due and the cost of enforcing the terms of our contracts, including litigation. Our partners may seek bankruptcy protection or other similar relief and fail to pay amounts due to us, or pay those amounts more slowly, either of which would adversely affect our business, operating results and financial condition. We may be further impacted by consolidation of our existing channel partners. In such instances, we may experience changes to our overall business and operational relationships due to dealing with a larger combined entity, and our ability to maintain such relationships on favorable contractual terms may be more limited. We may also become increasingly dependent on a more limited number of channel partners, as consolidation increases the relative proportion of our business for which each channel partner is responsible, which may magnify the risks described in the preceding paragraphs.
Our business depends, in part, on sales to government organizations, and significant changes in the contracting or fiscal policies of such government organizations could have an adverse impact on our business and operating results.
Our future growth depends, in part, on increasing sales to government organizations. Demand from government organizations is often unpredictable, subject to budgetary uncertainty. We have made significant investments to address the government sector, but we cannot assure you that these investments will be successful, or that we will be able to maintain or grow our revenue from the government sector. Although we anticipate that they may increase in the future, sales to governmental organizations have not accounted for, and may never account for, a significant portion of our revenue. Sales to governmental organizations are subject to a number of challenges and risks that may adversely impact our business and operating results, including the following risks:
•selling to governmental agencies can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that such efforts will generate a sale;
•government certification requirements applicable to our platform may change and, in doing so, restrict our ability to sell into the governmental sector until we have attained the revised certification. For example, although we are currently certified under the Federal Risk and Authorization Management Program, or FedRAMP, such certification is costly to maintain and if we lost our certification in the future it would restrict our ability to sell to government customers;
•government demand and payment for our platform may be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our platform;
•governments routinely investigate and audit government contractors’ administrative processes, and any unfavorable audit could result in the government refusing to continue buying our platform, which would adversely impact our revenue and operating results, or institute fines or civil or criminal liability if the audit were to uncover improper or illegal activities; and
•governments may require certain products to be manufactured, produced, hosted or accessed solely in their country or in other relatively high-cost locations, and we may not produce or host all products in locations that meet these requirements, affecting our ability to sell these products to governmental agencies.
The occurrence of any of the foregoing could cause governmental organizations to delay or refrain from purchasing our solutions in the future or otherwise have an adverse effect on our business, operating results and financial condition.
Our long-term success depends, in part, on our ability to expand the sale of our platform to customers located outside of the United States and our current, and any further, expansion of our international operations exposes us to risks that could have a material adverse effect on our business, operating results, and financial condition.
We are generating a growing portion of our revenue outside of the United States, and conduct our business activities in various foreign countries, including some emerging markets where we have limited experience, where
the challenges of conducting our business can be significantly different from those we have faced in more developed markets and where business practices may create internal control risks. There are certain risks inherent in conducting international business, including:
•fluctuations in foreign currency exchange rates, which could add volatility to our operating results;
•new, or changes in, regulatory requirements;
•uncertainty regarding regulation, currency, tax, and operations resulting from the United Kingdom’s, or the U.K. exit from the European Union, or the E.U., and possible disruptions in trade, the sale of our services and commerce, and movement of our people between the U.K., E.U., and other locations;
•tariffs, export and import restrictions, restrictions on foreign investments, sanctions, and other trade barriers or protection measures;
•we consider ourselves to be a processor under the GDPR/U.K. GDPR in some instances and a controller of personal data in other circumstances. For example, by expanding into the E.U. and U.K., we may also trigger Article 3(2) of the GDPR/U.K. GDPR as we may be considered to be monitoring data subjects. Additionally, where processing personal data on behalf of our E.U./U.K. customers or processing personal data of E.U./U.K. end users, we may be required to sign data processing agreements which comply with Article 28 of the GDPR/U.K. GDPR. Likewise, to the extent any of our E.U./U.K. entities directly contract with E.U./U.K. customers for the provision of services, we will be directly subject to the GDPR/U.K. GDPR as a processor when processing this personal data;
•costs of localizing products and services;
•lack of acceptance of localized products and services;
•the need to make significant investments in people, solutions and infrastructure, typically well in advance of revenue generation;
•challenges inherent in efficiently managing an increased number of employees over large geographic distances, including the need to implement appropriate systems, policies, benefits and compliance programs;
•difficulties in maintaining our corporate culture with a dispersed and distant workforce;
•treatment of revenue from international sources, evolving domestic and international tax environments, and other potential tax issues, including with respect to our corporate operating structure and intercompany arrangements;
•different or weaker protection of our intellectual property, including increased risk of theft of our proprietary technology and other intellectual property;
•economic weakness or currency-related crises;
•compliance with multiple, conflicting, ambiguous or evolving governmental laws and regulations, including employment, tax, privacy, anti-corruption, import/export, antitrust, data transfer, storage and protection, and industry-specific laws and regulations, including rules related to compliance by our third-party resellers and our ability to identify and respond timely to compliance issues when they occur, and regulations applicable to us and our third-party data providers from whom we purchase and resell syndicated data;
•vetting and monitoring our third-party resellers in new and evolving markets to confirm they maintain standards consistent with our brand and reputation;
•generally longer payment cycles and greater difficulty in collecting accounts receivable;
•our ability to adapt to sales practices and customer requirements in different cultures;
•the lack of reference customers and other marketing assets in regional markets that are new or developing for us, as well as other adaptations in our market generation efforts that we may be slow to identify and implement;
•dependence on certain third parties, including resellers with whom we do not have extensive experience;
•natural disasters, acts of war, terrorism, or pandemics, including the ongoing COVID-19 pandemic;
•corporate espionage; and
•political instability and security risks in the countries where we are doing business and changes in the public perception of governments in the countries where we operate or plan to operate.
We have undertaken, and might undertake, additional corporate operating restructurings that involve our group of foreign country subsidiaries through which we do business abroad. We consider various factors in evaluating these restructurings, including the alignment of our corporate legal entity structure with our organizational structure and its objectives, the operational and tax efficiency of our group structure, and the long-term cash flows and cash needs of our business. Such restructurings increase our operating costs, and if ineffectual, could increase our income tax liabilities and our global effective tax rate.
Tax laws are dynamic and subject to change as new laws are passed and new interpretations of the law are issued or applied. The U.S. enacted significant tax reform in December 2017, and we are continuing to evaluate its impact as new guidance and regulations are published. In addition, the Organization for Economic Co-operation and Development, or OECD, issued final action items or proposals related to its initiative to combat base erosion and profit shifting, or BEPS. The OECD urged its members to adopt the proposals to counteract the effects of taxpayers’ use of tax havens and preferential tax regimes globally. One BEPS proposal redefines a “permanent establishment” under treaty tax law, and changes how profits would be attributed to the permanent establishment. Some countries have incorporated the BEPS proposals into their laws and we expect other countries to follow suit, including the adoption of market-based, income sourcing provisions that assign a greater share of taxable income of a non-resident taxpayer to the country of its customer’s location than do traditional “arm’s length” income sourcing provisions. Some of the BEPS and related proposals, if enacted into law in the United States and in the foreign countries where we do business, could increase the burden and costs of our tax compliance. Moreover, such changes could increase the amount of taxes we incur in those jurisdictions, and in turn, increase our global effective tax rate.
We have experienced rapid growth in recent periods, and if we do not effectively manage our future growth, our business, operating results, and financial condition may be adversely affected.
We have experienced rapid revenue growth in recent periods, and we expect to continue to invest broadly across our organization to support our growth. For example, our headcount grew from over 540 employees as of July 31, 2020, to over 980 employees as of July 31, 2021. Although we have experienced rapid growth historically, we may not sustain our current growth rates, nor can we assure you that our investments to support our growth will be successful. The growth and expansion of our business will require us to invest significant financial and operational resources and the continuous dedication of our management team.
In addition, as we have grown, our number of customers has also increased significantly, and we have increasingly managed more complex deployments of our platform in more complex computing environments. The rapid growth and expansion of our business places a significant strain on our management, operational, and financial resources. To manage any future growth effectively, we must continue to improve and expand our information technology and financial infrastructure, our operating and administrative systems and controls, and our ability to manage headcount, capital, and processes in an efficient manner. Effectively managing our growth may also be more difficult to accomplish the longer that our employees must work remotely due to the COVID-19 pandemic.
If we continue to experience rapid growth, we may not be able to successfully implement or scale improvements to our systems, processes, and controls in an efficient or timely manner. In addition, our existing
systems, processes, and controls may not prevent or detect all errors, omissions, or fraud. We may also experience difficulties in managing improvements to our systems, processes, and controls or in connection with third-party software licensed to help us with such improvements. Any future growth will continue to add complexity to our organization and require effective coordination throughout our organization. Failure to manage any future growth effectively could result in increased costs, cause difficulty or delays in deploying new customers, reduce demand for our platform, cause difficulties in introducing new features or other operational difficulties, and any of these difficulties would adversely affect our business, operating results and financial condition.
Our sales cycles can be long and unpredictable, and our sales efforts require considerable time and expense.
Our revenue recognition is difficult to predict because of the length and unpredictability of the sales cycle for our platform, particularly with respect to large organizations and government entities. Customers often view the subscription to our platform as a significant strategic decision and, as a result, frequently require considerable time to evaluate, test and qualify our platform prior to entering into or expanding a relationship with us. Large enterprises and government entities in particular often undertake a significant evaluation process that further lengthens our sales cycle.
Our direct sales team develops relationships with our customers, and works with our channel partners on account penetration, account coordination, sales and overall market development. We spend substantial time and resources on our sales efforts without any assurance that our efforts will produce a sale. Security solution purchases are frequently subject to budget constraints, multiple approvals and unanticipated administrative, processing and other delays. As a result, it is difficult to predict whether and when a sale will be completed. The failure of our efforts to secure sales after investing resources in a lengthy sales process would adversely affect our business, operating results and financial condition.
The sales prices of our platform may decrease, or the mix of our sales may change, which may reduce our gross profits and adversely affect our financial results.
We have limited experience with respect to determining the optimal prices for our platform. As the market for endpoint security matures, or as new competitors introduce new products or services that are similar to or compete with ours, we may be unable to attract new customers at the same price or based on the same pricing model as we have used historically. Further, competition continues to increase in the market segments in which we participate, and we expect competition to further increase in the future, thereby leading to increased pricing pressures. Larger competitors with more diverse product and service offerings may reduce the price of products or services that compete with ours or may bundle them with other products and services. This could lead customers to demand greater price concessions or additional functionality at the same price levels. As a result, in the future we may be required to reduce our prices or provide more features without corresponding increases in price, which would adversely affect our business, operating results, and financial condition.
Because we recognize revenue from subscriptions to our platform over the term of the subscription, downturns or upturns in new business will not be immediately reflected in our operating results.
We generally recognize revenue from customers ratably over the term of their subscription, which is generally one to three years. As a result, a substantial portion of the revenue we report in each period is attributable to the recognition of deferred revenue relating to agreements that we entered into during previous periods. Consequently, any increase or decrease in new sales or renewals in any one period will not be immediately reflected in our revenue for that period. Any such change, however, would affect our revenue in future periods. Accordingly, the effect of downturns or upturns in new sales and potential changes in our rate of renewals will not be fully reflected in our operating results until future periods. We may also be unable to timely reduce our cost structure in line with a significant deterioration in sales or renewals that would adversely affect our business, operating results and financial condition.
