Confidential draft submitted to the Securities and Exchange Commission on December 10, 2020
This draft registration statement has not been filed publicly with the Securities and
Exchange Commission, and all information herein remains strictly confidential.
Registration No. 333‑
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM S‑1
REGISTRATION STATEMENT
Under
The Securities Act of 1933
KNOWBE4, INC.
(Exact name of Registrant as specified in its charter)
| Delaware | 7370 | 36-4827930 | ||||||
| (State or other jurisdiction of incorporation or organization) | (Primary Standard Industrial Classification Code Number) | (I.R.S. Employer Identification Number) | ||||||
KnowBe4, Inc.
33 N. Garden Avenue
Clearwater, FL 33755
(855) 566-9234
(Address, including zip code, and telephone number, including area code, of Registrant’s principal executive offices)
Sjoerd Sjouwerman
Chief Executive Officer
KnowBe4, Inc.
33 N. Garden Avenue
Clearwater, FL 33755
(855) 566-9234
(Name, address, including zip code, and telephone number, including area code, of agent for service)
Copies to:
| Tony Jeffries Megan J. Baier Wilson Sonsini Goodrich & Rosati, Professional Corporation 1301 Avenue of the Americas New York, NY 10019 (212) 999-5800 | Shrikrishna Venkataraman Co-President & Chief Financial Officer KnowBe4, Inc. 33 N. Garden Avenue Clearwater, FL 33755 (855) 566-9234 | Mark T. Bettencourt Joseph C. Theis, Jr. Jesse Nevarez Goodwin Procter LLP 100 Northern Avenue Boston, MA 02210 (617) 570-1000 | ||||||
Approximate date of commencement of proposed sale to the public: As soon as practicable after the effective date of this Registration Statement.
If any of the securities being registered on this Form are to be offered on a delayed or continuous basis pursuant to Rule 415 under the Securities Act of 1933, check the following box. ☐
If this Form is filed to register additional securities for an offering pursuant to Rule 462(b) under the Securities Act, please check the following box and list the Securities Act registration statement number of the earlier effective registration statement for the same offering. ☐
If this Form is a post-effective amendment filed pursuant to Rule 462(c) under the Securities Act, check the following box and list the Securities Act registration statement number of the earlier effective registration statement for the same offering. ☐
If this Form is a post-effective amendment filed pursuant to Rule 462(d) under the Securities Act, check the following box and list the Securities Act registration statement number of the earlier effective registration statement for the same offering. ☐
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
| Large accelerated filer ☐ | Accelerated filer ☐ | |||||||
| Non-accelerated filer ☒ | Smaller reporting company ☐ | |||||||
| Emerging growth company ☒ | ||||||||
If an emerging growth company, indicate by checkmark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 7(a)(2)(B) of the Securities Act. ☐
CALCULATION OF REGISTRATION FEE
| Title of Each Class of Securities to be Registered | Proposed Maximum Aggregate Offering Price(1)(2) | Amount of Registration Fee(3) | ||||||
| Common Stock, par value $0.00001 per share | ||||||||
________________
(1)Estimated solely for the purpose of computing the amount of the registration fee pursuant to Rule 457(o) under the Securities Act of 1933, as amended.
(2)Includes the aggregate offering price of additional shares of common stock that the underwriters have the option to purchase from the Registrant, if any.
(3)Calculated pursuant to Rule 457(o) based on an estimate of the proposed maximum aggregate offering price.
The Registrant hereby amends this Registration Statement on such date or dates as may be necessary to delay its effective date until the Registrant shall file a further amendment which specifically states that this Registration Statement shall thereafter become effective in accordance with Section 8(a) of the Securities Act of 1933 or until the Registration Statement shall become effective on such date as the Securities and Exchange Commission, acting pursuant to said Section 8(a) may determine.
The information in this preliminary prospectus is not complete and may be changed. These securities may not be sold until the registration statement filed with the Securities and Exchange Commission is effective. This preliminary prospectus is not an offer to sell these securities and it is not soliciting an offer to buy these securities in any jurisdiction where the offer or sale is not permitted.
PRELIMINARY PROSPECTUS (Subject to completion)
Issued , 2021
Shares
Common Stock
KnowBe4, Inc. is offering shares of its common stock. This is our initial public offering and no public market currently exists for our shares. We anticipate that the initial public offering price will be between $ and $ per share.
We intend to apply to list our common stock on the Nasdaq Global Select Market under the symbol “KNBE.”
We are an “emerging growth company” under the federal securities laws and, as such, have elected to comply with certain reduced public company reporting requirements for this prospectus and future filings.
Investing in our common stock involves risks. See “Risk Factors” on page 16.
Neither the Securities and Exchange Commission nor any state securities commission has approved or disapproved of these securities or determined if this prospectus is truthful or complete. Any representation to the contrary is a criminal offense.
| Per Share | Total | ||||||||||
| Initial public offering price | $ | $ | |||||||||
Underwriting discounts and commissions(1) | $ | $ | |||||||||
| Proceeds to us before expenses | $ | $ | |||||||||
________________
(1)See “Underwriting” for a description of compensation payable to the underwriters.
We have granted the underwriters an option for a period of 30 days to purchase up to an additional shares of our common stock at the initial public offering price less the underwriting discount.
The underwriters expect to deliver the shares against payment in New York, New York, on or about , 2021.
| Morgan Stanley | Goldman Sachs & Co. LLC | BofA Securities | KKR | ||||||||
Prospectus dated , 2021.
TABLE OF CONTENTS
| Page | |||||
You should rely only on the information contained in this prospectus and in any free writing prospectus. Neither we nor the underwriters have authorized anyone to provide you with information different from that contained in this prospectus. We and the underwriters are offering to sell, and seeking offers to buy, shares of our common stock only in jurisdictions where offers and sales are permitted. The information in this prospectus is accurate only as of the date of this prospectus, regardless of the time of delivery of this prospectus or any sale of shares of our common stock.
Neither we nor any of the underwriters have done anything that would permit this offering or possession or distribution of this prospectus in any jurisdiction where action for that purpose is required, other than in the United States. Persons outside the United States who come into possession of this prospectus must inform themselves about, and observe any restrictions relating to, the offering of the shares of common stock and the distribution of this prospectus outside of the United States.
“KnowBe4,” the KnowBe4 logo, and our other registered or common law trademarks, service marks, or trade names appearing in this prospectus are the property of KnowBe4, Inc. Other trademarks and trade names referred to in this prospectus are the property of their respective owners.
PROSPECTUS SUMMARY
This summary highlights information contained elsewhere in this prospectus. This summary does not contain all of the information you should consider before buying shares in this offering. Therefore, you should read this entire prospectus carefully, including the “Risk Factors” section and our consolidated financial statements and the related notes included elsewhere in this prospectus. Unless the context requires otherwise, the words “we,” “us,” “our” and “KnowBe4” refer to KnowBe4, Inc. and its consolidated subsidiaries.
KNOWBE4, INC.
Mission
Our mission is to enable employees to make smarter security decisions, every day.
Overview
KnowBe4 has developed the leading security awareness platform enabling organizations to assess, monitor and minimize the ongoing cybersecurity threat of social engineering attacks. We are pioneering an integrated approach to security awareness that incorporates cloud-based software, machine learning, artificial intelligence, advanced analytics and insights with engaging content. Our platform is purpose-built to change human behavior and streamline security operations in order to reduce social engineering risks.
We believe every organization’s greatest asset is also its greatest security risk – its people. As investments in security products grow significantly, attackers are increasingly leveraging social engineering to circumvent the traditional layers of cybersecurity defense. Social engineering relies on the manipulation of human behavior and can range from enlisting unsuspecting employees in schemes to defraud their employers to gaining access to systems during the initial phase of broader, multi-stage cyberattacks that can result in devastating breaches. Because these attacks are low-cost and high-volume and have a high probability of success, they enable the attacker to achieve a significant return on investment. Social engineering represents a universal cybersecurity risk, as it specifically targets the employees rather than the infrastructure of an organization.
Historically, organizations have invested significantly in cybersecurity defenses with the belief that infrastructure-centric tools alone could provide adequate protection. Despite billions of dollars spent on security products each year, security breaches continue to be reported with increasing frequency. Recent secular trends, including globally distributed workforces, work from home and the technological complexity of the modern digital workplace, have vastly expanded the attack surface. A single click on a phishing email, insecure disposal of a sensitive document, use of a weak password and a host of other employee behaviors can prove disastrous to an organization. These effects are far-reaching, ranging from incident response costs and lost productivity to negative media coverage, loss of revenue and impacted customer confidence. More often than not, the difference between a secure and insecure interaction comes down to human behavior, but changing human behavior is a significant challenge.
We believe security awareness is the most effective way for organizations to manage the extraordinary unaddressed risk of social engineering, representing a fundamental shift in cybersecurity. Our security awareness platform is designed on a unique foundation that combines machine learning, artificial intelligence and advanced analytics with a deep understanding of human behavioral science. Our platform is purpose-built to alter human behavior and continuously reinforce secure behaviors through ongoing knowledge checks, behavior-based interventions, data analysis and relevant and interactive content. Our customers can strengthen their overall security posture by complementing their existing security infrastructure investments with a platform dedicated to reducing the risks associated with social engineering. We enable organizations to effectively enhance the security awareness of their workforce, converting their employees into a critical last line of defense against cyberattacks.
1
Our platform currently includes:
•Security Awareness: enables continuous assessment of employees through simulated social engineering attacks across multiple mediums and remediation through real-time delivery of highly engaging modules that are curated based on relevant and specific risks;
•Security Orchestration, Automation and Response (SOAR): enables security professionals to prioritize and automate security workstreams in order to respond to and remediate social engineering attacks; and
•Governance, Risk and Compliance: enables organizations to analyze security risk and automate the management of compliance and audit functions.
We designed our platform to meet the needs of IT administrators, as effective, scalable, quick to deploy and easy to use for organizations of all sizes. Our platform design allows us to scale from small businesses to large enterprises using a single code base. Our products are deployed on a common data platform with embedded analytical tools and reporting APIs that allow our customers to continually assess and monitor ongoing risks to the organization.
As the behavior of any employee could represent a threat, our customers tend to adopt our platform across the entire organization to protect all employees from social engineering threats. We have developed an effective go-to-market strategy that has been proven to help us reach both small and midsized businesses and large enterprises. We employ an efficient inside sales model that translates across all customer segments, complimented by channel partnerships that provide significant sales leverage and have enabled us to further penetrate the enterprise market. As a result, we have been able to grow our customer base rapidly in recent years, from more than 22,500 as of December 31, 2018 to more than 30,000 as of December 31, 2019. Our leadership in the security awareness market has been recognized by both Gartner Inc. and Forrester Research Inc.
We continue to experience significant growth, with total revenue increasing from $71.3 million for the year ended December 31, 2018 to $120.6 million for the year ended December 31, 2019, representing year-over-year growth of 69%. Our annual recurring revenue, or ARR, has grown from $88.6 million as of December 31, 2018 to $145.4 million as of December 31, 2019, a 64% increase. Our net loss increased from $9.2 million for the year ended December 31, 2018 to $124.3 million for the year ended December 31, 2019, which included $0.9 million and $118.1 million of stock-based compensation expense, respectively. Our cash flows from operations increased from $17.7 million for the year ended December 31, 2018 to $29.7 million for the year ended December 31, 2019. Our free cash flow was $8.2 million and $18.9 million for the years ended December 31, 2018 and 2019, respectively. See the sections titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Key Business Metrics—Annual Recurring Revenue” for additional information regarding ARR and “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Non-GAAP Financial Measures—Free Cash Flow and Free Cash Flow Margin” for additional information regarding free cash flow and for a reconciliation of free cash flow to the most directly comparable financial measure calculated in accordance with U.S. generally accepted accounting principles, or GAAP.
Industry Background
Social Engineering Attacks Targeting Humans Are the Most Successful Cyberattacks
Social engineering, which encompasses attacks on the human layer of an organization, can take the form of phishing, spear phishing, pretexting, business email compromise, smishing (SMS-based phishing) and vishing (voice-based phishing). These methods can result in the direct compromise of proprietary information or can serve as the first phase in sophisticated multi-stage attacks, enabling credential theft, ransomware delivery and malware delivery, among others, that can ultimately result in costly security breaches. In effect, by targeting human behavior rather than infrastructure, social engineering attacks can be utilized by attackers to circumvent multiple layers of security.
Due to the relative ease and cost-effectiveness of developing and deploying social engineering attacks, coupled with their effectiveness and the potential value of the resulting breaches, these methods have become the preferred
2
and most frequent avenue for hackers to gain access to IT systems and sensitive information. Several recent high-profile breaches, ranging from data loss events of major corporations and government entities, to account takeovers of prominent individuals, to ransomware attacks on local governments and hospitals, have all involved social engineering methods. Based on data from the 2020 Verizon Data Breach Investigations Report, we believe attacks on the human layer are now responsible for a majority of events leading to breaches.
Digital Transformation Has Expanded the Social Engineering Attack Surface
Not only has the widespread adoption of digital technologies significantly impacted how companies conduct business, it has also fundamentally changed the relationship of their employees with technology in their everyday professional and personal lives. Individuals increasingly use digital mediums as their primary form of communication and increasingly rely on online services in everyday life. Furthermore, the amount of personal data available for cyberattackers to use in crafting convincing social engineering attacks is staggering. According to Statista, over half of the global population currently uses social media, where accounts provide cyberattackers with a vast repository of knowledge about an individual, including their detailed personal history, interests, contacts and other valuable information. These trends have made individuals more susceptible than ever to social engineering attacks and greatly expanded the social engineering attack surface.
The increasing number of employees working remotely, in cloud applications and consumer-oriented devices that are often purposed for enterprise uses but only partially enterprise-managed, has significantly eroded the traditional security perimeter. With a sustained shift to digital and remote workplaces, accelerated by the global coronavirus pandemic, we believe the threat of social engineering will become more pronounced. Since the onset of the pandemic, VMware reports that 88% of businesses have seen an increase in social engineering attacks. This changing landscape requires humans to become the last line of defense against cyber threats.
Attackers Are Launching Increasingly Targeted Cyberattacks at Scale
Cyberattackers across all levels of sophistication employ social engineering techniques. These attackers range from hackers leveraging basic techniques to more sophisticated criminal organizations motivated by financial gains, to highly-advanced military and intelligence services of well-funded nation-states. Regardless of their level of expertise, cyberattackers can leverage social engineering to launch targeted cyberattacks at scale. The most basic social engineering attacks require minimal investment and can be cost-efficiently distributed to a wide target audience, while increasingly advanced attacks use highly customized messages developed through advanced research and emerging technologies such as AI or facial recognition.
Modern cyberattacks are pervasive, targeting businesses of all sizes across a broad range of industries including technology, transportation, healthcare, financial services, governments and political organizations, utility and retail. According to the Center for Strategic and International Studies, the global cost of cybercrime is estimated to be approximately $1 trillion annually, and the Ponemon Institute and IBM Security estimate that the average cost of a data breach has increased by 10% since 2014 to $3.86 million.
Cybersecurity Resources Are Constrained
Cybersecurity resources have become highly constrained. Skills shortages are at an all-time high, particularly in the areas of big data and analytics, cybersecurity and AI, with 54% of chief information officers, or CIOs, stating that they struggle to find the right talent in response to the Harvey Nash/KPMG CIO Survey 2020. Specifically, the 2020 (ISC)2 Cybersecurity Workforce Study estimated a global gap of over 3.1 million cybersecurity professionals.
Companies do not have enough IT security staff to effectively train employees on how to protect against ever-changing social engineering techniques or efficiently address threats that are reported. Rebuilding security training internally every year and sorting through reported threats on an individual basis is not resource-efficient for companies. These resource gaps highlight the need for software and automation in developing security awareness to protect against social engineering.
3
Limitations of Existing Offerings
Historically, organizations have relied on either content-centric or infrastructure-centric vendors for security awareness or have opted for limited or no training due to the inefficacy of existing offerings. Content-centric alternatives, including products from traditional vendors and internally-developed tools, provide organizations with generic and ineffective training programs that are primarily designed to satisfy minimum compliance requirements. These alternatives offer limited functionality and do not create the engagement needed to change human behavior. Infrastructure-centric alternatives provide basic point products for security training that are typically secondary to core security infrastructure products. Neither of these alternatives offers an integrated platform-based approach to security awareness that is specifically designed to manage the risk of social engineering.
Key Strengths of Our Platform
We provide an integrated platform that enables organizations to assess, monitor and mitigate the persistent threat of social engineering. Our cloud-based platform employs a differentiated combination of software, machine learning, artificial intelligence, analytics, insights, content and security workstreams that is designed to meaningfully impact human behavior to continually improve an organization’s security posture in response to social engineering threats. The key strengths of our platform include:
Targeted Focus on Human Behavior
Our platform is exclusively focused on human behavior, as we believe that elevating the security awareness of an organization’s employees is essential to managing the risk associated with social engineering. We believe that infrastructure-based security controls alone are inadequate, requiring humans to become the critical last line of defense for an organization. In growing the category for security awareness, we are focused on building a platform capable of changing insecure behaviors and reinforcing secure behaviors of individuals. This allows us to invest technology and development resources to drive innovation and differentiation in products designed to address the human layer of security. Our focus has helped us establish market leadership and we believe will position us favorably to capitalize as the scope of the human layer of security expands.
Continuous Intelligence and Analytics
Our platform continuously assesses users and monitors social engineering risk, creating an active feedback loop that enables organizations to continually drive improvements in employee security awareness and overall security posture. Frequent training, knowledge checks and behavior-based intervention all reinforce secure behaviors and provide critical data for measuring, improving and maintaining security awareness within an organization.
The advanced analytics delivered by our platform enable security administrators to identify, monitor and manage the social engineering risk of the organization as a whole, or of individual employees or groups of employees on an ongoing basis. Our platform analyzes a broad and extensive set of risk data to assess the level of social engineering risks within an organization and provides security professionals with actionable insights to modify and improve security awareness programs based on risk profiles at the individual or group level. Through the learner experience dashboard, our platform also provides employees visibility into their individual susceptibility to social engineering threats, which promotes continuous engagement and improvement in security awareness.
Effective and Efficient Security Awareness Administration
Our platform is designed to enable security administrators to mitigate social engineering risk through automated, machine learning-driven administration of training specifically customized to an individual user or group of users. The platform analyzes users’ behavior and allows organizations to categorize employees based on dynamic or custom groupings to tailor simulated social engineering campaigns, assignments and analytical reporting based on identified potential vulnerabilities. Our platform leverages a machine learning engine to provide administrators with targeted recommendations based on the results of simulated tests and users’ risk scores prompting the delivery of relevant content with a demonstrated ability to reduce the risks associated with social engineering.
4
The platform also includes embedded SOAR functionality to prioritize and automate security operations related to user-reported social engineering threats. With these capabilities, security professionals can minimize risk to the organization by quickly responding to and effectively remediating the most severe social engineering threats. All together, these capabilities are designed to reduce the administrative burden of security awareness management and operations on resource-constrained IT and security professionals.
Expansive Library of Engaging and Effective Content
We have built an expansive library of differentiated security awareness content, containing approximately 1,200 pieces of content, that is continuously refreshed to ensure that our offerings always reflect the expanding range of social engineering threats. We leverage our extensive proprietary data set on human behavior and social engineering attacks, first-party threat environment research and crowd-sourcing methods to update our simulated threat templates in near real-time, in order to convincingly emulate real-world social engineering methods.
We believe the range and sophistication of our content library and technology makes our platform highly effective in changing human behavior to reduce social engineering risk. We employ dedicated content centers of excellence across geographies to produce differentiated content that reflects themes based on the broader global threat environment, but is highly localized and culturally relevant. The breadth and scope of our content enables it to fully meet the needs of large global enterprises with geographically diverse workforces, driving increased customer satisfaction and retention.
Ease of Platform Deployment and Use
We have designed our platform to be easy to deploy and use, enabling our customers to achieve rapid time-to-value and cost efficiency in security awareness operations. Our cloud-based platform requires minimal implementation efforts, enabling customers to quickly onboard and complete an initial baseline simulated social engineering campaign. We have also developed integrations with mainstream identity platforms, including Active Directory and SCIM, that further streamline platform deployment and ongoing user administration. Our management console offers simple and automated administration of security awareness programs and related workstreams, reducing the resource and expertise requirements on the organization. For employees, the user interface of our platform has also been designed to deliver an intuitive, easy-to-use and high quality experience that is on par with best-in-class consumer experiences.
Designed to Serve the Entire Market
As we believe social engineering is a universal problem, the ability to scale our technology to meet the needs of all organizations has been a central tenet of our platform design philosophy from the beginning. As a result, we have designed our products to be both accessible to smaller organizations without dedicated IT departments and scalable to organizations with hundreds of thousands of users and multiple security teams dispersed across the world. Our cloud-based delivery model, scalable multi-tenant architecture and global content centers of excellence allow us to regularly introduce new content and platform features to our customers quickly and seamlessly.
Our Market Opportunity
We believe that companies of all sizes and across all industries and geographies require a security awareness platform to manage the ongoing threat of social engineering. As such, we estimate the total market opportunity for our platform currently to be approximately $15 billion for the year ended December 31, 2020.
For KMSAT and PhishER, we calculate our market opportunity by estimating the total number of employees in over 50 addressable geographies globally segmented into large enterprise, enterprise, medium business and small business categories. We apply a per employee price, depending on the segment, using internally generated data of actual customer spend based on the customer size and location. For KCM in the U.S., we apply an average contract value to a set number of organizations using internally generated data of actual customer spend based on the size of such organizations. For KCM internationally, we estimate the size of the market as a multiple of the U.S. market implied by the proportional market sizes for our KMSAT and PhishER products. The aggregate sum of the calculated values across KMSAT, PhishER and KCM, as described herein, represents our total estimated market
5
opportunity. The estimated market opportunity for KMSAT represents approximately half of our total market opportunity.
For more information regarding the estimates of market opportunity included within this prospectus, see the section titled “Business—Our Market Opportunity”.
Our Growth Strategy
Key elements of our growth strategy include:
Expand Our Customer Base
We believe there is a significant opportunity to invest in our sales and marketing activities to drive broader market knowledge of the importance of security awareness. Increasing category awareness of our market enables us to expand our customer base with less education effort and more efficient go-to-market execution. In addition to growing the small to medium sized customer base that we have focused on since inception, we believe that there is significant opportunity to increase penetration in the enterprise segment.
Expand Internationally
The international market represents a clear expansion opportunity for us. We have grown our revenue generated by customers outside of North America from 6.0% in 2018 to 9.7% in 2019 and in 2020. To pursue this opportunity, we are rapidly expanding our international operations, increasing our physical presence through headcount additions and investing in further localizing our platform. Our platform is currently accessible in over 30 languages and we plan to expand this language support in the future, along with increasing our region-specific content offerings.
Grow Our Partner Network
We plan to increase our channel partnerships to help us efficiently reach new territories and opportunities. Growing our international channel partnerships will help us reach new jurisdictions where we have not yet developed extensive brand awareness and local customer relationships. We believe managed service providers, or MSPs, and channel partners represent an efficient way to sell to smaller customers, as organizations with limited or no IT departments often rely on MSPs to provide specialized security skills or knowledge. In 2019, MSPs and channel partners were involved in generating 32.3% of our revenue. As our business becomes more mature, we believe the revenue contribution from channel partners and MSPs will continue to increase.
Expand Our Existing Customer Relationships
We plan to continue cross-selling products and upselling subscription tiers within our existing customer base. We believe that our integrated platform and the strength of our customer success program are key to our ability to cross-sell and upsell to our existing customers. We plan to continue to invest in our technology and platform and in customer success personnel to retain existing customers and drive increased product attachment rates.
Invest in Our Platform and Content
We believe that continued investment in our technology platform and content is important to our ability to maintain and extend our market leadership. We invest in technology and development activities to continuously strengthen our platform and release additional features and products to the market. We believe that our ability to leverage the immense amount of data collected from our customers’ usage and to incorporate their feedback into our platform and content offerings have contributed to our market-leading position. We continue to explore methods to monetize our data assets in the future and continue to integrate our customer feedback into future product development opportunities.
6
Selectively Pursue Strategic Acquisitions
We plan to pursue strategic acquisitions that we believe will be complementary to our existing platform, enhance our technology and our content and increase the value proposition we deliver to our customers. For example, we may pursue acquisitions that we believe will help us add new features, accelerate customer growth, enter new markets and add talents and expertise to our organization.
Risks Related to Our Business
Investing in our common stock involves risk. You should carefully consider all the information in this prospectus prior to investing in our common stock. These risks are discussed more fully in the section entitled “Risk Factors” immediately following this prospectus summary. These risks and uncertainties include, but are not limited to, the following:
•We have a limited operating history, which makes it difficult to forecast our revenue and evaluate our business and future prospects.
•We have a history of losses and may not be able to achieve or sustain profitability in the future.
•The global COVID-19 pandemic, including the related containment efforts, has had, and we expect will continue to have, certain negative impacts on our business and operations, and we are unable to predict with certainty the extent to which it may continue to adversely affect our business, financial condition or results of operations.
•We believe our long-term value as a company will be greater if we focus on growth, which may negatively impact our profitability in the near term.
•If we are unable to attract new customers or develop new products that achieve market acceptance, our revenue growth and profitability will be harmed.
•If our customers do not renew their subscriptions for our platform and add additional products to their subscriptions, our future results of operations could be harmed.
•We recognize revenue from subscriptions over the term of our customer contracts, and as such, our reported revenue and related metrics may differ significantly in a given period, and our revenue in any period may not be indicative of our financial health and future performance.
•Failure to effectively develop and expand our marketing and sales capabilities or maintain successful relationships with our channel partners could harm our ability to increase our customer base and achieve broader market acceptance of our products.
•If we are not able to provide successful updates, enhancements and features to our technology to, among other things, keep up with emerging threats and customer needs, our business, financial condition and results of operations could be adversely affected.
•A network, systems or data security incident may allow unauthorized access to our network, systems or data or our customers’ data, harm our reputation, create additional liability and adversely impact our financial results.
•Complying with evolving privacy and other data related laws and requirements may be expensive and force us to make adverse changes to our business, and failure to comply with such laws and requirements could result in substantial harm to our business.
•The nature of our business requires the application of complex accounting rules, including revenue and expense recognition rules, and any significant changes in current rules, or interpretations thereof, could affect our financial statements and results of operations.
7
•Interruptions or delays in the services provided by third-party data centers or internet service providers could impair the delivery of our platform and products, expose us to litigation and negatively impacting our relationships with customers, adversely affecting our business.
•Our results of operations may be harmed if we are subject to a protracted infringement claim or a claim that results in a significant damage award.
•If we fail to adequately protect our proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate reduced revenue and incur costly litigation to protect our rights.
•Upon completion of this offering, our executive officers, directors and holders of 5% or more of our common stock will collectively beneficially own approximately % of the outstanding shares of our common stock and continue to have substantial control over us, which will limit your ability to influence the outcome of important transactions, including a change in control.
Implications of Being an Emerging Growth Company
As a company with less than $1.07 billion in revenue during our last fiscal year, we qualify as an “emerging growth company” as defined in the Jumpstart Our Business Startups Act of 2012, or the JOBS Act. An emerging growth company may take advantage of specified reduced reporting and other requirements that are otherwise applicable generally to public companies. These provisions include:
•we are required to include only two years of audited consolidated financial statements in this prospectus in addition to any required interim financial statements, and correspondingly required to provide only reduced disclosure in “Management’s Discussion and Analysis of Financial Condition and Results of Operations”;
•we are not required to engage an auditor to report on our internal controls over financial reporting pursuant to Section 404(b) of the Sarbanes-Oxley Act of 2002, as amended;
•we may take advantage of extended transition periods for complying with new or revised accounting standards;
•we are not required to submit certain executive compensation matters to stockholder advisory votes, such as “say-on-pay,” “say-on-frequency” and “say-on-golden parachutes”; and
•we are not required to disclose certain executive compensation related items such as the correlation between executive compensation and performance and comparisons of the chief executive officer’s compensation to our median employee compensation.
We may take advantage of these provisions until the earliest to occur of: (i) the end of the first fiscal year in which our annual gross revenues are $1.07 billion or more; (ii) the end of the first fiscal year in which we are deemed to be a “large accelerated filer,” as defined in the Securities Exchange Act of 1934, as amended, or the Exchange Act; (iii) the date on which we have, during the previous three-year period, issued more than $1.0 billion in non-convertible debt securities; and (iv) the end of the fiscal year during which the fifth anniversary of this listing occurs. We may choose to take advantage of some, but not all, of the available benefits under the JOBS Act.
