SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
|☒||ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934|
For the fiscal year ended December 31, 2021
|☐||TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934|
|For the transition period from to |
Commission File Number 001-40351
(Exact name of Registrant as specified in its charter)
|(State or other jurisdiction of incorporation or organization)||(Primary Standard Industrial Classification Code Number)||(I.R.S. Employer Identification Number)|
33 N. Garden Avenue
Clearwater, FL 33755
(Address, including zip code, and telephone number, including area code, of Registrant’s principal executive offices)
Securities registered pursuant to Section 12(b) of the Act:
|Title of each class||Trading Symbol||Name of each exchange on which registered|
|Class A common stock, par value $0.00001||KNBE||The Nasdaq Stock Market LLC|
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes ☐ No ☒
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes ☐ No ☒
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes ☐ No ☒
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes ☒ No ☐
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
|Large accelerated filer ☐||Accelerated filer ☐|
Non-accelerated filer ☒
Smaller reporting company ☐
Emerging growth company ☒
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☒
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. ☐
Indicate by check mark whether the registrant is a shell company (as defined by Rule 12b-2 of the Exchange Act). Yes ☐ No ☒
The aggregate market value of voting stock held by non-affiliates of the registrant was $2.2 billion as of June 30, 2021, the last business day of the registrant’s most recently completed second fiscal quarter (based on the closing sales price for the common stock on the Nasdaq Stock Market on such date). Shares of common stock held by each executive officer and director have been excluded in that such persons may be deemed to be affiliates. This determination of affiliate status is not necessarily a conclusive determination for other purposes.
At March 4, 2022, there were 72,765,169 shares of the registrant’s Class A Common Stock outstanding.and 101,930,933 shares of the registrant’s Class B Common Stock outstanding.
Portions of the registrant’s Definitive Proxy Statement relating to the 2022 Annual Meeting of Stockholders are incorporated by reference into Part III of this Annual Report on Form 10-K where indicated. Such Definitive Proxy Statement will be filed with the Securities and Exchange Commission within 120 days after the end of the registrant’s fiscal year ended December 31, 2021.
CAUTIONARY NOTE REGARDING FORWARD-LOOKING STATEMENTS
This Annual Report on Form 10-K contains forward-looking statements. These statements may relate to, but are not limited to, expectations of future operating results or financial performance, capital expenditures, use of proceeds from this offering, introduction of new products, regulatory compliance, plans for growth and future operations, as well as assumptions relating to the foregoing. Forward-looking statements are inherently subject to risks and uncertainties, some of which cannot be predicted or quantified. These risks and other factors include, but are not limited to, those listed under “Risk Factors.” In some cases, you can identify forward-looking statements by terminology such as “may,” “will,” “should,” “could,” “expect,” “plan,” “anticipate,” “believe,” “estimate,” “predict,” “intend,” “potential,” “might,” “would,” “continue” or the negative of these terms or other comparable terminology. Actual events or results may differ from those expressed in these forward-looking statements, and these differences may be material and adverse. Forward looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:
•our future financial performance, including our revenue, cost of revenue, gross profit or gross margin and operating expenses;
•the sufficiency of our cash, cash equivalents and investments to meet our liquidity needs;
•our ability to attract new customers, cross-sell or upsell our existing customers and develop new products;
•our ability to maintain the security and availability of our platform and products;
•our ability to continue to build our direct sales organization;
•our ability to effectively manage our growth and future expenses;
•our ability to increase our number of customers;
•our ability to successfully expand in our existing markets and into new markets;
•our ability to effectively manage our growth and future expenses;
•our estimated total addressable market;
•our ability to expand our network of channel partners;
•our ability to maintain, protect and enhance our intellectual property;
•our ability to comply with modified or new laws and regulations applying to our business;
•our anticipated investments in sales and marketing and research and development;
•our ability to manage growth through identification, execution and integration of acquisitions;
•our ability to successfully defend litigation brought against us; and
•the increased expenses associated with being a public company.
We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition, results of operations, prospects, business strategy and financial needs. The outcome of the events described in these forward-looking statements is subject to risks, uncertainties, assumptions and other factors described in the section captioned “Risk Factors” and elsewhere in this Annual Report on Form 10-K. These risks are not exhaustive. New risks and uncertainties emerge from time to time and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements contained in this Annual Report on Form 10-K. We cannot assure you that the results, events and circumstances reflected in the forward-looking
statements will be achieved or occur, and actual results, events or circumstances could differ materially from those described in the forward-looking statements.
In addition, statements that “we believe” and similar statements reflect our beliefs and opinions on the relevant subject. These statements are based upon information available to us as of the date of this Annual Report on Form 10-K , and while we believe such information forms a reasonable basis for such statements, such information may be limited or incomplete, and our statements should not be read to indicate that we have conducted an exhaustive inquiry into, or review of, all potentially available relevant information. These statements are inherently uncertain and investors are cautioned not to unduly rely upon these statements.
You should read this Annual Report on Form 10-K and the documents that we reference in this Annual Report on Form 10-K and have filed as exhibits to the registration statement of which this Annual Report on Form 10-K forms a part with the understanding that our actual future results, levels of activity, performance and achievements may be materially different from what we expect. We qualify all of our forward-looking statements by these cautionary statements.
The forward-looking statements made in this Annual Report on Form 10-K relate only to events as of the date on which such statements are made. We undertake no obligation to update any forward-looking statements after the date of this Annual Report on Form 10-K or to conform such statements to actual results or revised expectations, except as required by law.
Item 1. Business
KnowBe4, Inc. (the “Company” or “KnowBe4”) has developed the leading security awareness platform enabling organizations to assess, monitor and minimize the ongoing cybersecurity threat of social engineering attacks. We are pioneering an integrated approach to security awareness that incorporates cloud-based software, machine learning, artificial intelligence, advanced analytics and insights with engaging content. Our platform is purpose-built to drive awareness, change human behavior and enable a security-minded culture that results in a reduction of social engineering risks.
We believe every organization’s greatest asset is also its greatest security risk – its people. As investments in security products grow significantly, attackers are increasingly leveraging social engineering to circumvent the traditional layers of cybersecurity defense. Social engineering relies on the manipulation of human behavior and can range from enlisting unsuspecting employees in schemes to defraud their employers to gaining access to systems during the initial phase of broader, multi-stage cyberattacks that can result in devastating breaches. Because these attacks are low-cost and high-volume and have a high probability of success, they enable the attacker to achieve a significant return on investment. Social engineering represents a universal cybersecurity risk, as it specifically targets the employees rather than the infrastructure of an organization. As such, social engineering risks affect every organization, regardless of the sophistication of their security infrastructure.
Historically, organizations have invested significantly in cybersecurity defenses with the belief that infrastructure-centric tools alone could provide adequate protection. Despite significant amounts spent each year, security breaches continue to be reported with increasing frequency. Additionally, recent trends, including globally distributed workforces, work from home and the technological complexity of the modern digital workplace have vastly expanded the attack surface. A single click on a phishing email, insecure disposal of a sensitive document, use of a weak password and a host of other employee behaviors can prove disastrous to an organization. These effects are far-reaching, ranging from incident response costs and lost productivity to negative media coverage, loss of revenue and impacted customer confidence. More often than not, the difference between a secure and insecure interaction comes down to human behavior.
We believe security awareness is the most effective way for organizations to manage the unaddressed risk of social engineering. Security awareness has historically been isolated to information security and IT professionals and focused on compliance and simplistic content delivery. Our platform is designed to promote awareness, change human behavior and drive a security-minded culture. The foundation of our security awareness platform combines
automation, machine learning, artificial intelligence and continuous testing with data analysis and relevant and interactive content. Our products enable customers to strengthen their overall security posture by creating a security-minded culture characterized by active user participation with a focus on mitigating the human element of security risk across their entire organization. We enable organizations to effectively enhance the security awareness of their workforce, converting their employees into a critical last line of defense against cyberattacks.
Our platform currently includes:
•Security Awareness: enables continuous assessment of employees through simulated social engineering attacks across multiple mediums and remediation through real-time delivery of highly engaging modules that are curated based on relevant and specific risks;
•Security Orchestration, Automation and Response (SOAR): enables security professionals to prioritize and automate security workstreams in order to respond to and remediate social engineering attacks; and
•Governance, Risk and Compliance: enables organizations to analyze security risk and automate the management of compliance and audit functions.