We provide service level commitments under some of our customer contracts. If we fail to meet these contractual commitments, we could be obligated to provide partial refunds or our customers could be entitled to terminate their contracts and our business would suffer.
Certain of our customer agreements contain service level commitments, which contain specifications regarding the availability of our platform and our support services. Failure of or disruption to our infrastructure could impact the performance of our platform and the availability of services to customers. If we are unable to meet our stated service level commitments or if we suffer extended periods of poor performance or unavailability of our platform, we may be contractually obligated to provide affected customers with partial refunds or termination rights. To date, there has not been a material failure to meet our service level commitments, and we do not currently have any material liabilities accrued on our condensed consolidated balance sheets for such commitments. Our business, operating results and financial condition would be adversely affected if we suffer performance issues or downtime that exceeds the service level commitments under our agreements with our customers.
Our business is subject to the risks of warranty claims, product returns and product defects from real or perceived defects in our solutions or their misuse by our customers or third parties and indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
We may be subject to liability claims for damages related to errors or defects in our solution. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our platform will harm our business and operating results. Although we generally have limitation of liability provisions in our terms and conditions of sale, they may not fully or effectively protect us from claims as a result of federal, state or local laws or ordinances, or unfavorable judicial decisions in the United States or other countries. The sale and support of our platform also entails the risk of product liability claims.
Additionally, we typically provide indemnification to customers for certain losses suffered or expenses incurred as a result of third-party claims arising from our infringement of a third party’s intellectual property. We also provide unlimited liability for certain breaches of confidentiality, as defined in our terms of service. We also provide limited liability in the event of certain breaches of our terms of service. Certain of these contractual provisions survive termination or expiration of the applicable agreement. We have not to date received any indemnification claims from third parties. However, as we continue to grow, the possibility of these claims against us will increase.
If our customers or other third parties we do business with make intellectual property rights or other indemnification claims against us, we will incur significant legal expenses and may have to pay damages, license fees and/or stop using technology found to be in violation of the third party’s rights. We may also have to seek a license for the technology. Such license may not be available on reasonable terms, if at all, and may significantly increase our operating expenses or may require us to restrict our business activities and limit our ability to deliver certain solutions or features. We may also be required to develop alternative non-infringing technology, which could require significant effort and expense and/or cause us to alter our platform, which could harm our business. Large indemnity obligations, whether for intellectual property or in certain limited circumstances, other claims, would harm our business, operating results and financial condition.
Additionally, our platform may be used by our customers and other third parties who obtain access to our solutions for purposes other than for which our platform was intended.
Under certain circumstances our employees may have access to our customers’ platforms. An employee may take advantage of such access to conduct malicious activities. Any such misuse of our platform could result in negative press coverage and negatively affect our reputation, which could result in harm to our business, reputation and operating results.
We maintain insurance to protect against certain claims associated with the use of our platform, but our insurance coverage may not adequately cover any claim asserted against us. In addition, even claims that ultimately are unsuccessful could result in our expenditure of funds in litigation, divert management’s time and other resources, and harm our business and reputation. We have offered some of our customers a limited warranty, subject to certain conditions, and our potential liability under this warranty is provided by our insurance carrier to us. For example, in limited circumstances, we offer certain customers ransomware warranty in addition to their subscriptions, providing
coverage in the form of a limited monetary payment, if they are affected by a ransomware attack (as specified in our ransomware warranty agreement). The ransomware warranty coverage provides that we will pay $1,000 per endpoint affected by a ransomware-based breach subject to the terms and limitations of the warranty, and is further capped at $1 million for every consecutive 12 months in which the customer subscribes to the solutions with respect to the affected endpoint. Any failure or refusal of our insurance providers to provide the expected insurance benefits to us after we have paid the ransomware warranty claims would cause us to incur significant expense or cause us to cease offering this warranty which could damage our reputation, cause us to lose customers, expose us to liability claims by our customers, negatively impact our sales and marketing efforts, and have an adverse effect on our business, financial condition and operating results. Further, although the terms of the warranty do not allow those customers to use warranty claim payments to fund payments to persons on the U.S. Treasury Department’s Office of Foreign Assets Control, or OFAC, list of Specially Designated Nationals and Blocked Persons or who are otherwise subject to U.S. sanctions, we cannot assure you that all of our customers will comply with our warranty terms or refrain from taking actions, in violation of our warranty and applicable law.
Risks Related to our People
We rely on our management team and other key employees and will need additional personnel to grow our business, and the loss of one or more key employees or our inability to hire, integrate, train and retain qualified personnel, including members of our board of directors, could harm our business.
Our future success is dependent, in part, on our ability to hire, integrate, train, retain and motivate the members of our management team and other key employees throughout our organization. The loss of key personnel, including key members of our management team or members of our board of directors, as well as certain of our key marketing, sales, finance, support, product development, human resources, or technology personnel, could disrupt our operations and have an adverse effect on our ability to grow our business. In particular, we are highly dependent on the services of Tomer Weingarten, our co-founder, Chairman of the Board of Directors, President, and Chief Executive Officer, who is critical to the development of our technology, platform, future vision and strategic direction.
Competition for highly skilled personnel is intense, especially in the San Francisco Bay Area and in Israel, where we have a substantial presence and need for highly skilled personnel, and we may not be successful in hiring or retaining qualified personnel to fulfill our current or future needs. We have, from time to time, experienced, and we expect to continue to experience, difficulty in hiring and retaining highly skilled employees with appropriate qualifications. For example, in recent years, recruiting, hiring and retaining employees with expertise in the cybersecurity industry has become increasingly difficult as the demand for cybersecurity professionals has increased as a result of the recent cybersecurity attacks on global corporations and governments. Many of the companies with which we compete for experienced personnel have greater resources than we have. Our competitors also may be successful in recruiting and hiring members of our management team or other key employees, and it may be difficult for us to find suitable replacements on a timely basis, on competitive terms, or at all. We have in the past, and may in the future, be subject to allegations that employees we hire have been improperly solicited, or that they have divulged proprietary or other confidential information or that their former employers own such employees’ inventions or other work product, or that they have been hired in violation of non-compete provisions or non-solicitation provisions.
In addition, job candidates and existing employees often consider the value of the equity awards they receive in connection with their employment. If the perceived value of our equity or equity awards declines, it may adversely affect our ability to retain highly skilled employees. If we fail to attract new personnel or fail to retain and motivate our current personnel, our business and future growth prospects would be severely harmed. Further, our competitors may be successful in recruiting and hiring members of our management team or other key employees, and it may be difficult for us to find suitable replacements on a timely basis, on competitive terms, or at all. If we fail to attract new personnel or fail to retain and motivate our current personnel, our business and future growth prospects would be severely harmed.
If we do not effectively hire, integrate and train additional sales personnel, and expand our sales and marketing capabilities, we may be unable to increase our customer base and increase sales to our existing customers.
Our ability to increase our customer base and achieve broader market adoption of our platform will depend to a significant extent on our ability to continue to expand our sales and marketing operations. We plan to dedicate significant resources to sales and marketing programs and to expand our sales and marketing capabilities to target additional potential customers, but there is no guarantee that we will be successful in attracting and maintaining additional customers. If we are unable to find efficient ways to deploy our sales and marketing investments or if our sales and marketing programs are not effective, our business and operating results would be adversely affected.
Furthermore, we plan to continue expanding our sales force and there is significant competition for sales personnel with the skills and technical knowledge that we require. Our ability to achieve revenue growth will depend, in part, on our success in hiring, integrating, training and retaining sufficient numbers of sales personnel to support our growth, particularly in international markets. New hires require significant training and may take significant time before they achieve full productivity. Our recent hires and planned hires may not become productive as quickly as we expect, and we may be unable to hire or retain sufficient numbers of qualified individuals in the markets where we do business or plan to do business. If we are unable to hire and train a sufficient number of effective sales personnel, or the sales personnel we hire are not successful in obtaining new customers or increasing sales to our existing customer base, our business, operating results and financial condition will be adversely affected.
Any inability to maintain a high-quality customer support organization could lead to a lack of customer satisfaction, which could hurt our customer relationships and have a material adverse effect on our business, financial condition and operating results.
Once our platform is deployed within our customers’ computing environments, our customers rely on our technical support services to assist with service customization and optimization and to resolve certain issues relating to the implementation and maintenance of our platform. If we do not effectively assist our customers in deploying our platform, succeed in helping our customers quickly resolve technical issues, or provide effective ongoing support, our ability to sell additional products and services as part of our platform to existing customers would be adversely affected and our reputation with potential customers could be damaged.
In addition, our sales process is highly dependent on our product and business reputation and on positive recommendations from our existing customers. Any failure to maintain high-quality technical support, or a market perception that we do not maintain high-quality support, could adversely affect our reputation, our ability to sell our services to existing and prospective customers, and our business, operating results and financial condition.
We believe that our corporate culture has contributed to our success, and if we cannot maintain this culture as we grow, we could lose the innovation, creativity, and teamwork fostered by our culture, and our business may be harmed.
We believe that our corporate culture has been a key contributor to our success. If we do not continue to develop our corporate culture as we grow and evolve, it could harm our ability to foster the innovation, creativity, and teamwork that we believe is important to support our growth. As our organization grows and we are required to implement more complex organizational structures, we may find it increasingly difficult to maintain the beneficial aspects of our corporate culture, which could negatively impact our future success.
Risks Related to Our Intellectual Property
Our proprietary rights may be difficult to enforce, which could enable others to copy or use aspects of our platform without compensating us.
We rely primarily on patent, trademark, copyright and trade secrets laws, and confidentiality procedures and contractual provisions to protect our technology. Valid patents may not issue from our pending applications, and the claims eventually allowed on any patents may not be sufficiently broad to protect our technology or platform. Any issued patents may be challenged, invalidated or circumvented, and any rights granted under these patents may not actually provide adequate defensive protection or competitive advantages to us. Patent applications in the United
States are typically not published until at least 18 months after filing, or, in some cases, not at all, and publications of discoveries in industry-related literature lag behind actual discoveries. We cannot be certain that we were the first to make the inventions claimed in our pending patent applications or that we were the first to file for patent protection. Additionally, the process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner. In addition, recent changes to the patent laws in the United States may bring into question the validity of certain software patents and may make it more difficult and costly to prosecute patent applications. Such changes may lead to uncertainties or increased costs and risks surrounding the prosecution, validity, ownership, enforcement, and defense of our issued patents and patent applications and other intellectual property, the outcome of third-party claims of infringement, misappropriation, or other violation of intellectual property brought against us and the actual or enhanced damages (including treble damages) that may be awarded in connection with any such current or future claims, and could have a material adverse effect on our business, operating results, and financial condition.