We currently intend to take advantage of certain of the exemptions discussed above. Accordingly, the information contained herein may be different than the information you receive from other public companies in which you invest.
For risks related to our status as an emerging growth company, see “Risk Factors—Risks Related to Our Common Stock and This Offering—We are an “emerging growth company” and we cannot be certain if the reduced disclosure requirements applicable to emerging growth companies will make our common stock less attractive to investors.”
8
Company Information
We were formed as a limited liability company in Delaware in August 2010 under the name SEQRIT, LLC. We then converted into a Delaware corporation under the name KnowBe4, Inc. in January 2016. Our headquarters is located at 33 N. Garden Avenue, Clearwater, FL 33755 and our telephone number is (855) 566-9234. You can access our website at www.knowbe4.com. Information contained on our website is not part of this prospectus or the registration statement of which it forms a part and is not incorporated by reference in this prospectus or the registration statement of which it forms a part.
9
THE OFFERING
| Common stock offered by us | shares | ||||
| Common stock to be outstanding after this offering | shares (or shares, if the underwriters exercise their option to purchase additional shares from us in full) | ||||
| Option to purchase additional shares | We have granted the underwriters an option for a period of 30 days after the date of this prospectus to purchase up to an additional shares of our common stock at the initial public offering price less underwriting discounts and commissions. | ||||
| Use of proceeds | We estimate that the net proceeds from the sale of shares of our common stock in this offering will be approximately $ (or approximately $ if the underwriters exercise their option to purchase additional shares from us in full), based upon the assumed initial public offering price of $ per share, which is the midpoint of the price range set forth on the cover page of this prospectus, and after deducting the estimated underwriting discounts and commissions and estimated offering expenses payable by us. We intend to use the net proceeds from this offering for working capital, capital expenditures and other general corporate purposes. We may also use a portion of our net proceeds to fund potential acquisitions, or investments in, technologies or businesses that complement our business, although we have no present commitments or agreements to enter into any such acquisitions or make any such investments. See “Use of Proceeds.” | ||||
| Proposed Nasdaq Global Select Market symbol | “KNBE” | ||||
| Risk factors | See “Risk Factors” and other information included in this prospectus for a discussion of factors you should carefully consider before deciding to invest in shares of our common stock. | ||||
| Conflicts of Interest | Certain entities affiliated with Goldman Sachs & Co. LLC and KKR Capital Markets LLC, underwriters for this offering, each collectively beneficially own in excess of 10% of our issued and outstanding common stock. As a result, each of Goldman Sachs & Co. LLC and KKR Capital Markets LLC is deemed to have a “conflict of interest” under Rule 5121 of the Financial Industry Regulatory Authority, or FINRA. FINRA Rule 5121 requires that a “qualified independent underwriter” meeting certain standards participate in the preparation of the registration statement and prospectus and exercise the usual standards of due diligence in respect thereto. Morgan Stanley and Co. LLC will serve as a qualified independent underwriter within the meaning of FINRA Rule 5121 in connection with this offering. For more information, see “Underwriting.” | ||||
The number of shares of our common stock to be outstanding after this offering is based on the shares of our common stock outstanding as of December 31, 2020 (including an aggregate of shares of common stock issuable upon the assumed automatic conversion of shares of outstanding convertible preferred stock upon the closing of this offering, or the Capital Stock Conversion, as if such conversion occurred on December 31, 2020), and excludes the following:
• shares of common stock issuable upon exercise of options to purchase shares of our common stock outstanding as of December 31, 2020 under our 2016 Equity Incentive Plan, or the 2016 Plan, at a weighted-average exercise price of $ per share;
10
• shares of common stock issuable upon exercise of options to purchase shares of our common stock that we granted after December 31, 2020 under our 2016 Plan, at a weighted-average exercise price of $ per share;
• shares of common stock reserved for future issuance under our 2021 Equity Incentive Plan, which will become effective on the business day immediately prior to the date of effectiveness of the registration statement of which this prospectus forms a part, as well as any automatic increases in the number of shares of common stock reserved for future issuance under this plan; and
• shares of common stock reserved for future issuance under our 2021 Employee Stock Purchase Plan, which will become effective on the business day immediately prior to the date of effectiveness of the registration statement of which this prospectus forms a part, as well as any automatic increases in the number of shares of common stock reserved for future issuance under this plan.
Except as otherwise indicated, all information in this prospectus assumes:
•the filing and effectiveness of our amended and restated certificate of incorporation and the effectiveness of our amended and restated bylaws, which will occur immediately after the closing of this offering;
•the effectiveness of a -for-1 stock split of our capital stock to be effected on ;
•no exercise of outstanding options after December 31, 2020;
•the Capital Stock Conversion, as if such conversion occurred on December 31, 2020; and
•no exercise by the underwriters of their option to purchase additional shares of common stock from us in this offering.
11
SUMMARY HISTORICAL CONSOLIDATED FINANCIAL DATA
In the following tables, we provide our summary historical consolidated financial data. The summary historical consolidated statements of operations data for each of the years ended December 31, 2018, 2019 and 2020 as well as the summary consolidated balance sheet data as of December 31, 2020 are derived from our audited consolidated financial statements included elsewhere in this prospectus. You should read the summary historical consolidated financial data set forth below in conjunction with our consolidated financial statements, the notes to our consolidated financial statements and “Management’s Discussion and Analysis of Financial Condition and Results of Operations” included elsewhere in this prospectus. Our summary historical consolidated results are not necessarily indicative of results to be expected for future periods. The summary historical consolidated financial data in this section are not intended to replace our consolidated financial statements and are qualified in their entirety by our consolidated financial statements and related notes included elsewhere in this prospectus.
| December 31, | |||||||||||||||||
| 2018 | 2019 | 2020 | |||||||||||||||
| (in thousands, except share and per share data) | |||||||||||||||||
Summary Consolidated Statement of Operations Data: | |||||||||||||||||
| Revenues, net | $ | 71,287 | $ | 120,575 | |||||||||||||
| Cost of revenues | 12,062 | 20,579 | |||||||||||||||
| Gross profit | 59,225 | 99,996 | |||||||||||||||
| Operating expenses: | |||||||||||||||||
| Sales and marketing | 45,101 | 69,090 | |||||||||||||||
| Technology and development | 3,299 | 10,662 | |||||||||||||||
| General and administrative | 20,525 | 145,776 | |||||||||||||||
| Total operating expenses | 68,925 | 225,528 | |||||||||||||||
| Operating loss | (9,700) | (125,532) | |||||||||||||||
| Other (expense) income: | |||||||||||||||||
| Interest income | 505 | 799 | |||||||||||||||
| Interest expense | (29) | (47) | |||||||||||||||
| Other income | 76 | 90 | |||||||||||||||
| Loss before income tax (expense) benefit | (9,148) | (124,690) | |||||||||||||||
| Income tax (expense) benefit | (98) | 367 | |||||||||||||||
| Net loss | $ | (9,246) | $ | (124,323) | |||||||||||||
| Net loss per share: | |||||||||||||||||
| Basic and diluted | $ | (4.18) | $ | (76.51) | |||||||||||||
| Weighted-average shares outstanding used to compute net loss per share: | |||||||||||||||||
| Basic and diluted | 2,212,964 | 1,673,960 | |||||||||||||||
| Pro forma net loss per share: | |||||||||||||||||
| Basic | |||||||||||||||||
| Diluted | |||||||||||||||||
| Pro forma weighted-average shares outstanding used to compute pro forma net loss per share: | |||||||||||||||||
| Basic | |||||||||||||||||
| Diluted | |||||||||||||||||
12
| As of December 31, 2020 | |||||||||||||||||
| Actual | Pro Forma(1) | Pro Forma As Adjusted(2)(3) | |||||||||||||||
| (in thousands) | |||||||||||||||||
| Summary Consolidated Balance Sheet Data: | |||||||||||||||||
| Cash and cash equivalents | |||||||||||||||||
| Total current assets | |||||||||||||||||
| Total assets | |||||||||||||||||
| Total current liabilities | |||||||||||||||||
| Total liabilities | |||||||||||||||||
| Stockholders’ equity (deficit) | |||||||||||||||||
________________
(1)The unaudited pro forma consolidated balance sheet data as of December 31, 2020 presents our consolidated balance sheet data to give effect to (i) the Capital Stock Conversion, as if such conversion occurred on December 31, 2020; and (ii) the filing and effectiveness of our amended and restated certificate of incorporation and the adoption of our amended and restated bylaws immediately prior to the closing of this offering.
(2)The unaudited pro forma consolidated balance sheet data as of December 31, 2020 as adjusted balance sheet data gives effect to (i) the pro forma adjustments set forth in footnote (1) above and (ii) the issuance and sale of shares of common stock in this offering at the assumed initial public offering price of $ per share, which is the midpoint of the price range set forth on the cover page of this prospectus, after deducting the estimated underwriting discounts and commissions and estimated offering expenses payable by us.
(3)A $1.00 increase (decrease) in the assumed initial public offering price of $ per share would increase (decrease) each of cash and cash equivalents, total assets and total stockholders’ deficit by $ , assuming that the number of shares offered by us, as set forth on the cover page of this prospectus, remains the same, and after deducting the estimated underwriting discounts and commissions and estimated offering expenses payable by us. Similarly, each 1,000,000 share increase or decrease in the number of shares offered in this offering would increase or decrease each of cash and cash equivalents, total assets and total stockholders’ deficit by $ million, assuming that the price per share for the offering remains at $ (which is the midpoint of the price range set forth on the cover page of this prospectus), and after deducting the estimated underwriting discounts and commissions and estimated offering expenses payable by us.
Key Business Metrics
We regularly monitor a number of financial and operating metrics, including the following key metrics, in order to measure our current performance and estimate our future performance, as follows:
| Year Ended December 31, | |||||||||||||||||
| 2018 | 2019 | 2020 | |||||||||||||||
| Number of customers | 22,521 | 30,259 | |||||||||||||||
| Year-over-year growth | 53 | % | 35 | % | |||||||||||||
| Annual recurring revenue (in thousands) | $ | 88,645 | $ | 145,369 | |||||||||||||
| Year-over-year growth | 91 | % | 64 | % | |||||||||||||
Number of Customers
We believe that our ability to increase the number of customers on our platform is an indicator of our market penetration, the growth of our business and potential future business opportunities. Increasing awareness of our platform and products, combined with further overall awareness of the need to address the human risk within cybersecurity, has continued to expand our customer base to include organizations of all sizes across all industries. We define a customer as a separate and distinct buying entity, such as a company, an educational or government institution or a distinct business unit of a large company that has an active contract with us to access our platform. We do not consider our channel partners as separate customers as our contracts are executed with the end user, and we treat MSPs, who may purchase our products on behalf of multiple companies, as a single customer.
13
Annual Recurring Revenue
We believe that ARR is a key metric to measure our business performance because it is driven by our ability to acquire new customers and to maintain and expand our relationship with existing customers. We define ARR as the annualized value of all contractual subscription agreements as of the end of the period. We perform this calculation on an individual contract basis and aggregate the value for all active contracts to arrive at total ARR. ARR does not have any standardized meaning and is therefore unlikely to be comparable to similarly titled measures presented by other companies. ARR should be viewed independently of revenue and deferred revenue and is not intended to be combined with or to replace either of those items. ARR is not a forecast and the active contracts at the date used in calculating ARR may or may not be extended by our customers.
Non-GAAP Financial Measures
In addition to our results determined in accordance with GAAP, we believe the following non-GAAP measures are useful in evaluating our operating performance. We believe that non-GAAP financial information, when taken collectively, may be helpful to investors because it provides consistency and comparability with past financial performance. However, non-GAAP financial information is presented for supplemental informational purposes only, has limitations as an analytical tool, and should not be considered in isolation or as a substitute for financial information presented in accordance with GAAP. Other companies, including companies in our industry, may calculate similarly-titled non-GAAP measures differently or may use other measures to evaluate their performance, all of which could reduce the usefulness of our non-GAAP financial measures as tools for comparison. A reconciliation is provided below for each non-GAAP financial measure to the most directly comparable financial measure stated in accordance with GAAP. Investors are encouraged to review the related GAAP financial measures and the reconciliation of these non-GAAP financial measures to their most directly comparable GAAP financial measures and not rely on any single financial measure to evaluate our business.
Non-GAAP Operating Loss
We define non-GAAP operating loss as GAAP operating loss excluding stock-based compensation expense and amortization of acquired intangible assets, and acquisition-related expenses. Costs associated with acquisitions include legal, accounting and other professional fees, as well as changes in the fair value of contingent consideration obligations. We believe non-GAAP operating loss provides our management and investors consistency and comparability with our past financial performance and facilitate period-to-period comparisons of operations, as this metric generally eliminates the effects of certain variables unrelated to our overall operating performance.
| Year Ended December 31, | |||||||||||||||||
| 2018 | 2019 | 2020 | |||||||||||||||
| (in thousands) | |||||||||||||||||
| Operating loss | $ | (9,700) | $ | (125,532) | |||||||||||||
| Add: Stock-based compensation expense | 855 | 118,022 | |||||||||||||||
| Add: Amortization of acquired intangible assets | 58 | 83 | |||||||||||||||
| Add: Acquisition related costs | 276 | 292 | |||||||||||||||
| Non-GAAP operating loss | $ | (8,511) | $ | (7,135) | |||||||||||||
Free Cash Flow and Free Cash Flow Margin
We define free cash flow as net cash provided by operating activities less purchases of property, equipment, amounts capitalized for internal-use software and principal payments on finance leases. Free cash flow margin is calculated as free cash flow divided by revenue. We believe that free cash flow and free cash flow margin are meaningful indicators of profitability to management and investors about the amount of cash generated from our
14
operations that, after the investments in property, equipment and capitalized internal-use software, can be used for strategic initiatives.
| Year Ended December 31, | |||||||||||||||||
| 2018 | 2019 | 2020 | |||||||||||||||
| (in thousands, except percentages) | |||||||||||||||||
| Net cash provided by operating activities | $ | 17,716 | $ | 29,718 | |||||||||||||
| Less: Purchases of property and equipment | (3,957) | (5,573) | |||||||||||||||
| Less: Capitalized internal-use software | (5,514) | (5,223) | |||||||||||||||
| Free Cash Flow | $ | 8,245 | $ | 18,922 | |||||||||||||
| Free Cash Flow Margin | 11.6 | % | 15.7 | % | |||||||||||||
15
RISK FACTORS
An investment in our common stock offered by this prospectus involves a substantial risk of loss. You should carefully consider these risk factors, together with all of the other information included in this prospectus, before you decide to purchase shares of our common stock. The occurrence of any of the following risks could materially adversely affect our business, financial condition or results of operations. In that case, the trading price of our common stock could decline, and you may lose part or all of your investment.
Risks Related to Our Business and Our Industry
We have a limited operating history, which makes it difficult to forecast our revenue and evaluate our business and future prospects.
We have been in existence since 2010 and much of our growth has occurred in recent periods. As a result of our limited operating history, our ability to forecast our future results of operations and plan for and model future growth is limited and subject to a number of uncertainties. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in rapidly changing industries, such as the risks and uncertainties described herein. Additionally, the sales cycle for the evaluation and implementation of our platform and products, which can range from several days for small businesses to multiple months for enterprise deals, may also cause us to experience uncertainty in the timing between increasing operating expenses and the generation of corresponding revenue, if any. Accordingly, we may be unable to prepare accurate internal financial forecasts or replace anticipated revenue that we do not receive as a result of uncertainties arising from these factors, and our results of operations in future reporting periods may be below the expectations of investors. If we do not address these risks successfully, our results of operations could differ materially from our estimates and forecasts or the expectations of investors, causing our business to suffer and our stock price to decline.
We have a history of losses and may not be able to achieve or sustain profitability in the future.
We have incurred net losses in all annual periods since our inception, and we expect we will continue to incur net losses for the foreseeable future. We experienced net losses of $9.2 million, $124.3 million and $ million for the years ending December 31, 2018, 2019 and 2020, respectively. As of December 31, 2020, we had an accumulated deficit of $ . Because the market for our platform and products has not yet reached widespread adoption, it is difficult for us to predict our future results of operations. Overall growth of our revenue depends on a number of factors, including:
•pricing our platform and products effectively so that we are able to attract new customers and expand sales to our existing customers;
•continuing to develop and offer products that are superior to those of competitors;
•expanding the functionality of our platform and products;
•maintaining and expanding the rates at which customers purchase and renew subscriptions to our platform and products;
•providing our customers with support that meets their needs;
•continuing to introduce our platform and products to new markets outside of the United States; and
•our ability to hire and retain sufficient numbers of sales and marketing, research and development and general and administrative personnel, and expand our global operations.
In addition, we expect our operating expenses to increase significantly over the next several years, as we continue to hire additional personnel, particularly in sales and marketing, expand our operations and infrastructure, both domestically and internationally, and continue to develop our platform and products. In addition to the expected costs to grow our business, we also expect to incur significant additional legal, accounting and other expenses as a
16
newly public company. If we fail to increase our revenue to offset the increases in our operating expenses, we may not achieve or sustain profitability in the future.
We have experienced rapid growth in recent periods, and if we do not manage our future growth, our business and results of operations will be adversely affected.
We have experienced rapid revenue growth in recent periods and we expect to continue to invest broadly across our organization to support our growth. For example, our headcount grew from 621 employees as of December 31, 2018, to 840 employees as of December 31, 2019, to employees as of December 31, 2020. Although we have experienced rapid growth historically, we may not sustain our current growth rates nor can we assure you that our investments to support our growth will be successful. The growth and expansion of our business will require us to invest significant financial and operational resources and will require the continuous dedication of our management team. We have encountered and will continue to encounter risks and difficulties frequently experienced by rapidly growing companies in evolving industries, including market acceptance of our platform and products, adding new customers, intense competition and our ability to manage our costs and operating expenses. Our future success will depend in part on our ability to manage our growth effectively, which will require us to, among other things:
•effectively attract, integrate and retain a large number of new employees, particularly members of our sales and marketing and research and development teams;
•further improve our platform and products to support our business needs;
•provide a high level of customer service;
•maintain our corporate culture;
•enhance our information and communication systems to ensure that our employees and offices around the world are well coordinated and can effectively communicate with each other and our growing base of channel partners and customers; and
•improve our financial, management and compliance systems and controls.
If we fail to achieve these objectives effectively, our ability to manage our expected growth, ensure uninterrupted operation of our platform and products, and comply with the rules and regulations applicable to our business could be impaired. Additionally, the quality of our platform and products could suffer and we may not be able to adequately address competitive challenges. Any of the foregoing could adversely affect our business, financial condition and results of operations.
The global COVID-19 pandemic, including the related containment efforts, has had, and we expect will continue to have, certain negative impacts on our business and operations, and we are unable to predict with certainty the extent to which it may continue to adversely affect our business, financial condition or results of operations.
In December 2019, a novel strain of coronavirus, or COVID-19, was first reported to the World Health Organization, or WHO, and in January 2020, the WHO declared the outbreak to be a public health emergency. In March 2020, the WHO characterized COVID-19 as a pandemic. Since then, the COVID-19 pandemic and efforts to control its spread have significantly curtailed the movement of people, goods and services worldwide. As a result, we have enabled our employees and contractors to work remotely, implemented travel restrictions and shifted some company events and meetings to virtual experiences, all of which represent a significant disruption in how we operate our business. The operations of our partners, vendors and customers have likewise been disrupted.
While the duration and extent of the COVID-19 pandemic depends on future developments that cannot be accurately predicted at this time, such as the extent and effectiveness of containment and mitigation actions, it has already had an adverse effect on the global economy, and the ultimate societal and economic impact of the COVID-19 pandemic remains unknown. In particular, the conditions caused by this pandemic may affect the rate of global IT spending, which could adversely affect demand for our platform and products. Further, the COVID-19 pandemic has caused us to experience, in some cases, longer sales cycles and an increase in certain prospective and current customers seeking lower prices or other more favorable contract terms, and has limited the ability of our
17
direct sales force to travel to industry events for lead generation. In addition, the COVID-19 pandemic could reduce the value or duration of subscriptions, negatively impact collections of accounts receivable, reduce expected spending from our customers, cause some of our customers to go out of business and affect contraction or attrition rates of our customers, all of which could adversely affect our business, financial condition and results of operations. Additionally, concerns over the economic impact of COVID-19 have caused extreme volatility in financial and other capital markets, which may adversely affect our stock price and our ability to access capital markets in the future.
Conversely, the COVID-19 pandemic may temporarily increase demand for our platform and products. Many companies have implemented long term work-from-home policies, with employees accessing their systems remotely, which has increased cybersecurity and privacy risks for these companies. Increased awareness of cyber and privacy risks could increase interest in our platform and products and there is no assurance that the levels of interest, demand and use of our platform and products will continue or will not decrease after the pandemic ends. Any such decrease could have an adverse effect on our growth and the success of our platform and products.
We believe our long-term value as a company will be greater if we focus on growth, which may negatively impact our profitability in the near term.
Part of our business strategy is to primarily focus on our long-term growth. As a result, our profitability may be lower in the near term than it would be if our strategy were to maximize short-term profitability. Significant expenditures on sales and marketing efforts, growing our platform and products and expanding our research and development, each of which we intend to continue to invest in, may not ultimately grow our business or cause long-term profitability. If we are ultimately unable to achieve profitability at the level anticipated by industry or financial analysts and our stockholders, our stock price may decline.
We provide service level commitments under our customer contracts. If we fail to meet these contractual commitments, we could be obligated to provide credits for future service, or face contract termination with refunds of prepaid amounts related to unused subscriptions, which could harm our business, financial condition and results of operations.
Our customer agreements contain service level commitments, under which we guarantee specified availability of our platform and products. In light of our historical experience with meeting our service level commitments, we do not currently have any material liabilities accrued on our balance sheet for these commitments. Any failure of or disruption to our cloud-based platform could make our products unavailable to our customers. If we are unable to meet the stated service level commitments to our customers or suffer extended periods of unavailability of our platform and products, we may be contractually obligated to provide affected customers with service credits for future subscriptions, or customers could elect to terminate and receive refunds for prepaid amounts related to unused subscriptions. Our revenue, other results of operations and financial condition could be harmed if we suffer unscheduled downtime that exceeds the service level commitments under our agreements with our customers, and any extended service outages could adversely affect our business and reputation as customers may elect not to renew and we could lose future sales.
If we are unable to attract new customers or develop new products that achieve market acceptance to cross-sell or upsell to our existing customers, our revenue growth and profitability will be harmed.
Since our customers tend to adopt our platform across their entire organizations, to increase our revenue and achieve and maintain profitability, we must expand our customer base. To attract customers, we must drive a broader awareness of the pervasive risks of social engineering and successfully convey our platform’s ability to convert an organization’s employees into an effective last line of defense. We will continue to invest in our inside sales force complemented by a channel strategy designed to increase brand awareness and to enable us to reach new territories and acquire new customers. Numerous factors, however, may impede our ability to acquire new customers, including our failure to recruit talented sales and marketing personnel and to retain and motivate our current sales and marketing personnel, to develop or expand relationships with effective channel partners and managed service providers, or MSPs, to successfully deploy products for new customers, to provide quality customer support once deployed and to execute on our marketing strategies.
18
In addition, our ability to increase revenue depends in large part on our ability to develop compelling new products to cross-sell and upsell to our existing customer base. To do so, we must continue to invest in our technology and platform in order to create new adjacencies and use cases. The success of any new product deployment will depend on several factors, including timely completion and delivery, competitive pricing, adequate quality testing, integration with our existing platform and products and overall market acceptance. If we are unable to successfully develop new products or otherwise gain market acceptance, we may not be able to increase revenues by cross-selling or upselling to our existing customer base, and our business, results of operations and financial condition would be harmed.
If our customers do not renew their subscriptions for our platform and add additional products to their subscriptions, our future results of operations could be harmed.
In order for us to maintain or improve our results of operations, it is important that our customers renew their subscriptions for our platform and products when existing contract terms expire and that we expand our commercial relationships with our existing customers. Our customers have no obligation to renew their subscriptions for our platform and products after the expiration of their contractual period, which is typically one to three years, and in the normal course of business, some customers have elected not to renew. In addition, our customers may renew for fewer products, renew for shorter contract lengths or switch to a lower-cost tier. If our customers do not renew their subscriptions, we could incur impairment losses related to our deferred contract acquisition costs. It is difficult to accurately predict long-term customer retention because of our varied customer base and given the length of our subscription contracts. Our customer retention and expansion may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with our products, our customer support, our prices and pricing plans, our customers’ spending levels, mergers and acquisitions involving our customers, competition and deteriorating general economic conditions.
Our future success also depends in part on the rate at which we cross-sell or upsell to our current customers, which is driven by a number of factors, including customer satisfaction with our services, general economic conditions and customer reaction to our pricing. If our efforts to expand our relationship with our existing customers are not successful, our business may materially suffer.
We recognize revenue from subscriptions over the term of our customer contracts, and as such, our reported revenue and related metrics may differ significantly in a given period, and our revenue in any period may not be indicative of our financial health and future performance.
The subscription terms of our customer contracts typically range from one to three years and are recorded upon invoicing, which typically happens on an annual basis. A substantial majority of our revenue is recognized over the term of the subscription. As a result, much of the revenue we report each quarter is derived from contracts that we entered into with customers in prior periods. Consequently, a decline in new or renewed subscriptions in any quarter will not be fully reflected in revenue or other results of operations in that quarter but will negatively affect our revenue and other results of operations across future quarters. Any increases in the average term of subscriptions would result in revenue for those contracts being recognized over longer periods of time with less positive impact on our results of operations in the near term. Accordingly, our revenue in any given period may not be an accurate indicator of our financial health and future performance.
Failure to effectively develop and expand our marketing and sales capabilities or maintain successful relationships with our channel partners could harm our ability to increase our customer base and achieve broader market acceptance of our products.
Our ability to increase our customer base and achieve broader market acceptance of our platform and products will depend to a significant extent on our ability to expand our marketing and sales operations and to maintain successful relationships with our channel partners. We plan to continue expanding our direct inside sales force and engaging additional channel partners, both domestically and internationally. This expansion will require us to invest significant financial and other resources. Our business will be harmed if our efforts do not generate a corresponding increase in revenue. We may not achieve anticipated revenue growth from expanding our direct sales force if we are unable to hire and develop talented direct inside sales personnel, if our new direct inside sales personnel are unable
19
to achieve desired productivity levels in a reasonable period of time or if we are unable to retain our existing direct inside sales personnel.
In order to grow our business, we anticipate that we will continue to depend on our relationships with our channel partners who we rely on, in addition to our direct sales force, to sell and support our products. For the years ended December 31, 2018, 2019 and 2020, while no individual channel partner accounted for 10% or more of our sales, in the aggregate, our channel partners accounted for 20.4%, 32.3% and % of our revenue, respectively, and we expect that sales to channel partners will continue to account for a substantial portion of our revenue for the foreseeable future. We utilize channel partners to efficiently increase the scale of our marketing and sales efforts and increase our market penetration to customers who we otherwise might not reach on our own. Our ability to achieve revenue growth in the future will depend, in part, on our success in maintaining successful relationships with our channel partners.
Our agreements with our channel partners are generally non-exclusive, meaning our channel partners may offer customers competitive products from different companies, and generally allow the channel partner to terminate its agreements with us for any reason upon 30 days’ notice. For example, some of our channel partners also sell or provide integration and administration services for our competitors’ products, and if such channel partners devote greater resources to marketing, reselling and supporting competing products, this could harm our business, financial condition and results of operations. If our channel partners do not effectively market and sell our products, choose to use greater efforts to market and sell their own products or those of others or fail to meet the needs of our customers, our ability to grow our business, sell our products and maintain our reputation may be adversely affected. The loss of key channel partners, our possible inability to replace them or the failure to recruit additional channel partners could materially and adversely affect our results of operations. If we are unable to maintain our relationships with these channel partners, our business, financial condition, results of operations or cash flows could be adversely affected
If we are not able to provide successful updates, enhancements and features to our technology to, among other things, keep up with emerging threats and customer needs, our business, financial condition and results of operations could be adversely affected.