We designed our platform to meet the needs of IT administrators, as effective, scalable, quick to deploy and easy to use for organizations of all sizes. Our platform design allows us to scale from small businesses to large enterprises and our products are deployed on a common data platform with embedded analytical tools and reporting APIs, resulting in seamless integration. Additionally, our products are designed to bring substantial amounts of data into an organization’s existing security stack allowing our customers to continually assess and monitor ongoing risks to the organization. With our recent acquisition of SecurityAdvisor, we believe we will be able to address an entirely new category of risk associated with human behavior through the introduction of Human Detection and Response or HDR. Through integrations with an organizations’ existing security layers, we expect to be able to take real-time corrective action against insecure human behaviors based on data obtained through existing technical security controls.
As the behavior of any employee could represent a threat, our customers tend to adopt our platform across the entire organization to protect all employees from social engineering threats. We have developed an effective go-to-market strategy that has been proven to help us reach both small and midsized businesses and large enterprises. We employ an efficient inside sales model that translates across all customer segments, complimented by channel partnerships that provide significant sales leverage and have enabled us to further penetrate the enterprise market.
Key Strengths of Our Platform
We provide an integrated platform that enables organizations to assess, monitor and mitigate the persistent threat of social engineering. Our cloud-based platform employs a differentiated combination of software, machine learning, artificial intelligence, analytics, insights, content and security workstreams that is designed to meaningfully impact human behavior and continually improve an organization’s security posture in response to social engineering threats. The key strengths of our platform include:
Targeted Focus on Human Behavior
Our platform is exclusively focused on human behavior, as we believe that elevating the security awareness of an organization’s employees is essential to managing the risk associated with social engineering. We believe that infrastructure-based security controls alone are inadequate, requiring humans to become the critical last line of defense for an organization. In growing the category for security awareness, we are focused on building a platform capable of changing insecure behaviors and reinforcing secure behaviors of individuals. This allows us to invest in technology and development resources to drive innovation and differentiation in products designed to address the human layer of security. We believe our focus has helped us establish market leadership and will position us favorably to capitalize on market opportunities as the scope of the human layer of security expands.
Continuous Intelligence and Analytics
Our platform continuously assesses users and monitors social engineering risk, creating an active feedback loop that enables organizations to drive improvements in employee security awareness and overall security posture. Frequent training, knowledge checks and behavior-based intervention all reinforce secure behaviors and provide critical data for measuring, improving and maintaining security awareness within an organization.
The advanced analytics delivered by our platform enable security administrators to identify, monitor and manage the social engineering risk of the organization as a whole, or of individual employees or groups of employees. Our platform analyzes a broad and extensive set of risk data to assess the level of social engineering risks within an organization and provides security professionals with actionable insights to modify and improve security awareness programs based on risk profiles at the individual or group level. Through the learner experience dashboard, our platform also provides employees visibility into their individual susceptibility to social engineering threats, which promotes continuous engagement and improvement in security awareness.
Effective and Efficient Security Awareness Administration
Our platform is designed to enable security administrators to mitigate social engineering risk through automated, machine learning-driven administration of training specifically customized to an individual user or group of users. The platform analyzes users’ behavior and allows organizations to categorize employees based on dynamic or custom groupings to tailor simulated social engineering campaigns, assignments and analytical reporting based on identified potential vulnerabilities. Our platform leverages a machine learning engine to provide administrators with targeted recommendations based on the results of simulated tests and users’ risk scores prompting the delivery of relevant content designed to reduce the risks associated with social engineering.
The platform also includes embedded SOAR functionality to prioritize and automate security operations related to user-reported social engineering threats. With these capabilities, security professionals can minimize risk to the organization by quickly responding to and effectively remediating the most severe social engineering threats. All together, these capabilities are designed to reduce the administrative burden of security awareness management and operations on resource-constrained IT and security professionals.
Expansive Library of Engaging and Effective Content
We have built an expansive library of differentiated security awareness content that is continuously refreshed to ensure that our offerings always reflect the expanding range of social engineering threats. We leverage our extensive proprietary data set on human behavior and social engineering attacks, first-party threat environment research and crowd-sourcing methods to update our simulated threat templates, in order to convincingly emulate real-world social engineering methods.
We believe the range and sophistication of our content library and technology makes our platform highly effective in changing human behavior to reduce social engineering risk. We employ dedicated content centers of excellence across geographies to produce differentiated content that reflects themes based on the broader global threat environment, but is highly localized and culturally relevant. The breadth and scope of our content enables it to fully meet the needs of large global enterprises with geographically diverse workforces, driving increased customer satisfaction and retention.
Ease of Platform Deployment and Use
We have designed our platform to be easy to deploy and use, enabling our customers to achieve rapid time-to-value and cost efficiency in security awareness operations. Our cloud-based platform requires minimal implementation efforts, enabling customers to quickly onboard and complete an initial baseline simulated social engineering campaign. We have also developed integrations with mainstream identity platforms, including Active Directory and SCIM, that further streamline platform deployment and ongoing user administration. Our management console offers simple and automated administration of security awareness programs and related workstreams, reducing the resource and expertise requirements on the organization. For employees, the user interface of our platform has also been designed to deliver an intuitive, easy-to-use and high quality experience.
Designed to Serve the Entire Market
The ability to scale our technology to meet the needs of all organizations has been a central tenet of our platform design philosophy from the beginning. As a result, we have designed our products to be both accessible to smaller organizations without dedicated IT departments and scalable to organizations with hundreds of thousands of users and multiple security teams dispersed across the world. Our cloud-based delivery model, scalable multi-tenant architecture and global content centers of excellence allow us to regularly introduce new content and platform features to our customers quickly and seamlessly.
Our Market Opportunity
We estimate the total market opportunity for our platform currently to be approximately $23.0 billion. For our KMSAT, PhishER and Compliance Plus products, we calculate our market opportunity by applying a per employee price by size of business, based on internally generated customer spend data, to an estimated total number of employees across over 50 addressable geographies. For KCM, in the U.S., we apply an average contract value to a set number of organizations using internally generated customer spend data. Internationally, we estimate the size of the market as a multiple of the U.S. market. Our total market opportunity also includes an estimate of the market opportunity related to our future product that will be developed utilizing technology obtained through our acquisition of SecurityAdvisor and integrated into our platform. The sum of the calculated values across KMSAT, PhishER, Compliance Plus, KCM and our future product, as described herein, represents our total estimated market opportunity.
Our Growth Strategy
We believe we have significant opportunities to extend our market leadership. Key elements of our growth strategy include:
Expand Our Customer Base
We believe there is a significant opportunity to invest in our sales and marketing activities to drive broader market knowledge of the importance of security awareness. Increasing category awareness of our market enables us to expand our customer base with less education effort and more efficient go-to-market execution. We believe that businesses of all sizes are exposed to the risks of social engineering and that there is a large opportunity to help both small and medium sized businesses (“SMBs”), and large enterprises defend against this threat. In addition to growing the small to medium sized customer base that we have focused on since inception, we believe that there is significant opportunity to increase penetration in the enterprise segment, which we define as customers with 1,000 or more employees.
The international market represents an expansion opportunity for us. To pursue this opportunity, we are rapidly expanding our international operations and increasing our physical presence through headcount additions in Europe, the Middle East, Asia-Pacific and South America. We are also investing in further localizing our platform through foreign language translation and customized content. Our platform is currently accessible in over 30 languages and we plan to expand this language support in the future, along with increasing our region-specific content offerings.
Grow Our Partner Network
We plan to increase our channel partnerships to help us efficiently reach new territories and opportunities. Growing our international channel partnerships will help us reach new jurisdictions where we have not yet developed extensive brand awareness and local customer relationships. We believe managed service providers or MSPs, and channel partners represent an efficient way to sell to smaller customers, as organizations with limited or no IT departments often rely on MSPs to provide specialized security skills or knowledge. As our business becomes more mature, we believe the revenue contribution from channel partners and MSPs will continue to increase.