Despite our efforts to protect our proprietary rights, unauthorized parties may attempt to copy aspects of our platform or obtain and use information that we regard as proprietary. We generally enter into confidentiality or license agreements with our employees, consultants, vendors and customers, and generally limit access to and distribution of our proprietary information. However, such agreements may not be enforceable in full or in part in all jurisdictions and any breach could have a negative effect on our business and our remedy for such breach may be limited. The contractual provisions that we enter into may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. As such, we cannot guarantee that the steps taken by us will prevent misappropriation of our technology. Policing unauthorized use of our technology or platform is difficult. In addition, the laws of some foreign countries do not protect our proprietary rights to as great an extent as the laws of the United States, and many foreign countries do not enforce these laws as diligently as government agencies and private parties in the United States. For example, many foreign countries limit the enforceability of patents against certain third parties, including government agencies or government contractors. In these countries, patents may provide limited or no benefit. Effective trade secret protection may also not be available in every country in which our products are available or where we have employees or independent contractors. The loss of trade secret protection could make it easier for third parties to compete with our products by copying functionality. In addition, any changes in, or unexpected interpretations of, the trade secret and employment laws in any country in which we operate may compromise our ability to enforce our trade secret and intellectual property rights. From time to time, legal action by us may be necessary to enforce our patents and other IP rights, to protect our trade secrets, to determine the validity and scope of the proprietary rights of others or to defend against claims of infringement or invalidity. Such litigation could result in substantial costs and diversion of resources and could negatively affect our business, operating results and financial condition. If we are unable to protect our proprietary rights (including aspects of our software and platform protected other than by patent rights), we will find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and effort required to create our platform and other innovative products that have enabled us to be successful to date. Moreover, we may need to expend additional resources to defend our intellectual property rights in foreign countries, and our inability to do so could impair our business or adversely affect our international expansion.
Third parties may claim that our platform infringes their intellectual property rights and this may create liability for us or otherwise adversely affect our business, operating results and financial condition.
Third parties may claim that our current or future products and services infringe their intellectual property rights, and such claims may result in legal claims against our channel partners, our alliance partners, our customers and us. These claims may damage our brand and reputation, harm our customer relationships, and create liability for us. We expect the number of such claims to increase as the number of products and services and the level of competition in our market grows, as the functionality of our platform overlaps with that of other products and services, and as the volume of issued software patents and patent applications continues to increase. We generally agree in our customer contracts to indemnify customers for certain expenses or liabilities they incur as a result of third-party intellectual property infringement claims associated with our platform. To the extent that any claim arises as a result of third-party technology we have licensed for use in our platform, we may be unable to recover from the appropriate third party any expenses or other liabilities that we incur.
Companies in the software and technology industries, including some of our current and potential competitors, own large numbers of patents, copyrights, trademarks, and trade secrets and frequently enter into litigation based on allegations of infringement or other violations of intellectual property rights. In addition, many of these companies have the capability to dedicate substantially greater resources to enforce their intellectual property rights and to defend claims that may be brought against them. Furthermore, patent holding companies, non-practicing entities, and other adverse patent owners that are not deterred by our existing intellectual property protections may seek to assert patent claims against us. From time to time, third parties, including certain of these leading companies, have invited us to license their patents and may, in the future, assert patent, copyright, trademark, or other intellectual property rights against us, our channel partners, our alliance partners, or our customers. We have received, and may in the future receive, notices that claim we have misappropriated, misused, or infringed other parties’ intellectual property rights, and, to the extent we gain greater market visibility, we face a higher risk of being the subject of intellectual property infringement claims, which is not uncommon with respect to the enterprise software market. For example, we recently received a letter from International Business Machines Corporation, or IBM, alleging that we infringe on three U.S. patents held by IBM. To date, no litigation has been filed by IBM against us regarding the IBM patents. Based upon our preliminary review of these patents, we believe we have meritorious defenses to IBM’s allegations, although there can be no assurance that IBM will refrain from suing us, or that we will be successful in defending against these allegations or reaching a business resolution that is satisfactory to us.
There may be third-party intellectual property rights, including issued or pending patents, that cover significant aspects of our technologies or business methods. We may also face exposure to third-party intellectual property infringement, misappropriation, or violation actions if we engage software engineers or other personnel who were previously engaged by competitors or other third parties and those personnel inadvertently or deliberately incorporate proprietary technology of third parties into our products. In addition, we may lose valuable intellectual property rights or personnel. A loss of key personnel or their work product could hamper or prevent our ability to develop, market, and support potential products or enhancements, which could severely harm our business. Any intellectual property claims, with or without merit, could be very time-consuming, could be expensive to settle or litigate, and could divert our management’s attention and other resources. These claims could also subject us to significant liability for damages, potentially including treble damages if we are found to have willfully infringed patents or copyrights, and may require us to indemnify our customers for liabilities they incur as a result of such claims. These claims could also result in our having to stop using technology found to be in violation of a third party’s rights. We might be required to seek a license for the intellectual property, which may not be available on reasonable terms or at all. Even if a license were available, we could be required to pay significant royalties, which would increase our operating expenses. Alternatively, we could be required to develop alternative non-infringing technology, which could require significant time, effort, and expense, and may affect the performance or features of our platform. If we cannot license or develop alternative non-infringing substitutes for any infringing technology used in any aspect of our business, we would be forced to limit or stop sales of our platform and may be unable to compete effectively. Any of these results would adversely affect our business, operating results and financial condition.
We license technology from third parties, and our inability to maintain those licenses could harm our business.
We currently incorporate, and will in the future incorporate, technology that we license from third parties, including software, into our solutions. Licensing technologies from third parties exposes us to increased risk of being the subject of intellectual property infringement due to, among other things, our lower level of visibility into the development process with respect to such technology and the care taken to safeguard against infringement risks. We cannot be certain that our licensors do not or will not infringe on the intellectual property rights of third parties or that our licensors have or will have sufficient rights to the licensed intellectual property in all jurisdictions in which we may sell our platform. Some of our agreements with our licensors may be terminated by them for convenience, or otherwise provide for a limited term. If we are unable to continue to license technology because of intellectual property infringement claims brought by third parties against our licensors or against us, or if we are unable to continue our license agreements or enter into new licenses on commercially reasonable terms, our ability to develop and sell solutions and services containing or dependent on that technology would be limited, and our business could be harmed. Additionally, if we are unable to license technology from third parties, we may be forced to acquire or develop alternative technology, which we may be unable to do in a commercially feasible manner, or at
all, and may require us to use alternative technology of lower quality or performance standards. This could limit or delay our ability to offer new or competitive solutions and increase our costs. As a result, our business, operating results and financial condition would be adversely affected.
Some of our technology incorporates “open source” software, which could negatively affect our ability to sell our platform and subject us to possible litigation.
Our platform contains third-party open source software components, and failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our products and subscriptions. The use and distribution of open source software may entail greater risks than the use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our products to conditions we do not intend, many of the risks associated with use of open source software cannot be eliminated and could negatively affect our business. In addition, the wide availability of source code used in our solutions could expose us to security vulnerabilities.
Some open source licenses contain requirements that we make available source code for modifications or derivative works we create based upon the type of open source software we use. If we combine our proprietary software with open source software in a certain manner, we could, under certain open source licenses, be required to release the source code of our proprietary software to the public, including authorizing further modification and redistribution, or otherwise be limited in the licensing of our services, each of which could provide an advantage to our competitors or other entrants to the market, create security vulnerabilities in our solution, require us to re-engineer all or a portion of our platform, and reduce or eliminate the value of our services. This would allow our competitors to create similar products with lower development effort and time and ultimately could result in a loss of sales for us.
The terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in ways that could impose unanticipated conditions or restrictions on our ability to commercialize products and subscriptions incorporating such software. Moreover, we cannot assure you that our processes for controlling our use of open source software in our products and subscriptions will be effective. From time to time, we may face claims from third parties asserting ownership of, or demanding release of, the open source software or derivative works that we developed using such software (which could include our proprietary source code), or otherwise seeking to enforce the terms of the applicable open source license. These claims could result in litigation. Litigation could be costly for us to defend, have a negative effect on our operating results and financial condition, or require us to devote additional research and development resources to change our solution. Responding to any infringement or noncompliance claim by an open source vendor, regardless of its validity, discovering certain open source software code in our platform, or a finding that we have breached the terms of an open source software license, could harm our business, operating results and financial condition, by, among other things:
•resulting in time-consuming and costly litigation;
•diverting management’s time and attention from developing our business;
•requiring us to pay monetary damages or enter into royalty and licensing agreements that we would not normally find acceptable;
•causing delays in the deployment of our platform or service offerings to our customers;
•requiring us to stop offering certain services or features of our platform;
•requiring us to redesign certain components of our platform using alternative non-infringing or non-open source technology, which could require significant effort and expense;
•requiring us to disclose our software source code and the detailed program commands for our software; and
•requiring us to satisfy indemnification obligations to our customers.
Risks Related to Legal and Regulatory Matters
We are subject to laws and regulations, including governmental export and import controls, sanctions and anti-corruption laws, that could impair our ability to compete in our markets and subject us to liability if we are not in full compliance with applicable laws.
We are subject to laws and regulations, including governmental export controls, that could subject us to liability or impair our ability to compete in our markets. Our platform and related technology is subject to U.S. export controls, including the U.S. Department of Commerce’s Export Administration Regulations, and we and our employees, representatives, contractors, agents, intermediaries and other third parties are also subject to various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control, or OFAC. We incorporate standard encryption algorithms into our platform, which, along with the underlying technology, may be exported outside of the U.S. only with the required export authorizations, including by license, license exception or other appropriate government authorizations, which may require the filing of an encryption registration and classification request. We also offer certain customers a ransomware warranty in addition to their subscriptions, providing coverage in the form of a limited monetary payment, if they are affected by a ransomware attack (as specified in our ransomware warranty agreement), and though the terms of the warranty do not allow those customers to use warranty claim payments to fund payments to persons on OFAC’s list of Specially Designated Nationals and Blocked Persons or who are otherwise subject to U.S. sanctions, we cannot assure you that all of our customers will comply with our warranty terms or refrain from taking actions, in violation of our warranty and applicable law. Furthermore, U.S. export control laws and economic sanctions prohibit the shipment of certain cloud-based solutions to countries, governments and persons targeted by U.S. sanctions. We also collect information about cyber threats from open sources, intermediaries and third parties that we make available to our customers in our threat industry publications. While we have implemented certain procedures to facilitate compliance with applicable laws and regulations in connection with the collection of this information, we cannot assure you that these procedures have been effective or that we, or third parties who we do not control, have complied with all laws or regulations in this regard. Failure by our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties to comply with applicable laws and regulations in the collection of this information also could have negative consequences to us, including reputational harm, government investigations and penalties.
Although we take precautions to prevent our information collection practices and services from being provided in violation of such laws, our information collection practices and services may have been in the past, and could in the future be, provided in violation of such laws. If we or our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties fail to comply with these laws and regulations, we could be subject to civil or criminal penalties, including the possible loss of export privileges and fines. We may also be adversely affected through reputational harm, loss of access to certain markets or otherwise. Obtaining the necessary authorizations, including any required license, for a particular transaction may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities.
Various countries regulate the import of certain encryption technology, including through import permit and license requirements, and have enacted laws that could limit our ability to distribute our platform or could limit our customers’ ability to implement our platform in those countries. Changes in our platform or changes in export and import regulations may create delays in the introduction of our platform into international markets, prevent our customers with international operations from deploying our platform globally or, in some cases, prevent the export or import of our platform to certain countries, governments or persons altogether. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our platform by, or in our decreased ability to export or sell our platform to, existing or potential customers with international operations. Any decreased use of our platform or limitation on our ability to export or sell our platform would adversely affect our business, operating results and financial condition.