Our industry is marked by rapid technological developments and demand for new and enhanced products and features to address the evolving risks associated with social engineering. In particular, cybersecurity threats are becoming increasingly sophisticated and responsive to the new security measures designed to thwart them. If we fail to identify and respond to new and increasingly complex methods of attack and update our products to address such threats, our business and reputation will suffer. The success of any new enhancements, features or products that we introduce depends on several factors, including the timely completion, introduction and market acceptance of such enhancements, features or products. We may not be successful in either developing these modifications and enhancements or in bringing them to market in a timely fashion. Furthermore, modifications to existing technologies will increase our research and development expenses. If we are unable to successfully enhance our existing products to meet customer requirements, increase adoption and usage of our products or develop new products, enhancements and features, our business, financial condition and results of operations will be harmed.
In addition, our future success depends, in part, on continued market adoption of cloud-based technologies such as our platform as an alternative to on-premise offerings. While the market for cloud-based technologies is growing, it is not as mature as the market for legacy on-premise offerings, and organizations that have invested substantial resources into on-premise systems may be reluctant or unwilling to migrate to cloud-based platforms. It is uncertain whether cloud-based technologies will achieve and sustain high levels of customer demand and market acceptance. Our success depends on the adoption of cloud-based technologies globally and across industries. It is difficult to predict market adoption rates and the future growth rate and size of the market for cloud-based technologies. If cloud-based technologies do not achieve widespread adoption or there is a reduction in demand for cloud-based technologies caused by a lack of customer acceptance, technological challenges, weakening economic conditions, security or privacy concerns, competing technologies and solutions, reductions in corporate spending or otherwise, our business, financial condition and results of operations will be harmed.
20
Certain estimates of market opportunity and forecasts of market growth included in this prospectus may prove to be inaccurate.
This prospectus includes our internal estimates of the addressable market for security awareness products. Market opportunity estimates and growth forecasts, whether obtained from third-party sources or developed internally, are subject to significant uncertainty and are based on assumptions and estimates that may not prove to be accurate. The estimates and forecasts in this prospectus relating to the size and expected growth of our target market, market demand and adoption, capacity to address this demand and pricing may prove to be inaccurate. In particular, estimates regarding our current and projected market opportunity are difficult to predict. In addition, our internal estimates of the addressable market for security awareness products reflect the opportunity available from all participants and potential participants in the market. The addressable market we estimate may not materialize for many years, if ever, and even if the markets in which we compete meet the size estimates and growth forecasted in this prospectus, our business could fail to grow at similar rates, if at all.
If we cannot maintain our company culture as we grow, we could lose the innovation, teamwork, passion and focus on execution that we believe contribute to our success and our business may be harmed.
We believe that our corporate culture has been a contributor to our success, which we believe fosters innovation, teamwork, passion and focus on building and marketing our platform and products. As we grow and develop the infrastructure of a public company, we may find it difficult to maintain our corporate culture. Any failure to preserve our culture could harm our future success, including our ability to retain and recruit personnel, innovate and operate effectively and execute on our business strategy. Additionally, our productivity and the quality of our products may be adversely affected if we do not integrate and train our new employees quickly and effectively. If we experience any of these effects in connection with future growth, it could impair our ability to attract new customers, retain existing customers and expand their use of our products, all of which would adversely affect our business, financial condition and results of operations.
Our financial results may fluctuate due to increasing variability in our sales cycles.
We plan our expenses based on certain assumptions about the length and variability of our sales cycle. These assumptions are based upon historical trends for sales cycles and conversion rates associated with our existing customers. As we continue to focus on sales to larger organizations, we expect our sales cycles to lengthen and become less predictable, which may harm our financial results. Factors that may influence the length and variability of our sales cycle include, among other things:
•the need to raise awareness about the benefits of our platform and products;
•the discretionary nature of purchasing and budget cycles and decisions;
•the competitive nature of evaluation and purchasing processes;
•announcements or planned introductions of new products, features or functionality by us or our competitors; and
•potentially lengthy purchasing approval processes.
Our increasing focus on sales to larger organizations may further increase the variability of our financial results. If we are unable to close one or more expected significant transactions with large organizations in a particular period, or if an expected transaction is delayed until a subsequent period, our results of operations for that period, and for any future periods in which revenue from such transaction would otherwise have been recognized, may be harmed.
A network, systems or data security incident may allow unauthorized access to our network, systems or data or our customers’ data, harm our reputation, create additional liability and adversely impact our financial results.
Increasingly, companies are subject to a wide variety of attacks on their networks and systems on an ongoing basis. In addition to traditional computer “hackers,” malicious code (such as viruses and worms), employee or
21
contractor theft or misuse and denial-of-service attacks, sophisticated nation-state and nation-state supported actors now engage in attacks (including advanced persistent threat intrusions). Despite significant efforts to create security barriers to such threats, it is virtually impossible for us to entirely mitigate these risks. The security measures we have integrated into our internal networks and systems, and into our platform and products, which are designed to detect unauthorized activity and prevent or minimize security breaches, may not function as expected or may not be sufficient to protect our internal networks, platform and products against certain attacks. In addition, techniques used to sabotage or to obtain unauthorized access to networks in which data is stored or through which data is transmitted change frequently and generally are not recognized until launched against a target. As a result, we may be unable to anticipate these techniques or implement adequate preventative measures to prevent an electronic intrusion into our networks or systems, unauthorized access to or disclosure of data or other security breaches or incidents.
Third parties also may attempt to fraudulently induce employees or customers into disclosing sensitive information such as user names, passwords or other information or otherwise compromise the security of our networks, electronic systems and/or physical facilities in order to gain access to our data or our customers’ data, which could result in significant legal and financial exposure, the loss, alteration or compromise of our sensitive or otherwise critical business information, a loss of confidence in the security of our platform and products, interruptions or malfunctions in our operations, and, ultimately, harm to our future business prospects and revenue. As a well-known provider of products in the security awareness market, we may be a particularly attractive target for these and other forms of attacks.
Our customers’ storage and use of data concerning, among others, their employees, contractors, customers and partners is essential to their use of our platform and products, which stores, transmits and processes customers’ proprietary information and personally identifiable information. If a breach of customer data security were to occur or to be perceived to occur, as a result of third-party action, employee or contractor error, malfeasance or otherwise, and the confidentiality, integrity or availability of our customers’ data was disrupted or believed to have been disrupted, we could face claims by and incur significant liability to our customers and to individuals or businesses whose information was being stored by our customers, and our platform and products may be perceived as less desirable, which could negatively affect our business and damage our reputation. In addition, a network, systems or other security breach, whether or not impacting or being perceived to impact the confidentiality, integrity or availability of our customers’ data, could result in the loss of customers and make it more challenging to acquire new customers.
In addition, security breaches impacting our platform and products could result in a risk of loss, alteration or unauthorized access to or disclosure of information maintained on or processed by our platform and products, which, in turn, could lead to claims, litigation, governmental audits and investigations and possible liability, damage our relationships with our existing customers and have a negative impact on our ability to attract and retain new customers. These breaches, or any perceived breach, of our employees, networks or systems, in particular, because of our position as a security awareness company, may also undermine confidence in our platform or products and result in damage to our reputation, negative publicity, loss of channel partners, customers and sales, increased costs to remedy any problem and costly litigation. In addition, a breach of the security measures of one of our key channel partners or independent software vendors could result in the exfiltration of confidential corporate information or other data that may provide additional avenues of attack. If a high profile security breach occurs with respect to another Software-as-a-Service, or SaaS, provider, our customers and potential customers may lose trust in the security of the SaaS business model generally, which could adversely impact our ability to retain existing customers or attract new ones, potentially causing a negative impact on our business. Any of these negative outcomes could adversely impact market acceptance of our products and could harm our business, financial condition and results of operations.
We may be required to expend significant capital and financial resources to protect against the foregoing threats and to alleviate problems caused by actual or perceived security breaches. We may face difficulties or delays in identifying, remediating and responding to attacks and actual or perceived security breaches. Additionally, we use third party service providers to provide data hosting and other services to us, and they face similar risks. Any actual or perceived security breach at a company providing services to us could result in the impacts described above. The current COVID-19 pandemic has resulted in increased employees and other personnel working remotely, which increases the risk we and our service providers face.
22
While we maintain insurance that may cover certain liabilities relating to security breaches, subject to applicable deductibles and policy limitations, our insurance may be insufficient to cover all liabilities incurred. We cannot be certain that our insurance coverage will be adequate for liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, premiums or deductibles could have a material adverse effect on our business, results of operations and financial condition.
Complying with evolving privacy and other data related laws and requirements may be expensive and force us to make adverse changes to our business, and failure to comply with such laws and requirements could result in substantial harm to our business.
Laws and regulations governing data privacy and protection, information security, the use of the Internet as a commercial medium, the use of data in artificial intelligence and machine learning and data sovereignty requirements are rapidly evolving, extensive, complex and include inconsistencies and uncertainties. Examples of recent and anticipated developments that have or could impact our business include the following:
•The General Data Protection Regulation, or GDPR, took effect in May 2018 and established several requirements applicable to the handling of personal data of individuals in the European Union, or EU. The GDPR is wide-ranging in scope and imposes numerous additional requirements on companies that process personal data, including imposing accountability obligations requiring data controllers and processors to maintain a record of their data processing and implement policies and procedures as part of its mandated privacy governance framework. It also requires data controllers to be transparent and disclose to data subjects how their personal data will be used; establishes rights for individuals with respect to their personal data, including rights of access and deletion in certain circumstances; imposes limitations on retention of personal data; establishes data breach notification requirements; and sets standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities.
•The GDPR also imposes strict rules applied to the transfer of personal data out of the European Economic Area, or EEA, and the United Kingdom to third countries deemed to lack adequate privacy protections (including the United States), unless an appropriate safeguard specified by the GDPR is implemented, such as the Standard Contractual Clauses, or SCCs, approved by the European Commission, or a derogation applies. The Court of Justice of the European Union, or CJEU, recently deemed the SCCs valid. However, the CJEU ruled that transfers made pursuant to the SCCs and other alternative transfer mechanisms must be analyzed on a case-by-case basis to ensure EU standards of data protection are met in the jurisdiction where the data importer is based, and concerns remain about the potential for the SCCs and other mechanisms to face additional challenges. European regulators recently have issued guidance following the CJEU ruling that imposes significant new diligence requirements on transferring data outside the EEA, including under an approved transfer mechanism. This guidance requires an “essential equivalency” assessment of the laws of the destination country. If essentially equivalent protections are not available in the destination country, the exporting entity must then assess if supplemental measures can be put in place that, in combination with the chosen transfer mechanism, would address the deficiency in the laws and ensure that essentially equivalent protection can be given to the data. Complying with this guidance will be expensive and time consuming and may ultimately prevent us from transferring personal data outside the EEA, which would cause significant business disruption.
•The EU has proposed the Regulation on Privacy and Electronic Communications, or ePrivacy Regulation, which, if adopted, would impose new obligations on the use of personal data in the context of electronic communications, particularly with respect to online tracking technologies and direct marketing.
•In January 2020, the United Kingdom formally left the EU. The United Kingdom’s withdrawal from the EU is commonly referred to as “Brexit.” The United Kingdom has implemented legislation that implements and complements the GDPR, and which will provide for the implementation of GDPR requirements, including those related to cross-border data transfer, in United Kingdom law once a period of “transition” expires on December 31, 2020. We cannot fully predict how United Kingdom data protection laws or
23
regulations may develop in the longer term, including those relating to data transfers. We may be required to take steps to ensure the lawfulness of our data transfers, particularly if by the end of the transition period there will not be an EU Commission’s adequacy decision regarding the United Kingdom.
•In January 2020, the California Consumer Privacy Act, or CCPA, took effect, providing California residents increased privacy rights and protections, including the ability to opt out of sales of their personal information. The CCPA went into effect in January 2020 and became enforceable by the California Attorney General in July 2020. Among other things, the CCPA requires covered companies to provide new disclosures to California consumers and afford such consumers new rights with respect to their personal information, including the right to request deletion of their personal information, the right to receive the personal information on record for them, the right to know what categories of personal information generally are maintained about them, as well as the right to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action may increase the likelihood of, and risks associated with, data breach litigation.
•California voters also approved a new privacy law, the California Privacy Rights Act, or CPRA, in the November 3, 2020 election. The CPRA significantly modifies the CCPA. The CCPA and CPRA may increase our compliance costs and exposure to liability. Effective January 1, 2023, the CPRA imposes additional obligations on covered companies and will significantly modify the CCPA, including by expanding consumers’ rights with respect to certain sensitive personal information. The CPRA also creates a new state agency that will be vested with authority to implement and enforce the CCPA and the CPRA. The effects of the CCPA and the CPRA are potentially significant and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply and increase our potential exposure to regulatory enforcement and/or litigation. Other U.S. states are considering adopting similar laws. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies.
Additionally, both U.S. and non-U.S. governments are considering regulating artificial intelligence and machine learning.
These and other similar legal and regulatory developments could contribute to legal and economic uncertainty, affect how we design, market, sell and operate our platform and products, how our customers process and share data, how we process and use data and how we transfer personal data from one jurisdiction to another, which could negatively impact demand for our platform and products. We may incur substantial costs to comply with such laws and regulations, to meet the demands of our customers relating to their own compliance with applicable laws and regulations and to establish and maintain internal policies, self-certifications, and third-party certifications supporting our compliance programs. Our customers may bind us to certain obligations pursuant to the GDPR or other laws or regulations relating to privacy or data protection, and we may be or become bound by other contractual obligations relating to privacy, data protection or information security. We may be required to expend substantial resources to comply with these obligations. In addition, any actual or perceived non-compliance with applicable laws, regulations, policies, certifications or contractual obligations could result in proceedings, investigations or claims against us by regulatory authorities, customers or others, leading to reputational harm, significant fines, litigation costs and damages. For example, if regulators assert that we have failed to comply with the GDPR, we may be subject to fines of up to EUR 20 million or 4% of our worldwide annual revenue, whichever is greater, as well as potential data processing restrictions. Authorities have shown a willingness to impose significant fines and issue orders preventing the processing of personal data on non-compliant businesses. Moreover, individuals can claim damages resulting from infringement of the GDPR and other European data protection laws. The GDPR also introduces the right for non-profit organizations to bring claims on behalf of data subjects. In addition to the foregoing, a breach of the GDPR or other applicable privacy and data protection laws and regulations could result in regulatory investigations, reputational damage, orders change our use of data, enforcement notices, or potential civil claims including class action type litigation. All of these impacts could have a material adverse effect on our business, financial condition and results of operations.
24
We publish privacy policies and other documentation regarding our collection, processing, use and disclosure of personal information, credit card information or other confidential information. Although we endeavor to comply with applicable laws and regulations relating to privacy, data protection, and information security, and our related policies, certifications, representations and documentation, we may at times fail to do so or may be perceived to have failed to do so. Moreover, despite our efforts, we may not be successful in achieving or maintaining compliance if our employees or service providers fail to comply with our policies, certifications, representations and documentation. Such failures can subject us to potential claims, litigation and international, local, state and federal action if they are found or alleged to be deceptive, unfair or to misrepresent our actual practices.
We also collect information about cyber threats from open sources, intermediaries and third parties that we make available to our customers in our industry publications. While we have implemented certain procedures to facilitate compliance with applicable laws and regulations in connection with the collection of this information, we cannot assure you that these procedures have been effective or that we, or third parties, many of whom we do not control, have complied with all laws or regulations in this regard. Failure by our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties to comply with applicable laws and regulations in the collection of this information also could have negative consequences to us, including reputational harm, government investigations and penalties. Although we take precautions to prevent our information collection practices and services from being provided in violation of such laws, our information collection practices and services may have been in the past, and could in the future be, provided in violation of such laws.
Our international operations and plans for future international expansion expose us to significant risks, and failure to manage those risks could adversely impact our business, financial condition and results of operations.
We derived 6.0%, 9.7% and % of our total revenue from international customers for the years ended December 31, 2018, 2019 and 2020, respectively. We are continuing to adapt to and develop strategies to address international markets and our growth strategy includes expansion into target geographies including opportunistically through acquisitions, but there is no guarantee that such efforts will be successful. We expect that our international activities will continue to grow in the future, as we continue to pursue opportunities in international markets. These international operations will require significant management attention and financial resources and are subject to substantial risks, including:
•greater difficulty in negotiating contracts with standard terms, enforcing contracts and managing collections and longer collection periods;
•higher costs of doing business internationally, including costs incurred in establishing and maintaining office space and equipment for our international operations;
•management communication and integration problems resulting from cultural and geographic dispersion;
•risks associated with trade restrictions and foreign legal requirements, including any importation, certification and localization of our platform and products that may be required in foreign countries;
•greater risk of unexpected changes in regulatory practices, tariffs and tax laws and treaties;
•compliance with anti-bribery laws, including, without limitation, compliance with the U.S. Foreign Corrupt Practices Act of 1977, as amended, or FCPA, the U.S. Travel Act and the UK Bribery Act 2010, or the Bribery Act, violations of which could lead to significant fines, penalties and collateral consequences for our company;
•heightened risk of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, or irregularities in, financial statements;
•the uncertainty of protection for intellectual property rights in some countries;
•general economic and political conditions or events in these foreign markets, including, but not limited to, Brexit;
25
•foreign exchange controls or tax regulations that might prevent us from repatriating cash earned outside the United States;
•political and economic instability in some countries;
•double taxation of our international earnings and potentially adverse tax consequences due to changes in the tax laws of the United States or the foreign jurisdictions in which we operate;
•unexpected costs for the localization of our services, including translation into foreign languages and adaptation for local practices and regulatory requirements;
•requirements to comply with foreign privacy, data protection and information security laws and regulations, and the risks and costs of noncompliance;
•greater difficulty in identifying, attracting and retaining local qualified personnel, and the costs and expenses associated with such activities;
•greater difficulty identifying qualified channel partners and maintaining successful relationships with such partners;
•differing employment practices and labor relations issues; and
•difficulties in managing and staffing international offices and increased travel, infrastructure and legal compliance costs associated with multiple international locations.
As we continue to develop and grow our business globally, our success will depend in large part on our ability to anticipate and effectively manage these risks. The expansion of our existing international operations and entry into additional international markets will require significant management attention and financial resources. Our failure to successfully manage our international operations and the associated risks could limit the future growth of our business.
The nature of our business requires the application of complex accounting rules, including revenue and expense recognition rules, and any significant changes in current rules, or interpretations thereof, could affect our financial statements and results of operations.
The accounting rules and regulations that we must comply with are complex and subject to interpretation by the Financial Accounting Standards Board, or the FASB, the Securities and Exchange Commission, or the SEC, and various bodies formed to promulgate and interpret appropriate accounting principles. Recent actions and public comments from the FASB and the SEC have been focused on the integrity of financial reporting and internal controls over financial reporting. Many companies’ accounting policies and practices are being subject to heightened scrutiny by regulators and the public. In addition, the accounting rules and regulations are continually changing in ways that could materially impact our financial statements. We cannot predict the impact of future changes to accounting principles or our accounting policies on our financial statements going forward, which could significantly affect our reported financial results and could affect the reporting of transactions completed before the announcement of the change. Further, if we were to change our critical accounting estimates, our results of operations could be significantly affected.
We rely upon SaaS technologies from third parties to operate our business, and interruptions or performance problems with these technologies may adversely affect our business, financial condition and results of operations.
We rely on hosted SaaS applications from third parties in order to operate critical functions of our business, including platform delivery, enterprise resource planning, customer relationship management, billing, project management and accounting and financial reporting. If these services become unavailable due to extended outages, interruptions or because they are no longer available on commercially reasonable terms, our expenses could increase, our ability to manage finances could be interrupted and our processes for managing sales of our platform and products and supporting our customers could be impaired until equivalent services, if available, are identified,
26
obtained and implemented, all of which could adversely affect our business, financial condition and results of operations.
Interruptions or delays in the services provided by third-party data centers or internet service providers could impair the delivery of our platform and products, expose us to litigation and negatively impact our relationships with customers, adversely affecting our business.
We host our platform using Amazon Web Services, or AWS, data centers, a provider of cloud infrastructure services, and, therefore, we are vulnerable to service interruptions at AWS, which could impact the ability of our customers to access our platform at any time, without interruption or degradation of performance. All of our products reside on hardware owned or leased and operated by us in these locations. Our operations depend on protecting the virtual cloud infrastructure hosted in AWS by maintaining its configuration, architecture and interconnection specifications, as well as the information stored in these virtual data centers, which third-party internet service providers transmit. Although we have disaster recovery plans that utilize multiple AWS locations, any incident affecting their infrastructure that may be caused by fire, flood, severe storm, earthquake, power loss, telecommunications failures, unauthorized intrusion, computer viruses and disabling devices, hacking and other security attacks, natural disasters, war, criminal acts, military actions, terrorist attacks and other similar events beyond our control could negatively affect the security or availability of our platform and products. A prolonged AWS service disruption affecting our platform and products for any of the foregoing reasons could damage our reputation with current and potential customers, expose us to liability, cause us to lose customers or otherwise harm our business. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the AWS services we use.
AWS enables us to order and reserve server capacity in varying amounts and sizes distributed across multiple regions. AWS provides us with computing and storage capacity pursuant to an agreement that continues until terminated by either party. AWS may terminate the agreement by providing 30 days prior written notice and may, in some cases, terminate the agreement immediately for cause upon notice.
Our platform and products are accessed by a large number of customers, often at the same time. As we continue to expand the number of our customers and products available to our customers, we may not be able to scale our technology to accommodate the increased capacity requirements, which may result in interruptions or delays in service. In addition, the failure of AWS data centers or third-party internet service providers to meet our capacity requirements could result in interruptions or delays in access to our platform and products or impede our ability to scale our operations. In the event that our AWS service agreements are terminated, or there is a lapse of service, interruption of internet service provider connectivity or damage to such facilities, we could experience interruptions in access to our platform and products as well as delays and additional expense in arranging new facilities and services.
Although we maintain insurance for our business, the coverage under our policies may not be adequate to compensate us for all losses that may occur. In addition, we cannot provide assurance that we will continue to be able to obtain adequate insurance coverage at an acceptable cost.
We depend on our executive officers and other key employees, the loss of whom could adversely affect our business.
We believe that our success is substantially dependent on our ability to attract, retain and motivate the members of our management team and other key employees throughout our organization. In particular, we depend on the services of Stu Sjouwerman, our founder and Chief Executive Officer, who is critical to our future vision and strategic direction. We rely on our leadership team in the areas of research and development, operations, security, marketing, sales, customer support and general and administrative functions. Although we have entered into employment agreements with our leadership team, our employees, including our executive officers, work for us on an “at-will” basis, which means they may terminate their employment with us at any time. If Mr. Sjouwerman or one or more of our key employees or members of our management team resigns or otherwise ceases to provide us with their service, and if we fail to have in place and execute an effective succession plan for key executives, our business could be harmed.
27
In addition, because our future success is dependent on our ability to continue to refresh and enhance our library of differentiated security awareness content and expand our platform features, we are heavily dependent on our ability to attract and retain qualified personnel with the requisite background and industry experience to drive content creation and product development. As we expand our business domestically and globally, our continued success will also depend on our ability to attract and retain qualified content development personnel capable of creating localized, culturally relevant security awareness content, as well as to attract and retain qualified sales, marketing and operational personnel capable of supporting a larger and more diverse customer base. The loss of the services of a significant number of our content, technology or sales personnel could be disruptive to our content and product development efforts, which could harm our ability to retain existing customers and to expand our global customer base.
If our platform and products fail to perform properly, our reputation could be adversely affected and our market share could decline, which could have a material adverse effect on our business, financial condition and results of operations.
Our platform and products are inherently complex and may contain material defects or errors. In the future we may experience website disruptions, outages and other performance problems. These problems may be caused by a variety of factors, including infrastructure changes, human or software errors or negligence, viruses, hacking and other security attacks, fraud, increased resource consumption from expansion or modification to our code and spikes in customer usage. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. If we do not accurately predict our infrastructure requirements, our existing customers may experience service outages and our operations infrastructure may fail to keep pace with increased sales, causing new customers to experience delays. We may be required to issue credits or refunds for prepaid amounts related to unused services; see “—We provide service level commitments under our customer contracts. If we fail to meet these contractual commitments, we could be obligated to provide credits for future service, or face contract termination with refunds of prepaid amounts related to unused subscriptions, which could harm our business, financial condition and results of operations” above. Any defects in functionality or that cause interruptions in the availability of our platform and products could result in:
•loss or delayed market acceptance and sales;
•breach of warranty or other contractual claims for damages incurred by customers;
•loss of customers;
•diversion of development and customer service resources; and
•injury to our reputation;
any of which could have a material adverse effect on our business, financial condition and results of operations. In addition, the costs incurred in correcting any material defects or errors might be substantial.
The market in which we participate is competitive, and if we do not compete effectively, our business, financial condition and results of operations could be harmed.
The market for our platform and products is rapidly evolving and fragmented, and we expect competition to increase in the future. Although we believe competitors that compete with our platform and products to manage the ongoing problem of social engineering are currently limited, a number of companies have developed, or are developing, products that currently are, or in the future may be, competitive with our offerings. For example, certain larger enterprise providers, such as Proofpoint, Mimecast and Cofense, all attempt to address human risk through a product offering that is often tied to other products and is not given a singular focus. Nevertheless, competition continues to increase in the market segments in which we operate, and we expect competition to further increase in the future. Larger competitors with more diverse product and service offerings may reduce the price of products or subscriptions that compete with ours or may bundle them with other products and subscriptions. These competitive pressures may cause our subscription prices to decline for a variety of reasons, including competitive pricing pressures, discounts, anticipation of the introduction of new products by competitors or promotional programs
28
offered by us or our competitors. If we are unable to maintain our pricing due to competitive pressures or other factors, our margins will be reduced and our gross profits, business, financial condition and results of operations would be adversely affected. As a result, as competition in our market increases, it could result in increased pricing pressure, decreased revenue, increased sales and marketing expenses and loss of market share for us, any of which could adversely affect our business, financial condition and results of operations.
We may experience quarterly fluctuations in our results of operations due to a number of factors that make our future results difficult to predict and could cause our results of operations to fall below analyst or investor expectations.
Our quarterly results of operations fluctuate as a result of a number of factors, many of which are outside of our control and may be difficult to predict, including, but not limited to:
•the level of demand for our platform and products;
•the timing and success of new product introductions by us or our competitors or any other change in the competitive landscape of our market;
•pricing pressure as a result of competition or otherwise;
•seasonal buying patterns for IT spending;
•errors in forecasting the demand for our products, which could lead to lower revenue, increased costs or both;
•increases in and timing of sales and marketing and other operating expenses that we may incur to grow and expand our operations and to remain competitive;
•credit or other difficulties confronting our channel partners;
•adverse litigation judgments, settlements or other litigation-related costs;
•changes in the legislative or regulatory environment, including with respect to privacy, data protection and security and enforcement by government regulators, including fines, orders or consent decrees;
•system failures or actual or perceived security breaches;
•fluctuations in foreign currency exchange rates;
•costs related to the acquisition of businesses, talent, technologies or intellectual property, including potentially significant amortization costs and possible write-downs; and
•general economic conditions in either domestic or international markets, including geopolitical uncertainty and instability.
Any one or more of the factors above may result in significant fluctuations in our results of operations. You should not rely on our past results as an indicator of our future performance. The variability and unpredictability of our quarterly results of operations or other operating metrics could result in our failure to meet our expectations or those of analysts that cover us or investors with respect to revenue or other metrics for a particular period. If we fail to meet or exceed such expectations for these or any other reasons, the market price of our common stock could fall substantially, and we could face costly lawsuits, including securities class action suits.
We may face exposure to foreign currency exchange rate fluctuations.
Today, our international contracts are sometimes denominated in local currencies; however, the majority of our international costs are denominated in local currencies. Over time, an increasing portion of our international contracts may be denominated in local currencies. Therefore, fluctuations in the value of the U.S. dollar and foreign currencies may affect our results of operations when translated into U.S. dollars. We do not currently engage in
29
currency hedging activities to limit the risk of exchange rate fluctuations. However, in the future, we may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign currency exchange rates. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.
We may need to raise additional capital to expand our operations and invest in new products, which capital may not be available on terms acceptable to us, or at all, and which could reduce our ability to compete and could harm our business.