Expand Our Existing Customer Relationships
We plan to continue cross-selling products and upselling subscription tiers within our existing customer base. Our extensive existing customer base provides substantial opportunity to expand use of our platform offerings as well as upgrade existing subscriptions to higher tiers. We believe that our integrated platform and the strength of our customer success program are key to our ability to cross-sell and upsell to our existing customers. We plan to create new adjacencies and use cases through investments in our technology and platform and customer success personnel to retain existing customers and drive increased product attachment rates.
Invest in Our Platform and Content
We believe that continued investment in our technology platform and content is important to our ability to maintain and extend our market leadership. We invest in technology and development activities to continuously strengthen our platform and release additional features and products to the market. These development efforts stay true to our core principles that the human layer in cybersecurity is important and that the human layer can be addressed without adding significant complexity to the end user or IT security professional. We believe that our ability to leverage the immense amount of data collected from our customers’ usage and to incorporate their feedback into our platform and content offerings have contributed to our market-leading position. We continue to explore methods to monetize our data assets in the future and to integrate customer feedback into future product development opportunities.
Selectively Pursue Strategic Acquisitions
We plan to pursue strategic acquisitions that we believe will be complementary to our existing platform, enhance our technology and our content, and increase the value proposition we deliver to our customers. For example, we may pursue acquisitions that we believe will help us add new features, accelerate customer growth, enter new markets and add talent and expertise to our organization.
The KnowBe4 security awareness platform consists of:
•Kevin Mitnick Security Awareness Training, or KMSAT, our security awareness training product, which enables continuous assessment of employees through simulated social engineering attacks across multiple mediums and remediation through real-time delivery of highly engaging modules that are curated based on relevant and specific risks;
•Compliance Plus, our compliance training product, which enables organizations to provide their employees with relevant, timely and engaging compliance content across a broad range of topics from data privacy to diversity, equity and inclusion;
•PhishER, our SOAR product, which enables security professionals to prioritize and automate security workstreams in response to attacks targeted at the human layer; and
•KnowBe4 Compliance Manager, or KCM, our governance, risk and compliance product, which enables organizations to analyze security risk and automate the management of compliance and audit functions.
All of our products are built on a cloud-based architecture designed to be easy to deploy across organizations of all sizes. We also build machine learning and artificial intelligence into our products to increase the product’s ability to enable behavioral change and to allow the administration of our products to be streamlined and efficient.
Our platform features integrated capabilities that are designed to enhance the overall value proposition to our customers and their employees. Through advanced analytics and risk scoring capabilities, our platform enables customers to proactively identify social engineering risk within their organizations. When a customer is onboarded, our platform provides a baseline risk assessment based on the performance of individual users in an initial simulated phishing campaign. Based on the risk assessment, our platform can enable the automatic administration of high quality, effective training aimed at mitigating identified risk. Organizations are then able to continuously simulate a
wide array of social engineering attacks, giving users the ability to fail safely, adjust their behavior and learn through action. This continuous cycle creates an active feedback loop and increases engagement which helps prevent users from reverting to risky behavior.
As users become more effective at identifying and reporting potential social engineering attacks, our orchestration, automation and response capabilities help security professionals efficiently manage the workstreams associated with user-reported threats. We leverage a vast repository of proprietary data gathered from user-reported threats that have bypassed infrastructure-based security defenses to evolve our platform, automation capabilities and security content to reflect the latest threat environment. Our dataset continually expands and becomes more valuable as the number of users on the platform and the security awareness of those users increase. This greatly enhances our ability to leverage the data derived from our customer base in improving our platform.
Our platform’s underlying features and capabilities include AI and machine learning, advanced analytics, risk scoring, reporting dashboards and flexible APIs. Organizations utilize these tools to continuously assess the ongoing risk of social engineering, respond to these threats and ultimately automate the enterprise’s defense against human-based cyberattacks. We also offer several free tools that provide IT professionals with the ability to identify and respond to a wide range of social engineering threats as well as to assess general end-user security behaviors. These free tools provide us with lead generation capabilities to focus on exposing organizations to our platform in a cost-efficient way. The capabilities of these tools are distinct from our paid products and focus on highlighting the need for effective security awareness.
Kevin Mitnick Security Awareness Training (KMSAT)
Our flagship Security Awareness Training product, KMSAT, is named after our Chief Hacking Officer, Kevin Mitnick. Kevin’s history as a hacker and as a security consultant gave him unique insights into the social engineering techniques that are used by hackers to target employees and gain access to corporate networks, credentials and information. KMSAT has been recognized by independent industry research firms, including Gartner and Forrester Research, as a leader in Security Awareness Training.
KMSAT is a “new-school” security awareness product that combines automated phishing and social engineering simulation tests with engaging and curated content spanning across a variety of mediums, including email, SMS and voice. Our robust machine learning and data analytics capabilities allow our cyberattack simulations and training curriculum to automatically adapt to learner needs. We have developed advanced technological features including a full randomization feature that simulates the real world – every employee receives a random template at a random time, designed to eliminate the “prairie-dog effect” which occurs when co-workers alert each other of a test. Our patented Smart Groups feature allows organizations to categorize employees based on dynamic or custom groupings to tailor phishing campaigns, training assignments and analytical reporting. The data analysis capabilities offered by our Advanced Reporting features allow organizations to review the outcomes of social engineering and training campaigns across several dimensions and use enterprise-grade APIs to allow for customization of reports, integration with other business systems and ease of executive reporting.
We have also developed a machine learning engine that provides administrators with training recommendations based on the results of simulated social engineering tests and users’ risk scores. Our Virtual Risk Officer ingests and calculates data across a multitude of sources, evaluates the data using machine learning and provides dynamic Risk Scores — assigned to users, groups and organizations as a whole — empowering customers to make data-driven decisions. Calculated using both internal and external factors, including training history, simulation history, breach data and job function, the Risk Score is designed to measure how likely the user is to be targeted with a phishing or social engineering attack, how they would react to these types of events and how severe the consequences would be if they fell for an attack. The user Risk Score dashboard is continually updated to reflect the users’ completion of training and responses to simulated phishing emails, with the goal of providing an accurate view of the individual’s and organization’s overall susceptibility to social engineering attacks over time.
We believe we offer the world’s largest library of security awareness training with over a thousand items of content, including interactive modules, videos, games, posters and newsletters. Our content library is constantly
being updated with new materials created based on the latest social engineering tactics. Our training portal is intuitive and easy to use, and the production value of our premium content is comparable to that of a TV series or film.
KMSAT is offered on a SaaS subscription basis to serve the varying needs of our diverse customer base, from small businesses to large enterprises. We offer a range of subscription tiers at different pricing levels, which provide access to varying levels of functionality and content. Our basic tiers – Silver and Gold – offer access to features that are essential to an organization’s security awareness needs, including unlimited simulated social engineering tests, basic training content, machine learning-based individual security risk scoring and access to add-on features such as the Phish Alert button and phishing email reply tracking. Our Platinum tier provides users access to advanced reporting capabilities, such as reporting APIs and user event APIs, as well as advanced administrative functions, such as Smart Groups and Security Roles that help manage users, groups and various security roles within organizations. Our Platinum users also receive priority-level customer support. Our Diamond tier is our most popular subscription tier and includes access to our Artificial Intelligence-driven Agent, AIDA™, and additional pieces of premium content, including our award-winning The Inside Man series. The vast majority of our KMSAT customers subscribe to our Platinum and Diamond tiers.
The Compliance Plus product brings the “new-school” approach we pioneered with security awareness into the compliance market. Compliance Plus provides organizations’ employees with relevant and engaging content as well as training modules that address compliance topics ranging from data privacy to business ethics to diversity, equity and inclusion. Compliance Plus is accessible through the existing KnowBe4 platform which allows administrators access to robust, existing customization and automation features, such as automatic enrollment and advanced reporting. Additionally, we believe the Compliance Plus product will bring valuable behavioral data to our already data-rich platform, enabling organizations to further focus on mitigating risks presented by their employees. Compliance Plus is offered as a subscription that is paired with a customer’s new or existing KMSAT subscription.
PhishER was created to help security administrators deal with the influx of user-reported social engineering attacks from an employee base that was made increasingly knowledgeable with KMSAT. PhishER allows the IT security team to analyze suspected attacks that employees report by clicking the Phish Alert Button, or PAB, within their email applications. PhishER integrates with major email platforms and related mobile applications, including Microsoft Outlook, Office 365 and G Suite. PhishER continues the remediation work-cycle by providing security incident response teams with a powerful platform to analyze reported emails and respond to threats faster and more effectively.