We are also subject to the United States Foreign Corrupt Practices Act of 1977, as amended, or the FCPA, the United Kingdom Bribery Act 2010, or the Bribery Act, and other anti-corruption, sanctions, anti-bribery, anti-money laundering and similar laws in the United States and other countries in which we conduct activities. Anti-corruption
and anti-bribery laws, which have been enforced aggressively and are interpreted broadly, prohibit companies and their employees, agents, intermediaries and other third parties from promising, authorizing, making or offering improper payments or other benefits to government officials and others in the private sector. We leverage third parties, including intermediaries, agents and channel partners, to conduct our business in the United States and abroad, to sell subscriptions to our platform and to collect information about cyber threats. We and these third parties may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and we may be held liable for the corrupt or other illegal activities of these third-party business partners and intermediaries, our employees, representatives, contractors, channel partners, agents, intermediaries and other third parties, even if we do not explicitly authorize such activities. While we have policies and procedures to address compliance with FCPA, Bribery Act and other anti-corruption, sanctions, anti-bribery, anti-money laundering and similar laws, we cannot assure you that they will be effective, or that all of our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties have not taken, or will not take actions, in violation of our policies and applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase. Noncompliance with these laws could subject us to investigations, severe criminal or civil sanctions, settlements, prosecution, loss of export privileges, suspension or debarment from U.S. government contracts, other enforcement actions, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, whistleblower complaints, adverse media coverage and other consequences. Any investigations, actions or sanctions could harm our reputation, business, operating results and financial condition.
If we fail to adequately protect personal information or other information we process or maintain, our business, financial condition and operating results could be adversely affected.
We receive, store, and process personal information from our employees, customers, and the employees of our customers, our end users. A wide variety of state, national, and international laws, as well as regulations and industry standards apply to the collection, use, retention, protection, disclosure, transfer and other processing of personal information and other information, the scope of which are changing, subject to differing interpretations, and may be inconsistent across countries or conflict with other rules. Additionally, laws, regulations, and standards covering marketing and advertising activities conducted by telephone, email, mobile devices, and the internet, may be applicable to our business, such as the Controlling the Assault of Non-Solicited Pornography And Marketing Act, or CAN-SPAM, and similar state consumer protection laws. Evolving and changing definitions of personal data and personal information within the E.U., the U.S., and elsewhere, may limit or inhibit our ability to operate or expand our business. Data protection and privacy-related laws and regulations are evolving and may result in ever increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions.
With respect to E.U. and U.K. employees, contractors and other personnel, as well as for our customers’ and prospective customers’ personal data, such as contact information, we are subject to the E.U. General Data Protection Regulation, or the GDPR, and the U.K. General Data Protection Regulation and U.K. Data Protection Act 2018, or the U.K. GDPR, respectively. We are a controller with respect to this data.
Additionally, by expanding into the E.U. and U.K., we may also trigger Article 3(2) of the GDPR/U.K. GDPR directly as we may be considered to be monitoring data subjects. To the extent we process personal data on behalf of our customers for the provision of services, we may also be required to enter into data processing agreements which comply with Article 28 of the GDPR/U.K. GDPR.
The GDPR/U.K. GDPR imposes more stringent data protection requirements than previously effective data protection law and, where we are acting as a controller, includes requirements to provide detailed disclosures about how personal data is collected and processed (in a concise, intelligible and easily accessible form); demonstrating that an appropriate legal basis is in place or otherwise exists to justify data processing activities; granting new rights for data subjects in regard to their personal data (including the right to be “forgotten” and the right to data portability), as well as enhancing data subject rights, such as data subject access requests; introducing the obligation to notify data protection regulators or supervisory authorities (and in certain cases, affected individuals) of significant data breaches; defining for the first time pseudonymized (key-coded) data; imposing limitations on retention of personal data; maintaining a record of data processing; and complying with the principal of accountability and the obligation to demonstrate compliance through policies, procedures, training and audit. Where
we act as a processor and process personal data on behalf of our customers, we are required to execute mandatory data processing clauses with those customers. The GDPR/U.K. GDPR provides for penalties for noncompliance of up to the greater of €20 million or 4% of worldwide annual revenues (in the case of the GDPR) or £17 million and 4% of worldwide annual revenue (in the case of the U.K. GDPR). As we are required to comply with both the GDPR and the U.K. GDPR, we could be subject to parallel enforcement actions with respect to breaches of the GDPR/U.K. GDPR which affect both E.U. and U.K. data subjects. In addition to the foregoing, a breach of the GDPR or U.K. GDPR could result in regulatory investigations, reputational damage, orders to cease or change our processing of our data, enforcement notices, and/or assessment notices (for a compulsory audit). We may also face civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, diversion of internal resources, and reputational harm.
The GDPR and U.K. GDPR requires, among other things, that personal information only be transferred outside of the European Economic Area, or the EEA, or the U.K., respectively to jurisdictions that have been deemed adequate by the European Commission or by the U.K. data protection regulator, respectively. Accordingly, personal information may not be transferred to those jurisdictions that have not been deemed adequate, which at the present time, includes the United States, unless steps are taken to legitimize those data transfers. Recent legal developments in the E.U. have created complexity and uncertainty regarding such transfers. For example, on July 16, 2020, the European Court of Justice, or the CJEU, invalidated the E.U.-U.S. Privacy Shield framework, or the Privacy Shield, upon which we relied to provide a mechanism for the transfer of data from E.U. Member States to the United States, on the grounds that the Privacy Shield failed to offer adequate protections to E.U. personal information transferred to the United States. Further, the CJEU also advised that the Standard Contractual Clauses (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism and potential alternative to the Privacy Shield) may not be alone sufficient to protect data transferred to the United States or other Third Countries under certain circumstances. Use of the data transfer mechanisms must now be assessed on a case-by-case basis taking into account the legal regime applicable in the destination country, in particular applicable surveillance laws and rights of individuals, and additional measures and/or contractual provisions may need to be put in place. The CJEU also stated that if a competent supervisory authority believes that the standard contractual clauses cannot be complied with in the destination country and that the required level of protection cannot be secured by other means, such supervisory authority is under an obligation to suspend or prohibit that transfer. We previously relied on our own, as well as our vendors’, Privacy Shield certification for the purposes of transferring personal data from the EEA to the United States in compliance with the GDPR/U.K. GDPR’s data export conditions. These recent developments require us to review and amend the legal mechanisms by which we make or receive personal data transfers to the United States and we may need to implement additional safeguards, such as Standard Contractual Clauses, to further enhance the security of data transferred out of the EEA and the U.K., which could increase our compliance costs, expose us to further regulatory scrutiny and liability, and adversely affect our business.
Further, on June 4, 2021, the European Commission finalized new versions of the Standard Contractual Clauses, with the Implementing Decision now in effect as of June 27, 2021. Under the Implementing Decision, we will have until December 27, 2022 to update any existing agreements, or any new agreements executed before September 27, 2021 that rely on Standard Contractual Clauses as the data transfer mechanism. To comply with the Implementing Decision and the new Standard Contractual Clauses, we may need to implement additional safeguards to further enhance the security of data transferred out of the EEA, which could increase our compliance costs, expose us to further regulatory scrutiny and liability, and adversely affect our business. In addition, the U.K.’s withdrawal from the E.U. means that the U.K. will become a “third country” for the purposes of data transfers from the E.U. to the U.K. following the expiration of the six-month personal data transfer grace period (from January 1, 2021) set out in the E.U. and U.K. Trade and Cooperation Agreement, unless a relevant adequacy decision is adopted in favor of the U.K. (which would allow data transfers without additional measures). The European Commission issued a draft adequacy decision for personal information transfers from the EEA to the U.K. in February 2021. Although the European Data Protection Board, or EDPB, issued an opinion generally supportive of the draft adequacy decision, the EDPB urged further assessment of certain issues and continued monitoring of developments in U.K. law. If this adequacy decision is not passed by representatives from each of the E.U. member states, we must implement protection measures such as the Standard Contractual Clauses for data transfers between the E.U. and the U.K. or
find alternative solutions for the compliant transfer of personal data from the E.U. into the U.K. As supervisory authorities continue to issue further guidance on personal information (including regarding data export and circumstances in which we cannot use the standard contractual clauses), we could suffer additional costs, complaints, or regulatory investigations or fines, and if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results. Loss, retention or misuse of certain information and alleged violations of laws and regulations relating to privacy and data security, and any relevant claims, may expose us to potential liability and may require us to expend significant resources on data security and in responding to and defending such allegations and claims.
We are also subject to evolving E.U. and U.K. privacy laws on cookies and e-marketing. In the E.U. and the U.K., regulators are increasingly focusing on compliance with requirements in the online behavioral advertising ecosystem, and current national laws that implement the ePrivacy Directive are highly likely to be replaced by an E.U. regulation known as the ePrivacy Regulation which will significantly increase fines for non-compliance. In the E.U. and the U.K., informed consent is required for the placement of a cookie or similar technologies on a user’s device and for direct electronic marketing. The GDPR also imposes conditions on obtaining valid consent, such as a prohibition on pre-checked consents and a requirement to ensure separate consents are sought for each type of cookie or similar technology. While the text of the ePrivacy Regulation is still under development, a recent European court decision and regulators’ recent guidance are driving increased attention to cookies and tracking technologies. If regulators start to enforce the strict approach in recent guidance, this could lead to substantial costs, require significant systems changes, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, adversely affect our margins, increase costs and subject us to additional liabilities. Regulation of cookies and similar technologies, and any decline of cookies or similar online tracking technologies as a means to identify and potentially target users, may lead to broader restrictions and impairments on our marketing and personalization activities and may negatively impact our efforts to understand users.
We depend on a number of third parties in relation to the operation of our business, a number of which process personal data on our behalf or as our sub-processor. To the extent required by applicable law, we attempt to mitigate the associated risks of using third parties by performing security assessments and detailed due diligence, entering into contractual arrangements to ensure that providers only process personal data according to our instructions or comparable instructions to the instructions of our customer (as applicable), and that they have sufficient technical and organizational security measures in place. Where we transfer personal data outside the E.U. or the U.K. to such third parties, we do so in compliance with the relevant data export requirements, as described above. There is no assurance that these contractual measures and our own privacy and security-related safeguards will protect us from the risks associated with the third-party processing, storage and transmission of such information. Any violation of data or security laws by our third-party processors could have a material adverse effect on our business and result in the fines and penalties under the GDPR and the UK GDPR outlined above.