We expect that our existing cash and cash equivalents, cash provided by operating activities and unbilled amounts related to contracted non-cancelable subscription agreements, which are not reflected on the balance sheet, will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months. Retaining or expanding our current levels of personnel and product offerings may require additional funds to respond to business challenges, including the need to develop new products and enhancements to our platform and products, improve our operating infrastructure or acquire complementary businesses and technologies. Our failure to raise additional capital or generate the significant capital necessary to expand our operations and invest in new products could reduce our ability to compete and could harm our business. Accordingly, we may need to engage in additional equity or debt financings to secure additional funds. If we raise additional equity financing, our stockholders may experience significant dilution of their ownership interests and the market price of our common stock could decline. If we engage in debt financing, the holders of debt may have priority over the holders of our common stock, and we may be required to accept terms that restrict our operations or our ability to incur additional indebtedness or to take other actions that would otherwise be in the interests of the debt holders. Any of the above could harm our business, financial condition and results of operations.
Adverse economic conditions or reduced IT security spending may adversely impact our revenue and profitability.
Our operations and performance depend in part on worldwide economic conditions and the impact these conditions have on levels of spending on IT networking and security solutions. Our business depends on the overall demand for these solutions and on the economic health and general willingness of our current and prospective customers to purchase our platform and products. Weak economic conditions or a reduction in IT security spending could materially and adversely affect our business, financial condition and results of operations in a number of ways, including by reducing sales, lengthening sales cycles and lowering prices for our platform and products.
Any future litigation against us could be costly and time-consuming to defend.
We may become subject to legal proceedings and claims that arise in the ordinary course of business, such as claims brought by our customers in connection with commercial disputes or employment claims made by our current or former employees. Litigation might result in substantial costs and may divert management’s attention and resources, which might seriously harm our business, financial condition and results of operations. Insurance might not cover such claims, might not provide sufficient payments to cover all the costs to resolve one or more such claims and might not continue to be available on terms acceptable to us (including premium increases or the imposition of large deductible or co-insurance requirements). A claim brought against us that is uninsured or underinsured could result in unanticipated costs, potentially harming our business, financial position and results of operations. In addition, we cannot be sure that our existing insurance coverage and coverage for errors and omissions will continue to be available on acceptable terms or that our insurers will not deny coverage as to any future claim.
Failure to comply with laws and regulations applicable to our business could subject us to fines and penalties.
Our business is subject to regulation by various federal, state, local and foreign governmental agencies, including, but not limited to, agencies responsible for monitoring and enforcing privacy, data protection and information security laws and regulations, employment and labor laws, workplace safety, product safety, environmental laws, consumer protection laws, anti-bribery laws, import and export controls, federal securities laws and tax laws and regulations. In certain jurisdictions, these regulatory requirements may be more stringent than in
30
the United States. Actual or alleged noncompliance by us, our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties with applicable regulations or requirements could subject us to:
•investigations, enforcement actions and sanctions;
•mandatory changes to our platform, products or business practices;
•disgorgement of profits, fines and damages;
•civil and criminal penalties or injunctions;
•claims for damages by our customers or channel partners;
•termination of contracts;
•loss of intellectual property rights; and
•temporary or permanent debarment from sales to government organizations.
If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, financial condition and results of operations could be adversely affected. In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could harm our business, financial condition and results of operations.
In addition, we endeavor to properly classify employees as exempt versus non-exempt under applicable law. Although there are no pending or threatened material claims or investigations against us asserting that some employees are improperly classified as exempt, the possibility exists that some of our current or former employees could have been incorrectly classified as exempt employees.
Sales to government entities are subject to a number of challenges and risks.
A number of our customers are U.S., state or foreign government entities. Such entities may demand contract terms that are less favorable than standard arrangements with private sector customers and may have statutory, contractual or other legal rights to terminate contracts with us or our partners for convenience or for other reasons. Any such termination may adversely affect our ability to contract with other government customers as well as our reputation, business, financial condition and results of operations.
In addition, as a vendor for government entities, we must comply with laws, regulations and policies governing such governmental bodies, including those related to their cybersecurity practices. For example, the State of California Office of Information Security Phishing Exercise Standard (SIMM 5320-A), released in October 2020, established specific requirements for California state entities and agencies to coordinate phishing exercises with the California Department of Technology Office of Information Security and the California Cybersecurity Integration Center and other requirements for execution. Other states and jurisdictions may adopt versions of this standard or consider other new cybersecurity or data protection measures in the future, imposing additional compliance burdens on us and our customers.
Generally, the laws, regulations and policies that govern our ability to contract with government customers impose added costs on our business, and failure by us, our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties to comply with applicable regulations and requirements could lead to claims for damages, penalties, termination of contracts, loss of exclusive rights in our intellectual property and temporary suspension or permanent debarment from government contracting. Any such damages, penalties, disruptions or limitations in our ability to do business with the public sector could result in reduced sales of our products, reputational damage, penalties and other sanctions, any of which could harm our reputation, business, financial condition and results of operations.
31
We are subject to laws and regulations, including governmental export and import controls, sanctions and anti-corruption laws that could impair our ability to compete in our markets and subject us to liability if we are not in full compliance with applicable laws.
We are subject to laws and regulations, including governmental export controls, that could subject us to liability or impair our ability to compete in our markets. Our products are subject to U.S. export controls, including the U.S. Department of Commerce’s Export Administration Regulations, and we and our employees, representatives, contractors, agents, intermediaries and other third parties are also subject to various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control. Furthermore, U.S. export control laws and economic sanctions prohibit the export and provision of certain cloud-based solutions to, and other transactions and dealings with, countries, governments and persons targeted by U.S. sanctions.
If we or our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties fail to comply with these laws and regulations, we could be subject to civil or criminal penalties, including the possible loss of export privileges and fines. We may also be adversely affected through reputational harm, loss of access to certain markets, government investigations or otherwise. Obtaining the necessary authorizations including any required license for a particular transaction may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities.
Various countries regulate the export and import of certain encryption technology, including through export and import permit and license requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries. Changes in our products or changes in export and import regulations may create delays in the introduction of our products into international markets, prevent our customers with international operations from deploying our products globally or, in some cases, prevent the export or import of our products to certain countries, governments or persons altogether. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations or change in the countries, governments, persons or technologies targeted by such regulations could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Any decreased use of our products or limitation on our ability to export or sell our products would likely adversely affect our business, financial condition and results of operations.
We are also subject to the FCPA, Bribery Act and other anti-corruption, sanctions, anti-bribery, anti-money laundering and similar laws in the United States and other countries in which we conduct activities. Anti-corruption and anti-bribery laws, which have been enforced aggressively and are interpreted broadly, prohibit companies and their employees, agents, intermediaries and other third parties from promising, authorizing, making or offering improper payments or other benefits to government officials and others in the private sector. We leverage third parties, including intermediaries, agents and channel partners, to conduct our business in the United States and abroad to sell subscriptions to our products and to collect information about cyber threats. We and these third parties may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and we may be held liable for the corrupt or other illegal activities of these third-party business partners and intermediaries, our employees, representatives, contractors, channel partners, agents, intermediaries and other third parties, even if we do not explicitly authorize such activities. While we have policies and procedures to address compliance with the FCPA, Bribery Act and other anti-corruption, sanctions, anti-bribery, anti-money laundering and similar laws, we cannot assure you that they will be effective, or that all of our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties have taken, or will not take, actions in violation of our policies and applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase. Noncompliance with these laws could subject us to investigations, severe criminal or civil sanctions, settlements, prosecution, loss of export privileges, suspension or debarment from U.S. government contracts, other enforcement actions, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, whistleblower complaints, adverse media coverage and other consequences. Any investigations, actions or sanctions could harm our reputation, business, financial condition and results of operations.
32
Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited.
We have incurred substantial losses during our history, do not expect to become profitable in the near future, and may never achieve profitability. Unused U.S. federal net operating losses, or NOLs, may be carried forward to offset future taxable income, if any, until such unused NOLs expire. Under the Tax Cuts and Jobs Act, or the Tax Act, enacted in 2017, as modified by the Coronavirus Aid, Relief, and Economic Security Act, or the CARES Act, enacted on March 27, 2020, U.S. federal NOLs incurred in taxable years beginning after December 31, 2017, can be carried forward indefinitely, but the deductibility of such U.S. federal NOLs in taxable years beginning after December 31, 2020 is limited to 80% of taxable income. Our NOLs may also be subject to limitations under state law. For example, California recently enacted legislation suspending the use of NOLs for taxable years 2020, 2021 and 2022 for many taxpayers.
As of December 31, 2019, we had federal and state NOL carryforwards of $64.9 million (of which $53.1 million were incurred in taxable years beginning after December 31, 2017) and $50.3 million, respectively. The federal NOL carryforwards will begin to expire in 2036 and the state NOL carryforwards will begin to expire in 2031, if not utilized.
In addition, under Section 382 of the Internal Revenue Code, if a corporation undergoes an “ownership change,” generally defined as a greater than 50 percentage point change (by value) in its equity ownership over a three-year period, the corporation’s ability to use its pre-change NOL carryforwards and other pre-change tax attributes, such as research tax credits, to offset its post-change income may be limited. We do not expect to experience an ownership change in connection with this offering, though any such ownership change could result in increased future tax liability. In addition, we may experience ownership changes in the future as a result of subsequent shifts in our stock ownership. As a result, if we earn net taxable income, our ability to use our pre-change NOL carryforwards to offset U.S. federal taxable income may be subject to limitations, which could potentially result in increased future tax liability to us.
Changes in tax laws or regulations in the various tax jurisdictions we are subject to that are applied adversely to us or our customers could increase the costs of our products and harm our business.
New income, sales, use or other tax laws, statutes, rules, regulations or ordinances could be enacted at any time. Those enactments could harm our domestic and international business operations, and our business and financial performance. Further, existing tax laws, statutes, rules, regulations or ordinances could be interpreted, changed, modified or applied adversely to us. These events could require us or our customers to pay additional tax amounts on a prospective or retroactive basis, as well as require us or our customers to pay fines and/or penalties and interest for past amounts deemed to be due. If we raise our prices to offset the costs of these changes, existing and potential future customers may elect not to purchase our products in the future. Additionally, new, changed, modified or newly interpreted or applied tax laws could increase our customers’ and our compliance, operating and other costs, as well as the costs of our products. Further, these events could decrease the capital we have available to operate our business. Any or all of these events could harm our business, financial condition and results of operations.
Our business may be subject to additional obligations to collect and remit sales tax and other taxes, and we may be subject to tax liability for past sales. Any successful action by state, foreign or other authorities to collect additional or past sales tax could harm our business.
States and some local taxing jurisdictions have differing rules and regulations governing sales and use taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales taxes to our platform and products in various jurisdictions is unclear. It is possible that we could face sales tax audits and that our liability for these taxes could exceed our estimates as state tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. We could also be subject to audits in states and international jurisdictions for which we have not accrued tax liabilities. A successful assertion that we should be collecting additional sales or other taxes on our products in jurisdictions where we have not historically done so and do not accrue for sales taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our products or otherwise harm our business, financial condition and results of operations.
33
We file sales tax returns in certain states within the United States as required by law. We do not collect sales or other similar taxes in other states and many of such states do not apply sales or similar taxes to the products that we provide. However, one or more states or foreign authorities could seek to impose additional sales, use or other tax collection and record-keeping obligations on us or may determine that such taxes should have, but have not been, paid by us. Liability for past taxes may also include substantial interest and penalty charges. Any successful action by state, foreign or other authorities to compel us to collect and remit sales, use or other taxes, either retroactively, prospectively or both, could harm our business, financial condition and results of operations.
We are a multinational organization faced with increasingly complex tax issues in many jurisdictions, and we could be obligated to pay additional taxes in various jurisdictions.
As a multinational organization, we may be subject to taxation in several jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws or revised interpretations of existing tax laws and precedents, which could have a material adverse effect on our liquidity and results of operations. Furthermore, one or more jurisdictions in which we do not believe we are currently subject to tax payment, withholding or filing requirements could assert that we are subject to such requirements. Any of these claims or assertions could have a material impact on us and the results of our operations.
If we fail to enhance our brand cost-effectively, our ability to expand our customer base will be impaired and our business, financial condition and results of operations may suffer.
We believe that developing and maintaining awareness of our brand in a cost-effective manner is critical to achieving widespread acceptance of our existing and future products and is an important element in attracting new customers. Furthermore, we believe that the importance of brand recognition will increase as competition in our market increases. Successful promotion of our brand will depend largely on the effectiveness of our marketing efforts and on our ability to provide reliable and useful products at competitive prices. In the past, our efforts to build our brand have involved significant expenses. Brand promotion activities may not yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote and maintain our brand, or incur substantial expenses in an unsuccessful attempt to promote and maintain our brand, we may fail to attract new customers or retain our existing customers to the extent necessary to realize a sufficient return on our brand-building efforts, and our business, financial condition and results of operations could suffer.
Catastrophic events may disrupt our business.
Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce and the global economy, and thus could harm our business. We have a large employee presence in Clearwater, Florida and the east coast of the United States is often subject to seasonal hurricanes. In the event of a major hurricane, earthquake or other catastrophic event such as fire, power loss, telecommunications failure, cyber-attack, war or terrorist attack, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our application development, lengthy interruptions in our products, breaches of data security and loss, alteration or compromise of critical data, all of which could harm our business, financial condition and results of operations. In addition, the insurance we maintain may not be adequate to cover our losses resulting from disasters or other business interruptions.
Risks Related to Our Intellectual Property
Our results of operations may be harmed if we are subject to a protracted infringement claim or a claim that results in a significant damage award.
A key tenet of our security awareness platform and products is the ability for our customers to perform simulated social engineering attacks on their users as part of our comprehensive training program. These social engineering attacks, typically in the form of a simulated phishing email, often use actual third-party names, logos, marks and other content in order to enhance the effectiveness of the simulation. In addition, we register domain
34
names containing third-party names or marks, or variations thereof, to be used in connection with our simulated phishing emails. Although we do not believe that the use of such names, logos, marks and other content for our customers’ internal training purposes infringes upon the trademark rights or other intellectual property rights of others, some third parties have objected to such use of training materials. These third parties have sent us requests or demands to remove their names, logos, marks and other content from our platform and products, and others have alleged that such use infringes upon their trademark rights or copyrights or otherwise creates actionable claims under state law. Also, some third parties have sent us privacy service requests or demands to cease use of and transfer domains containing their names, marks or variations thereof. To date, we have taken a case-by-case approach and worked to resolve all brand-owner demands directly with the individual brand owners. Although no legal actions have resulted from historical demands, there is no assurance that legal actions will not result in the future from objecting brand owners. Additionally, as knowledge of our business expands, we may experience such demands with increasing frequency. Such legal actions, regardless of their merit, could require us to expend significant financial resources and attention by management and other personnel, result in injunctions against us that prevent us from using third-party names, logos, marks and other content on our platform and products, require us to pay monetary awards to third parties and/or transfer domain name registrations.
Furthermore, because any legal actions could involve novel questions of law regarding simulated phishing activities for which there is no or very little precedent, and, because the outcomes of any such actions could depend on questions of specific state laws that vary from state to state, the outcomes of any such legal proceedings are uncertain and could vary depending on the jurisdiction in which an action is brought. Any such outcomes could adversely impact our relationship with our customers, including by prompting them to discontinue their business relationship with us. The occurrence of any of these results could also materially adversely affect our business, financial condition and results of operations.
If we fail to adequately protect our proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate reduced revenue and incur costly litigation to protect our rights.
Our success is dependent, in part, upon protecting our proprietary information and technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws and contractual restrictions to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Despite our precautions, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products that compete with ours. Some license provisions protecting against unauthorized use, copying, transfer and disclosure of our products may be unenforceable under the laws of certain jurisdictions and foreign countries. Further, the laws of some countries do not protect proprietary rights to the same extent as the laws of the United States, and mechanisms for enforcement of intellectual property rights in some foreign countries may be inadequate. To the extent we expand our international activities, our exposure to unauthorized use of our products and proprietary information may increase. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing upon or misappropriating our technology and intellectual property.
We rely in part on trade secrets, proprietary know-how and other confidential information to maintain our competitive position. Although we enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with the parties with whom we have strategic relationships and business alliances, no assurance can be given that these agreements will be effective in controlling access to and distribution of our products and proprietary information. Further, these agreements do not prevent our competitors from independently developing technologies that are substantially equivalent or superior to our products.
To protect our intellectual property rights, we may be required to spend significant resources to monitor and protect these rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Such litigation could be costly, time consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against
35
unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, could delay further sales or the implementation of our products, impair the functionality of our products, delay introductions of new products, result in our substituting inferior or more costly technologies into our products or injure our reputation. In addition, we may be required to license additional technology from third parties to develop and market new products, and we cannot assure you that we will be able to license that technology on commercially reasonable terms or at all, and our inability to license this technology could harm our ability to compete.
We use open source software in our products, which could negatively affect our ability to offer our products and subject us to litigation or other actions.
We use open source software in our products and may use more open source software in the future. From time to time, there have been claims challenging the ownership of open source software against companies that incorporate open source software into their products. However, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, have a negative effect on our business, financial condition and results of operations or require us to devote additional research and development resources to change our products. In addition, if we were to combine our proprietary software products with open source software in a certain manner, we could, under certain of the open source licenses, be required to release the source code of our proprietary software to the public. This would allow our competitors to create similar products with less development effort and time. If we inappropriately use open source software, or if the license terms for open source software that we use change, we may be required to re-engineer our products, incur additional costs, discontinue the sale of some or all of our products or take other remedial actions.
In addition to risks related to license requirements, usage of open source software can lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or assurances of title or controls on origin of the software. In addition, many of the risks associated with usage of open source software, such as the lack of warranties or assurances of title, cannot be eliminated, and could, if not properly addressed, negatively affect our business. We have established processes to help alleviate these risks, including a review process for screening requests from our development organizations for the use of open source software, but we cannot be sure that all of our use of open source software is in a manner that is consistent with our current policies and procedures, or will not subject us to liability.
We incorporate technology from third parties into our platform and products, and our inability to obtain or maintain rights to the technology could harm our business.
We license software and other technology from third parties that incorporate into or integrate with, our platform and products. We cannot be certain that our licensors are not infringing on the intellectual property rights of third parties or that our licensors have sufficient rights to the licensed intellectual property in all jurisdictions in which we may sell our platform and products. In addition, many licenses are non-exclusive, and therefore our competitors may have access to the same technology licensed to us. Some of our agreements with our licensors may be terminated for convenience by them, or otherwise provide for a limited term. If we are unable to continue to license any of this technology for any reason, our ability to develop and sell our platform and products containing such technology could be harmed. Similarly, if we are unable to license necessary technology from third parties now or in the future, we may be forced to acquire or develop alternative technology, which we may be unable to do in a commercially feasible manner or at all, and we may be required to use alternative technology of lower quality or performance standards. This could limit and delay our ability to offer new or competitive products and increase our costs of production. As a result, our business and results of operations could be significantly harmed. Additionally, as part of our longer-term strategy, we plan to open our platform and products to third-party developers and applications to further extend their functionality. We cannot be certain that such efforts to grow our business will be successful.
36
Risks Related to Our Common Stock and This Offering
There has been no prior public trading market for our common stock, and an active trading market for our common stock may never develop or be sustained.
We intend to apply to list our common stock on the Nasdaq Global Select Market, or Nasdaq, under the symbol “KNBE.” However, we cannot assure you that an active trading market for our common stock will develop on that exchange or elsewhere or, if developed, that any market will be sustained. Accordingly, we cannot assure you of the likelihood that an active trading market for our common stock will develop or be maintained, the liquidity of any trading market, your ability to sell your shares of our common stock when desired or the prices that you may obtain for your shares.
Upon completion of this offering, our executive officers, directors and holders of 5% or more of our common stock will collectively beneficially own approximately % of the outstanding shares of our common stock and continue to have substantial control over us, which will limit your ability to influence the outcome of important transactions, including a change in control.
Upon completion of this offering, our executive officers, directors and our stockholders who own 5% or more of our outstanding common stock and their affiliates, in the aggregate, will beneficially own approximately % of the outstanding shares of our common stock, based on the number of shares outstanding as of December 31, 2020 and assuming no exercise of the underwriters’ option to purchase additional shares of common stock from us. As a result, these stockholders, if acting together, will be able to influence or control matters requiring approval by our stockholders, including the election of directors and the approval of mergers, acquisitions or other extraordinary transactions. They may also have interests that differ from yours and may vote in a way with which you disagree and which may be adverse to your interests. This concentration of ownership may have the effect of delaying, preventing or deterring a change in control of our company, could deprive our stockholders of an opportunity to receive a premium for their common stock as part of a sale of our company and might ultimately affect the market price of our common stock.
The market price of our common stock may be volatile, and you could lose all or part of your investment.
Prior to this offering, there has been no public market for shares of our common stock. The initial public offering price of our common stock will be determined through negotiation among us and the underwriters. This price does not necessarily reflect the price at which investors in the market will be willing to buy and sell shares of our common stock following this offering. In addition, the market price of our common stock following this offering is likely to be volatile and could be subject to fluctuations in response to various factors, some of which are beyond our control. These fluctuations could cause you to lose all or part of your investment in our common stock since you might be unable to sell your shares at or above the price you paid in this offering. Factors that could cause fluctuations in the market price of our common stock include the following:
•price and volume fluctuations in the overall stock market from time to time;
•volatility in the market prices and trading volumes of technology stocks;
•changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
•sales of shares of our common stock by us or our stockholders, as well as the anticipation of lock-up releases;
•failure of securities analysts to maintain coverage of us, changes in financial estimates by securities analysts who follow our company or our failure to meet these estimates or the expectations of investors;
•the financial projections we may provide to the public, any changes in those projections or our failure to meet those projections;
•announcements by us or our competitors of new offerings or platform features;
37
•the public’s reaction to our press releases, other public announcements and filings with the SEC;
•rumors and market speculation involving us or other companies in our industry;
•short selling of our common stock or related derivative securities;
•actual or anticipated changes or fluctuations in our results of operations;
•actual or anticipated developments in our business, our competitors’ businesses or the competitive landscape generally;
•announced or completed acquisitions of businesses, offerings or technologies by us or our competitors;
•developments or disputes concerning our intellectual property or other proprietary rights;
•litigation involving us, our industry or both, or investigations by regulators into our operations or those of our competitors;
•new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
•system failures or actual or perceived privacy or security incidents;
•changes in accounting standards, policies, guidelines, interpretations or principles;
•any significant change in our management; and
•general economic conditions and slow or negative growth of our markets.
In addition, in the past, following periods of volatility in the overall market and the market price of a particular company’s securities, securities class action litigation has often been instituted against these companies. This litigation, if instituted against us, would result in substantial costs and a diversion of our management’s attention and resources.
A substantial portion of the outstanding shares of our common stock after this offering will be restricted from immediate resale but may be sold on a stock exchange in the near future. The large number of shares eligible for public sale or subject to rights requiring us to register them for public sale could depress the market price of our common stock.
The market price of our common stock could decline as a result of sales of a large number of shares of our common stock in the market after this offering, and the perception that these sales could occur may also depress the market price of our common stock. Based on shares of our common stock outstanding as of December 31, 2020 (assuming the Capital Stock Conversion occurred as of December 31, 2020), we will have shares of our common stock outstanding after this offering, assuming no exercise of the underwriters’ option to purchase additional shares of common stock from us. Our executive officers, directors and the holders of substantially all of our capital stock and securities convertible into or exchangeable for our capital stock have entered into lock-up agreements with the underwriters under which they have agreed or will agree, subject to specific exceptions, not to, without the prior written consent of Morgan Stanley & Co. LLC and Goldman Sachs & Co. LLC on behalf of the underwriters, dispose of or hedge any of our stock for 180 days following the date of this prospectus.
As a result of these agreements and the provisions of our Amended and Restated Investors’ Rights Agreement dated May 1, 2019, or our IRA, described further in the section titled “Description of Capital Stock—Registration Rights,” and subject to the provisions of Rule 144 or Rule 701, shares of our common stock will be available for sale in the public market as follows:
•beginning on the date of this prospectus, all shares of our common stock sold in this offering will be immediately available for sale in the public market; and
38
•beginning 181 days after the date of this prospectus (subject to the terms of the lock-up agreements described above), the remainder of the shares of our common stock will be eligible for sale in the public market from time to time thereafter, subject in some cases to the volume and other restrictions of Rule 144, as described below.
Upon completion of this offering, stockholders owning an aggregate of up to shares of our common stock will be entitled, under our IRA, to require us to register shares owned by them for public sale in the United States. In addition, we intend to file a registration statement to register shares reserved for future issuance under our equity compensation plans. Upon effectiveness of that registration statement, subject to the satisfaction of applicable exercise periods and the expiration or waiver of the lock-up agreements referred to above, the shares issued upon exercise of outstanding stock options or upon settlement of outstanding restricted stock unit awards will be available for immediate resale in the United States in the open market.
Sales of our common stock as restrictions end or pursuant to registration rights may make it more difficult for us to sell equity securities in the future at a time and at a price that we deem appropriate. These sales also could cause the market price of our common stock to fall and make it more difficult for you to sell shares of our common stock.
Sales, directly or indirectly, of shares of our common stock by existing equityholders could cause our stock price to decline.
Sales, directly or indirectly, of a substantial number of shares of our common stock, or the public perception that these sales might occur, could depress the market price of our common stock and could impair our ability to raise capital through the sale of additional equity securities. Many of our existing equityholders have substantial unrecognized gains on the value of the equity they hold, and may take, or attempt to take, steps to sell, directly or indirectly, their shares or otherwise secure, or limit the risk to, the value of their unrecognized gains on those shares.
While our executive officers, directors and the holders of substantially all of our capital stock and securities convertible into or exchangeable for our capital stock have entered into lock-up agreements with the underwriters, sales, short sales or hedging transactions involving our equity securities, whether before or after this offering and whether or not we believe them to be prohibited, could adversely affect the price of our common stock. Further, record holders of our securities are typically the parties to the lock-up agreements, while holders of beneficial interests in our shares who are not also record holders in respect of such shares are not typically subject to any such agreements or other similar restrictions. Accordingly, we believe that holders of beneficial interests who are not record holders and are not bound by lock-up agreements could enter into transactions with respect to those beneficial interests that negatively impact our stock price. In addition, to the extent an equityholder does not comply with or the underwriters are unable to enforce the terms of a lock-up agreement, such equityholder may be able to sell, short sell, transfer, hedge, pledge or otherwise dispose of or attempt to sell, short sell, transfer, hedge, pledge or otherwise dispose of, their equity interests at any time after the closing of this offering, which could negatively impact the price of our common stock.
If you purchase our common stock in this offering, you will incur immediate and substantial dilution.
The assumed initial public offering price of $ per share, which is the midpoint of the price range set forth on the cover page of this prospectus, is substantially higher than the pro forma as adjusted net tangible book value per share of our outstanding common stock of $ per share as of December 31, 2020. Investors purchasing shares of our common stock in this offering will pay a price per share that substantially exceeds the book value of our tangible assets after subtracting our liabilities. Therefore, if you purchase common stock in this offering, you will incur immediate dilution of $ per share in the net tangible book value per share from the price you paid.
This dilution is due in large part to the fact that our earlier investors paid substantially less than the initial public offering price when they purchased shares prior to this offering. In addition, as of December 31, 2020, options to purchase shares of our common stock with a weighted-average exercise price of $ per share were outstanding under our equity plans. The exercise of any of these options would result in additional dilution. As a result of the dilution to investors purchasing shares in this offering, investors may receive less than the purchase price paid in this offering, if anything, in the event of our liquidation.
39
The issuance of additional stock in connection with financings, acquisitions, investments, our equity incentive plans or otherwise will dilute all other stockholders.
Our amended and restated certificate of incorporation that will be in effect upon completion of this offering authorizes us to issue up to shares of common stock and up to shares of preferred stock with such rights and preferences as may be determined by our board of directors. Subject to compliance with applicable rules and regulations, we may issue shares of common stock or securities convertible into shares of our common stock from time to time in connection with a financing, acquisition, investment, our equity incentive plans, or otherwise. Any such issuance could result in substantial dilution to our existing stockholders and cause the market price of our common stock to decline.
We have broad discretion over the use of the net proceeds from this offering and we may not use them effectively.