We designed PhishER to give security teams the ability to evaluate reported threats by using standard prioritization rules embedded in the platform or by creating custom rules to more closely align to their individual organization’s needs. These rules are applied to reported threats to automatically categorize them into “Emergency Rooms.” PhishER Emergency Rooms are built into the platform to show security teams pre-filtered views of reported messages, allowing drill down capabilities to take bulk actions on groups of messages. PhishER leverages our PhishML machine learning engine to analyze, categorize, evaluate threat levels and respond to each reported threat.
A key to the success of PhishER is that the emails used to train PhishML have already made it through email filters and security gateways to land in the end-users’ inboxes. This means that the machine learning model is being fed a unique stream of data that other security measures have failed to address, thereby improving the model’s accuracy and allowing more automated prioritization and decisioning. If an email is determined to be a threat, PhishER searches and, if directed, quarantines similar messages across all inboxes in the organization. Matching messages present in other users’ inboxes are then queued for further analysis, quarantine, or permanent deletion via our PhishRIP feature, which seamlessly integrates with major email platforms. If the user-reported email is determined to be safe and legitimate, it can be returned to the user. We believe the PhishER platform allows the IT Security team to close-the-loop on social engineering with the end-user and protect the organization.
KnowBe4 Compliance Manager (KCM)
KCM was designed to help our customers save time and resources by providing an intuitive user interface with streamlined workflows that enables visibility into the ongoing audit and compliance processes at all levels of the business. To further simplify the user experience, we developed workflow templates that are applicable to a variety of common compliance needs, including the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI-DSS), among others. These templates, along with the ability for users to create their own custom workflows, allow the KCM product to easily scale across a variety of different compliance needs and programs. A recent addition to the KCM product is the Vendor Risk Management module, which allows our customers to centralize their vendor management process. This includes the onboarding of new vendors in a streamlined manner and tracking a vendor’s compliance with policies and procedures throughout the vendor lifecycle. Additionally, KCM dashboards have been specifically designed with automated reminders to equip users with the tool in the timely completion and tracking of compliance activities.
Our current product pipeline includes Security Coach, our future product that will incorporate technology gained through the SecurityAdvisor acquisition to address human behavior risks through HDR. Security Coach will utilize a cloud interface to download and aggregate security alerts from our customers’ existing security products, analyze those alerts and provide actionable messages to users through standard email and messaging applications. These messages are designed to address insecure behaviors in real-time. Additionally, our product code-named PasswordIQ will be used to mitigate risk related to password hygiene issues, such as weak or breached passwords. This product will monitor security risks detected with users’ passwords, organize this risk data on a dashboard and facilitate automatic employee training based on the risks identified.
As part of our go-to-market strategy, we offer a robust set of free tools that add value to our customers and help generate leads for our sales teams. Our free tools help users assess their security vulnerabilities and protect themselves against emerging security threats and challenges. Our strategy is to leverage the free tools as our lead generation engine to drive awareness, increase brand exposure and convert more users to long-term paying customers on our core products. Our free tools also provide important usage data and user feedback for our new product development. Oftentimes, we convert free tools into paid products after adding more functionalities. Our free tools include phishing tools, password tools, email security tools and other security awareness training tools. These tools are designed help organizations assess their vulnerability to various formats of phishing attacks, benchmark their security awareness levels, evaluate password-related risks, assess email-related security threats and help IT teams create and deploy security awareness programs.
We operate within the broader cybersecurity market and we believe we are one of the only companies that is primarily focused on the human layer of cybersecurity. The security awareness market is largely a greenfield market. Certain larger enterprise providers attempt to address the security awareness market through their own infrastructure-centric product offerings; however, these offerings are often tied to other products within their portfolio and do not focus on changing human behavior. While there are some smaller security awareness focused companies in the market, none have grown to a meaningful scale to be considered a material competitor.
We believe that we compete primarily on the following factors:
•our ability to provide an integrated platform for organizations to assess, monitor and mitigate the persistent threat of social engineering;
•the incorporation of artificial intelligence, machine learning, automation and integrations into our platform;
•the overall strength of our sales, marketing and channel relationships;
•our brand awareness and reputation within the market;
•the perceived value of our products relative to the subscription cost;
•the quality and breadth of our content offerings; and
•our ability to provide a seamless customer experience for both IT personnel and individual users of our platform within the organization.
Although certain of our competitors may enjoy greater resources and recognition and customer relationships outside of security awareness, we believe that we compete favorably within our market with respect to these factors.
We define a customer as a separate and distinct buying entity, such as a company, an educational or government institution, or a distinct business unit of a large company that has an active contract with us to access our platform. As security awareness is a fundamental need for all organizations, we represent virtually all industry verticals. We have experienced success in industries where cybersecurity is of particular importance, such as financial services, technology, professional services, healthcare and the public sector. Additionally, we have received Federal Risk and Authorization Management Program, or FedRAMP, authorization to sell our KMSAT product to federal government agencies. We plan to apply for additional FedRAMP certifications for other products on our platform in the future. None of our customers accounted for more than ten percent of our revenues during the years ended December 31, 2021, 2020 or 2019. In addition, we do not have any material dependencies on any specific product, service or particular group or groups.
Sales and Marketing
We operate an inside sales model as well as a network of MSPs and channel partners, both domestically and internationally. Our inside sales representatives and partners are collectively responsible for our initial customer acquisition. Customers typically deploy our platform to their entire end user base upon initial subscription. We utilize our team of customer success managers to ensure onboarding to our platform and help drive adoption of additional features and products. Dedicated pricing specialists are tasked with negotiating customer renewals, along with upselling and cross-selling. Our cloud-based platform enables our inside sales team to seamlessly upgrade subscription tiers and activate additional products on behalf of customers. Additionally, we offer transparent and competitive pricing, which we believe translates into an efficient sales cycle.
Our marketing strategy is highly focused on demand generation driving our opportunity pipeline. This strategy is intended to be applied broadly across all organization sizes and industries; however, some verticals like finance, healthcare and manufacturing have been exceptionally receptive. We offer over a dozen free tools that add value to our customers and help generate leads for our sales teams. Many of these tools integrate directly into our platform to provide additional layers of intelligence and risk data to our customers. These tools increase our sales velocity and are a testing ground for future paid products on our platform. Additionally, we run hundreds of webcasts annually, participate in cybersecurity industry events and utilize our product evangelist team to drive market awareness. We anticipate further building our marketing team and are investing in channel relationships to further penetrate up-market accounts.
Research and Development
Our research and development team is responsible for the design, development, testing and quality of our cloud-based platform. In addition to improving on our features and functionality, this team works to ensure that our platform is available, reliable and stable. We invest substantial resources in research and development to enhance our platform features and functionalities and develop new products designed to expand our presence in the security awareness market. We believe the timely development of new features and the enhancement of our existing platform
is essential to maintaining our competitive position. Our research and development team works closely with our customer success team to collect user feedback to enhance our development process as we continually incorporate suggestions and feedback from our customers into our platform. We also believe our research and development teams’ focus on developing new products that address the continuously evolving risks of social engineering and security awareness will help us maintain our market leading position. We utilize an agile development process to deliver numerous releases, fixes and feature updates each year and capitalize qualifying costs of developing larger scale projects. Our research and development team is primarily based in Clearwater, Florida, but we continue to build out additional research and development capabilities in certain international jurisdictions who supplement our core team.
We are subject to various federal, state, local, and foreign laws and regulations, including those relating to data privacy, protection and security, intellectual property, employment and labor, workplace safety, consumer protection, anti-bribery, import and export controls, economic sanctions, immigration, federal securities, and tax. In addition, we are subject to various laws and regulations relating to the formation, administration, and performance of contracts with our customers in heavily regulated industries and the public sector, which affect how we and our partners do business with such customers. Additional laws and regulations relating to these areas likely will be passed in the future, and these or existing laws and regulations may be interpreted or enforced in new or expanded manners, each of which could result in significant limitations on how we operate our business. New and evolving laws and regulations, and changes in their enforcement and interpretation, may require changes to our platform, offerings or business practices, and may significantly increase our compliance costs and otherwise adversely affect our business, financial condition, and results of operations. As our business expands to include additional platform functionalities and offerings, and our operations continue to expand internationally, our compliance requirements and costs may increase, and we may be subject to increased regulatory scrutiny.