In the United States, state and federal lawmakers and regulatory authorities have increased their attention on the collection and use of consumer data. In the United States, non-sensitive consumer data generally may be used under current rules and regulations, subject to certain restrictions, so long as the person does not affirmatively “opt-out” of the collection or use of such data. If an “opt-in” model or additional required “opt-outs” were more readily adopted in the United States, less data may be available, and the cost of data likely would increase. For example, California recently enacted the CCPA, which became operative on January 1, 2020 and became enforceable by California Attorney General on July 1, 2020. Since, the CCPA has been amended on multiple occasions with additional regulations coming into force on August 14, 2020 with more recent amendments on March 15, 2021. Additionally, although not effective until January 1, 2023, the California Privacy Rights Act, or the CPRA, which expands upon the CCPA, was passed in the recent election on November 3, 2020. The CCPA requires (and the CPRA will require) covered companies to, among other things, provide new disclosures to California consumers, and affords such consumers new privacy rights such as the ability to opt-out of certain sales of personal information and expanded rights to access and require deletion of their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is collected, used and shared. The CCPA provides for civil penalties for violations, as well as a private right of action for security breaches that may increase security breach litigation. The CPRA creates obligations relating to consumer data beginning on January 1, 2022,
with enforcement beginning on July 1, 2023. Potential uncertainty surrounding the CCPA and CPRA may increase our compliance costs and potential liability, particularly in the event of a data breach, and could have a material adverse effect on our business, including how we use personal information, our financial condition, and the results of our operations or prospects. For example, the California Attorney General announcement on July 19, 2021 offered insight into how that office will seek to enforce the CCPA and what may constitute legal liability, inferring that CCPA remains subject to varying interpretations by the Attorney General until final regulations are promulgated by the independent California Privacy Protection Agency established under the CPRA. The CCPA has also prompted a number of proposals for new federal and state privacy legislation that, if passed, could increase our potential liability, increase our compliance costs and adversely affect our business.
Further, Virginia enacted the Virginia Consumer Data Protection Act, or the CDPA, which is another comprehensive state privacy law, that will also be effective January 1, 2023, while Colorado recently enacted its Colorado Privacy Act, or CPA, in July 2021 which will be effective July 1, 2023. The CCPA, CPRA, CDPA, and CPA may increase our compliance costs and potential liability, particularly in the event of a data breach, and could have a material adverse effect on our business, including how we use personal information, our financial condition, the results of our operations or prospects.
New worldwide data protection laws, including the aforementioned U.S. and European jurisdictions, may lead to ever changing definitions of personal information and other sensitive information which may also limit or inhibit our ability to operate or expand our business, including limiting strategic partnerships that may involve the sharing of data. Notably some foreign jurisdictions require that certain types of data be retained on servers within these respective jurisdictions. Our failure to comply with applicable laws, directives, and regulations may result in enforcement action against us, including fines, and damage to our reputation, any of which may have an adverse effect on our business and operating results.
We generally seek to comply with industry standards and are subject to the terms of our privacy policies and privacy-related obligations to third parties. We strive to comply with all applicable laws, policies, legal obligations and industry codes of conduct relating to privacy and data protection to the extent possible. However, it is possible that these obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. Any failure or perceived failure by us, even if unfounded, to comply with applicable privacy and data security laws and regulations, our privacy policies, or our privacy-related obligations to users or other third parties, or any compromise of security that results in the unauthorized release or transfer of personal information or other customer data, may result in governmental enforcement actions, litigation, or public statements against us by consumer advocacy groups or others and could cause our users to lose trust in us, which would have an adverse effect on our reputation and business. For example, in 2017, we reached a consent agreement with the Federal Trade Commission, or the FTC, to resolve an investigation relating to certain disclosures in our privacy policy. The consent agreement requires us, among other things, to provide information about our compliance with the FTC order and about representations made in our marketing materials. We have remedied the matter that led to the FTC order and implemented controls designed to prevent similar issues in the future, and have not received any inquiries from the FTC to date. However, we may be subject to future investigations and legal proceedings by the FTC or other regulators. It is possible that a regulatory inquiry might result in changes to our policies or business practices. Violation of existing or future regulatory orders or consent decrees could subject us to substantial monetary fines and other penalties that could negatively affect our financial condition and operating results. In addition, it is possible that future orders issued by, or enforcement actions initiated by, regulatory authorities could cause us to incur substantial costs or require us to change our business practices in a manner materially adverse to our business.
Any significant change to applicable laws, regulations or industry practices regarding the use or disclosure of our users’ data, or regarding the manner in which the express or implied consent of users for the use and disclosure of such data is obtained – or in how these applicable laws, regulations or industry practices are interpreted and enforced by state, federal and international privacy regulators – could require us to modify our services and features, possibly in a material manner, may subject us to regulatory enforcement actions and fines, and may limit our ability to develop new services and features that make use of the data that our users voluntarily share with us.
We may become involved in litigation that may adversely affect us.
From time to time, we have been subject to claims, suits and other proceedings. For example, we are currently the subject of litigation with Cylance, Inc. For additional information regarding this litigation, see the section titled “Part II—Legal Proceedings.” Regardless of the outcome, legal proceedings can have an adverse impact on us because of legal costs and diversion of management attention and resources, and could cause us to incur significant expenses or liability, adversely affect our brand recognition or require us to change our business practices. The expense of litigation and the timing of this expense from period to period are difficult to estimate, subject to change and could adversely affect our business, operating results and financial condition. It is possible that a resolution of one or more such proceedings could result in substantial damages, settlement costs, fines and penalties that would adversely affect our business, consolidated financial condition, operating results or cash flows in a particular period. These proceedings could also result in reputational harm, sanctions, consent decrees or orders requiring a change in our business practices. Because of the potential risks, expenses and uncertainties of litigation, we may, from time to time, settle disputes, even where we have meritorious claims or defenses, by agreeing to settlement agreements. Because litigation is inherently unpredictable, we cannot assure you that the results of any of these actions will not have a material adverse effect on our business, financial condition, operating results and prospects. Any of these consequences could adversely affect our business, operating results and financial condition.
Risks Related to Financial and Accounting Matters
If we fail to maintain an effective system of internal controls, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
We are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, and the rules and regulations of the applicable listing standards of the New York Stock Exchange, or the NYSE. We expect that the requirements of these rules and regulations will continue to increase our legal, accounting, and financial compliance costs, make some activities more difficult, time-consuming, and costly, and place significant strain on our personnel, systems, and resources.
The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. We are continuing to develop and refine our disclosure controls, internal control over financial reporting and other procedures that are designed to ensure information required to be disclosed by us in our financial statements and in the reports that we will file with the SEC is recorded, processed, summarized and reported within the time periods specified in SEC rules and forms, and information required to be disclosed in reports under the Exchange Act is accumulated and communicated to our principal executive and financial officers.
Our current controls and any new controls we develop may become inadequate because of changes in conditions in our business. Additionally, to the extent we acquire other businesses, the acquired company may not have a sufficiently robust system of internal controls and we may uncover new deficiencies. Further, weaknesses in our internal controls may be discovered in the future. Any failure to develop or maintain effective controls, or any difficulties encountered in their implementation or improvement, could harm our operating results, may result in a restatement of our financial statements for prior periods, cause us to fail to meet our reporting obligations, and could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we are required to include in the periodic reports we will file with the SEC. However, while we remain an “emerging growth company,” we will not be required to include an attestation report on internal control over financial reporting issued by our independent registered public accounting firm. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the market price of our Class A common stock. We are not currently required to comply with the SEC rules that implement Sections 302 and 404 of the Sarbanes-Oxley Act, and we are therefore not required to make a formal assessment of the effectiveness of our internal control over financial reporting for that purpose.
Being a public company, and particularly after we are no longer an “emerging growth company,” requires significant resources and management oversight. As a result, management’s attention may be diverted from other business concerns, which could harm our business, financial condition and operating results.
We are an “emerging growth company” and the reduced disclosure requirements applicable to emerging growth companies may make our Class A common stock less attractive to investors.
We are an “emerging growth company” as defined in the JOBS Act. For as long as we continue to be an emerging growth company, we may take advantage of exemptions from various reporting requirements that are applicable to other public companies that are not emerging growth companies, including (i) not being required to comply with the auditor attestation requirements of the Sarbanes-Oxley Act, (ii) reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements and (iii) exemptions from the requirements of holding nonbinding advisory stockholder votes on executive compensation and stockholder approval of any golden parachute payments not approved previously. We currently intend to take advantage of the exemptions previously listed.
We could be an emerging growth company for up to five fiscal years following the completion of our IPO. However, certain circumstances could cause us to lose that status earlier, including the date on which we are deemed to be a “large accelerated filer,” under applicable SEC rules, if we have total annual gross revenue of $1.07 billion or more, or if we issue more than $1.0 billion in non-convertible debt during any three-year period before that time.
Under the JOBS Act, emerging growth companies can also delay adopting new or revised accounting standards until such time as those standards apply to private companies. We have elected to take advantage of the benefits of this extended transition period. Accordingly, our financial statements may therefore not be comparable to those of companies that comply with such new or revised accounting standards. Until the date that we are no longer an “emerging growth company” or affirmatively and irrevocably opt out of the exemption provided by Section 7(a)(2)(B) of the Securities Act, upon issuance of a new or revised accounting standard that applies to our financial statements and that has a different effective date for public and private companies, we will disclose the date on which adoption is required for non-emerging growth companies and the date on which we will adopt the recently issued accounting standard.
We incur significant costs and management resources as a result of operating as a public company.
As a public company, we incur significant legal, accounting, compliance and other expenses that we did not incur as a private company and these expenses will increase even more after we are no longer an “emerging growth company.” Our management and other personnel devote a substantial amount of time and incur significant expense in connection with compliance initiatives. For example, in becoming a public company, we adopted additional internal controls and disclosure controls and procedures, retained a transfer agent and adopted an insider trading policy. As a public company, we bear all of the internal and external costs of preparing and distributing periodic public reports in compliance with our obligations under the securities laws.
In addition, regulations and standards relating to corporate governance and public disclosure, including the Sarbanes-Oxley Act, and the related rules and regulations implemented by the SEC and the NYSE have increased legal and financial compliance costs and will make some compliance activities more time-consuming. We have invested and intend to continue to invest resources to comply with evolving laws, regulations and standards, and this investment has resulted in and will continue to result in increased general and administrative expenses and may divert management’s time and attention from our other business activities. If our efforts to comply with new laws, regulations and standards differ from the activities intended by regulatory or governing bodies due to ambiguities related to practice, regulatory authorities may initiate legal proceedings against us, and our business may be harmed. In connection with our IPO, we increased our directors’ and officers’ insurance coverage, which increased our insurance related costs.m In the future, it may be more expensive or more difficult for us to obtain director and officer liability insurance, and we may be required to accept reduced coverage or incur substantially higher costs to obtain coverage. These factors would also make it more difficult for us to attract and retain qualified members of our board of directors, particularly to serve on our audit committee and compensation committee, and qualified executive officers.
Future acquisitions, strategic investments, partnerships or alliances could be difficult to identify and integrate, divert the attention of key management personnel, disrupt our business, dilute stockholder value and adversely affect our business, operating results and financial condition.