We cannot specify with any certainty the particular uses of the net proceeds that we will receive from this offering. Our management will have broad discretion in the application of the net proceeds from this offering, including for any of the purposes described in the section titled “Use of Proceeds,” and you will not have the opportunity as part of your investment decision to assess whether the net proceeds are being used appropriately. Because of the number and variability of factors that will determine our use of the net proceeds from this offering, their ultimate use may vary substantially from their currently intended use. The failure by our management to apply these proceeds effectively could adversely affect our business, financial condition and results of operations. Pending their use, we may invest our proceeds in a manner that does not produce income or that loses value. Our investments may not yield a favorable return to our investors and may negatively impact the price of our common stock.
If we fail to maintain an effective system of internal controls, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
As a public company, we will be subject to the reporting requirements of the Securities Exchange Act of 1934, as amended, or the Exchange Act, the Sarbanes-Oxley Act of 2002, or the Sarbanes-Oxley Act, and the rules and regulations of Nasdaq. We expect that the requirements of these rules and regulations will increase our legal, accounting and financial compliance costs; make some activities more difficult, time-consuming and costly; and place significant strain on our personnel, systems and resources.
The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. We are continuing to develop and refine our disclosure controls, internal control over financial reporting and other procedures that are designed to ensure information required to be disclosed by us in the reports that we will file with the SEC is recorded, processed, summarized and reported within the time periods specified in SEC rules and forms, and information required to be disclosed in reports under the Exchange Act is accumulated and communicated to our principal executive and financial officers.
Our current controls and any new controls we develop may become inadequate because of changes in conditions in our business. Further, weaknesses in our internal controls may be discovered in the future. Any failure to develop or maintain effective controls, or any difficulties encountered in their implementation or improvement, could harm our operating results or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to implement and maintain effective internal controls also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we are required to include in our periodic reports we will file with the SEC under Section 404 of the Sarbanes-Oxley Act. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the market price of our common stock.
In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended and anticipate we will continue to expend significant resources, including accounting-related costs, and provide significant management oversight. Any failure to maintain the adequacy of our internal controls, or consequent inability to produce accurate financial statements on a timely basis, could increase our operating costs and could materially impair our ability to operate our business. If our internal
40
controls are perceived as inadequate or we are unable to produce timely or accurate financial statements, investors may lose confidence in our operating results and our stock price could decline. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on Nasdaq.
We are not currently required to comply with the SEC rules that implement Sections 302 and 404 of the Sarbanes-Oxley Act, and we are therefore not required to make a formal assessment of the effectiveness of our internal controls over financial reporting for that purpose. Upon becoming a public company, we will be required to comply with certain of these rules, which will require management to certify financial and other information in our quarterly and annual reports and provide an annual management report on the effectiveness of our internal control over financial reporting commencing with our second Annual Report on Form 10-K. To comply with the requirements of being a public company, we will need to undertake various actions, such as implementing new internal controls and procedures and hiring accounting or internal audit staff.
Our independent registered public accounting firm is not required to formally attest to the effectiveness of our internal control over financial reporting until after we are no longer an emerging growth company. At such time, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our controls are documented, designed or operating. Any failure to maintain effective disclosure controls and internal control over financial reporting could have a material and adverse effect on our business, financial condition and results of operations, and could cause a decline in the price of our stock.
We have identified a material weakness in our internal control over financial reporting.
Prior to this offering, we were a private company and had limited accounting and financial reporting personnel and other resources with which to address our internal controls and related procedures. In connection with the audit of our consolidated financial statements for the years ended December 31, 2018 and 2019, we and our independent registered public accounting firm identified a material weakness in our internal control over financial reporting. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of our annual or interim financial statements will not be prevented or detected on a timely basis. The material weakness in our case arose from the lack of appropriate levels of finance resources with the right skill sets to perform timely and effective reviews of complex accounting positions, the period end close process and financial reporting and not having the appropriate staffing in place to timely and effectively analyze the accounting impact of specific accounting transactions. If we are unable to remedy our material weakness, or if we generally fail to establish and maintain effective internal controls appropriate for a public company, we may be unable to produce timely and accurate financial statements, and we may conclude that our internal control over financial reporting is not effective, which could adversely impact our investors’ confidence and our stock price.
We are an “emerging growth company” and we cannot be certain if the reduced disclosure requirements applicable to emerging growth companies will make our common stock less attractive to investors.
For so long as we remain an “emerging growth company” as defined in the JOBS Act, we may take advantage of certain exemptions from various requirements that are applicable to public companies that are not “emerging growth companies,” including, but not limited to, not being required to comply with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act, reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements and exemptions from the requirements of holding a nonbinding advisory vote on executive compensation and stockholder approval of any golden parachute payments not previously approved. We may take advantage of these exemptions until we are no longer an emerging growth company. We would cease to be an emerging growth company upon the earliest to occur of: (i) the first fiscal year following the fifth anniversary of our initial public offering; (ii) the first fiscal year after our annual gross revenue is $1.07 billion or more; (iii) the date on which we have, during the previous three-year period, issued more than $1.0 billion in non-convertible debt securities; or (iv) the date we qualify as a “large accelerated filer,” which means the end of any fiscal year in which the market value of our common stock held by non-affiliates exceeded $700.0 million as of the end of the second quarter of that fiscal year. We cannot predict if investors will find our common stock less attractive because we may rely on these exemptions. If some investors find our common stock less
41
attractive as a result, there may be a less active trading market for our common stock and our stock price may be more volatile.
If securities or industry analysts do not publish research or publish inaccurate or unfavorable research about us, our business or our market, or if they change their recommendations regarding our common stock adversely, the market price and trading volume of our common stock could decline.
The trading market for our common stock will depend, in part, on the research and reports that securities or industry analysts publish about us, our business, our market or our competitors. The analysts’ estimates are based upon their own opinions and are often different from our estimates or expectations. If any of the analysts who cover us change their recommendation regarding our common stock adversely, provide more favorable relative recommendations about our competitors or publish inaccurate or unfavorable research about our business, the price of our securities would likely decline. If few securities analysts commence coverage of us, or if one or more of these analysts cease coverage of us or fail to publish reports on us regularly, we could lose visibility in the financial markets and demand for our securities could decrease, which could cause the price and trading volume of our common stock to decline.
We do not intend to pay dividends for the foreseeable future.
We currently intend to retain any future earnings to finance the operation and expansion of our business, and we do not expect to declare or pay any dividends in the foreseeable future. As a result, stockholders must rely on sales of their common stock after price appreciation as the only way to realize any future gains on their investment.
The requirements of being a public company may strain our resources, divert management’s attention and affect our ability to attract and retain qualified board members.
As a public company, we will be subject to the reporting and corporate governance requirements of the Exchange Act, the listing requirements of Nasdaq and other applicable securities rules and regulations, including the Sarbanes-Oxley Act and the Dodd-Frank Wall Street Reform and Consumer Protection Act. Compliance with these rules and regulations will increase our legal and financial compliance costs, make some activities more difficult, time-consuming or costly and increase demand on our systems and resources, particularly after we are no longer an “emerging growth company” as defined in the JOBS Act. Among other things, the Exchange Act requires that we file annual, quarterly and current reports with respect to our business, financial condition and results of operations and maintain effective disclosure controls and procedures and internal control over financial reporting. In order to improve our disclosure controls and procedures and internal control over financial reporting to meet this standard, significant resources and management oversight may be required. As a result, management’s attention may be diverted from other business concerns, which could harm our business, financial condition and results of operations. Although we have already hired additional personnel to help comply with these requirements, we may need to further expand our legal and finance departments in the future, which will increase our costs and expenses.
In addition, changing laws, regulations and standards relating to corporate governance and public disclosure are creating uncertainty for public companies, increasing legal and financial compliance costs and making some activities more time-consuming. These laws, regulations and standards are subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices. We intend to invest resources to comply with evolving laws, regulations and standards, and this investment may result in increased general and administrative expense and a diversion of management’s time and attention from revenue-generating activities to compliance activities. If our efforts to comply with new laws, regulations and standards differ from the activities intended by regulatory or governing bodies, regulatory authorities may initiate legal proceedings against us and our business and prospects may be harmed. As a result of disclosure of information in the filings required of a public company and in this prospectus, our business, financial condition and results of operations will become more visible, which may result in threatened or actual litigation, including by competitors and other third parties. If such claims are successful, our business, financial condition and results of operations could be materially harmed, and even if the claims do not result in litigation or are resolved in our favor, these claims, and
42
the time and resources necessary to resolve them, could divert the resources of our management and materially harm our business, financial condition and results of operations.
We also expect that being a public company and these new rules and regulations will make it more expensive for us to obtain director and officer liability insurance, and we may be required to accept reduced coverage or incur substantially higher costs to obtain coverage. These factors could also make it more difficult for us to attract and retain qualified executive officers and members of our board of directors, particularly to serve on our audit committee and compensation committee.
In addition, as a result of our disclosure obligations as a public company, we will have reduced strategic flexibility and will be under pressure to focus on short-term results, which may materially and adversely affect our ability to achieve long-term profitability.
Delaware law and provisions in our amended and restated certificate of incorporation and amended and restated bylaws could make a merger, tender offer or proxy contest difficult, thereby depressing the market price of our common stock.
Our status as a Delaware corporation and the anti-takeover provisions of the Delaware General Corporation Law may discourage, delay or prevent a change in control by prohibiting us from engaging in a business combination with an interested stockholder for a period of three years after the date of the transaction in which the person became an interested stockholder, even if a change of control would be beneficial to our existing stockholders. In addition, our amended and restated certificate of incorporation and amended and restated bylaws will contain provisions that may make the acquisition of our company more difficult, including the following:
•our board of directors will be classified into three classes of directors with staggered three-year terms, and directors will only be able to be removed from office for cause;
•certain amendments to our amended and restated certificate of incorporation will require the approval of at least % of our then-outstanding common stock;
•our stockholders will only be able to take action at a meeting of stockholders and will not be able to take action by written consent for any matter;
•our amended and restated certificate of incorporation will not provide for cumulative voting;
•vacancies on our board of directors will be able to be filled only by our board of directors and not by stockholders;
•a special meeting of our stockholders may only be called by the chairperson of our board of directors, our Chief Executive Officer or a majority of our board of directors;
•certain litigation against us can only be brought in Delaware;
•our amended and restated certificate of incorporation authorizes undesignated preferred stock, the terms of which may be established and shares of which may be issued without further action by our stockholders; and
•advance notice procedures apply for stockholders to nominate candidates for election as directors or to bring matters before an annual meeting of stockholders.
These provisions, alone or together, could discourage, delay or prevent a transaction involving a change in control of our company. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors of their choosing and to cause us to take other corporate actions they desire, any of which, under certain circumstances, could limit the opportunity for our stockholders to receive a premium for their shares of our common stock, and could also affect the price that some investors are willing to pay for our common stock.
43
Our amended and restated bylaws will designate a state or federal court located within the State of Delaware and the federal district courts of the United States as the exclusive forum for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to choose the judicial forum for disputes with us or our directors, officers or employees.
Our amended and restated bylaws, which will become effective immediately prior to the completion of this offering, will provide that, unless we consent in writing to the selection of an alternative forum, to the fullest extent permitted by law, the sole and exclusive forum for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (iii) any action arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws, or (iv) any other action asserting a claim that is governed by the internal affairs doctrine shall be the Court of Chancery of the State of Delaware (or, if the Court of Chancery does not have jurisdiction, the federal district court for the District of Delaware), in all cases subject to the court having jurisdiction over indispensable parties named as defendants. Our amended and restated bylaws further provide that the federal district courts of the United States will be the exclusive forum for resolving any complaints asserting a cause of action arising under the Securities Act of 1933, as amended, or the Securities Act.
Any person or entity purchasing or otherwise acquiring any interest in any of our securities shall be deemed to have notice of and consented to this provision. This exclusive forum provision may limit a stockholder’s ability to bring a claim in a judicial forum of its choosing for disputes with us or our directors, officers or other employees, which may discourage lawsuits against us and our directors, officers and other employees. This exclusive forum provision will not apply to any causes of action arising under the Securities Act or the Exchange Act or any other claim for which the federal courts have exclusive jurisdiction. Further, the enforceability of similar choice of forum provisions in other companies’ charter documents has been challenged in legal proceedings, and it is possible that a court could find these types of provisions to be inapplicable or unenforceable. For example, the Court of Chancery of the State of Delaware recently determined that a provision stating that U.S. federal district courts are the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act is not enforceable. However, this decision may be reviewed and ultimately overturned by the Delaware Supreme Court. If a court were to find either exclusive forum provision in our amended and restated bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving the dispute in other jurisdictions, which could harm our results of operations.
44
CAUTIONARY NOTE REGARDING FORWARD-LOOKING STATEMENTS
This prospectus contains forward-looking statements. These statements may relate to, but are not limited to, expectations of future operating results or financial performance, capital expenditures, use of proceeds from this offering, introduction of new products, regulatory compliance, plans for growth and future operations, as well as assumptions relating to the foregoing. Forward-looking statements are inherently subject to risks and uncertainties, some of which cannot be predicted or quantified. These risks and other factors include, but are not limited to, those listed under “Risk Factors.” In some cases, you can identify forward-looking statements by terminology such as “may,” “will,” “should,” “could,” “expect,” “plan,” “anticipate,” “believe,” “estimate,” “predict,” “intend,” “potential,” “might,” “would,” “continue” or the negative of these terms or other comparable terminology. Actual events or results may differ from those expressed in these forward-looking statements, and these differences may be material and adverse. Forward looking statements contained in this prospectus include, but are not limited to, statements about:
•our future financial performance, including our revenue, cost of revenue, gross profit or gross margin and operating expenses;
•the sufficiency of our cash, cash equivalents and investments to meet our liquidity needs;
•our ability to attract new customers, cross-sell or upsell our existing customers and develop new products;
•our ability to maintain the security and availability of our platform and products;
•our ability to continue to build our direct sales organization;
•our ability to effectively manage our growth and future expenses;
•our ability to increase our number of customers;
•our ability to successfully expand in our existing markets and into new markets;
•our ability to effectively manage our growth and future expenses;
•our estimated total addressable market;
•our ability to expand our network of channel partners;
•our ability to maintain, protect and enhance our intellectual property;
•our ability to comply with modified or new laws and regulations applying to our business;
•our anticipated investments in sales and marketing and research and development;
•our ability to successfully defend litigation brought against us;
•the increased expenses associated with being a public company; and
•our use of the net proceeds from this offering.
We have based the forward-looking statements contained in this prospectus primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition, results of operations, prospects, business strategy and financial needs. The outcome of the events described in these forward-looking statements is subject to risks, uncertainties, assumptions and other factors described in the section captioned “Risk Factors” and elsewhere in this prospectus. These risks are not exhaustive. Other sections of this prospectus include additional factors that could adversely impact our business and financial performance. Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements contained in this prospectus. We cannot assure you that the
45
results, events and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events or circumstances could differ materially from those described in the forward-looking statements.
In addition, statements that “we believe” and similar statements reflect our beliefs and opinions on the relevant subject. These statements are based upon information available to us as of the date of this prospectus, and while we believe such information forms a reasonable basis for such statements, such information may be limited or incomplete, and our statements should not be read to indicate that we have conducted an exhaustive inquiry into, or review of, all potentially available relevant information. These statements are inherently uncertain and investors are cautioned not to unduly rely upon these statements.
You should read this prospectus and the documents that we reference in this prospectus and have filed as exhibits to the registration statement of which this prospectus forms a part with the understanding that our actual future results, levels of activity, performance and achievements may be materially different from what we expect. We qualify all of our forward-looking statements by these cautionary statements.
The forward-looking statements made in this prospectus relate only to events as of the date on which such statements are made. We undertake no obligation to update any forward-looking statements after the date of this prospectus or to conform such statements to actual results or revised expectations, except as required by law.
46
MARKET AND INDUSTRY DATA
This prospectus also contains estimates and other information concerning our industry, including market size and growth rates of the markets in which we participate, that are based on industry publications, surveys and forecasts or other publicly available information, as well as other information based on our internal sources. This information involves a number of assumptions and limitations, and you are cautioned not to give undue weight to these estimates. The industry in which we operate is subject to a high degree of uncertainty and risk due to a variety of factors, including those described in “Risk Factors” and “Cautionary Note Regarding Forward-Looking Statements.” These and other factors could cause actual results to differ from those expressed in these publications, surveys and forecasts.
Certain information in the text of this prospectus is contained in independent industry publications and publicly-available reports. The source of these independent industry publications is provided below:
•Forrester Research, Inc., The Forrester WaveTM: Security Awareness and Training Solutions, Q1 2020, February 25, 2020
•IBM Security, Cost of a Data Breach Report 2020, 2020
•International Data Corporation, Inc., Worldwide Security Spending Guide, July 2020
•(ISC)2, Strategies for Building and Growing Strong Cybersecurity Teams: (ISC)2 Cybersecurity Workforce Study, 2020
•KPMG, Harvey Nash / KPMG CIO Survey 2020, 2020
•Krombholz, K., Hobel, H., Huber, M., Weippl, E. (2014), “Advanced Social Engineering Attacks.” Journal of Information Security and Applications, Volume 22, June 2015
•Trend Micro Research, Mapping the Future:Dealing with Pervasive and Persistent Threats, 2019
•Verizon, 2020 Data Breach Investigations Report (DBIR), 2020
•VMware Carbon Black, Global Threat Report: Extended Enterprise Under Threat, June 2020
•World Economic Forum, The Global Risks Report 2019, 14th Edition, 2019
47
USE OF PROCEEDS
We estimate that the net proceeds from the sale of the shares of our common stock that we are selling in this offering will be approximately $ million (or approximately $ million if the underwriters exercise their option to purchase additional shares of our common stock in full), based on an assumed initial public offering price of $ per share, the mid-point of the range on the front cover of this prospectus, after deducting underwriting discounts and commissions and estimated offering expenses.
The principal purposes of this offering are to create a public market for our common stock and to facilitate our future access to the public equity markets, as well as to obtain additional capital.
Except as discussed below, we currently have no specific plans for the use of a significant portion of the net proceeds of this offering. However, we anticipate that we will use the net proceeds from this offering for general corporate purposes, which may include working capital, capital expenditures, other corporate expenses and acquisitions of complementary products, technologies or businesses. We currently have no agreements or commitments with respect to acquisitions of complementary products, technologies or businesses. The timing and amount of our actual expenditures will be based on many factors, including cash flows from operations and the anticipated growth of our business. Accordingly, our management will have broad discretion in applying the net proceeds from this offering, and investors will be relying on the judgment of our management regarding the application of the net proceeds from this offering. Pending these uses, we intend to invest the net proceeds of this offering primarily in short-term, investment-grade, interest-bearing instruments.
Assuming no exercise of the underwriters’ option to purchase additional shares, if we were to price the offering at $ per share, the low end of the range on the cover of this prospectus, we estimate that we would receive net proceeds of $ million, assuming the total number of shares offered by us remains the same and after deducting underwriting discounts and commissions and estimated offering expenses payable by us. If we were to price the offering at $ per share, the high end of the range on the cover of this prospectus, then we estimate that we would receive net proceeds of $ million, assuming the total number of shares offered by us remains the same and after deducting underwriting discounts and commissions and estimated offering expenses payable by us.
48
DIVIDEND POLICY
We anticipate that we will retain any earnings to support operations and to finance the growth and development of our business. Accordingly, although we paid a one-time special dividend in the year ended December 31, 2019, we do not expect to pay cash dividends on our common stock in the foreseeable future. See Note 10 to our consolidated financial statements included elsewhere in this prospectus.
49
CAPITALIZATION
The following table sets forth our capitalization as of December 31, 2020:
•on an actual basis without any adjustments to reflect subsequent or anticipated events;
•on a pro forma basis to give effect to (i) the Capital Stock Conversion, as if such conversion occurred on December 31, 2020; and (ii) the filing and effectiveness of our amended and restated certificate of incorporation and the adoption of our amended and restated bylaws immediately prior to the closing of this offering; and
•on a pro forma as adjusted basis to give effect to (i) the pro forma adjustments set forth above and (ii) the issuance and sale of shares of common stock in this offering at the assumed initial public offering price of $ per share, which is the midpoint of the price range set forth on the cover page of this prospectus, after deducting the estimated underwriting discounts and commissions and estimated offering expenses payable by us.
| As of December 31, 2020 | |||||||||||||||||
| Actual | Pro Forma | Pro Forma As Adjusted | |||||||||||||||
| (in thousands, except share and per share data) | |||||||||||||||||
| Cash and cash equivalents | $ | $ | $ | ||||||||||||||
| Stockholders’ equity (deficit): | |||||||||||||||||
| Convertible preferred stock, $0.00001 par value per share, shares authorized; shares issued and outstanding actual; no shares issued or outstanding pro forma and pro forma as adjusted | — | — | |||||||||||||||
| Preferred stock, $0.00001 par value per share; no shares authorized, issued or outstanding, actual or pro forma; shares authorized, no shares issued and outstanding, pro forma as adjusted | $ | — | $ | — | $ | — | |||||||||||
| Common stock, $0.00001 par value per share; shares authorized actual and pro forma; shares authorized pro forma as adjusted; shares issued and outstanding actual; shares issued and outstanding pro forma; and shares issued and outstanding pro forma as adjusted | |||||||||||||||||
| Additional paid-in capital | |||||||||||||||||
| Accumulated other comprehensive loss | |||||||||||||||||
| Accumulated deficit | |||||||||||||||||
| Total stockholders’ equity (deficit) | |||||||||||||||||
| Total capitalization | $ | $ | $ | ||||||||||||||
The number of shares of our common stock to be outstanding after this offering is based on the shares of our common stock outstanding as of December 31, 2020 (including the Capital Stock Conversion, as if such conversion occurred on December 31, 2020), and excludes the following:
• shares of common stock issuable upon exercise of options to purchase shares of our common stock outstanding as of December 31, 2020 under our 2016 Equity Incentive Plan, or the 2016 Plan, at a weighted-average exercise price of $ per share;
• shares of common stock issuable upon exercise of options to purchase shares of our common stock that we granted after December 31, 2020 under our 2016 Plan, at a weighted-average exercise price of $ per share;
50
• shares of common stock reserved for future issuance under our 2021 Equity Incentive Plan, which will become effective on the business day immediately prior to the date of effectiveness of the registration statement of which this prospectus forms a part, as well as any automatic increases in the number of shares of common stock reserved for future issuance under this plan; and
• shares of common stock reserved for future issuance under our 2021 Employee Stock Purchase Plan, which will become effective on the business day immediately prior to the date of effectiveness of the registration statement of which this prospectus forms a part, as well as any automatic increases in the number of shares of common stock reserved for future issuance under this plan.
51
DILUTION
If you invest in our common stock in this offering, your ownership interest will be immediately diluted to the extent of the difference between the initial public offering price per share and the pro forma net tangible book value per share of our common stock after this offering.
Our pro forma net tangible book value as of December 31, 2020 was $ million, or $ per share. Pro forma net tangible book value per share is determined by subtracting our total liabilities from the total book value of our tangible assets and dividing the difference by the number of shares of common stock deemed to be outstanding, after giving effect to (i) the Capital Stock Conversion, as if such conversion occurred on December 31, 2020; and (ii) the filing and effectiveness of our amended and restated certificate of incorporation and the adoption of our amended and restated bylaws immediately prior to the closing of this offering.
After giving effect to receipt of the net proceeds from our issuance and sale of shares of common stock in this offering at an assumed initial public offering price of $ per share of common stock, which is the midpoint of the price range set forth on the cover page of this prospectus, and after deducting the estimated underwriting discounts and commissions and estimated offering expenses payable by us, our pro forma as adjusted net tangible book value as of December 31, 2020 would have been approximately $ million, or $ per share of common stock. This amount represents an immediate increase in pro forma as adjusted net tangible book value of $ per share to our existing stockholders and an immediate dilution in pro forma as adjusted net tangible book value of approximately $ per share to new investors purchasing shares of our common stock in this offering. We determine dilution by subtracting the pro forma as adjusted net tangible book value per share after this offering from the estimated offering price that a new investor will pay for a share of common stock. The following table illustrates this dilution:
Assumed initial public offering price per share | $ | ||||||||||
Pro forma net tangible book value per share as of December 31, 2020 before this offering | $ | ||||||||||
| Increase in pro forma as adjusted net tangible book value per share attributable to investors in this offering | |||||||||||
| Pro forma as adjusted net tangible book value per share after this offering | $ | ||||||||||
| Dilution in pro forma as adjusted net tangible book value per share to new common stock investors in this offering | $ | ||||||||||
Each $1.00 increase (decrease) in the assumed initial public offering price of $ per share, which is the midpoint of the price range set forth on the cover page of this prospectus, would increase (decrease) the pro forma as adjusted net tangible book value per share after this offering by approximately $ per share, and dilution in pro forma as adjusted net tangible book value per share to new investors by approximately $ per share, assuming that the number of shares offered by us, as set forth on the cover page of this prospectus, remains the same and after deducting the estimated underwriting discounts and commissions and estimated offering expenses payable by us.
Each increase (decrease) of 1,000,000 shares in the number of shares offered in this offering, as set forth on the cover page of this prospectus, would increase (decrease) our pro forma as adjusted net tangible book value after this offering by approximately $ million, or $ per share, and would increase (decrease) the dilution per share to new investors by $ per share, assuming that the assumed initial public offering price of $ per share, which is the midpoint of the price range set forth on the cover page of this prospectus, remains the same, and after deducting underwriting discounts and commissions and estimated offering expenses payable by us.
If the underwriters exercise their option to purchase additional shares in full, the pro forma as adjusted net tangible book value after the offering would be $ per share, the increase in pro forma as adjusted net tangible book value per share to existing stockholders would be $ per share and the dilution in pro forma as adjusted net tangible book value to new investors would be $ per share, in each case assuming an initial public offering price of $ per share, which is the midpoint of the price range set forth on the cover page of this prospectus, after deducting the estimated underwriting discounts and commissions and estimated offering expenses payable by us.
52
The following table summarizes, as of December 31, 2020, after giving effect to this offering, the number of shares of common stock purchasable from us, the total consideration payable, or to be paid, to us and the average price per share payable, or to be paid, by existing stockholders and by the new investors. The calculation below is based on an assumed initial public offering price of $ per share, which is the midpoint of the price range set forth on the cover page of this prospectus, before deducting the estimated underwriting discounts and commissions and estimated offering expenses payable by us.
| Shares Purchased | Total Consideration | Average Price Per Share | |||||||||||||||||||||||||||
| Number | Percent | Number | Percent | ||||||||||||||||||||||||||
Existing Investors | % | $ | % | $ | |||||||||||||||||||||||||
New Investors | |||||||||||||||||||||||||||||
| Total | % | $ | % | $ | |||||||||||||||||||||||||
Each $1.00 increase (decrease) in the assumed initial public offering price of $ per share would increase (decrease) the total consideration paid by new investors and the total consideration paid by all stockholders by $ million, assuming the number of shares offered by us remains the same and after deducting the estimated underwriting discounts and commissions, but before estimated offering expenses payable by us.
The number of shares of our common stock to be outstanding after this offering is based on the shares of our common stock outstanding as of December 31, 2020 (including the Capital Stock Conversion, as if such conversion occurred on December 31, 2020), and excludes the following:
• shares of common stock issuable upon exercise of options to purchase shares of our common stock outstanding as of December 31, 2020 under our 2016 Equity Incentive Plan, or the 2016 Plan, at a weighted-average exercise price of $ per share;
• shares of common stock issuable upon exercise of options to purchase shares of our common stock that we granted after December 31, 2020 under our 2016 Plan, at a weighted-average exercise price of $ per share;
• shares of common stock reserved for future issuance under our 2021 Equity Incentive Plan, which will become effective on the business day immediately prior to the date of effectiveness of the registration statement of which this prospectus forms a part, as well as any automatic increases in the number of shares of common stock reserved for future issuance under this plan; and
• shares of common stock reserved for future issuance under our 2021 Employee Stock Purchase Plan, which will become effective on the business day immediately prior to the date of effectiveness of the registration statement of which this prospectus forms a part, as well as any automatic increases in the number of shares of common stock reserved for future issuance under this plan.