See the sections titled “Risk Factors,” including the subsections titled “Risk Factors—Risks Related to Governmental Regulation and Taxation—Complying with evolving privacy and other data related laws and requirements may be expensive and force us to make adverse changes to our business, and failure to comply with such laws and requirements could result in substantial harm to our business,” “Risk Factors—Risks Related to Governmental Regulation and Taxation—We are subject to laws and regulations, including governmental export and import controls, sanctions, anti-boycott regulations and anti-corruption laws that could impair our ability to compete in our markets and subject us to liability if we are not in full compliance with applicable laws,” “Risk Factors—Risks Related to Governmental Regulation and Taxation—Failure to comply with laws and regulations applicable to our business could subject us to fines and penalties,” and “Risk Factors—Risks Related to Governmental Regulation and Taxation—Sales to government entities are subject to a number of challenges and risks” for additional information about the laws and regulations we are subject to and the risks to our business associated with such laws and regulations.
We believe that our intellectual property rights are valuable and important to our business. We rely on trademarks, patents, copyrights, trade secrets and know-how, license agreements, intellectual property assignment agreements, confidentiality procedures, non-disclosure agreements and employee non-disclosure and invention assignment agreements to establish and protect our proprietary rights. Though we rely in part upon these legal and contractual protections, we believe that factors such as the skills and ingenuity of our employees and the functionality and frequent enhancements to our solutions are larger contributors to our success in the marketplace.
As of December 31, 2021, we had 71 issued patents in the United States, 62 patent applications pending in the United States and 5 patent applications pending internationally. Our issued patents expire between February 2037 and September 2040, and 3 of our pending patent applications have been allowed. These patents and patent applications seek to protect our proprietary inventions relevant to our business. We intend to pursue additional intellectual property protection to the extent we believe it would be beneficial and cost-effective. Despite our efforts to protect our intellectual property rights, they may not be respected in the future or may be invalidated, circumvented, or challenged. Our industry is characterized by the existence of a large number of patents and
frequent claims and related litigation based on allegations of patent infringement or other violations of intellectual property rights. We believe that competitors will try to develop products that are similar to ours and that may infringe our intellectual property rights. Our competitors or other third-parties may also claim that our security platform and other products infringe their intellectual property rights. In particular, some companies in our industry have extensive patent portfolios. From time to time, third parties have in the past and may in the future assert claims of infringement, misappropriation and other violations of intellectual property rights against us or our customers, with whom our agreements may obligate us to indemnify against these claims. Successful claims of infringement by a third party could prevent us from offering certain products or features, require us to develop alternate, non-infringing technology, which could require significant time and during which we could be unable to continue to offer our affected products or solutions, require us to obtain a license, which may not be available on reasonable terms or at all, or force us to pay substantial damages, royalties, or other fees.
Human Capital Resources
Our corporate culture is built on the goal of creating an environment where employees feel safe, feel they belong, in an inclusive team environment where they can rise to their full potential, and deliver their top performance in a sane, fun work environment. We strive to reach this goal by placing a focus on recruiting team-oriented, hardworking individuals, training those individuals, developing strong teams and creating an organized, efficient workplace. We believe that retaining employees who consistently contribute to the organization’s success in measurable ways is key to sustaining strong teams. We drive employee retention through our market-based compensation philosophy and the adoption of a holistic employee benefits package. In addition, our strong commitment to promoting diversity and inclusion has fostered a highly collaborative and motivated workforce. As of December 31, 2021, we had 1,366 full-time employees, of which 264 were located outside the United States.
Culture and Employee Engagement
We recognize that people are at the heart of our success and we leverage the broad diversity of our teams’ knowledge and identities to build quality products that reflect the collective experience of our users and surrounding communities. We believe our efforts in managing our workforce have been effective, as evidenced by recent awards including the 2022 Top Workplaces USA award for our size category, which was based solely on employee feedback, 2021 Fortune Best Workplaces for Women and Millennials and 2021 Mogul Top 100 Workplaces for D&I Initiatives, among others. We receive feedback on our culture directly from our employees through our annual, anonymous employee engagement survey. We also monitor external feedback, such as Glassdoor, where we were named on Glassdoor’s 2021 list of “Best Places to Work”.
Recruitment and Talent Development
As part of our recruiting initiatives, we sponsor several scholarship opportunities, including scholarships focused on increasing the presence of women, military veterans and other historically underrepresented minorities within the cybersecurity industry. We also sponsor various development programs to assist with our recruitment efforts including both sales-focused and technical-focused career development programs and internships focused on providing practical skills. training and relevant work experience.
We believe that a positive onboarding experience is foundational to positive employee engagement and rapid productivity. Our onboarding process is dedicated to ensuring all employees understand our culture, policies and products. We focus on the continuous education of our entire employee base by providing opportunities for real-time learning.
Compensation and Benefits
We provide competitive compensation and benefits packages to attract and retain our leading talent, including overall team incentive bonuses and stock compensation. We also offer a wide range of health and well-being programs designed to meet our employees’ physical and mental needs. We believe fair pay is essential to our ability to attract and motivate the highly qualified and diverse employees who are at the center of our current and future success.
Diversity, Equity and Inclusion
We understand the work needed to support and foster a culture of inclusivity and belonging. This is continuous and relies on our three components of (1) building diverse workforces and the accompanying knowledge bases to support our employees, (2) conquering bias, discrimination and inequity, and (3) celebrating diversity and all the intersections of identities that make us who we are. Our diversity, equity, and inclusion programs continue to advance a culture of inclusivity. We have seven employee resource groups or ERGs, including Knowster Parents, Black Knowsters Network, Women in Technology, LGBTQIA+, LatinX, Asian and Asian Pacific Islanders and the Military and Veterans Resource Group, which are employee-led groups that play a vital role in building understanding and awareness. The diversity of our workforce is an example of this vision in action. In 2021, females represented 40.6% of our workforce and approximately 25% of our workforce was made up of underrepresented groups, which we define as employees who identify as Black, Latinx, Indigenous, Multiracial, Asian, American Indian or Alaska Native, Native Hawaiian or Other Pacific Islander.
We have also created four “Start” programs which allow individuals from underrepresented groups or non-traditional backgrounds to transition into our technical support, customer success and research and development teams. These programs are (1) Jump Start, for high school or GED graduates, (2) Re-Start, for individuals looking for a career change, (3) New Start, for members of the military transitioning into civilian life, and (4) Code Start, for individuals interested in engineering careers who do not have traditionally required experience.
Sustainability and Environmental Responsibilities
We take environmental responsibility seriously and are committed to sustainability for the good of our customers, employees and the planet. We are committed to doing our part to reduce environmental impacts of our business. In 2021, we committed to achieve net zero carbon emissions across our business by 2040, to increase our use of clean, renewable energy to at least 25% for all of our offices globally by 2025 and to reach an overall annual average waste diversion rate of 80% in 2022 and 90% by 2023. We also value our role as a good corporate citizen and are dedicated to making a positive social impact through various employee-led initiatives.
We were formed as a limited liability company in Delaware in August 2010 under the name SEQRIT, LLC and subsequently changed our name to KnowBe4, LLC. We then converted into a Delaware corporation under the name KnowBe4, Inc. in January 2016. Our headquarters is located at 33 N. Garden Avenue, Suite 1200, Clearwater, FL 33755 and our telephone number is (855) 566-9234.
Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and other filings with the Securities and Exchange Commission (“SEC”), and all amendments to these filings, can be obtained free of charge from our website at www.knowbe4.com or by contacting our Investor Relations department at our office address listed above following our filing of any of these reports with the SEC. The SEC maintains an internet site that contains reports, proxy and information statements and other information regarding issuers that file electronically with the SEC at www.sec.gov. The contents of these and other websites referenced throughout the filing are not incorporated and do not constitute a part of this filing. Further, the Company’s references to the URLs for these websites are intended to be inactive textual references only.