As part of our business strategy, we have in the past and expect to continue to make investments in and/or acquire complementary companies, services or technologies. For example, in February 2021, we acquired Scalyr, a data analytics firm. Our ability as an organization to acquire and integrate other companies, services or technologies in a successful manner in the future is not guaranteed. We may not be able to find suitable acquisition candidates, and we may not be able to complete such acquisitions on favorable terms, if at all. Our due diligence efforts may fail to identify all of the problems, liabilities or other shortcomings or challenges involved in an acquisition. If we do complete acquisitions, we may not ultimately strengthen our competitive position or ability to achieve our business objectives, and any acquisitions we complete could be viewed negatively by our end customers or investors. In addition, if we are unsuccessful at integrating such acquisitions, or the technologies associated with such acquisitions, into our company, the revenue and operating results of the combined company could be adversely affected. Any integration process may require significant time and resources, and we may not be able to manage the process successfully. We may not successfully evaluate or utilize the acquired technology or personnel, or accurately forecast the financial impact of an acquisition transaction, including accounting charges. We may have to pay cash, incur debt or issue equity securities to pay for any such acquisition, each of which could adversely affect our financial condition and the market price of our Class A common stock. The sale of equity or issuance of debt to finance any such acquisitions could result in dilution to our stockholders. The incurrence of indebtedness would result in increased fixed obligations and could also include covenants or other restrictions that would impede our ability to manage our operations.
Additional risks we may face in connection with acquisitions include:
•diversion of management time and focus from operating our business to addressing acquisition integration challenges;
•coordination of research and development and sales and marketing functions;
•integration of product and service offerings;
•retention of key employees from the acquired company;
•changes in relationships with strategic partners as a result of product acquisitions or strategic positioning resulting from the acquisition;
•cultural challenges associated with integrating employees from the acquired company into our organization;
•integration of the acquired company’s accounting, management information, human resources and other administrative systems;
•the need to implement or improve controls, procedures and policies at a business that prior to the acquisition may have lacked sufficiently effective controls, procedures and policies;
•additional legal, regulatory or compliance requirements;
•financial reporting, revenue recognition or other financial or control deficiencies of the acquired company that we don’t adequately address and that cause our reported results to be incorrect;
•liability for activities of the acquired company before the acquisition, including intellectual property infringement claims, violations of laws, commercial disputes, tax liabilities and other known and unknown liabilities;
•unanticipated write-offs or charges; and
•litigation or other claims in connection with the acquired company, including claims from terminated employees, customers, former stockholders or other third parties.
Our failure to address these risks or other problems encountered in connection with acquisitions and investments could cause us to fail to realize the anticipated benefits of these acquisitions or investments, cause us to incur unanticipated liabilities, and harm our business generally.
We could be subject to additional tax liabilities and United States federal income tax reform could adversely affect us.
We are subject to U.S. federal, state, local and sales taxes in the United States and foreign income taxes, withholding taxes and transaction taxes in numerous foreign jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for income taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain. In addition, our future income tax obligations could be adversely affected by changes in, or interpretations of, tax laws in the United States or in other jurisdictions in which we operate.
For example, in December 2017, the United States adopted new tax law legislation commonly referred to as the Tax Cuts and Jobs Act of 2017, or the Tax Act (as modified by the Coronavirus Aid, Relief, and Economic Security Act), which significantly reforms the Internal Revenue Code of 1986, as amended, or the Internal Revenue Code. The Tax Act, among other things, includes changes to U.S. federal tax rates, imposes significant additional limitations on the deductibility of interest and the use of net operating losses generated in tax years beginning after December 31, 2017, allows for the expensing of certain capital expenditures, and puts into effect the migration from a “worldwide” system of taxation to a largely territorial system. Further changes to U.S. tax laws, including limitations on the ability of taxpayers to claim and utilize foreign tax credits, as well as changes to U.S. tax laws that may be enacted in the future, could impact the tax treatment of our foreign earnings. Due to expansion of our international business activities, any changes in the U.S. taxation of such activities may increase our worldwide effective tax rate and adversely affect our operating results and financial condition. The enactment of legislation implementing changes in the U.S. taxation of international business activities or the adoption of other tax reform policies could adversely impact our operating results and financial condition.
Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited.
As of January 31, 2021, we had aggregate U.S. federal and state net operating loss carryforwards of $20.7 million and $74.0 million, respectively, which may be available to offset future taxable income for U.S. income tax purposes. If not utilized, the federal net operating loss carryforwards will begin to expire in 2034, and the state net operating loss carryforwards will begin to expire in 2027. In addition, we had federal research and development credit carryforwards of $0.1 million, which will begin to expire in 2039, and state research and development credit carryforwards of $0.2 million, which do not expire. We also had foreign net operating loss carryforwards of $266.8 million, which do not expire. Realization of these net operating loss and research and development credit carryforwards depends on future income, and there is a risk that certain of our existing carryforwards could expire unused and be unavailable to offset future income tax liabilities, which could adversely affect our operating results and financial condition.
In addition, under Sections 382 and 383 of the Internal Revenue Code, if a corporation undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in ownership by “5 percent shareholders” over a rolling three-year period, the corporation’s ability to use its pre-change net operating loss carryovers and other pre-change tax attributes, such as research and development credits, to offset its post-change income or taxes may be limited. Similar rules apply under U.S. state tax laws. We may have experienced ownership changes in the past and we may experience an ownership change in the future as a result of shifts in our stock ownership. As a result, if we earn net taxable income, our ability to use our pre-change U.S. net operating loss carryforwards to offset U.S. federal taxable income may be subject to limitations, which could potentially result in increased future tax liability to us.
We could be required to collect additional sales, use, value added, digital services, or other similar taxes or be subject to other liabilities that may increase the costs our customers would have to pay for our solutions and adversely affect our business, operating results, and financial condition.
We collect sales, use, value added, digital services, and other similar taxes in a number of jurisdictions. One or more U.S. states or countries may seek to impose incremental or new sales, use, value added, digital services, or other tax collection obligations on us. Further, an increasing number of U.S. states have considered or adopted laws that attempt to impose tax collection obligations on out-of-state companies. Additionally, the Supreme Court of the United States ruled in South Dakota v. Wayfair, Inc. et al, or Wayfair, that online sellers can be required to collect sales and use tax despite not having a physical presence in the state of the customer. In response to Wayfair, or otherwise, U.S. states or local governments may adopt, or begin to enforce, laws requiring us to calculate, collect, and remit taxes on sales in their jurisdictions. A successful assertion by one or more U.S. states requiring us to collect taxes where we presently do not do so, or to collect more taxes in a jurisdiction in which we currently do collect some taxes, could result in substantial liabilities, including taxes on past sales, as well as interest and penalties. Furthermore, certain jurisdictions, such as the U.K. and France, have recently introduced a digital services tax, which is generally a tax on gross revenue generated from users or customers located in in those jurisdictions, and other jurisdictions have enacted or are considering enacting similar laws. A successful assertion by a U.S. state or local government, or other country or jurisdiction that we should have been or should be collecting additional sales, use, value added, digital services or other similar taxes could, among other things, result in substantial tax payments, create significant administrative burdens for us, discourage potential customers from subscribing to our platform due to the incremental cost of any such sales or other related taxes, or otherwise harm our business.
Our corporate structure and intercompany arrangements are subject to the tax laws of various jurisdictions, and we could be obligated to pay additional taxes, which would harm our operating results and financial condition.
We are expanding our international operations and staff to support our business in international markets. We generally conduct our international operations through wholly-owned subsidiaries and are or may be required to report our taxable income in various jurisdictions worldwide based upon our business operations in those jurisdictions. Our intercompany relationships are subject to complex transfer pricing regulations administered by taxing authorities in various jurisdictions in which we operate with potentially divergent tax laws. The amount of taxes we pay in different jurisdictions will depend on the application of the tax laws of the various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies by taxing authorities and courts in various jurisdictions, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. It is not uncommon for tax authorities in different countries to have conflicting views, for instance, with respect to, among other things, the manner in which the arm’s length standard is applied for transfer pricing purposes, the transfer pricing and charges for intercompany services and other transactions, or with respect to the valuation of intellectual property. If taxing authorities in any of the jurisdictions in which we conduct our international operations were to successfully challenge our transfer pricing, we could be required to reallocate part or all of our income to reflect transfer pricing adjustments, which could result in an increased tax liability to us. In such circumstances, if the country from where the income was reallocated did not agree to the reallocation, we could become subject to tax on the same income in both countries, resulting in double taxation. Furthermore, the relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations.
We are subject to federal, state and local income, sales and other taxes in the United States and income, withholding, transaction and other taxes in numerous foreign jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for income taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations, including those relating to income tax nexus, by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes in foreign currency exchange
rates, or by changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions including in jurisdictions in which we are not currently filing, may assess new or additional taxes, sales taxes and value added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have an adverse effect on our operating results or cash flows in the period or periods for which a determination is made.
If our estimates or judgments relating to our critical accounting policies prove to be incorrect or financial reporting standards or interpretations change, our operating results could be adversely affected.
The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the amounts reported in our condensed consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as discussed in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities and equity, and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our condensed consolidated financial statements include but are not limited to those related to the valuation of our common stock prior to our IPO in June 2021, stock-based compensation, the period of benefit for deferred contract acquisition costs, standalone selling prices for each performance obligation, useful lives of long-lived assets, the incremental borrowing rate (IBR) used for operating lease liabilities, and accounting for income taxes. Additionally, as a result of the COVID-19 pandemic, many of management’s estimates and assumptions require increased judgment and carry a higher degree of variability and volatility. Our operating results may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our operating results to fall below the expectations of industry or financial analysts and investors, resulting in a potential decline in the market price of our Class A common stock.
Additionally, we regularly monitor our compliance with applicable financial reporting standards and review new pronouncements and drafts thereof that are relevant to us. As a result of new standards, changes to existing standards and changes in their interpretation, we might be required to change our accounting policies, alter our operational policies and implement new or enhance existing systems so that they reflect new or amended financial reporting standards, or we may be required to restate our published financial statements. Such changes to existing standards or changes in their interpretation may have an adverse effect on our reputation, business, financial condition and profit, or cause an adverse deviation from our revenue and operating profit target, which may adversely affect our financial results.
We are exposed to fluctuations in currency exchange rates, which could negatively affect our business, operating results and financial condition.
Our sales contracts are denominated in U.S. dollars, and therefore our revenue is not subject to foreign currency risk. However, strengthening of the U.S. dollar increases the real cost of our platform to our customers outside of the United States, which could lead to delays in the purchase of our platform and the lengthening of our sales cycle. If the U.S. dollar continues to strengthen, this could adversely affect our financial condition and operating results. In addition, increased international sales in the future, including through our channel partners and other partnerships, may result in greater foreign currency denominated sales, increasing our foreign currency risk.
Our operating expenses incurred outside the U.S. and denominated in foreign currencies are increasing and are subject to fluctuations due to changes in foreign currency exchange rates. These expenses are denominated in foreign currencies and are subject to fluctuations due to changes in foreign currency exchange rates. We do not currently hedge against the risks associated with currency fluctuations but may do so in the future.
We may require additional capital to fund our business and support our growth, and any inability to generate or obtain such capital may adversely affect our operating results and financial condition.