53
SELECTED HISTORICAL CONSOLIDATED FINANCIAL DATA
In the following tables, we provide our selected historical consolidated financial data. The selected historical consolidated statements of operations data for each of the years ended December 31, 2018, 2019 and 2020 as well as the selected consolidated balance sheet data as of December 31, 2018, 2019 and 2020 are derived from our audited consolidated financial statements included elsewhere in this prospectus. You should read the selected historical consolidated financial data set forth below in conjunction with our consolidated financial statements, the notes to our consolidated financial statements and “Management’s Discussion and Analysis of Financial Condition and Results of Operations” included elsewhere in this prospectus. Our selected historical consolidated results are not necessarily indicative of results to be expected for future periods. The selected historical consolidated financial data in this section are not intended to replace our consolidated financial statements and are qualified in their entirety by our consolidated financial statements and related notes included elsewhere in this prospectus.
| December 31, | |||||||||||||||||
| 2018 | 2019 | 2020 | |||||||||||||||
| (in thousands, except share and per share data) | |||||||||||||||||
Selected Consolidated Statement of Operations Data: | |||||||||||||||||
| Revenues, net | $ | 71,287 | $ | 120,575 | $ | ||||||||||||
Cost of revenues(2) | 12,062 | 20,579 | |||||||||||||||
| Gross profit | 59,225 | 99,996 | |||||||||||||||
| Operating expenses: | |||||||||||||||||
Sales and marketing(2) | 45,101 | 69,090 | |||||||||||||||
Technology and development(2) | 3,299 | 10,662 | |||||||||||||||
General and administrative(2) | 20,525 | 145,776 | |||||||||||||||
| Total operating expenses | 68,925 | 225,528 | |||||||||||||||
| Operating loss | (9,700) | (125,532) | |||||||||||||||
| Other income (expense): | |||||||||||||||||
| Interest income | 505 | 799 | |||||||||||||||
| Interest expense | (29) | (47) | |||||||||||||||
| Other income | 76 | 90 | |||||||||||||||
| Loss before income tax (expense) benefit | (9,148) | (124,690) | |||||||||||||||
| Income tax (expense) benefit | (98) | 367 | |||||||||||||||
| Net loss | $ | (9,246) | $ | (124,323) | $ | ||||||||||||
Net loss per share:(1) | |||||||||||||||||
| Basic and diluted | $ | (4.18) | $ | (76.51) | |||||||||||||
Weighted-average shares outstanding used to compute net loss per share:(1) | |||||||||||||||||
| Basic and diluted | 2,212,964 | 1,673,960 | |||||||||||||||
Pro forma net loss per share:(1) | |||||||||||||||||
| Basic | |||||||||||||||||
| Diluted | |||||||||||||||||
Pro forma weighted-average shares outstanding used to compute pro forma net loss per share:(1) | |||||||||||||||||
| Basic | |||||||||||||||||
| Diluted | |||||||||||||||||
54
________________
(1)Please refer to Note 12 to our consolidated financial statements included elsewhere in this prospectus for an explanation of the methods used to compute the historical and pro forma net loss per share and the number of shares used in the computation of the per share amounts.
| December 31, | |||||||||||||||||
2018 | 2019 | 2020 | |||||||||||||||
| (in thousands) | |||||||||||||||||
Selected Consolidated Balance Sheet Data: | |||||||||||||||||
| Cash and cash equivalents | $ | 44,573 | $ | 48,864 | |||||||||||||
| Total current assets | 73,882 | 98,476 | |||||||||||||||
| Total assets | 106,832 | 161,028 | |||||||||||||||
| Total current liabilities | 62,554 | 103,172 | |||||||||||||||
| Total liabilities | 96,311 | 166,043 | |||||||||||||||
| Stockholders’ equity (deficit) | 10,521 | (5,015) | |||||||||||||||
(2)Amounts include stock-based compensation expense as follows:
| December 31, | |||||||||||||||||
2018 | 2019 | 2020 | |||||||||||||||
| (in thousands) | |||||||||||||||||
| Cost of revenues | $ | 28 | $ | 83 | |||||||||||||
| Sales and marketing | 223 | 5,750 | |||||||||||||||
| Technology and development | 43 | 162 | |||||||||||||||
| General and administrative | 589 | 112,110 | |||||||||||||||
| Total stock-based compensation expense | $ | 883 | $ | 118,105 | $ | — | |||||||||||
See the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Key Business Metrics” for information about our key business metrics and “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Non-GAAP Financial Measures” for more information about and a reconciliation of our non-GAAP financial measures to their most directly comparable GAAP financial measures.
55
MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and the related notes to those statements included elsewhere in this prospectus. In addition to historical financial information, the following discussion and analysis contains forward-looking statements that involve risks, uncertainties and assumptions. Our actual results and timing of selected events may differ materially from those anticipated in these forward-looking statements as a result of many factors, including those discussed under “Risk Factors” and elsewhere in this prospectus. See “Cautionary Note Regarding Forward-Looking Statements.”
Overview
KnowBe4 has developed the leading security awareness platform enabling organizations to assess, monitor and minimize the ongoing cybersecurity threat of social engineering attacks. We are pioneering an integrated approach to security awareness that incorporates cloud-based software, machine learning, artificial intelligence, advanced analytics and insights with engaging content. Our platform is purpose-built to change human behavior and streamline security operations in order to reduce social engineering risks.
KnowBe4 was founded in 2010 by cybersecurity veterans based on the observation that social engineering tactics targeted at the human level often allowed attackers to bypass and evade security infrastructure defenses. Attackers often use low-cost, high-volume social engineering methods to gain access to systems during the initial phase of broader, multi-stage cyberattacks that can result in devastating security breaches. Social engineering represents a universal cybersecurity risk, as it specifically targets the employees rather than the infrastructure of an organization. As such, social engineering affects organizations of all sizes and across all industries, regardless of their level of security infrastructure spend.
The KnowBe4 platform is designed to be powerful, yet highly scalable, intuitive and easy to deploy, in order to reduce the administrative burden of managing social engineering risk on security and IT professionals. Customers can deploy our platform quickly across their entire organization to monitor and reduce the cybersecurity risk associated with their employees’ behavior.
We began selling our initial product, which was the precursor to our Kevin Mitnick Security Awareness Training, or KMSAT, product, in 2011 and began experiencing more significant market adoption in 2014, which coincides with the emergence of ransomware attacks spread via social engineering tactics. Our initial product provided the foundation for our future offerings, as it focused on enabling organizations to assess their social engineering risks and providing security awareness training to mitigate these risks. Over time, we have developed additional functionality to enhance management and risk assessment capabilities of our platform, as well as additional content to improve the efficacy of our security awareness modules. We later released KnowBe4 Compliance Manager, or KCM, a product enabling organizations to manage compliance and audit cycles. In December 2018, we released PhishER, our security orchestration and automation product, that enables security operations teams to prioritize and automate security workstreams in order to respond to and remediate social engineering attacks.
We have established a significant market presence, with over 30,000 customers as of December 31, 2019, across virtually all industries and multiple geographies. No single direct customer represented more than 1.0% of our revenue as of December 31, 2019.
Our business has experienced significant growth and is capital efficient. Since inception, we have raised $34.7 million of capital, net of share repurchases, and we had $48.9 million of cash and cash equivalents as of December 31, 2019. We generated revenue of $71.3 million and $120.6 million for the years ended December 31, 2018 and 2019, respectively, representing year-over-year growth of 69%. Our annual recurring revenue, or ARR, grew from $88.6 million as of December 31, 2018 to $145.4 million as of December 31, 2019, a 64% increase. See the section titled “—Key Business Metrics—Annual Recurring Revenue” for additional information. Our net loss increased from $9.2 million for the year ended December 31, 2018 to $124.3 million for the year ended December 31, 2019, including stock-based compensation expense of $0.9 million and $118.1 million, respectively. Our cash flows from
56
operations increased from $17.7 million as of December 31, 2018 to $29.7 million as of December 31, 2019. Our free cash flow was $8.2 million and $18.9 million in the years ended December 31, 2018 and 2019, respectively. See the section titled “—Non-GAAP Financial Measures—Free Cash Flow and Free Cash Flow Margin” for additional information regarding free cash flow and for a reconciliation of free cash flow to the most directly comparable financial measure calculated in accordance with U.S. generally accepted accounting principles, or GAAP.
Our Business Model
We sell our products to customers of all sizes both directly through our dedicated inside sales teams for enterprise and small and medium businesses, or SMB, and indirectly through channel partners and managed service providers, or MSPs. We focus our selling efforts on evangelizing within our market and the need for comprehensive security awareness. Our sales motion targets IT and security professionals, who advocate for the purchase of our platform within their organization, by demonstrating the value and ease of use of our platform. We run hundreds of webcasts annually and participate in a large number of both physical and virtual security industry events. As part of our lead generation strategy, we offer over a dozen free tools that both add value to our customers and demonstrate the need for our platform. In addition, we have a deeply integrated ecosystem of channel partners, who significantly expand our market reach and ability to expand our sales efforts. Our inside sales representatives work alongside our network of channel partners to engage in joint marketing activities. As a result of our ongoing MSP and channel development efforts, our partners have increasingly driven net new business, and in particular, in our international markets. For the year ended December 31, 2019, MSPs and channel partners were involved in generating 32.3% of our revenue.
Customers typically deploy individual products on our platform to their entire employee base upon initial subscription. Because our products are designed to change human behavior within the entire organization, rollout of our products is performed organization-wide at the onset of a contract rather than focused on certain departments or portions of an organization. We utilize our team of customer success managers to ensure successful adoption and use of our products, while dedicated pricing specialists are tasked with negotiating customer renewals, along with upselling and cross-selling.
We generate substantially all of our revenue from the sale of subscriptions to access our cloud-based platform. Our platform is priced individually by product then based on the subscription tier and number of subscribed users. This pricing model allows us to offer organizations flexibility to meet their individual needs without compromising the overall value of our platform. For KMSAT and PhishER, the number of subscribed users typically includes all or a majority of the employees of the customer organization. For KCM, the number of subscribed users typically includes the employees responsible for the administration of governance and compliance functions within the customer organization. KMSAT and KCM each feature premium tiers, which offer customers access to additional features, including many of our APIs and AI functionality. Additionally, the premium tiers of KMSAT offer customers access to more differentiated content options, including highly produced, serialized content, interactive modules, games and compliance modules.
Generally, the subscription terms of our customer contracts range from one to three years and are invoiced on an annual basis. A substantial majority of our revenue is recognized over the period of the subscription. For our KMSAT product, a portion of revenue earned from subscriptions is recognized at the point-in-time that the customer’s subscription begins. Revenue recognized at contract inception relates to our customer’s ability to download content from our platform, which represents a separate performance obligation.
Key Factors Affecting Our Performance
Market Adoption and Technology Leadership
Our future success depends in large part on the growth in the market for security awareness which encompasses all products designed to address the risks of social engineering. We believe the only way to truly defend against attacks on the human layer is to increase the security awareness of all employees within an organization so they can actively combat these attacks. The limitations of infrastructure-centric security products, which we believe have failed to adequately reduce the risks of social engineering, coupled with a dynamic and growing threat landscape, are intensifying the need for organizations to empower their employees to actively defend against attacks at the
57
human layer. As organizations grow and develop a more distributed and remote employee base, the attack surface available to sophisticated adversaries targeting their data and IT infrastructure expands. Many organizations have yet to deploy technology to address the risks associated with the human layer; as such, we view this market as a largely greenfield opportunity. To ensure comprehensive threat protection, we believe organizations need to adopt a sophisticated, purpose-built technology platform that utilizes AI and machine learning to enable organizations to defend the human layer.
Maintaining our market-leading position in the emerging market for security awareness is a key to our future success. We were identified as a Leader in the 2020 Forrester Wave Security Awareness and Training Solutions report. Our position is, in large part, attributable to the combination of software, content and data analytics on our platform, thoughtful design of our products, prioritization of content development and an unrelenting focus on customer service. To maintain this position, we intend to continue to innovate our existing products and develop new features and products that complement our existing offerings and further address the ongoing risks of social engineering. Additionally, we expect to generate training content that is responsive in near real-time to the current threat environment and is localized to the geographies where we plan to expand.
Investment in Customer Acquisition and Retention
We believe there is a substantial opportunity to further grow our customer base by continuing to make significant investments in sales and marketing and brand awareness. Our ability to attract new customers will depend on a number of factors, including our success in recruiting, training and retaining talented salespeople while scaling our sales and marketing organization and competitive dynamics in our target markets. We anticipate increasing our marketing team headcount and are investing in programs designed to increase quarterly lead-generation and consistently penetrate up-market accounts. We intend to expand both our direct inside sales force and our channel partnerships, with a focus on increasing sales to large organizations. While our platform is built for organizations of all sizes and industries, we plan to further focus our selling efforts, both internally and through our channel partners, on enterprise customers.
We believe that our dedicated teams of customer success managers contribute to our ability to both upsell and cross-sell across our existing customer base and our high customer retention rates. Our products are generally deployed across a customer’s entire organization. Our dollar-based net retention rate as of December 31, 2020 was approximately %. Our dollar-based net retention rate measures our ability to increase revenue across our existing customer base through expanded use of our platform, offset by customers whose subscriptions with us are not renewed or are renewed at a lower amount.
We employ a business model centered around offering products that are easy to adopt and have a very short time to value. As of December 31, 2019, approximately 7.7% of our customers were using more than one product, up from approximately 1.2% a year earlier. Additionally, for the year ended December 31, 2020, approximately % of our new customers landed with more than one product, up from approximately % a year earlier. We believe these metrics indicate strong momentum in the uptake of our newer products.
Expansion of International Operations
Revenue generated from international customers during the years ended December 31, 2018 and 2019 was 6.0% and 9.7% of our total revenue, respectively. A substantial portion of our revenue from international customers has been generated through the establishment of our international sales operations and MSPs and channel partnerships. Additionally, our recent acquisitions have resulted in further international revenue growth. We believe that there is significant opportunity to continue to grow our international business through these sales operations and further development of our international channel partnerships. We believe that global demand for our platform and products will continue to increase as international market awareness grows. We have invested, and plan to continue to invest, ahead of this potential demand, in sales, marketing and support personnel.
58
Key Business Metrics
We regularly monitor a number of financial and operating metrics, including the following key metrics, in order to measure our current performance and estimate our future performance, as follows:
| Year Ended December 31, | |||||||||||||||||
| 2018 | 2019 | 2020 | |||||||||||||||
| Number of customers | 22,521 | 30,259 | |||||||||||||||
| Year-over-year growth | 52.9 | % | 34.4 | % | |||||||||||||
| Annual recurring revenue (in thousands) | $ | 88,645 | $ | 145,369 | |||||||||||||
| Year-over-year growth | 90.9 | % | 64.0 | % | |||||||||||||
Number of Customers
We believe that our ability to increase the number of customers on our platform is an indicator of our market penetration, the growth of our business and potential future business opportunities. Increasing awareness of our platform and products, combined with further overall awareness of the need to address the human risk within cybersecurity, has continued to expand our customer base to include organizations of all sizes across all industries. We define a customer as a separate and distinct buying entity, such as a company, an educational or government institution or a distinct business unit of a large company that has an active contract with us to access our platform. We do not consider our channel partners as separate customers as our contracts are executed with the end user, and we treat MSPs, who may purchase our products on behalf of multiple companies, as a single customer.
Annual Recurring Revenue
We believe that ARR is a key metric to measure our business performance because it is driven by our ability to acquire new customers and to maintain and expand our relationship with existing customers. We define ARR as the annualized value of all contractual subscription agreements as of the end of the period. We perform this calculation on an individual contract basis and aggregate the value for all active contracts to arrive at total ARR. ARR does not have any standardized meaning and is therefore unlikely to be comparable to similarly titled measures presented by other companies. ARR should be viewed independently of revenue, deferred revenue and remaining performance obligations and is not intended to be combined with or to replace any of those items. ARR is not a forecast and the active contracts at the date used in calculating ARR may or may not be extended by our customers.
Non-GAAP Financial Measures
In addition to our results determined in accordance with GAAP, we believe the following non-GAAP measures are useful in evaluating our operating performance. We believe that non-GAAP financial information, when taken collectively, may be helpful to investors because it provides consistency and comparability with past financial performance. However, non-GAAP financial information is presented for supplemental informational purposes only, has limitations as an analytical tool, and should not be considered in isolation or as a substitute for financial information presented in accordance with GAAP. Other companies, including companies in our industry, may calculate similarly-titled non-GAAP measures differently or may use other measures to evaluate their performance, all of which could reduce the usefulness of our non-GAAP financial measures as tools for comparison. A reconciliation is provided below for each non-GAAP financial measure to the most directly comparable financial measure stated in accordance with GAAP. Investors are encouraged to review the related GAAP financial measures and the reconciliation of these non-GAAP financial measures to their most directly comparable GAAP financial measures and not rely on any single financial measure to evaluate our business.
Non-GAAP Operating Loss
We define non-GAAP operating loss as GAAP operating loss excluding stock-based compensation expense, amortization of acquired intangible assets and acquisition-related costs. Costs associated with acquisitions include legal, accounting and other professional fees, as well as changes in the fair value of contingent consideration obligations. We believe non-GAAP operating loss provides our management and investors consistency and
59
comparability with our past financial performance and facilitates period-to-period comparisons of operations, as this metric generally eliminates the effects of certain variables unrelated to our overall operating performance.
| Year Ended December 31, | |||||||||||||||||
| 2018 | 2019 | 2020 | |||||||||||||||
| (in thousands) | |||||||||||||||||
| Operating loss | $ | (9,700) | $ | (125,532) | |||||||||||||
| Add: Stock-based compensation expense | 855 | 118,022 | |||||||||||||||
| Add: Amortization of acquired intangible assets | 58 | 83 | |||||||||||||||
| Add: Acquisition related costs | 276 | 292 | |||||||||||||||
| Non-GAAP operating loss | $ | (8,511) | $ | (7,135) | |||||||||||||
Free Cash Flow and Free Cash Flow Margin
We define free cash flow as net cash provided by operating activities less purchases of property, equipment, amounts capitalized for internal-use software and principal payments on finance leases. Free cash flow margin is calculated as free cash flow divided by revenue. We believe that free cash flow and free cash flow margin are meaningful indicators of profitability to management and investors about the amount of cash generated from our operations that, after the investments in property, equipment and capitalized internal-use software, can be used for strategic initiatives.
| Year Ended December 31, | |||||||||||||||||
| 2018 | 2019 | 2020 | |||||||||||||||
| (in thousands, except percentages) | |||||||||||||||||
| Net cash provided by operating activities | $ | 17,716 | $ | 29,718 | |||||||||||||
| Less: Purchases of property and equipment | (3,957) | (5,573) | |||||||||||||||
| Less: Capitalized internal-use software | (5,514) | (5,223) | |||||||||||||||
| Free Cash Flow | $ | 8,245 | $ | 18,922 | |||||||||||||
| Free Cash Flow Margin | 11.6 | % | 15.7 | % | |||||||||||||
Components of Our Operating Results
Revenue
We derive substantially all of our revenue from subscription services fees paid by customers for access to our cloud-based platform, which includes support services and feature upgrades throughout the duration of the customer’s contract. While contracts with our customers do not provide the customer with the right to take possession of software operating on our global cloud-based platform, certain arrangements allow our customers the ability to download and use our content within their own learning management systems. Our content is only available to customers throughout the duration of their subscription and is accessed through our cloud-based platform. Subscription services fees and access to content for download are considered separate performance obligations. Invoiced amounts are allocated between subscription services fees and access to content and are recorded as deferred revenue and revenue, respectively. Deferred revenue primarily consists of amounts invoiced to customers for our subscription services and is generally recognized ratably over the subscription period while revenue related to content downloads is recognized at contract inception.
Subscription terms typically range from one year to three years and begin on the date access to our platform is made available to the customer which coincides with contract inception. Our subscriptions are generally invoiced upfront for the duration of the contract term or in annual installments. Our arrangements are primarily noncancellable and nonrefundable. We collect our receivables in advance of the subscription service period and often issue renewal invoices in advance of the renewal service period.
60
Because we recognize revenue ratably over the terms of our subscription contracts, a substantial portion of the revenue that we report in each period is attributable to the recognition of deferred revenue relating to agreements that we entered into during previous periods. Consequently, increases or decreases in new sales or renewals in any one period may not be immediately reflected as revenue for that period. Accordingly, the effect of downturns in sales and market acceptance of our platform, and potential changes in our rate of renewals, may not be fully reflected in our results of operations until future periods.
Cost of Revenue and Gross Margin
Cost of revenue consists of costs associated with delivering our platform and providing support. These costs include employee-related costs such as salaries and bonuses, stock-based compensation expense and benefits costs associated with our operations and support personnel, costs associated with third-party hosting services, amortization of capitalized internal-use software and content, and allocated overhead. We expect cost of revenue to increase in absolute dollars and as a percentage of revenue, relative to the extent of the growth of our business.
Gross margin is gross profit expressed as a percentage of total revenue. Our gross margin has been and will continue to be affected by various factors, including the timing and amount of costs associated with supporting our platform and the extent to which we expand our customer success team and develop additional content to be hosted on our platform. We intend to continue to invest additional resources in our platform, content development and support services which we expect to result in slight declines in gross margin over time.
Operating Expenses
Sales and Marketing
Sales and marketing expenses consist primarily of employee-related costs, including salaries and wages, stock-based compensation expenses and sales commissions, costs of general marketing programs and promotional activities, travel-related expenses and allocated overhead. Sales commissions earned by our sales force that are considered to be incremental to the cost of acquiring a customer are deferred and amortized over the estimated period of benefit. Marketing programs consist of advertising, events, including our KB4-CON customer conference, which has historically been held during the second quarter of each year, corporate communications, brand building and product marketing activities. We expect our sales and marketing expenses to increase on an absolute dollar basis as we continue to make significant investments in our sales and marketing organization to drive additional revenue, increase market share and expand our global customer base.
Technology and Development
Technology and development costs consist primarily of research and development activities, non-capitalizable costs of developing content and certain overhead allocations. These costs include employee-related costs, consulting services, expenses related to the design, development, testing and enhancements of our subscription services. Technology and development costs are expensed as incurred. From a unit cost standpoint, our technology and development costs are lower primarily due to favorable costs of living in the geographic locations in which our offices are based. We expect that our technology and development expenses will increase in absolute dollars and may increase as a percentage of our revenue as we continue to enhance our platform functionality and develop new content and features. Additionally, our technology and development expense may fluctuate as a percentage of our revenue from period to period depending on the timing of development.
General and Administrative
General and administrative expenses consist primarily of employee-related costs for accounting, finance, legal, IT and human resources personnel and also include expenses related to consulting services, audit fees, tax services, legal services and other general corporate items. Our general and administrative costs also include our investment in internal initiatives and tools which we believe promotes our corporate culture and helps us attract and retain talent. We expect our general and administrative expenses to increase in absolute dollars in future periods as we continue to expand our operations, hire additional personnel and incur costs to support the requirements of being a public company.
61
Interest and Other Income
Interest and other income primarily consists of interest earned on overnight cash deposits and fluctuates with market rates of interest and overall cash balances.
Interest Expense
Interest expense primarily relates to imputed interest calculated on certain contingent liabilities arising from our historical business combinations.
Income Tax Benefit (Expense)
Income tax benefit (expense) consists of federal and state income taxes in the United States and income taxes in certain foreign jurisdictions. Our provision for income taxes has not historically been significant to our business as we have incurred operating losses to date. We maintain a valuation allowance on our U.S. federal, state and foreign deferred tax assets as we have concluded that it is not more likely than not that the deferred assets will be realized.
Results of Operations
The following table is a summary of our consolidated statements of operations:
| Year Ended December 31, | |||||||||||||||||
| 2018 | 2019 | 2020 | |||||||||||||||
| (in thousands) | |||||||||||||||||
| Revenues, net | $ | 71,287 | $ | 120,575 | |||||||||||||
Cost of revenues(1) | 12,062 | 20,579 | |||||||||||||||
| Gross profit | 59,225 | 99,996 | |||||||||||||||
| Operating expenses: | |||||||||||||||||
Sales and marketing(1) | 45,101 | 69,090 | |||||||||||||||
Technology and development(1) | 3,299 | 10,662 | |||||||||||||||
General and administrative(1) | 20,525 | 145,776 | |||||||||||||||
| Total operating expenses | 68,925 | 225,528 | |||||||||||||||
| Operating loss | (9,700) | (125,532) | |||||||||||||||
| Other income (expense): | |||||||||||||||||
| Interest income | 505 | 799 | |||||||||||||||
| Interest expense | (29) | (47) | |||||||||||||||
| Other income | 76 | 90 | |||||||||||||||
| Loss before income tax (expense) benefit | (9,148) | (124,690) | |||||||||||||||
| Income tax (expense) benefit | (98) | 367 | |||||||||||||||
| Net loss | $ | (9,246) | $ | (124,323) | |||||||||||||
________________
(1)Amounts include stock-based compensation expense as follows:
| December 31, | |||||||||||||||||
2018 | 2019 | 2020 | |||||||||||||||
| (in thousands) | |||||||||||||||||
| Cost of revenues | $ | 28 | $ | 83 | |||||||||||||
| Sales and marketing | 223 | 5,750 | |||||||||||||||
| Technology and development | 43 | 162 | |||||||||||||||
| General and administrative | 589 | 112,110 | |||||||||||||||
| Total stock-based compensation expense | $ | 883 | $ | 118,105 | $ | — | |||||||||||
62
Comparison of the Years Ended December 31, 2018 and 2019
Revenues
| Year Ended December 31, | Change | ||||||||||||||||||||||
| 2018 | 2019 | $ | % | ||||||||||||||||||||
| (in thousands) | |||||||||||||||||||||||
| Revenues, net | $ | 71,287 | $ | 120,575 | $ | 49,288 | 69.1 | % | |||||||||||||||
Revenues increased by $49.3 million, or 69.1%, for the year ended December 31, 2019, compared to the year ended December 31, 2018. Of this year over year revenue growth, 39.6% was attributable to growth in new business activity, including new customers. Additional increases in revenues relate to continued expansion into international markets and the addition of a new subscription product. Our customer base grew by approximately 34.4% year-over-year, and sales of our new PhishER product, which was released in December 2018, grew significantly over the prior year period but represented a smaller driver of overall growth.
Cost of Revenues and Gross Margin
| Year Ended December 31, | Change | ||||||||||||||||||||||
| 2018 | 2019 | $ | % | ||||||||||||||||||||
| (in thousands) | |||||||||||||||||||||||
| Cost of revenues | $ | 12,062 | $ | 20,579 | $ | 8,517 | 70.6 | % | |||||||||||||||
| Gross margin | 83.1 | % | 82.9 | % | |||||||||||||||||||
Cost of revenues increased by $8.5 million, or 70.6%, for the year ended December 31, 2019, compared to the year ended December 31, 2018. The overall increase in cost of revenues is in line with our increase in revenues and is primarily driven by increased headcount to support our overall business growth combined with increases in amortization related to our developed technology and content assets. Gross margins remained consistent for the year ended December 31, 2019 when compared to December 31, 2018.
Operating Expenses
Sales and Marketing
| Year Ended December 31, | Change | ||||||||||||||||||||||
| 2018 | 2019 | $ | % | ||||||||||||||||||||
| (in thousands) | |||||||||||||||||||||||
| Sales and marketing | $ | 45,101 | $ | 69,090 | $ | 23,989 | 53.2 | % | |||||||||||||||
Sales and marketing expenses increased by $24.0 million, or 53.2%, for the year ended December 31, 2019, compared to the year ended December 31, 2018. The increase in sales and marketing expenses primarily relates to a $19.9 million increase in employee-related costs, including salaries and commissions and included $5.5 million of stock-based compensation expenses, the majority of which related to the Series C and C-1 Preferred Stock transactions occurring during the year ended December 31, 2019. The overall increase in sales and marketing costs is in line with our business growth over the same period.
Technology and Development
| Year Ended December 31, | Change | ||||||||||||||||||||||
| 2018 | 2019 | $ | % | ||||||||||||||||||||
| (in thousands) | |||||||||||||||||||||||
| Technology and development | $ | 3,299 | $ | 10,662 | $ | 7,363 | 223.2 | % | |||||||||||||||
Technology and development expenses increased by $7.4 million, or 223.2%, for the year ended December 31, 2019, compared to the year ended December 31, 2018. The increase in technology and development costs is driven by a $5.4 million increase in employee-related research and development costs associated with the development of
63
new platform features and preliminary development activity related to new products. The increase is further attributable to increased overhead allocations which are in line with the overall growth of our business.