We announce material information to the public about us, our products and other matters through a variety of means, including filings with the SEC, press releases, public conference calls, webcasts, the investor relations section of our website (investors.knowbe4.com), our Twitter account (@KnowBe4) and our blogs (including blog.knowbe4.com) in order to achieve broad, non-exclusionary distribution of information to the public and for complying with our disclosure obligations under Regulation FD.
Item 1A. Risk Factors
An investment in our Class A common stock involves a high degree of risk. You should carefully consider these risk factors, together with all of the other information included in this Annual Report on Form 10-K, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes, before deciding whether to invest in our Class A common stock. The risks and uncertainties described below may not be the only ones we face. If any of the risks actually occur, our business, financial condition, results of operations, cash flows and prospects could be adversely affected. In that event, the market price of our Class A common stock could decline, and you could lose part or all of your investment.
Risk Factor Summary
Our business is subject to a number of risks, including those outside of our control, that may adversely affect our business, financial condition, results of operations, cash flows and prospects. These risks are discussed more fully below and include, but are not limited to:
Risks Related to Our Business and Industry
•Our limited operating history including history of losses;
•We have experienced rapid growth in recent periods and could experience difficulties managing our future growth;
•Our long-term focus on growth;
•Our ability to attract new customers and retain our existing customers;
•Failure to effectively develop and expand our sales and marketing capabilities or maintain successful relationships with our channel partners;
•Our exposure to risks related to international operations and plans for future international expansion;
•A network, systems or data security incident may allow unauthorized access to our network, systems or data or our customer’s data;
•Our reliance upon Software-as-a-Service, or “SaaS”, technologies from third parties to operate our business;
•The delayed reflection of new sales in our results due to recognizing revenue over the term of our customer contracts;
•The application of or changes in complex accounting rules;
•We must maintain an effective system of internal controls over our financial reporting in order to produce timely and accurate financial statements and comply with applicable regulations;
•The requirements of being a public company may strain our resources and divert management’s attention;
Risks Related to Our Platform and Products
•Our ability to develop or acquire new products and/or provide successful updates, enhancements and features to our technology;
•Interruptions or delays in the services provided by third-party data centers or internet service providers;
•Failure of our platform and/or our products to perform properly;
Risks Related to Our Intellectual Property
•An exposure to an infringement claim or a claim that results in a significant damage award;
•Our ability to protect our proprietary rights;
•Usage of open source software in our products;
•Usage of third party technology and software in our platform and products;
Risks Related to Government Regulations and Taxation
•Our failure to comply with evolving data privacy and other data related laws and requirements;
•Our failure to comply with laws and regulations, including governmental export and import controls, economic sanctions or anti-boycott laws;
•Adverse changes in tax laws or regulations in the various jurisdictions where we are subject to taxation;
Governance Risks and Risks Related to Ownership of Our Class A Common Stock
•The dual-class structure of our common stock, which has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our IPO;
•The volatility of the market price of our Class A common stock;
•We have no intention of paying dividends in the foreseeable future;
•Potential dilution to our existing stockholders due to the issuance of additional stock in connection with financings, acquisitions, investments, or our equity incentive and employee stock purchase plans;
Risks Related to Macroeconomic Conditions
•Adverse economic conditions or reduced IT security spending; and
•The unpredictability of the impact of the COVID-19 pandemic.
Risks Related to Our Business and Industry
We have a limited operating history, which makes it difficult to forecast our revenue and evaluate our business and future prospects.
We have been in existence since 2010 and much of our growth has occurred in recent periods. As a result of our limited operating history, our ability to forecast our future results of operations and model future growth is limited and subject to a number of uncertainties. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in rapidly changing industries. Accordingly, we may be unable to prepare accurate internal financial forecasts or replace anticipated revenue that we do not receive as a result of these risks and uncertainties, and our results of operations in future reporting periods may be below the expectations of investors. If we do not address these risks successfully, our results of operations could differ materially from our estimates and forecasts or the expectations of investors, causing our business to suffer and our stock price to decline.
We have a history of losses and may not be able to achieve or sustain profitability in the future.
We have incurred net losses in all annual periods since our inception, and we expect we will continue to incur net losses for the foreseeable future. We experienced net losses of $11.8 million, $2.4 million, and $124.3 million for the years ended December 31, 2021, 2020, and 2019, respectively, and as of December 31, 2021, we had an accumulated deficit of $173.1 million. Because the market for our platform and products has not yet reached widespread adoption, it is difficult for us to predict our future results of operations. We expect our operating expenses to increase significantly over the next several years, as we continue to hire additional personnel,
particularly in sales and marketing, expand our operations and infrastructure, both domestically and internationally, and continue to develop our platform and products. In addition to the expected costs to grow our business, we also expect to incur significant additional legal, accounting and other expenses as a newly public company. If we fail to increase our revenue to offset the increases in our operating expenses, we may not achieve or sustain profitability in the future.
We have experienced rapid growth in recent periods, and if we do not manage our future growth, our business and results of operations will be adversely affected.
We have experienced rapid growth in recent periods and we expect to continue to invest broadly across our organization to support our growth. Although we have experienced rapid growth historically, we may not sustain our current growth rates nor can we assure you that our investments to support our growth will be successful. The growth and expansion of our business will require us to invest significant financial and operational resources and will require the continuous dedication of our management team. We have encountered and will continue to encounter risks and difficulties frequently experienced by rapidly growing companies in evolving industries, including market acceptance of our platform and products, adding new customers, intense competition and our ability to manage our costs and operating expenses. Our future success will depend in part on our ability to manage our growth effectively, and if we fail to do so, our ability to ensure uninterrupted operation of our platform and products, comply with the rules and regulations applicable to our business and adequately address competitive challenges could be impaired. Any of the foregoing could adversely affect our business, financial condition and results of operations.
We believe our long-term value as a company will be greater if we focus on growth, which may negatively impact our profitability in the near term.
Part of our business strategy is to primarily focus on our long-term growth. As a result, our profitability may be lower in the near term than it would be if our strategy were to maximize short-term profitability. Significant expenditures on sales and marketing efforts, growing our platform and products and expanding our research and development, each of which we intend to continue to invest in, may not ultimately grow our business or cause long-term profitability. If we are ultimately unable to achieve profitability at the level anticipated by industry or financial analysts and our stockholders, our stock price may decline.
If we do not expand our current customer base by attracting new customers and retaining our existing customers our business, financial condition and results of operations could be harmed.
Since our customers tend to adopt our platform across their entire organization, to increase our revenue and achieve and maintain profitability, we must expand our customer base by attracting new customers and retaining our existing customers. To attract new customers, we must drive a broader awareness of the pervasive risks of social engineering. We will continue to invest in our inside sales force complemented by a channel strategy designed to increase brand awareness and to enable us to reach new territories and acquire new customers. Numerous factors, however, may impede our ability to acquire new customers, including our failure to recruit talented sales and marketing personnel and to retain and motivate our current sales and marketing personnel, to develop or expand relationships with effective channel partners and managed service providers, or MSPs, to successfully deploy products for new customers, to provide quality customer support once deployed and to execute on our marketing strategies.
Further, our customers have no obligation to renew their subscriptions for our platform and products after the expiration of their contractual period, which is typically one to three years, and in the normal course of business, some customers have elected not to renew. In addition, our customers may renew for fewer products, renew for shorter contract lengths or switch to a lower-cost subscription. If our customers do not renew their subscriptions, we could incur impairment losses related to our deferred contract acquisition costs. It is difficult to accurately predict long-term customer retention because of our varied customer base and given the length of our subscription contracts. Our customer retention and expansion may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with our products, our customer support, our prices and pricing plans, our customers’
spending levels, mergers and acquisitions involving our customers, competition and deteriorating general economic conditions.
Failure to effectively develop and expand our sales and marketing capabilities or maintain successful relationships with our channel partners could harm our ability to increase our customer base and achieve broader market acceptance of our products.
Our ability to increase our customer base and achieve broader market acceptance of our platform and products will depend to a significant extent on our ability to expand our sales and marketing operations and to maintain successful relationships with our channel partners. We plan to continue expanding our direct inside sales force and engaging additional channel partners, both domestically and internationally. This expansion will require us to invest significant financial and other resources and our business will be harmed if our efforts do not generate a corresponding increase in revenue. We may not achieve anticipated revenue growth from expanding our direct sales force if we are unable to hire and develop talented direct inside sales personnel, if our new direct inside sales personnel are unable to achieve desired productivity levels in a reasonable period of time or if we are unable to retain our existing direct inside sales personnel.