In order to support our growth and respond to business challenges, such as developing new features or enhancements to our platform to stay competitive, acquiring new technologies, and improving our infrastructure, we
have made significant financial investments in our business and we intend to continue to make such investments. As a result, we may need to engage in additional equity or debt financings to provide the funds required for these investments and other business endeavors. If we raise additional funds through equity or convertible debt issuances, our existing stockholders may suffer significant dilution and these securities could have rights, preferences, and privileges that are superior to those of holders of our Class A common stock. We expect that our existing cash and cash equivalents will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months. If we obtain additional funds through debt financing, we may not be able to obtain such financing on terms favorable to us. Such terms may involve restrictive covenants making it difficult to engage in capital raising activities and pursue business opportunities, including potential acquisitions. The trading prices of technology companies have been highly volatile as a result of the COVID-19 pandemic, which may reduce our ability to access capital on favorable terms or at all. In addition, a recession, depression, or other sustained adverse market event resulting from the continuing COVID-19 pandemic could adversely affect our business and the value of our Class A common stock. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired and our business may be adversely affected, requiring us to delay, reduce, or eliminate some or all of our operations.
Risks Related to the Offering and Ownership of Our Class A Common Stock
The market price of our Class A common stock may be volatile, and you could lose all or part of your investment.
We cannot predict the prices at which our Class A common stock will continue to trade. The market price of our Class A common stock depends on a number of factors, including those described in this “Risk Factors” section, many of which are beyond our control and may not be related to our operating performance. In addition, the limited public float of our Class A common stock will tend to increase the volatility of the trading price of our Class A common stock. These fluctuations could cause you to lose all or part of your investment in our Class A common stock. Factors that could cause fluctuations in the market price of our Class A common stock include the following:
•actual or anticipated changes or fluctuations in our operating results;
•the financial projections we may provide to the public, any changes in these projections or our failure to meet these projections;
•announcements by us or our competitors of new products or new or terminated significant contracts, commercial relationships or capital commitments;
•industry or financial analyst or investor reaction to our press releases, other public announcements and filings with the SEC;
•rumors and market speculation involving us or other companies in our industry;
•price and volume fluctuations in the overall stock market from time to time;
•changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
•the expiration of market standoff or contractual lock-up agreements and sales of shares of our Class A common stock by us or our stockholders;
•failure of industry or financial analysts to maintain coverage of us, changes in financial estimates by any analysts who follow our company, or our failure to meet these estimates or the expectations of investors;
•actual or anticipated developments in our business or our competitors’ businesses or the competitive landscape generally;
•litigation involving us, our industry or both, or investigations by regulators into our operations or those of our competitors;
•developments or disputes concerning our intellectual property rights or our solutions, or third-party proprietary rights;
•announced or completed acquisitions of businesses or technologies by us or our competitors;
•new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
•any major changes in our management or our board of directors;
•effects of public health crises, pandemics, and epidemics, such as the COVID-19 pandemic;
•general economic conditions and slow or negative growth of our markets; and
•other events or factors, including those resulting from war, incidents of terrorism or responses to these events.
In addition, the stock market in general, and the market for technology companies in particular, has experienced extreme price and volume fluctuations that have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry factors may seriously affect the market price of our Class A common stock, regardless of our actual operating performance. In addition, in the past, following periods of volatility in the overall market and the market prices of a particular company’s securities, securities class action litigation has often been instituted against that company. Securities litigation, if instituted against us, could result in substantial costs and divert our management’s attention and resources from our business. This could have an adverse effect on our business, operating results and financial condition.
Sales of substantial amounts of our Class A common stock in the public markets, or the perception that they might occur, could cause the market price of our Class A common stock to decline.
Sales of a substantial number of shares of our Class A common stock into the public market, including shares of Class A common stock held by our existing stockholders that have been converted from shares of Class B common stock, and particularly sales by our directors, executive officers, and principal stockholders, or the perception that these sales might occur, could cause the market price of our Class A common stock to decline.
All of the shares of Class A common stock sold in our IPO are freely tradable without restrictions or further registration under the Securities Act, except for any shares held by our affiliates as defined in Rule 144 under the Securities Act (including any shares that were purchased by any of our affiliates in the IPO).
Subject to certain exceptions, we and all of our directors, executive officers, and certain other record holders that together represent a substantial majority of our outstanding common stock and securities directly or indirectly convertible into or exchangeable or exercisable for our Class A common stock, have agreed not to offer, sell or agree to sell, directly or indirectly, or engage in any hedging transactions, any shares of our capital stock without the prior written consent of Morgan Stanley & Co. LLC and Goldman Sachs & Co. LLC on behalf of the underwriters, during the period ending on the earlier of (i) the opening of trading on the second trading day immediately following our public release of earnings for the third quarter of fiscal 2022 and (ii) the date that is 180 days after June 29, 2021, which is the date of our Final Prospectus, or the “Full Lock-Up Release.”
The remaining holders of our outstanding common stock and securities directly or indirectly convertible into or exchangeable or exercisable for our Class A common stock, have not entered into lock-up agreements with the underwriters and, therefore, are not subject to the restrictions described above. These holders are subject to market standoff agreements with us that restrict their ability to transfer shares of our outstanding common stock and securities directly or indirectly convertible into or exchangeable or exercisable for our Class A common stock, and we will not waive any of the restrictions of such market standoff agreements during the period ending 180 days after the date of the Final Prospectus without the prior written consent of Morgan Stanley & Co. LLC and Goldman Sachs & Co. LLC on behalf of the underwriters, provided that we may waive such restrictions to the extent consistent with the terms of the lock-up agreements with the underwriters. The market standoff agreements do not prohibit these holders from pledging or hedging activities with respect to our securities.
In addition, approximately 40 million outstanding shares of our Class B common stock and securities directly or indirectly convertible into or exchangeable or exercisable for our Class A common stock as of July 31, 2021 (excluding vested restricted stock units and vested and exercisable stock options) may be sold for a seven-trading day period beginning at the commencement of trading on September 28, 2021, or the 91st day after June 29, 2021, the date of our Final Prospectus. Following this period, the remaining shares shall be locked-up until the Full Lock-Up Release.
Upon the expiration of the restricted period described above, all of the securities subject to such lock-up and market standoff restrictions will become eligible for sale, subject to compliance with applicable securities laws. Furthermore, Morgan Stanley & Co. LLC and Goldman Sachs & Co. LLC may waive the lock-up agreements entered into by our executive officers, directors, and holders of our securities before they expire.
Sales of a substantial number of such shares upon expiration of the lock-up and market standoff agreements, or the perception that such sales may occur, or early release of these agreements, could cause our market price to fall or make it more difficult for you to sell your Class A common stock at a time and price that you deem appropriate.
Following the expiration of the market standoff and lock-up agreements referred to above, our amended and restated investors’ rights agreement, dated October 28, 2020, certain stockholders can require us to file a registration statement for the public resale of such capital stock or to include such shares in registration statements that we may file for us or other stockholders.
An aggregate of 4,230,000 shares of our Class B common stock beneficially owned by Mr. Weingarten, our co-founder, Chairman of our Board of Directors, Chief Executive Officer, and President, are pledged as collateral to secure personal indebtedness pursuant to a security and pledge agreement effective June 2021.
We may also issue our shares of our capital stock or securities convertible into shares of our capital stock from time to time in connection with a financing, acquisition, investment, or otherwise.
The dual class structure of our common stock will have the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our IPO, including our directors, executive officers, and beneficial owners of 5% or greater of our outstanding capital stock who will hold in the aggregate approximately 64.2% of the voting power of our capital stock as of July 31, 2021, which will limit or preclude your ability to influence corporate matters, including the election of directors and the approval of any change of control transaction.
Our Class B common stock has 20 votes per share, and our Class A common stock has one vote per share. As of July 31, 2021, the holders of our outstanding Class B common stock hold approximately 99.1% of the voting power of our outstanding capital stock, with our directors, executive officers, and holders of more than 5% of our common stock, and their respective affiliates, holding in the aggregate approximately 64.2% of the voting power of our capital stock as of July 31, 2021. Because of the twenty-to-one voting ratio between our Class B and Class A common stock, the holders of our Class B common stock collectively will continue to control a majority of the combined voting power of our common stock and therefore will be able to control all matters submitted to our stockholders for approval until the earlier of (i) the date specified by a vote of the holders of 66 2/3% of the then outstanding shares of Class B common stock, (ii) seven years from the date of our Final Prospectus, or June 29, 2028, (iii) the first date following the completion of our IPO on which the number of shares of outstanding Class B common stock (including shares of Class B common stock subject to outstanding stock options) held by Tomer Weingarten, including certain permitted entities that Mr. Weingarten controls, is less than 25% of the number of shares of outstanding Class B common stock (including shares of Class B common stock subject to outstanding stock options) that Mr. Weingarten originally held as of the date of our Final Prospectus, (iv) the date fixed by our board of directors, following the first date following the completion of our IPO when Mr. Weingarten is no longer providing services to us as an officer, employee, consultant or member of our board of directors, (v) the date fixed by our board of directors following the date on which, if applicable, Mr. Weingarten is terminated for cause, as defined in our restated certificate of incorporation, and (vi) the date that is 12 months after the death or disability, as defined in our restated certificate of incorporation, of Mr. Weingarten. This concentrated control will limit or preclude your ability to influence corporate matters for the foreseeable future, including the election of directors,
amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that you may feel are in your best interest as one of our stockholders.
Future transfers by holders of our Class B common stock will generally result in those shares converting to Class A common stock, subject to limited exceptions, such as certain transfers effected for estate planning purposes. The conversion of Class B common stock to Class A common stock will have the effect, over time, of increasing the relative voting power of those holders of our Class B common stock who retain their shares in the long term.
The dual class structure of our common stock may adversely affect the trading market for our Class A common stock.
We cannot predict whether our dual class structure will, over time, result in a lower or more volatile market price of our Class A common stock, adverse publicity, or other adverse consequences. For example, certain index providers have announced restrictions on including companies with multi-class share structures in certain of their indices. In July 2017, FTSE Russell announced that it plans to require new constituents of its indices to have greater than 5% of the company’s voting rights in the hands of public stockholders, and S&P Dow Jones announced that it will no longer admit companies with multi-class share structures to certain of its indices. Affected indices include the Russell 2000 and the S&P 500, S&P MidCap 400, and S&P SmallCap 600, which together make up the S&P Composite 1500. Also in 2017, MSCI, a leading stock index provider, opened public consultations on their treatment of no-vote and multi-class structures and temporarily barred new multi-class listings from certain of its indices and in October 2018, MSCI announced its decision to include equity securities “with unequal voting structures” in its indices and to launch a new index that specifically includes voting rights in its eligibility criteria. Under such announced policies, the dual class structure of our common stock would make us ineligible for inclusion in certain indices and may discourage such indices from selecting us for inclusion, notwithstanding our automatic termination provision. As a result, mutual funds, exchange-traded funds, and other investment vehicles that attempt to track those indices would not invest in our Class A common stock. It is unclear what effect, if any, these policies will have on the valuations of publicly-traded companies excluded from such indices, but it is possible that they may depress valuations, as compared to similar companies that are included. Given the sustained flow of investment funds into passive strategies that seek to track certain indices, exclusion from certain stock indices would likely preclude investment by many of these funds and could make our Class A common stock less attractive to other investors. As a result, the market price of our Class A common stock could be adversely affected.
General Risk Factors
We may be adversely affected by natural disasters, pandemics and other catastrophic events, and by man-made problems such as terrorism, that could disrupt our business operations, and our business continuity and disaster recovery plans may not adequately protect us from a serious disaster.
Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce, and the global economy, and could have an adverse effect on our business, operating results, and financial condition. Our business operations are also subject to interruption by fire, power shortages, and other events beyond our control. In addition, our global operations expose us to risks associated with public health crises, such as pandemics and epidemics, which could harm our business and cause our operating results to suffer. For example, the ongoing effects of the COVID-19 pandemic and the measures that we, our customers and governmental authorities have adopted have resulted in, and could continue to result in, customers not purchasing or renewing our products or services, significant delays or lengthening of our sales cycles, and reductions in average transaction sizes, and could negatively affect our customer success and sales and marketing efforts, result in difficulties or changes to our customer support, or create operational or other challenges, any of which would harm our business and operating results. In addition, our growth rate may actually slow or decline once the impact of the COVID-19 pandemic tapers as people begin to return to offices and other workplaces. Further, acts of terrorism and other geopolitical unrest could cause disruptions in our business or the businesses of our partners or the economy as a whole. In the event of a natural disaster, including a major earthquake, blizzard, or hurricane, or a catastrophic event such as a fire, power loss, or telecommunications failure, we may be unable to continue our operations and
may endure system interruptions, reputational harm, delays in development of our platform, lengthy interruptions in service, breaches of data security, and loss of critical data, all of which could have an adverse effect on our future operating results. Climate change could result in an increase in the frequency or severity of such natural disasters. For example, our corporate offices are located in California, a state that frequently experiences earthquakes and wildfires. Additionally, all the aforementioned risks will be further increased if we do not implement an effective disaster recovery plan or our partners’ disaster recovery plans prove to be inadequate.
Adverse economic conditions or reduced information technology spending could adversely affect our business, operating results and financial condition.
Our business depends on the overall demand for information technology and on the economic health of our current and prospective customers. In addition, the purchase of our platform is often discretionary and may involve a significant commitment of capital and other resources. Weak global and regional economic conditions and spending environments, geopolitical instability and uncertainty, weak economic conditions in certain regions or a reduction in information technology spending regardless of macro-economic conditions, including the effects of the COVID-19 pandemic on the foregoing issues, could adversely affect our business, operating results, and financial condition, including longer sales cycles, lower prices for our platform, higher default rates among our channel partners, reduced sales and slower or declining growth.
The continuing COVID-19 pandemic could adversely affect our business, operating results, and financial condition.
The COVID-19 pandemic has caused general business disruption worldwide beginning in January 2020. The full extent to which the COVID-19 pandemic will directly or indirectly impact our business, operating results, cash flows, and financial condition will depend on future developments that are highly uncertain and cannot be accurately predicted.
We have experienced, and may continue to experience,negative impacts on certain parts of our business following the implementation of shelter-in-place orders and work-from-home requirements, to mitigate the outbreak of the COVID-19 pandemic, including a lengthening of the sales cycle for some prospective customers and delays in the delivery of professional services and trainings to our customers.
We do not yet know the full extent of potential impacts on our business, operations or on the global economy as a whole, particularly if the COVID-19 pandemic continues and persists for an extended period of time. Potential impacts include:
•our customer prospects and our existing customers may experience slowdowns in their businesses, which in turn may result in reduced demand for our platform, lengthening of sales cycles, loss of customers, and difficulties in collections;
•while we have started to open select offices in a limited capacity in accordance with local ordinances, most of our employees continue to work from home and a substantial number may continue to do so for the foreseeable future, which may result in decreased employee productivity and morale with increased unwanted employee attrition;
•we continue to incur fixed costs, particularly for real estate, and are deriving reduced or no benefit from those costs;
•we may continue to experience disruptions to our growth planning, such as for facilities and international expansion;
•we anticipate incurring costs in returning to work from our facilities around the world, including changes to the workplace, such as space planning, food service, and amenities;
•we may be subject to legal liability for safe workplace claims;
•our critical vendors could go out of business;
•substantially all of our in-person marketing events, including conferences, have been canceled and we are only recently returning to limited in-person events, and we may continue to experience prolonged delays in our ability to reschedule or conduct in-person events and other related activities; and
•our marketing, sales, and support organizations are accustomed to extensive face-to-face customer and partner interactions, and our ability to conduct business is largely unproven.
Any of the foregoing could adversely affect our business, financial condition, and operating results.
Moreover, due to the increasingly distributed nature of many workplaces as a result of shelter-in-place mandates, the demand for cybersecurity solutions like ours has increased during the COVID-19 pandemic. As a result, our business has experienced, and may continue to experience, a positive impact as a result of the COVID-19 pandemic. Moreover, we have seen slower growth in certain operating expenses due to reduced business travel, and the virtualization or cancellation of customer and employee events. However, as a vaccine becomes widely available and people begin to return to offices and other workplaces, any positive impacts of the COVID-19 pandemic on our business may slow or decline once the impact of the pandemic tapers.
If industry or financial analysts do not publish research or reports about our business, or if they issue inaccurate or unfavorable research regarding our Class A common stock, our stock price and trading volume could decline.
The trading market for our Class A common stock will be influenced by the research and reports that industry or financial analysts publish about us or our business. We do not control these analysts or the content and opinions included in their reports. As a new public company, we may be slow to attract research coverage and the analysts who publish information about our Class A common stock will have had relatively little experience with our company, which could affect their ability to accurately forecast our results and make it more likely that we fail to meet their estimates. In the event we obtain industry or financial analyst coverage, if any of the analysts who cover us issues an inaccurate or unfavorable opinion regarding our stock price, our stock price would likely decline. In addition, the stock prices of many companies in the technology industry have declined significantly after those companies have failed to meet, or significantly exceed, the financial guidance publicly announced by the companies or the expectations of analysts. If our financial results fail to meet, or significantly exceed, our announced guidance or the expectations of analysts or public investors, analysts could downgrade our Class A common stock or publish unfavorable research about us. If one or more of these analysts cease coverage of our Class A common stock or fail to publish reports on us regularly, our visibility in the financial markets could decrease, which in turn could cause our stock price or trading volume to decline.
We could be subject to securities class action litigation.
In the past, securities class action litigation has often been instituted against companies following periods of volatility in the market price of a company’s securities. This type of litigation, if instituted, could result in substantial costs and a diversion of management’s attention and resources, which could adversely affect our business, operating results, or financial condition. Additionally, the dramatic increase in the cost of directors’ and officers’ liability insurance may make it more expensive for us to obtain directors’ and officers’ liability insurance in the future and may require us to opt for lower overall policy limits and coverage or to forgo insurance that we may otherwise rely on to cover significant defense costs, settlements, and damages awarded to plaintiffs, or incur substantially higher costs to maintain the same or similar coverage. These factors could make it more difficult for us to attract and retain qualified executive officers and members of our board of directors.
We do not intend to pay dividends in the foreseeable future. As a result, your ability to achieve a return on your investment will depend on appreciation in the price of our Class A common stock.
We have never declared or paid any cash dividends on our capital stock. We currently intend to retain all available funds and any future earnings for use in the operation of our business and do not anticipate paying any dividends in the foreseeable future. Any determination to pay dividends in the future will be at the discretion of our board of directors. Accordingly, investors must rely on sales of their Class A common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.
Provisions in our charter documents and under Delaware law could make an acquisition of us, which may be beneficial to our stockholders, more difficult and may limit attempts by our stockholders to replace or remove our current management.
Provisions in our restated certificate of incorporation and amended and restated bylaws may have the effect of delaying or preventing a merger, acquisition or other change of control of the company that the stockholders may consider favorable. In addition, because our board of directors is responsible for appointing the members of our management team, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors. Among other things, our restated certificate of incorporation and amended and restated bylaws include provisions that:
•provide that our board of directors is classified into three classes of directors with staggered three-year terms;
•permit our board of directors to establish the number of directors and fill any vacancies and newly created directorships;
•require super-majority voting to amend some provisions in our restated certificate of incorporation and restated bylaws;
•authorize the issuance of “blank check” preferred stock that our board of directors could use to implement a stockholder rights plan;
•provide that only our chief executive officer or a majority of our board of directors will be authorized to call a special meeting of stockholders;
•eliminate the ability of our stockholders to call special meetings of stockholders;
•do not provide for cumulative voting;
•provide that directors may only be removed “for cause” and only with the approval of two-thirds of our stockholders;
•provide for a dual class common stock structure in which holders of our Class B common stock may have the ability to control the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the outstanding shares of our common stock, including the election of directors and other significant corporate transactions, such as a merger or other sale of our company or its assets;
•prohibit stockholder action by written consent, which requires all stockholder actions to be taken at a meeting of our stockholders;
•provide that our board of directors is expressly authorized to make, alter, or repeal our bylaws; and
•establish advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon by stockholders at annual stockholder meetings.
Moreover, Section 203 of the Delaware General Corporation Law, or DGCL, may discourage, delay, or prevent a change in control of our company. Section 203 imposes certain restrictions on mergers, business combinations, and other transactions between us and holders of 15% or more of our common stock.
Our restated certificate of incorporation contains exclusive forum provisions for certain claims, which may limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers, or employees.
Our restated certificate of incorporation provides that the Court of Chancery of the State of Delaware, to the fullest extent permitted by law, will be the exclusive forum for any derivative action or proceeding brought on our behalf, any action asserting a breach of fiduciary duty, any action asserting a claim against us arising pursuant to the
DGCL, our restated certificate of incorporation, or our amended and restated bylaws, or any action asserting a claim against us that is governed by the internal affairs doctrine.
Moreover, Section 22 of the Securities Act creates concurrent jurisdiction for federal and state courts over all claims brought to enforce any duty or liability created by the Securities Act or the rules and regulations thereunder. Our restated certificate of incorporation provides that the federal district courts of the United States will, to the fullest extent permitted by law, be the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act, or Federal Forum Provision. Our decision to adopt a Federal Forum Provision followed a decision by the Supreme Court of the State of Delaware holding that such provisions are facially valid under Delaware law. While there can be no assurance that federal or state courts will follow the holding of the Delaware Supreme Court or determine that the Federal Forum Provision should be enforced in a particular case, application of the Federal Forum Provision means that suits brought by our stockholders to enforce any duty or liability created by the Securities Act must be brought in federal court and cannot be brought in state court.
Section 27 of the Exchange Act creates exclusive federal jurisdiction over all claims brought to enforce any duty or liability created by the Exchange Act or the rules and regulations thereunder. In addition, the Federal Forum Provision applies to suits brought to enforce any duty or liability created by the Exchange Act. Accordingly, actions by our stockholders to enforce any duty or liability created by the Exchange Act or the rules and regulations thereunder must be brought in federal court.
Our stockholders will not be deemed to have waived our compliance with the federal securities laws and the regulations promulgated thereunder.
Any person or entity purchasing or otherwise acquiring or holding any interest in any of our securities shall be deemed to have notice of and consented to our exclusive forum provisions, including the Federal Forum Provision. These provisions may limit a stockholders’ ability to bring a claim in a judicial forum of their choosing for disputes with us or our directors, officers, or employees, which may discourage lawsuits against us and our directors, officers, and employees. Alternatively, if a court were to find the choice of forum provision contained in our restated certificate of incorporation or restated bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could harm our business, financial condition, and operating results.