General and Administrative
| Year Ended December 31, | Change | ||||||||||||||||||||||
| 2018 | 2019 | $ | % | ||||||||||||||||||||
| (in thousands) | |||||||||||||||||||||||
| General and administrative | $ | 20,525 | $ | 145,776 | $ | 125,251 | 610.2 | % | |||||||||||||||
General and administrative expenses increased by $125.3 million, or 610.2%, for the year ended December 31, 2019, compared to the year ended December 31, 2018. The increase is primarily due to $110.6 million of stock-based compensation expense recognized in conjunction with the Series C and C-1 Preferred Stock transactions. Excluding the impact of these transactions, the change in general and administrative expenses was an increase of $14.7 million or 71.6%. Additional increases in general and administrative expenses as compared to the prior year relate to $9.6 million in additional employee-related expenses within our administrative functions along with an additional $6.0 million of costs to support overall growth in the business including professional fees, amortization expenses and lease costs.
Quarterly Results of Operations
The following tables set forth selected unaudited quarterly statements of operations data for each of the eight quarters ended December 31, 2020, as well as the percentage of total revenue that each line item represents for each quarter. The information for each of these quarters has been prepared on the same basis as the audited annual consolidated financial statements included elsewhere in this prospectus and, in the opinion of management, includes all adjustments, which consist only of normal recurring adjustments, necessary for the fair presentation of the results of operations for these periods. This data should be read in conjunction with our audited consolidated financial statements and related notes included elsewhere in this prospectus. These quarterly results are not necessarily indicative of our results of operations to be expected for any future period.
64
| Three Months Ended | |||||||||||||||||||||||||||||||||||||||||||||||
| March 31, 2019 | June 30, 2019 | September 30, 2019 | December 31, 2019 | March 31, 2020 | June 30, 2020 | September 30, 2020 | December 31, 2020 | ||||||||||||||||||||||||||||||||||||||||
| (in thousands, except customer data) | |||||||||||||||||||||||||||||||||||||||||||||||
| Revenues, net | $ | 24,899 | $ | 27,924 | $ | 31,440 | $ | 36,312 | |||||||||||||||||||||||||||||||||||||||
Cost of revenues (1) | 4,138 | 4,848 | 5,538 | 6,055 | |||||||||||||||||||||||||||||||||||||||||||
| Gross profit | 20,761 | 23,076 | 25,902 | 30,257 | |||||||||||||||||||||||||||||||||||||||||||
| Operating expenses: | |||||||||||||||||||||||||||||||||||||||||||||||
Sales and marketing (1) | 15,735 | 15,986 | 18,198 | 19,171 | |||||||||||||||||||||||||||||||||||||||||||
Technology and development (1) | 2,214 | 2,425 | 2,592 | 3,431 | |||||||||||||||||||||||||||||||||||||||||||
General and administrative (1) | 17,724 | 8,089 | 111,825 | 8,138 | |||||||||||||||||||||||||||||||||||||||||||
| Total operating expenses | 35,673 | 26,500 | 132,615 | 30,740 | |||||||||||||||||||||||||||||||||||||||||||
| Operating loss | (14,912) | (3,424) | (106,713) | (483) | |||||||||||||||||||||||||||||||||||||||||||
| Other income (expense): | |||||||||||||||||||||||||||||||||||||||||||||||
| Interest income | 193 | 189 | 232 | 185 | |||||||||||||||||||||||||||||||||||||||||||
| Interest expense | (4) | (7) | (25) | (11) | |||||||||||||||||||||||||||||||||||||||||||
| Other income | 13 | 27 | 30 | 20 | |||||||||||||||||||||||||||||||||||||||||||
| Loss before income tax (expense) benefit | (14,710) | (3,215) | (106,476) | (289) | |||||||||||||||||||||||||||||||||||||||||||
| Income tax (expense) benefit | (165) | (14) | (6) | 552 | |||||||||||||||||||||||||||||||||||||||||||
| Net (loss) income | $ | (14,875) | $ | (3,229) | $ | (106,482) | $ | 263 | |||||||||||||||||||||||||||||||||||||||
| Number of customers | 24,261 | 26,058 | 28,095 | 30,259 | |||||||||||||||||||||||||||||||||||||||||||
Annual recurring revenue(2) | $ | 101,231 | $ | 113,514 | $ | 128,268 | $ | 145,369 | |||||||||||||||||||||||||||||||||||||||
Free cash flow(2) | $ | 4,319 | $ | 6,112 | $ | 6,344 | $ | 2,147 | |||||||||||||||||||||||||||||||||||||||
________________
(1)Amounts include stock-based compensation expense as follows:
| Three Months Ended | |||||||||||||||||||||||||||||||||||||||||||||||
| March 31, 2019 | June 30, 2019 | September 30, 2019 | December 31, 2019 | March 31, 2020 | June 30, 2020 | September 30, 2020 | December 31, 2020 | ||||||||||||||||||||||||||||||||||||||||
| (in thousands) | |||||||||||||||||||||||||||||||||||||||||||||||
| Cost of revenues | $ | 6 | $ | 21 | $ | 25 | $ | 31 | |||||||||||||||||||||||||||||||||||||||
| Sales and marketing | 3,210 | 117 | 2,146 | 277 | |||||||||||||||||||||||||||||||||||||||||||
| Technology and development | 15 | 34 | 20 | 93 | |||||||||||||||||||||||||||||||||||||||||||
| General and administrative | 9,041 | 236 | 102,550 | 283 | |||||||||||||||||||||||||||||||||||||||||||
| Total stock-based compensation expense | $ | 12,272 | $ | 408 | $ | 104,741 | $ | 684 | |||||||||||||||||||||||||||||||||||||||
(2)See the sections entitled “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Key Business Metrics—Annual Recurring Revenue” for additional information regarding ARR and “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Non-GAAP Financial Measures—Free Cash Flow and Free Cash Flow Margin” for additional information regarding free cash flow and for a reconciliation of free cash flow to the most directly comparable financial measure calculated in accordance with U.S. generally accepted accounting principles, or GAAP.”
65
Percentage of Revenues Data
All values from the statement of operations, expressed as percentage of total revenues are as follows:
| Three Months Ended | |||||||||||||||||||||||||||||||||||||||||||||||
| March 31, 2019 | June 30, 2019 | September 30, 2019 | December 31, 2019 | March 31, 2020 | June 30, 2020 | September 30, 2020 | December 31, 2020 | ||||||||||||||||||||||||||||||||||||||||
| Revenues, net | 100 | % | 100 | % | 100 | % | 100 | % | |||||||||||||||||||||||||||||||||||||||
| Cost of revenues | 16.6 | % | 17.4 | % | 17.6 | % | 16.7 | % | |||||||||||||||||||||||||||||||||||||||
| Gross margin | 83.4 | % | 82.6 | % | 82.4 | % | 83.3 | % | |||||||||||||||||||||||||||||||||||||||
| Operating expenses: | |||||||||||||||||||||||||||||||||||||||||||||||
| Sales and marketing | 63.2 | % | 57.2 | % | 57.9 | % | 52.8 | % | |||||||||||||||||||||||||||||||||||||||
| Technology and development | 8.9 | % | 8.7 | % | 8.2 | % | 9.4 | % | |||||||||||||||||||||||||||||||||||||||
| General and administrative | 71.2 | % | 29.0 | % | 355.7 | % | 22.4 | % | |||||||||||||||||||||||||||||||||||||||
| Total operating expenses | 143.3 | % | 94.9 | % | 421.8 | % | 84.7 | % | |||||||||||||||||||||||||||||||||||||||
| Operating loss | (59.9) | % | (12.3) | % | (339.4) | % | (1.3) | % | |||||||||||||||||||||||||||||||||||||||
| Other income (expense): | |||||||||||||||||||||||||||||||||||||||||||||||
| Interest income | 0.8 | % | 0.7 | % | 0.7 | % | 0.5 | % | |||||||||||||||||||||||||||||||||||||||
| Interest expense | — | % | — | % | (0.1) | % | 0.0 | % | |||||||||||||||||||||||||||||||||||||||
| Other income | 0.1 | % | 0.1 | % | 0.1 | % | 0.1 | % | |||||||||||||||||||||||||||||||||||||||
| Loss before income tax (expense) benefit | (59.1) | % | (11.5) | % | (338.7) | % | (0.8) | % | |||||||||||||||||||||||||||||||||||||||
| Income tax (expense) benefit | (0.7) | % | (0.1) | % | — | % | 1.5 | % | |||||||||||||||||||||||||||||||||||||||
| Net (loss) income | (59.7) | % | (11.6) | % | (338.7) | % | 0.7 | % | |||||||||||||||||||||||||||||||||||||||
Quarterly Trends
Our quarterly revenue increased in each of the periods presented due primarily to increases in the number of new customers and contract renewals with existing customers as well as sales of our newer products. Additionally, our fourth quarter has historically been our strongest quarter for new business and renewals, driven by the overall timing of customer contracts, including renewals and customer budget timing. The effect of this seasonality in both invoicing patterns and overall new and renewal business causes the value of invoices that we generate in the fourth quarter for both new business and renewals to increase as a proportion of our total annual invoices.
Cost of revenue has increased in the majority of the periods presented. This overall increase in cost of revenues is in line with our increase in revenue and is primarily driven by increased headcount to support our overall business growth, particularly within our customer success team, combined with increases in amortization related to our developed internal-use software and content assets. Gross margin has improved slightly over the periods presented. We expect margins to remain steady or decrease slightly in the future as we continue to build out our customer support structure to support our overall business growth.
Our operating expenses have generally increased over the periods presented primarily due to increases in headcount and other related expenses to support our growth. Any periods in which operating expenses have not increased sequentially were due to variability in our stock-based compensation expense. Additionally, our technology and development expenses fluctuate quarter to quarter based on the timing and extent of research and development and content production activities while our sales and marketing expenses can be impacted by the timing of industry events. During the first and third quarters of 2019, we experienced significantly higher general
66
and administrative costs driven by the impact of non-recurring stock-based compensation expense recognized during those periods. Excluding the impact of the non-recurring stock-based compensation expense, our general and administrative expenses remain consistent quarter over quarter when considering the growth in our business.
Liquidity and Capital Resources
At December 31, 2019, our principal sources of liquidity were cash and cash equivalents totaling $48.9 million and accounts receivable of $32.0 million. Our cash and cash equivalents are comprised of time deposits with financial institutions. To date, we have financed our operations primarily through payments received from customers using our platform supplemented by private placements of our equity securities. Our positive cash flows from operations on an annual basis enable us to make continued investments in the growth of our business. Following the completion of this offering, we expect that our operating cash flows, in addition to our cash and cash equivalents, will enable us to continue to make such investments in the future. We expect our operating cash flows to further improve as we increase our operational efficiency and experience economies of scale.
We typically invoice our subscription customers annually in advance. Therefore, a substantial source of our cash is from customer prepayments, which are included on our consolidated balance sheets as deferred revenue. Deferred revenue consists of invoiced fees for our subscription services, prior to satisfying the criteria for revenue recognition, which are subsequently recognized as revenue in accordance with our revenue recognition policy. As of December 31, 2019, we had deferred revenue of $139.0 million, of which $83.0 million was recorded as a current liability and is expected to be recorded as revenue in the next 12 months, provided all other revenue recognition criteria are met.
As of December 31, 2019, our remaining performance obligation was $162.8 million. Our remaining performance obligation represents contracted revenue that has not yet been recognized and includes deferred revenue, which has been invoiced and is recorded on the balance sheet, and unbilled amounts that are not recorded on the balance sheet, that will be recognized as revenue in future periods.
We believe our existing cash and cash equivalents, cash provided by operating activities and unbilled amounts related to contracted non-cancelable subscription agreements, which are not reflected on the balance sheet, will be sufficient to meet our working capital and capital expenditure needs over the next 12 months. In the future, we may enter into arrangements to acquire or invest in complementary businesses, products and technologies, and intellectual property rights, though we currently have no agreements or commitments to do so. To facilitate these acquisitions or investments, we may seek additional equity or debt financing, which may not be available on terms favorable to us or at all, impacting our ability to complete subsequent acquisitions or investments.
Cash Flows
The following table presents a summary of our consolidated cash flows from operating, investing and financing activities.
| Year Ended December 31, | |||||||||||||||||
| 2018 | 2019 | 2020 | |||||||||||||||
| (in thousands) | |||||||||||||||||
| Net cash provided by operating activities | $ | 17,716 | $ | 29,718 | |||||||||||||
| Net cash used in investing activities | $ | (12,743) | $ | (15,766) | |||||||||||||
| Net cash used in financing activities | $ | (168) | $ | (9,612) | |||||||||||||
Operating Activities
Our largest source of cash flows from operations is cash collections from our customers for subscription services while our primary use of cash for operating activities is for employee-related expenses, including salaries, commissions and monthly performance bonuses. We have historically generated positive cash flows from operations as a result of our efficient sales model and period-over-period growth in subscription services.
67
Net cash provided by operating activities during 2019 was $29.7 million, which consisted of a net loss of $124.3 million, adjusted for non-cash charges of $131.3 million and net cash inflows of $22.7 million provided by changes in our operating assets and liabilities. Non-cash charges primarily consisted of $118.1 million of stock-based compensation expense, $12.3 million of amortization of deferred commissions and $7.9 million of depreciation and amortization of our capital assets. Cash outflows from changes in operating assets and liabilities primarily resulted from a $11.8 million increase in the accounts receivable balance and a $10.1 million increase in the total deferred commissions balance. The increase in both accounts receivable and deferred commissions balances is due to the addition of new customers along with the timing of cash collections received. Cash inflows from changes in operating assets and liabilities primarily relate to an $55.3 million increase in the total deferred revenue balance resulting from the sale of additional subscription services under our standard advanced invoicing practices.
Net cash provided by operating activities during 2018 was $17.7 million, which consisted of a net loss of $9.2 million, adjusted for non-cash charges of $8.3 million and net cash inflows of $18.7 million provided by changes in our operating assets and liabilities. Non-cash charges primarily consisted of $7.1 million of amortization of deferred commissions, $4.3 million of depreciation and amortization of our capital assets, approximately $0.9 million of stock-based compensation expense offset by additions to capitalized content of $4.1 million. Cash outflows from changes in operating assets and liabilities primarily resulted from a $7.9 million increase in the accounts receivable balance and a $8.9 million increase in the total deferred commissions balance. The increase in both accounts receivable and deferred commissions balances is due to the addition of new customers along with the timing of cash collections received. Cash inflows from changes in operating assets and liabilities primarily relate to a $39.6 million increase in the total deferred revenue balance resulting from the sale of additional subscription services under our standard advanced invoicing practices.
Investing Activities
Net cash used in investing activities during both 2019 and 2018 is related to $5.0 million and $3.3 million of business combinations completed during 2019 and 2018, respectively, combined with $10.8 million and $9.5 million of capital expenditures for internal-use software and the purchase of property and equipment during 2019 and 2018, respectively.
Financing Activities
Net cash used in financing activities during 2019 primarily relates to a $10.0 million one-time dividend payment issued to our existing shareholders offset by the net impact of the Series C and C-1 Preferred Stock transactions where we received proceeds of $340.4 million for the issuance of preferred stock and paid $339.9 million to repurchase existing common stock and outstanding stock options.
Net cash used in financing activities during 2018 related to proceeds from the exercise of stock options and were not material to our overall cash activity during the period.
Contractual Obligations and Known Future Cash Requirements
The following table summarizes our material contractual obligations as of December 31, 2020 and the years in which these obligations are due:
| Payments Due by Period: | |||||||||||||||||||||||||||||
| Total | Less than 1 year | 1 - 3 years | 3 - 5 years | More than 5 years | |||||||||||||||||||||||||
| (in thousands) | |||||||||||||||||||||||||||||
Operating leases(1) | |||||||||||||||||||||||||||||
Finance leases(2) | |||||||||||||||||||||||||||||
Fair value of contingent consideration(3) | |||||||||||||||||||||||||||||
| Total contractual obligations | $ | — | $ | — | $ | — | $ | — | $ | — | |||||||||||||||||||
________________
(1)Relates to operating leases for real estate and automobiles, expiring between 2020 and 2030.
(2)Relates to finance leases for office equipment, expiring in 2025.
68
(3)Relates to business combinations and the associated contingent consideration. See Note to our consolidated financial statements included elsewhere in this prospectus.
The contractual commitment amounts in the table above are associated with agreements that are enforceable and legally binding. Obligations under contracts that we can cancel without a significant penalty are not included in the table above. Purchase orders issued in the ordinary course of business are not included in the table above, as our purchase orders represent authorizations to purchase rather than binding agreements.
Backlog
Our backlog is made up of remaining performance obligations associated with our customer contracts. These remaining performance obligations represent all future revenue under contract that has not yet been recognized which includes deferred revenue and unbilled amounts.
Indemnification Agreements
Our subscription agreements generally contain standard indemnification obligations. Pursuant to these agreements, we will indemnify, defend and hold the other party harmless with respect to a claim, suit, or proceeding brought against the other party by a third party alleging that our intellectual property infringes upon the intellectual property of the third party, or results from a breach of our representations and warranties or covenants, or that results from any acts of negligence or willful misconduct. The term of these indemnification agreements is generally perpetual any time after the execution of the agreement. Typically, these indemnification provisions do not provide for a maximum potential amount of future payments we could be required to make. However, in the past we have not been obligated to make significant payments for these obligations and no liabilities have been recorded for these obligations on our consolidated balance sheet as of December 31, 2018 or 2019.
We also indemnify our officers and directors for certain events or occurrences, subject to certain limits, while the officer is or was serving at our request in such capacity. The maximum amount of potential future indemnification is unlimited. However, our director and officer insurance policy limits our exposure and enables us to recover a portion of any future amounts paid. Historically, we have not been obligated to make any payments for these obligations and no liabilities have been recorded for these obligations on our consolidated balance sheet as of December 31, 2018 or 2019.
Off-Balance Sheet Arrangements
As of December 31, 2019, we did not have any relationships with unconsolidated organizations or financial partnerships, such as structured finance or special purpose entities, which would have been established for the purpose of facilitating off-balance sheet arrangements or for other contractually narrow or limited purposes.
Quantitative and Qualitative Disclosures About Market Risk
We have operations in the United States and internationally and we are exposed to market risk in the ordinary course of business.
Inflation Rate Risk
We do not believe that inflation has had a material effect on our business, financial condition or results of operations. Nonetheless, if our costs were to become subject to significant inflationary pressures, we may not be able to fully offset such higher costs through price increases. Our inability or failure to do so could harm our business, financial condition and results of operations.
Interest Rate Risk
Our cash and cash equivalents primarily consist of cash on hand and highly liquid investments in money market funds, including overnight investments. As of December 31, 2019, we had cash and cash equivalents of $48.9 million. The carrying amount of our cash equivalents reasonably approximates fair value, due to the short maturities of these instruments. The primary objectives of our investment activities are the preservation of capital, the
69
fulfillment of liquidity needs and the fiduciary control of cash and investments. We do not enter into investments for trading or speculative purposes. Our investments are exposed to market risk due to fluctuations in interest rates, which may affect our interest income and the fair market value of our investments. However, due to the short-term nature of our investment portfolio, we do not believe an immediate 10% increase or decrease in interest rates would have a material effect on the fair market value of our portfolio. We therefore do not expect our operating results or cash flows to be materially affected by a sudden change in market interest rates.
Foreign Currency Risk
The vast majority of our sales contracts are denominated in U.S. dollars, with a small number of contracts denominated in foreign currencies. A portion of our operating expenses are incurred outside the United States, denominated in foreign currencies and subject to fluctuations due to changes in foreign currency exchange rates, particularly changes in the British Pound, Brazilian Real and South African Rand. Additionally, fluctuations in foreign currency exchange rates may cause us to recognize transaction gains and losses in our consolidated statements of operations. During the years ended December 31, 2018 and 2019, a hypothetical 10% change in foreign currency exchange rates applicable to our business would not have had a material impact on our consolidated financial statements. As the impact of foreign currency exchange rates has not been material to our historical operating results, we have not entered into derivative or hedging transactions, but we may do so in the future if our exposure to foreign currency becomes more significant.
JOBS Act Accounting Election
We are an emerging growth company, as defined in the Jump-start Our Business Start-ups, or JOBS Act. Under the JOBS Act, we can delay adopting new or revised accounting standards issued after the enactment of the JOBS Act until those standards apply to private companies, unless we otherwise irrevocably elect not to avail ourselves of this exemption. While we have not made such an irrevocable election, we have not delayed the adoption of any applicable accounting standards.
Critical Accounting Policies and Estimates
Our management’s discussion and analysis of financial condition and results of operations is based upon our financial statements and notes to our financial statements, which were prepared in accordance with GAAP. The preparation of these consolidated financial statements requires us to make estimates and judgments that affect the reported amounts of assets and liabilities and related disclosure of contingent assets and liabilities at the date of the financial statements, and the reported amounts of revenue and expenses during the reporting periods. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable, the results of which form the basis for making judgments about the carrying values of assets and liabilities that are not readily apparent from other sources.
The accounting estimates we use in the preparation of our financial statements will change as new events occur, more experience is acquired, additional information is obtained and our operating environment changes. Changes in estimates are made when circumstances warrant. Such changes in estimates and refinements in estimation methodologies are reflected in our reported results of operations and, if material, the effects of changes in estimates are disclosed in the notes to our financial statements. By their nature, these estimates and judgments are subject to an inherent degree of uncertainty and actual results could differ materially from the amounts reported based on these estimates.
While our significant accounting policies are more fully described in Note 2 of our consolidated financial statements included elsewhere in this prospectus, the following accounting policies involve a greater degree of judgment and complexity. Accordingly, these are the policies we believe are the most critical to aid in fully understanding and evaluating our consolidated financial condition and results of our operations.
70
Revenue Recognition
We account for revenue in accordance with Accounting Standards Codification, or ASC, Topic 606 - Revenue from Contracts with Customers, and apply the following five-step approach for considering contracts:
1.Identification of the contract, or contracts, with the customer.
2.Identification of the performance obligations in the contract.
3.Determination of the transaction price.
4.Allocation of the transaction price to the performance obligations in the contract.
5.Recognition of revenue when, or as, we satisfy a performance obligation.
We recognize revenue at the time the related performance obligation is satisfied by transferring the service to a customer in an amount that reflects the consideration we expect to be entitled to in exchange for those services, net of any sales or other tax. Our subscription contracts typically vary from one year to three years and are generally noncancellable and nonrefundable.
Ratable Subscription Revenue
Subscription services revenue consists of subscription fees earned for providing access to our cloud-based platform, including support services and feature upgrades, if and when available. Our subscription contracts do not provide customers with the right to take possession of the software operating on the cloud platform and, as a result, are accounted for as service arrangements. Our customers’ ability to access to our platform represents a series of distinct services, which fulfills our performance obligation over the subscription term. Accordingly, the amounts invoiced related to subscription revenue are recorded as deferred revenue and recognized on a straight-line basis over the contract term, beginning on the date that the service is made available to the customer.
Initial Subscription Revenue
Most of our contracts with customers also provide content available for download which is considered distinct and accounted for as a separate performance obligation. The transaction price is allocated to the separate performance obligations on a relative stand-alone selling price, or SSP, basis, which requires significant judgment. We determine SSP based on the prices at which we sell subscription services, including discounting practices, taking into consideration the type of subscription, differing levels of content available to our customers and other factors. The relative SSP allocated to content downloads is generally recognized at the point in time our customers gain access to our content.
Deferred Commissions
We capitalize sales commissions and associated payroll taxes and benefits paid to internal sales personnel that are considered incremental to the acquisition of customer contracts. These costs are recorded as deferred commissions on the consolidated balance sheets upon invoicing to the customer and are paid upon cash collection from the customer. We determine whether costs should be deferred based on sales compensation plans, if the commissions are incremental and would not have occurred absent the customer contract. Sales commissions for renewal of a subscription contract are not considered commensurate with the commissions paid for the acquisition of the initial subscription contract given the substantive difference in commission rate between new and renewal contracts.
The portion of commissions paid upon the initial acquisition of a contract are amortized over an estimated period of benefit of six years while commensurate commissions paid upon initial acquisition and commissions paid related to renewal contracts are amortized over the average contract period. An estimate of the portion of commissions related to the downloadable content performance obligation is made, which is recognized at contract inception consistent with the pattern of revenue recognition. This estimate is made in a consistent manner to the SSP allocated to the related portion of revenue, which requires judgment. Judgment is also required when determining
71
the period of benefit for commissions paid for the acquisition of the initial subscription contract. We evaluate both qualitative and quantitative factors including the initial estimated customer life, the technological life of our platform and related significant features, customer attrition and industry practices.
Stock-Based Compensation
Stock-based compensation expense related to equity awards is recognized based on the fair value of the awards on the date of the grant. The fair value of each option award is estimated using the Black-Scholes option-pricing model. Stock-based compensation expense is recognized over the requisite service period of the awards, which is four years. Our option awards have service-based vesting conditions and we record the expense for these awards net of forfeitures, which are recorded as incurred, using the straight-line method.
Our use of the Black-Scholes option-pricing model requires the input of subjective assumptions, which represent management’s best estimates. These estimates involve inherent uncertainties and the application of management’s judgment. These assumptions and estimates are as follows:
•Fair Value of Common Stock - Because our common stock is not yet publicly traded, we must estimate the fair value of common stock, as discussed below in the section titled “Common Stock Valuations.”
•Expected Term - The expected term is estimated using the simplified method, due to a lack of historical exercise activity. The simplified method calculates the expected term as the mid-point of the vesting date and the contractual expiration date of the award.
•Volatility - Since we do not have a trading history of our common stock, the expected volatility is determined based on the historical stock volatilities of our comparable companies. Comparable companies consist of public companies in our industry, which are similar in size, stage of life cycle and financial leverage. We intend to continue to apply this process using the same or similar public companies until a sufficient amount of historical information regarding the volatility of our own share price becomes available, or until circumstances change such that the identified companies are no longer similar to us, in which case, more suitable companies whose share prices are publicly available would be used in the calculation.
•Risk-Free Interest Rate - The risk-free interest rate is based on the U.S. Treasury yield curve in effect at the date closest to the grant date for U.S. Treasury zero-coupon issues with maturities approximating the expected term of the awards.
•Dividend Yield - The expected dividend assumption is based on our current expectations about our anticipated dividend policy. As we have a history of only paying a single one-time dividend and do not anticipate paying dividends in the future, we use an expected dividend yield of zero.
The following table summarizes the assumptions used in the Black-Scholes option pricing model to determine the fair value of our stock options:
| Year Ended December 31, | |||||||||||||||||
| 2018 | 2019 | 2020 | |||||||||||||||
| Expected term (years) | 6.3 | 6.3 | |||||||||||||||
| Expected stock price volatility | 45.0 | % | 45.0 | % | |||||||||||||
| Risk-free interest rate | 2.4% - 3.0% | 2.4% - 3.0% | |||||||||||||||
| Dividend yield | — | % | — | % | |||||||||||||
Common Stock Valuations
The fair value of the common stock underlying our stock-based awards was determined by our board of directors, with input from management and contemporaneous third-party valuations. Because our common stock is
72
not publicly traded, our board of directors exercises judgment and considers numerous objective and subjective factors to determine the best estimate of the fair value of our common stock including:
•valuations performed at or near the time of grant;
•rights, preferences and privileges of our redeemable convertible preferred stock relative to those of our common stock;
•our actual operating and financial performance at the time of the option grant;
•likelihood of achieving a liquidity event, such as an initial public offering or a merger or acquisition of our business;
•the value of comparable companies with respect to industry, business model, stage of growth, financial risk or other factors;
•our stage of development and future financial projections;
•the lack of marketability of our common stock.
We have utilized unrelated third-party specialists to prepare valuations in accordance with the American Institute of Certified Public Accountants Practice Guide, Valuation of Privately-Held-Company Equity Securities Issued as Compensation, or AICPA Guide.
Through the end of 2019, in valuing our common stock, the fair value of our business, or enterprise value, was determined using a combination of approaches including an income approach, a market approach, an Option-Pricing Methodology, or OPM, backsolve method and recent transactions in our preferred and common stock. The income approach estimates value based on the expectation of future cash flows that a company will generate. These future cash flows are discounted to their present values and adjusted to reflect the risks inherent in our cash flows. The market approach estimates value based on a comparison of the subject company to comparable public companies for which a representative market value multiple is determined and then applied to the subject company’s financial results to estimate the value of the subject company. The backsolve method applies a Black-Scholes based option pricing model to calculate an implied enterprise value based on a known component of the equity structure.