In order to grow our business, we anticipate that we will continue to depend on our relationships with our channel partners who we rely on, in addition to our direct sales force, to sell and support our products. We utilize channel partners to efficiently increase the scale of our marketing and sales efforts and increase our market penetration to customers who we otherwise might not reach on our own. Our agreements with our channel partners are generally non-exclusive, meaning our channel partners may offer customers competitive products from different companies, and generally allow the channel partner to terminate its agreements with us for any reason upon 30 days’ notice. For example, some of our channel partners also sell or provide integration and administration services for our competitors’ products, and if such channel partners devote greater resources to marketing, reselling and supporting competing products, this could harm our business, financial condition and results of operations. If our channel partners do not effectively market and sell our products, choose to use greater efforts to market and sell their own products or those of others or fail to meet the needs of our customers, our ability to grow our business, sell our products and maintain our reputation may be adversely affected. The loss of key channel partners, our possible inability to replace them or the failure to recruit additional channel partners could materially and adversely affect our results of operations. If we are unable to maintain our relationships with these channel partners, our business, financial condition, results of operations or cash flows could be adversely affected.
Our international operations and plans for future international expansion expose us to significant risks, and failure to manage those risks could adversely impact our business, financial condition and results of operations.
We derived 15.9%, 11.9%, and 9.7% of our total revenue from international customers for the years ended December 31, 2021, 2020 and 2019, respectively. We are continuing to adapt to and develop strategies to address international markets and our growth strategy includes expansion into various international jurisdictions, but there is no guarantee that such efforts will be successful. We expect that our international activities will continue to grow in the future, as we continue to pursue opportunities in international markets. These international operations will require significant management attention and financial resources and are subject to substantial risks, including but not limited to:
•greater difficulty in negotiating contracts with standard terms, enforcing contracts and managing collections and longer collection periods;
•higher costs of doing business internationally, including costs incurred in establishing and maintaining office space and equipment for our international operations;
•management communication and integration problems resulting from cultural and geographic dispersion;
•risks associated with trade restrictions and foreign legal requirements, including any importation, certification and localization of our platform and products that may be required in foreign countries;
•greater risk of unexpected changes in regulatory practices, tariffs and tax laws and treaties;
•compliance with anti-bribery laws;
•heightened risk of unfair or corrupt business practices and of improper or fraudulent sales arrangements;
•the uncertainty of protection for intellectual property rights in some countries;
•general economic and political conditions or events in these foreign markets, including, but not limited to, sanctioned countries, governments and industries around the world and other geopolitical uncertainty and instability, such as the ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the United States and other countries, and retaliatory actions taken by Russia in response to such sanctions;
•foreign exchange controls or tax regulations that might prevent us from repatriating cash earned outside the United States;
•double taxation of our international earnings and potentially adverse tax consequences due to changes in the tax laws of the United States or the foreign jurisdictions in which we operate;
•unexpected costs for the localization of our services, including translation into foreign languages and adaptation for local practices and regulatory requirements;
•requirements to comply with foreign privacy, data protection and information security laws and regulations, and the risks and costs of noncompliance;
•greater difficulty in identifying, attracting and retaining local qualified personnel, and the costs and expenses associated with such activities;
•greater difficulty identifying qualified channel partners and maintaining successful relationships with such partners; and
•differing employment practices and labor relations issues.
As we continue to develop and grow our business globally, our success will depend in large part on our ability to anticipate and effectively manage these risks. The expansion of our existing international operations and entry into additional international markets will require significant management attention and financial resources. Our failure to successfully manage our international operations and the associated risks could limit the future growth of our business.
A network, systems or data security incident may allow unauthorized access to our network, systems or data or our customers’ data, harm our reputation, create additional liability and adversely impact our financial results.
Increasingly, companies are subject to a wide variety of attacks on their networks and systems on an ongoing basis. These attacks include, but are not limited to, hacking, the use of phishing and other forms of social engineering, attempts to introduce malicious code (such as viruses, ransomware or other malware) into the systems and networks used in our business, employee or contractor error or intentional acts, including theft or misuse, denial of service or other brute force attacks, and sophisticated attacks perpetrated by nation-state and nation-state supported actors. Despite significant efforts to create security barriers to such threats, it is virtually impossible for us to entirely mitigate these risks, in particular, as the frequency and sophistication of cyberattacks increases. For example, cybersecurity researchers anticipate an increase in cyberattack activity in connection with the Russia’s actions in Ukraine. The security measures we have integrated into our internal networks and systems, and into our platform and products may not function as expected or may not be sufficient to protect our internal networks, platform and products against certain attacks. In addition, techniques used to sabotage or to obtain unauthorized access to networks in which data is stored or through which data is transmitted change frequently and generally are not recognized until launched against a target. As a result, we may be unable to anticipate these techniques or implement adequate measures to prevent an electronic intrusion into our networks or systems, unauthorized access to, loss or unavailability of, or unauthorized alteration, use or disclosure of data or other security breaches or
incidents. We also may face difficulties or delays in identifying, remediating and responding to attacks and actual or perceived security breaches and incidents.
Third parties also may attempt to fraudulently induce employees or customers into disclosing sensitive information such as user names, passwords or other information or otherwise compromise the security of our networks, electronic systems and/or physical facilities in order to gain access to our data or our customers’ data, which could result in significant legal and financial exposure, the loss, alteration or compromise of our sensitive or otherwise critical business information, a loss of confidence in the security of our platform and products, interruptions or malfunctions in our operations, and, ultimately, harm to our future business prospects and revenue. As a well-known provider of products in the security awareness market, we may be a particularly attractive target for these and other forms of attacks. Further, with many of our employees and other personnel working remotely, the security risks we and our service providers face are heightened.
Our customers’ storage and use of data concerning, among others, their employees, contractors, customers and partners is essential to their use of our platform and products, which stores, transmits and processes customers’ proprietary information and personally identifiable information. If a security breach or incident compromising the security of customer data were to occur or to be perceived to occur, as a result of third-party action, employee or contractor error, malfeasance or otherwise, and the confidentiality, integrity or availability of our customers’ data was disrupted or believed to have been disrupted, we could face claims by and incur significant liability to our customers and to individuals or businesses whose information was being stored by our customers. In addition, a network, systems or other security breach or incident, whether or not impacting or being perceived to impact the confidentiality, integrity or availability of our customers’ data, could result in the loss of customers and make it more challenging to acquire new customers.
In addition, security breaches and incidents impacting our platform and products could result in a risk of loss, unavailability or unauthorized access to or alteration, use, disclosure, or other processing of information maintained on or processed by our platform and products, which, in turn, could lead to claims, litigation, governmental audits and investigations and possible liability, damage our relationships with our existing customers and have a negative impact on our ability to attract and retain new customers. These breaches or incidents or any perceived breach or incident, of our employees, contractors, networks or systems, in particular, because of our position as a security awareness company, may also undermine confidence in our platform or products and result in damage to our reputation, negative publicity, loss of channel partners, customers and sales, increased costs to remedy any problem and costly litigation. In addition, a security breach or incident impacting one of our key channel partners or independent software vendors could result in the exfiltration of confidential corporate information or other data that may provide additional avenues of attack. If a high profile security breach or incident occurs with respect to another SaaS provider, our customers and potential customers may lose trust in the security of the SaaS business model generally, which could adversely impact our ability to retain existing customers or attract new ones, potentially causing a negative impact on our business. Any of these negative outcomes could adversely impact market acceptance of our products and could harm our business, financial condition and results of operations.
We may be required to expend significant capital and financial resources to protect against the foregoing threats and to alleviate problems caused by actual or perceived security breaches or incidents. While we maintain insurance that may cover certain liabilities relating to security breaches or incidents, subject to applicable deductibles and policy limitations, our insurance may be insufficient to cover all liabilities incurred, which could have a material adverse effect on our business, financial condition and results of operations. Additionally, we cannot be certain that insurance coverage will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim.