Starting in 2020, we changed from using the OPM method to the Probability Weighted Expected Return Method, or PWERM, as the PWERM is the preferred method for a company expecting a liquidity event in the near future. The OPM treats common stock and convertible preferred stock as call options on an enterprise value, with exercise prices based on the liquidation preference of our convertible preferred stock. The common stock is modeled as a call option with a claim on the enterprise at an exercise price equal to the remaining value immediately after our convertible preferred stock is liquidated. PWERM involves a forward-looking analysis of the possible future outcomes of the enterprise. This method is particularly useful when discrete future outcomes can be predicted at a relatively high confidence level with a probability distribution. Discrete future outcomes considered under the PWERM include an initial public offering, or IPO, as well as non-IPO market based outcomes. Determining the fair value of the enterprise using the PWERM requires us to develop assumptions and estimates for both the probability of an IPO liquidity event and non-IPO outcomes, as well as the values we expect those outcomes could yield. We apply significant judgment in developing these assumptions and estimates, primarily based upon the enterprise value we determined, our knowledge of the business and our reasonable expectations of discrete outcomes occurring. After the equity value is determined and allocated to the various classes of shares, a discount for lack of marketability, or DLOM, is applied to arrive at the fair value of common stock. A DLOM is applied based on the theory that as an owner of a private company stock, the stockholder has limited opportunities to sell this stock and any such sale would involve significant transaction costs, thereby reducing overall fair market value.
Upon completion of this offering, our common stock will be publicly traded and it will not be necessary to determine the fair value of our common stock.
73
Recent Accounting Pronouncements
See Note 2 to our consolidated financial statements “Summary of Significant Accounting Policies” for more information.
74
BUSINESS
Mission
Our mission is to enable employees to make smarter security decisions, every day.
Overview
KnowBe4 has developed the leading security awareness platform enabling organizations to assess, monitor and minimize the ongoing cybersecurity threat of social engineering attacks. We are pioneering an integrated approach to security awareness that incorporates cloud-based software, machine learning, artificial intelligence, advanced analytics and insights with engaging content. Our platform is purpose-built to change human behavior and streamline security operations in order to reduce social engineering risks.
We believe every organization’s greatest asset is also its greatest security risk – its people. As investments in security products grow significantly, attackers are increasingly leveraging social engineering to circumvent the traditional layers of cybersecurity defense. Social engineering relies on the manipulation of human behavior and can range from enlisting unsuspecting employees in schemes to defraud their employers to gaining access to systems during the initial phase of broader, multi-stage cyberattacks that can result in devastating breaches. Because these attacks are low-cost and high-volume and have a high probability of success, they enable the attacker to achieve a significant return on investment. Social engineering represents a universal cybersecurity risk, as it specifically targets the employees rather than the infrastructure of an organization. As such, social engineering risks affect every organization, regardless of the sophistication of their security infrastructure.
Historically, organizations have invested significantly in cybersecurity defenses with the belief that infrastructure-centric tools alone could provide adequate protection. According to a forecast from the International Data Corporation, or IDC, organizations spent $59 billion on IT security products in 2019, a figure that is expected to reach $79 billion by 2023. Despite significant amounts spent each year, security breaches continue to be reported with increasing frequency. Recent secular trends, including globally distributed workforces, work from home and the technological complexity of the modern digital workplace have vastly expanded the attack surface. A single click on a phishing email, insecure disposal of a sensitive document, use of a weak password and a host of other employee behaviors can prove disastrous to an organization. These effects are far-reaching, ranging from incident response costs and lost productivity to negative media coverage, loss of revenue and impacted customer confidence. More often than not, the difference between a secure and insecure interaction comes down to human behavior, but changing human behavior is a significant challenge.
We believe security awareness is the most effective way for organizations to manage the extraordinary unaddressed risk of social engineering, representing a fundamental shift in cybersecurity. Our security awareness platform is designed on a unique foundation that combines machine learning, artificial intelligence and advanced analytics with a deep understanding of human behavioral science. Our platform is purpose-built to alter human behavior and continuously reinforce secure behaviors through ongoing knowledge checks, behavior-based interventions, data analysis and relevant and interactive content. Our customers can strengthen their overall security posture by complementing their existing security infrastructure investments with a platform dedicated to reducing the risks associated with social engineering. We enable organizations to effectively enhance the security awareness of their workforce, converting their employees into a critical last line of defense against cyberattacks.
Our platform currently includes:
•Security Awareness: enables continuous assessment of employees through simulated social engineering attacks across multiple mediums and remediation through real-time delivery of highly engaging modules that are curated based on relevant and specific risks;
•Security Orchestration, Automation and Response (SOAR): enables security professionals to prioritize and automate security workstreams in order to respond to and remediate social engineering attacks; and
75
•Governance, Risk and Compliance: enables organizations to analyze security risk and automate the management of compliance and audit functions.
We designed our platform to meet the needs of IT administrators, as effective, scalable, quick to deploy and easy to use for organizations of all sizes. Our platform design allows us to scale from small businesses to large enterprises using a single code base. Our products are deployed on a common data platform with embedded analytical tools and reporting APIs that allow our customers to continually assess and monitor ongoing risks to the organization.
As the behavior of any employee could represent a threat, our customers tend to adopt our platform across the entire organization to protect all employees from social engineering threats. We have developed an effective go-to-market strategy that has been proven to help us reach both small and midsized businesses and large enterprises. We employ an efficient inside sales model that translates across all customer segments, complimented by channel partnerships that provide significant sales leverage and have enabled us to further penetrate the enterprise market. As a result, we have been able to grow our customer base rapidly in recent years, from more than 22,500 as of December 31, 2018 to more than 30,000 as of December 31, 2019. Our leadership in the security awareness market has been recognized by both Gartner Inc. and Forrester Research Inc.
We continue to experience significant growth, with total revenue increasing from $71.3 million for the year ended December 31, 2018 to $120.6 million for the year ended December 31, 2019, representing year-over-year growth of 69%. Our annual recurring revenue, or ARR, has grown from $88.6 million as of December 31, 2018 to $145.4 million as of December 31, 2019, a 64% increase. Our net loss increased from $9.2 million for the year ended December 31, 2018 to $124.3 million for the year ended December 31, 2019, which included $0.9 million and $118.1 million of stock-based compensation expense, respectively. Our cash flows from operations increased from $17.7 million for the year ended December 31, 2018 to $29.7 million for the year ended December 31, 2019. Our free cash flow was $8.2 million and $18.9 million for the years ended December 31, 2018 and 2019, respectively. See the sections titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Key Business Metrics—Annual Recurring Revenue” for additional information regarding ARR and “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Non-GAAP Financial Measures—Free Cash Flow and Free Cash Flow Margin” for additional information regarding free cash flow and for a reconciliation of free cash flow to the most directly comparable financial measure calculated in accordance with U.S. generally accepted accounting principles, or GAAP.
Industry Background
Social Engineering Attacks Targeting Humans Are the Most Successful Cyberattacks
Social engineering, which encompasses attacks on the human layer of an organization, is typically defined as leveraging identity manipulation to deceive individuals into providing malicious actors access to proprietary information or assets. Social engineering can take the form of phishing, spear phishing, pretexting, business email compromise, smishing (SMS-based phishing) and vishing (voice-based phishing). These methods can result in the direct compromise of proprietary information or can serve as the first phase in sophisticated multi-stage attacks, enabling credential theft, ransomware delivery and malware delivery, among other attacks, that can ultimately result in costly security breaches. In effect, by targeting human behavior rather than infrastructure, social engineering attacks can be utilized by attackers to circumvent multiple layers of security.
In effect, by targeting human behavior rather than infrastructure, social engineering attacks can be utilized by attackers to circumvent multiple layers of security. According to IDC, annual worldwide spending on security-related hardware and software will amount to $59 billion in 2019 and is projected to reach $79 billion by 2023. Despite these massive investments on cybersecurity products to protect people, devices and infrastructure, these products are not designed to specifically address vulnerabilities related to human behavior. While the infrastructure-centric approach to security has dominated security investments since the market’s inception, this approach does not deliver the reduction in social engineering risks that can be achieved with a knowledgeable and well-prepared employee population.
76
Due to the relative ease and cost-effectiveness of developing and deploying social engineering attacks, coupled with their effectiveness and the potential value of the resulting breaches, these methods have become the preferred and most frequent avenue for hackers to gain access to IT systems and sensitive information. Several recent high profile breaches, ranging from data loss events of major corporations and government entities, to account takeovers of prominent individuals, to ransomware attacks on local governments and hospitals, have all involved social engineering methods. Based on data from the 2020 Verizon Data Breach Investigations Report, we believe attacks on the human layer are now responsible for a majority of events leading to breaches.
Digital Transformation Has Expanded the Social Engineering Attack Surface
Not only has the widespread adoption of digital technologies significantly impacted how companies conduct business, it has also fundamentally changed the relationship of their employees with technology in their everyday professional and personal lives. Individuals increasingly use digital mediums, including email and text messaging, as their primary form of communication both at work and outside of the office, and increasingly rely on online services in everyday life, from ecommerce to personal banking and bill-pay. The expanding use of technology has provided attackers with a growing number of vectors to imitate in launching social engineering attacks.
Furthermore, the amount of personal data available for cyberattackers to use in crafting convincing social engineering attacks is staggering. According to Statista, over half of the global population currently uses social media, where accounts provide cyberattackers with a vast repository of knowledge about an individual, including their detailed personal history, interests, contacts and other valuable information. Cyberattackers have also taken advantage of the digitization of records to inflict severe breaches of valuable data upon companies in consumer-facing industries and government entities. These data loss events have collectively resulted in millions of records containing highly sensitive personally identifiable information being made available for distribution on the dark web. All of these trends have made individuals more susceptible than ever to social engineering attacks.
At the same time, businesses continue to modernize and invest in digital capabilities, with digital transformation expected to comprise 53% of IT budgets by 2023, according to IDC. However, the same technologies that have enabled global connectivity, productivity and innovation have also empowered cyberattackers. The widespread adoption of mobile devices, ubiquitous network connectivity and adoption of cloud technology have greatly expanded the social engineering attack surface that organizations must protect. The increasing number of employees working remotely, in cloud applications and on consumer-oriented devices that are often multi-purposed for enterprise uses but only partially enterprise-managed, has significantly eroded the traditional security perimeter. With a sustained shift to digital and remote workplaces, accelerated by the global coronavirus pandemic, we believe the threat of social engineering will become more pronounced. Since the onset of the pandemic, VMware reports that 88% of businesses have seen an increase in social engineering attacks. This changing landscape requires humans to become the last line of defense against cyber threats.
Attackers Are Launching Increasingly Targeted Cyberattacks at Scale
Cyberattackers across all levels of sophistication employ social engineering techniques. These attackers range from hackers leveraging basic techniques to more sophisticated criminal organizations motivated by financial gains, to highly-advanced military and intelligence services of well-funded nation-states. The most sophisticated adversaries today are increasingly well-equipped, possessing significant technological and human resources, and are highly deliberate and targeted in their attacks. These groups and individuals are responsible for many breaches that involve theft or ransom of privacy-related data, financial data, intellectual property and trade secrets. Regardless of their level of expertise, cyberattackers can leverage social engineering to launch targeted cyberattacks at scale.
As they do not depend on the technical exploitation of security infrastructure, the most basic social engineering attacks require minimal investment to develop and can be cost-efficiently distributed to a wide target audience, often to devastating results.
However, social engineering attacks are becoming increasingly advanced. For high value targets, cyberattackers conduct extensive background research on the individuals in order to develop highly customized and convincing messages. Other innovative techniques leverage emerging technologies such as AI, facial recognition and voice-based methods. One example is the recent emergence of doctored videos, or deep fakes, demonstrating the advanced
77
means through which hackers use artificial intelligence to impersonate voices for phishing purposes. Through doctored videos, hackers exploit realistic looking images and audio files to impersonate colleagues or senior executives with the intent of gaining access to proprietary systems or sensitive information.
Modern cyberattacks are pervasive, targeting businesses of all sizes across a broad range of industries including technology, transportation, healthcare, financial services, governments and political organizations, utility and retail. The World Economic Forum places the likelihood of data fraud or theft and cyberattacks in the top five global risks, as adversaries often launch devastating attacks that cause significant business disruption and result in billions of dollars in cumulative losses. According to the Center for Strategic and International Studies, the global cost of cybercrime is estimated to be approximately $1 trillion annually, and the Ponemon Institute and IBM Security estimate that the average cost of a data breach has increased by 10% since 2014 to $3.86 million.
Cybersecurity Resources Are Constrained
Cybersecurity resources have become highly constrained. Skills shortages are at an all-time high, particularly in the areas of big data and analytics, cybersecurity and AI, with 54% of chief information officers, or CIOs, stating that they struggle to find the right talent in response to the Harvey Nash/KPMG CIO Survey 2020. Specifically, the 2020 (ISC)2 Cybersecurity Workforce Study estimated a global gap of over 3.1 million cybersecurity professionals.
Companies do not have enough IT security staff to effectively train employees on how to protect against ever-changing social engineering techniques or efficiently address threats that are reported. Rebuilding security training internally every year and sorting through reported threats on an individual basis is not resource-efficient for companies. These resource gaps highlight the need for software and automation in developing security awareness to protect against social engineering.
Limitations of Existing Offerings
Historically, organizations have relied on either content-centric or infrastructure-centric vendors for security awareness, or have opted for limited or no training due to the inefficacy of existing offerings. Content-centric alternatives, including products from traditional vendors and internally-developed tools, provide organizations with generic and ineffective training programs that are primarily designed to satisfy minimum compliance requirements. Infrastructure-centric alternatives provide basic point products for security training that are typically secondary to core security infrastructure products. Neither of these alternatives offers an integrated platform-based approach to security awareness that is specifically designed to manage the risk of social engineering.
As a result, these alternatives feature one or more of the following limitations:
•Lack of Focus on Human Behavior. While some infrastructure-centric vendors offer basic security training capabilities to their customer base, their primary focus is on the development of threat protection products, such as email security or endpoint security. These security vendors attempt to mitigate cybersecurity risk entirely through infrastructure, and do not offer dedicated security awareness platforms designed to change human behavior and mitigate the risk of attackers leveraging social engineering to bypass infrastructure-based defenses.
•Limited Intelligence and Analytics. Alternative offerings do not provide analytics capabilities to accurately assess and monitor the social engineering susceptibility of the organization and its employees over time. As such, organizations are unable to measure the effectiveness of their security awareness investments and programs.
•Challenging to Administer. Alternative offerings provide limited functionality, flexibility and automation in the administration of security training. As a result, security professionals are required to take either a ‘one-size-fits-all’ or resource-intensive manual approach to develop and administer an effective security awareness program.
•Ineffective and Limited Content. Many content-centric vendors and internally-developed tools incorporate a limited library of generic, static and non-globalized training modules that are ineffective at
78
engaging employees. Alternative products are also inadequate in simulating realistic and zero-day threat situations based on the current environment and in addressing the full spectrum of human-based threat vectors.
•Costly to Deploy and Maintain. Infrastructure-centric security alternatives often require costly and time-consuming implementations, preventing organizations from quickly realizing the benefits of their investment. These systems are also complex to operate and maintain, requiring significant ongoing investment in IT and security resources and expertise.
•Do Not Address the Entire Market. Alternative offerings are often optimized to address only one segment of the market. Offerings targeting larger enterprises are often too expensive or complex for small and midsized business to utilize in a cost-effective manner. Conversely, offerings sold into the mid-market often lack the flexibility and scalability to meet the needs of larger enterprises.
Key Strengths of Our Platform
We provide an integrated platform that enables organizations to assess, monitor and mitigate the persistent threat of social engineering. Our cloud-based platform employs a differentiated combination of software, machine learning, artificial intelligence, analytics, insights, content and security workstreams that is designed to meaningfully impact human behavior to continually improve an organization’s security posture in response to social engineering threats. The key strengths of our platform include:
Targeted Focus on Human Behavior
Our platform is exclusively focused on human behavior, as we believe that elevating the security awareness of an organization’s employees is essential to managing the risk associated with social engineering. We believe that infrastructure-based security controls alone are inadequate, requiring humans to become the critical last line of defense for an organization. In growing the category for security awareness, we are focused on building a platform capable of changing insecure behaviors and reinforcing secure behaviors of individuals. This allows us to invest technology and development resources to drive innovation and differentiation in products designed to address the human layer of security. Our focus has helped us establish market leadership and we believe will position us favorably to capitalize as the scope of the human layer of security expands.
Our security awareness platform is built on a foundation of powerful software and technology, including machine learning, artificial intelligence and data analysis capabilities, and is uniquely imbued with behavioral science to bring about significant change in an organization’s security culture and posture. These foundational technology layers are based on extensive development, experience and expertise in the security awareness space, leveraging insights from what we believe is the largest set of human security behavioral data in existence. This integrated data set includes access to a unique data stream, consisting of user-reported threats that have bypassed security infrastructure defenses, only to be detected by humans providing the last line of defense.
Continuous Intelligence and Analytics
Our platform continuously assesses users and monitors social engineering risk, creating an active feedback loop that enables organizations to continually drive improvements in employee security awareness and overall security posture. Frequent training, knowledge checks and behavior-based intervention all reinforce secure behaviors and provide critical data for measuring, improving and maintaining security awareness within an organization. We believe that an ongoing approach to security awareness is essential in response to the dynamically evolving social engineering threat environment.
The advanced analytics delivered by our platform enable security administrators to identify, monitor and manage the social engineering risk of the organization as a whole, or of individual employees or groups of employees on an ongoing basis. Our platform analyzes a broad and extensive set of risk data including simulation history, training history, external breach data and job function to assess the level of social engineering risks and measure changes over time. The platform also provides security professionals with actionable insights to modify and improve security awareness programs based on risk profiles at the individual or group level.
79
Our platform also provides individual employees with visibility into their susceptibility to social engineering threats. Users have the ability to view a dashboard including their risk score, training and simulation test history, as well as specific recommendations for actions to lower their social engineering risk. The ability of employees to monitor their individual risk promotes continuous engagement and improvement in security awareness.
Effective and Efficient Security Awareness Administration
Our platform is designed to enable security administrators to mitigate social engineering risk through automated, machine learning-driven administration of training specifically customized to an individual user or group of users. The platform analyzes users’ behavior and allows organizations to categorize employees based on dynamic or custom groupings to tailor simulated social engineering campaigns, assignments and analytical reporting based on identified potential vulnerabilities. Our platform leverages a machine learning engine to provide administrators with targeted recommendations based on the results of simulated tests and users’ risk scores prompting the delivery of relevant content with a demonstrated ability to reduce the risks associated with social engineering.
The platform also includes embedded SOAR functionality to prioritize and automate security operations related to user-reported social engineering threats. With these capabilities, security professionals can minimize risk to the organization by quickly responding to and effectively remediating the most severe social engineering threats. All together, these capabilities are designed to reduce the administrative burden of security awareness management and operations on resource-constrained IT and security professionals.
Expansive Library of Engaging and Effective Content
We have built an expansive library of differentiated security awareness content, containing approximately 1,200 pieces of content, that is continuously refreshed to ensure that our offerings always reflect the expanding range of social engineering threats. We leverage our extensive proprietary data set on human behavior and social engineering attacks, first-party threat environment research and crowd-sourcing methods to update our simulated threat templates in near real-time, in order to convincingly emulate real-world social engineering methods.
We believe the range and sophistication of our content library and technology makes our platform highly effective in changing human behavior to reduce social engineering risk. We employ dedicated content centers of excellence across geographies to produce differentiated content that reflects themes based on the broader global threat environment, but is highly localized and culturally relevant. Our distributed centers of excellence enable the rapid and efficient creation of a variety of content that is specific to a given market, thereby increasing the efficacy of our content in effecting behavioral change with its intended audience. The breadth and scope of our content enables it to fully meet the needs of large global enterprises with geographically diverse workforces, driving increased customer satisfaction and retention.
Ease of Platform Deployment and Use
We have designed our platform to be easy to deploy and use, enabling our customers to achieve rapid time-to-value and cost efficiency in security awareness operations. Our cloud-based platform requires minimal implementation efforts, enabling customers to quickly onboard and complete an initial baseline simulated social engineering campaign. We have also developed integrations with mainstream identity platforms, including Active Directory and SCIM, that further streamline platform deployment and ongoing user administration. Our management console offers simple and automated administration of security awareness programs and related workstreams, reducing the resource and expertise requirements on the organization. For employees, the user interface of our platform has also been designed to deliver an intuitive, easy-to-use and high quality experience that is on par with best-in-class consumer experiences.
Designed to Serve the Entire Market
As we believe social engineering is a universal problem, the ability to scale our technology to meet the needs of all organizations has been a central tenet of our platform design philosophy from the beginning. As a result, we have designed our products to be both accessible to smaller organizations without dedicated IT departments and scalable to organizations with hundreds of thousands of users and multiple security teams dispersed across the world. Our
80
cloud-based delivery model, scalable multi-tenant architecture and global content centers of excellence allow us to regularly introduce new content and platform features to our customers quickly and seamlessly.
Our Market Opportunity
We believe that companies of all sizes and across all industries and geographies require a security awareness platform to manage the ongoing threat of social engineering. As such, we estimate the total market opportunity for our platform currently to be approximately $15 billion for the year ended December 31, 2020.
For KMSAT and PhishER, we calculate our market opportunity by estimating the total number of employees in over 50 addressable geographies globally segmented into large enterprise, enterprise, medium business and small business categories. We apply a per employee price, depending on the segment, using internally generated data of actual customer spend based on the customer size and location. For KCM in the United States, we apply an average contract value to a set number of organizations using internally generated data of actual customer spend based on the size of such organizations. For KCM internationally, we estimate the size of the market as a multiple of the U.S. market implied by the proportional market sizes for our KMSAT and PhishER products. The aggregate sum of the calculated values across KMSAT, PhishER and KCM, as described herein, represents our total estimated market opportunity. The estimated market opportunity for KMSAT represents approximately half of our total market opportunity.
We define potential large enterprise customers as companies with greater than 10,000 employees, enterprise customers as companies with between 1,000 and 9,999 employees, medium customers as companies with between 100 and 999 employees and small customers as companies with between 20 and 99 employees. Data for companies and employees is based on various data sources from national statistical agencies in each respective region and country and international institutions, such as the U.S. Census Bureau, the World Bank, the European Statistical Office and the Organization for Economic Co-operation and Development, as compiled by Omdia.
The pricing assumptions applied to the estimated number of companies and employees in each market are calculated by leveraging internal data on actual customer spend by size and geography over the last 24 months. For each market segment, we have applied the median annualized spend per employee or organization, as adjusted for ordinary course price increases, which we believe represents a conservative estimate of spend for potential customers.
Our Growth Strategy
We believe we have significant opportunities to extend our market leadership. Key elements of our growth strategy include:
Expand Our Customer Base
We believe there is a significant opportunity to invest in our sales and marketing activities to drive broader market knowledge of the importance of security awareness. Increasing category awareness of our market enables us to expand our customer base with less education effort and more efficient go-to-market execution. We believe that businesses of all sizes are exposed to the risks of social engineering, and that there is a large opportunity to help both SMBs and large enterprises defend against this threat. In addition to growing the small to medium sized customer base that we have focused on since inception, we believe that there is significant opportunity to increase penetration in the enterprise segment.
Expand Internationally
The international market represents a clear expansion opportunity for us. We have grown our revenue generated by customers outside of North America from 6.0% in 2018 to 9.7% in 2019 and in 2020. To pursue this opportunity, we are rapidly expanding our international operations and increasing our physical presence through headcount additions in Europe, the Middle East, Asia-Pacific and South America. We are also investing in further localizing our platform through foreign language translation and customized content. Our platform is currently
81
accessible in over 30 languages and we plan to expand this language support in the future, along with increasing our region-specific content offerings.
Grow Our Partner Network
We plan to increase our channel partnerships to help us efficiently reach new territories and opportunities. Growing our international channel partnerships will help us reach new jurisdictions where we have not yet developed extensive brand awareness and local customer relationships. We believe managed service providers or MSPs, and channel partners represent an efficient way to sell to smaller customers, as organizations with limited or no IT departments often rely on MSPs to provide specialized security skills or knowledge. In 2019, MSPs and channel partners were involved in generating 32.3% of our revenue. As our business becomes more mature, we believe the revenue contribution from channel partners and MSPs will continue to increase.
Expand Our Existing Customer Relationships
We plan to continue cross-selling products and upselling subscription tiers within our existing customer base. Our extensive existing customer base provides substantial opportunity to expand use of our platform offerings as well as upgrade existing subscriptions to higher tiers. We believe that our integrated platform and the strength of our customer success program are key to our ability to cross-sell and upsell to our existing customers. We plan to continue to invest in our technology and platform, which then organically creates new adjacencies and use cases, and to invest in customer success personnel to retain existing customers and drive increased product attachment rates.
Invest in Our Platform and Content
We believe that continued investment in our technology platform and content is important to our ability to maintain and extend our market leadership. We invest in technology and development activities to continuously strengthen our platform and release additional features and products to the market. These development efforts stay true to our core principles that the human layer in cybersecurity is important and that the human layer can be addressed without adding significant complexity to the end user or IT security professional. We believe that our ability to leverage the immense amount of data collected from our customers’ usage and to incorporate their feedback into our platform and content offerings have contributed to our market-leading position. We continue to explore methods to monetize our data assets in the future and continue to integrate our customer feedback into future product development opportunities.
Selectively Pursue Strategic Acquisitions
We plan to pursue strategic acquisitions that we believe will be complementary to our existing platform, enhance our technology and our content, and increase the value proposition we deliver to our customers. For example, we may pursue acquisitions that we believe will help us add new features, accelerate customer growth, enter new markets and add talents and expertise to our organization. During 2018 and 2019, we completed five acquisitions, which expanded our international presence and added to our existing technological capabilities and content.
Our Platform
The KnowBe4 security awareness platform consists of:
•KMSAT, our security awareness training product, which enables continuous assessment of employees through simulated social engineering attacks across multiple mediums and remediation through real-time delivery of highly engaging modules that are curated based on relevant and specific risks;
•PhishER, our security orchestration, automation and response product, which enables security professionals to prioritize and automate security workstreams in response to attacks targeted at the human layer; and
•KCM, our governance, risk and compliance product, which enables organizations to analyze security risk and automate the management of compliance and audit functions
82
All of our products are built on a cloud-based architecture designed to be easy to deploy across organizations of all sizes. We also build machine learning and artificial intelligence into our products to increase the product’s ability to enable behavioral change and to allow the administration of our products to be streamlined and efficient.
Our platform features integrated capabilities that are designed to enhance the overall value proposition to our customers and their employees. Through advanced analytics and risk scoring capabilities, our platform enables customers to proactively identify social engineering risk within their organizations. When a customer is onboarded, our platform provides a baseline risk assessment based on the performance of individual users in an initial simulated phishing campaign. Based on the risk assessment, our platform can enable the automatic administration of high quality, effective training aimed at mitigating identified risk. Organizations are then able to continuously simulate a wide array of social engineering attacks, giving users the ability to fail safely, adjust their behavior and learn through action. This continuous cycle creates an active feedback loop and increases engagement helping prevent users from reverting to risky behavior.
As users become more effective at identifying and reporting potential social engineering attacks, our orchestration, automation and response capabilities help security professionals efficiently manage the workstreams associated with user-reported threats. We leverage a vast repository of proprietary data gathered from user-reported threats that have bypassed infrastructure-based security defenses to continually evolve our platform, automation capabilities and security content to reflect the latest threat environment. Our dataset continually expands and becomes more valuable as the number of trained users utilizing the platform and the security awareness of those users increase. This greatly enhances our ability to leverage the data derived from our customer base in improving our platform.
Our platform’s underlying features and capabilities include AI and machine learning, advanced analytics, risk scoring, dashboards and reporting and flexible APIs. Organizations utilize these tools to continuously assess the ongoing risk of social engineering, respond to these threats and ultimately automate the enterprise’s defense against human-based cyberattacks. We also offer several free tools that provide IT professionals with the ability to identify and respond to a wide range of social engineering threats as well as to assess general end-user security behaviors. These free tools provide us with lead generation capabilities to focus on exposing organizations to our platform in a cost-efficient way. The capabilities of these tools are distinct from our paid products and focus on highlighting the need for effective security awareness.
Our Products
Kevin Mitnick Security Awareness Training (KMSAT)