We rely upon SaaS technologies from third parties to operate our business, and interruptions or performance problems with these technologies may adversely affect our business, financial condition and results of operations.
We rely on hosted SaaS applications from third parties in order to operate critical functions of our business, including platform delivery, enterprise resource planning, customer relationship management, billing, project management and accounting and financial reporting. If these services become unavailable due to extended outages, interruptions or because they are no longer available on commercially reasonable terms, our expenses could
increase, our ability to manage finances could be interrupted and our processes for managing sales of our platform and products and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and implemented, all of which could adversely affect our business, financial condition and results of operations.
We recognize revenue from subscriptions over the term of our customer contracts, and as such, our reported revenue and related metrics may differ significantly in a given period, and our revenue in any period may not be indicative of our financial health and future performance.
A substantial majority of our revenue is recognized over the term of our customer contracts. As a result, much of the revenue we report each quarter is derived from contracts that we entered into with customers in prior periods. Consequently, a decline in new or renewed subscriptions in any quarter will not be fully reflected in revenue or other results of operations in that quarter but will negatively affect our revenue and other results of operations across future quarters. Any increases in the average term of subscriptions would result in revenue for those contracts being recognized over longer periods of time with less positive impact on our results of operations in the near term. Accordingly, our revenue in any given period may not be an accurate indicator of our financial health and future performance.
The market in which we participate is competitive, and if we do not compete effectively, our business, financial condition and results of operations could be harmed.
The market for our platform and products is rapidly evolving and fragmented, and we expect competition to increase in the future. Although we believe competitors who specifically attempt to manage the ongoing problem of social engineering are currently limited, a number of companies have developed, or are developing, products that currently are, or in the future may be, competitive with our offerings. For example, certain larger enterprise providers, such as Proofpoint, Mimecast and Cofense, all attempt to address human risk through a product offering that is often tied to other products and is not given a singular focus. Nevertheless, competition continues to increase in the market segments in which we operate, and we expect competition to further increase in the future. Larger competitors with more diverse product and service offerings may reduce the price of products or subscriptions that compete with ours or may bundle them with other products and subscriptions. These competitive pressures may cause our subscription prices to decline for a variety of reasons, including competitive pricing pressures, discounts, anticipation of the introduction of new products by competitors or promotional programs offered by us or our competitors. As a result, as competition in our market increases, it could result in increased pricing pressure, decreased revenue, increased sales and marketing expenses and loss of market share for us, any of which could adversely affect our business, financial condition and results of operations.
We may experience quarterly fluctuations in our results of operations due to a number of factors, including increasing variability in our sales cycles. These fluctuations make our future results difficult to predict and could cause our results of operations to fall below analyst or investor expectations.
Our quarterly results of operations fluctuate as a result of a number of factors, many of which are outside of our control and may be difficult to predict, including, but not limited to:
•the level of demand for our platform and products;
•the timing and success of new product introductions by us or our competitors or any other change in the competitive landscape of our market;
•pricing pressure as a result of competition or otherwise;
•the length and predictability of our sales cycle;
•seasonal buying patterns for IT spending;
•errors in forecasting the demand for our products, which could lead to lower revenue, increased costs or both;
•increases in and timing of sales and marketing and other operating expenses that we may incur to grow and expand our operations and to remain competitive;
•credit or other difficulties confronting our channel partners;
•adverse litigation judgments, settlements or other litigation-related costs;
•changes in the legislative or regulatory environment, including with respect to privacy, data protection and security and enforcement by government regulators, including fines, orders or consent decrees;
•system failures or actual or perceived security breaches;
•fluctuations in foreign currency exchange rates;
•costs related to the acquisition of businesses, talent, technologies or intellectual property, including potentially significant amortization costs and possible write-downs; and
•general economic conditions in either domestic or international markets, including geopolitical uncertainty and instability, such as the ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the United States and other countries, and retaliatory actions taken by Russia in response to such sanctions.
Any one or more of the factors above may result in significant fluctuations in our results of operations. As we continue to focus on sales to larger organizations, we expect our sales cycles to lengthen and become less predictable. You should not rely on our past results as an indicator of our future performance. The variability and unpredictability of our quarterly results of operations or other operating metrics could result in our failure to meet our expectations or those of analysts that cover us or investors with respect to revenue or other metrics for a particular period. If we fail to meet or exceed such expectations for these or any other reasons, the market price of our Class A common stock could fall substantially, and we could face costly lawsuits, including securities class action suits.
If we fail to maintain an effective system of internal controls over our financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
As a public company, we are subject to the reporting and corporate governance requirements of the Securities Exchange Act of 1934, as amended, or the Exchange Act, the listing requirements of Nasdaq and other applicable securities rules and regulations, including the Sarbanes-Oxley Act of 2002 and the Dodd-Frank Wall Street Reform and Consumer Protection Act. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended and anticipate we will continue to expend significant resources, including accounting-related costs, and provide significant management oversight. Any failure to develop or maintain effective controls, or any difficulties encountered in their implementation or improvement, could harm our operating results or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to implement and maintain effective internal controls also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we are required to include in our periodic reports that we will file with the SEC under Section 404 of the Sarbanes-Oxley Act.
We are not currently required to comply with the SEC rules that implement Section 404 of the Sarbanes-Oxley Act, and we are therefore not required to make a formal assessment of the effectiveness of our internal controls over financial reporting for that purpose. As a public company, we are required to comply with certain rules, which require management to certify financial and other information in our quarterly and annual reports and provide an annual management report on the effectiveness of our internal control over financial reporting commencing with our second Annual Report on Form 10-K. Additionally, our independent registered public accounting firm is not required to formally attest to the effectiveness of our internal control over financial reporting until after we are no
longer an emerging growth company. At such time, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our controls are documented, designed or operating. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the market price of our Class A common stock.
The requirements of being a public company may strain our resources and divert management’s attention.
As a public company, we are subject to the reporting and corporate governance requirements of the Exchange Act, the listing requirements of Nasdaq and other applicable securities rules and regulations. Among other things, the Exchange Act requires that we file annual, quarterly and current reports with respect to our business, financial condition and results of operations and maintain effective disclosure controls and procedures and internal control over financial reporting. Compliance with these rules and regulations will increase our legal and financial compliance costs, make some activities more difficult, time-consuming or costly and increase demand on our systems and resources, particularly after we are no longer an “emerging growth company” as defined in the Jumpstart Our Business Startups Act of 2012, or the JOBS Act. In addition, as a public company, we may be subject to stockholder activism, which can lead to additional substantial costs, distract management and impact the manner in which we operate our business in ways we cannot currently anticipate. As a result of disclosure of information in the filings required of a public company, our business, financial condition and results of operations will become more visible, which may result in threatened or actual litigation, including by competitors and other third parties. These new obligations and constituents will require significant attention from our senior management and could divert their attention away from the day-to-day management of our business, which could adversely affect our business, financial condition, and results of operations.
We depend on our executive officers and other key employees, the loss of whom could adversely affect our business.
We believe that our success is substantially dependent on our ability to attract, retain and motivate the members of our management team and other key employees throughout our organization. Although we have entered into employment agreements with our leadership team, our employees, including our executive officers, work for us on an “at-will” basis, which means they may terminate their employment with us at any time. In particular, we depend on the services of Stu Sjouwerman, our founder and Chief Executive Officer, who is critical to our future vision and strategic direction. We rely on our leadership team in the areas of research and development, operations, security, marketing, sales, customer support and general and administrative functions. If Mr. Sjouwerman or one or more of our key employees or members of our management team resigns or otherwise ceases to provide us with their service, and if we fail to have in place and execute an effective succession plan for key executives, our business could be harmed.
In addition, because our future success is dependent on our ability to continue to refresh and enhance our library of differentiated security awareness content and expand our platform features, we are heavily dependent on our ability to attract and retain qualified personnel with the requisite background and industry experience to drive content creation and product development. As we expand our business domestically and globally, our continued success will also depend on our ability to attract and retain qualified content development personnel capable of creating localized, culturally relevant security awareness content, as well as to attract and retain qualified sales, marketing and operational personnel capable of supporting a larger and more diverse customer base. The loss of the services of a significant number of our content, technology or sales personnel could be disruptive to our content and product development efforts, which could harm our ability to retain existing customers and to expand our global customer base.
The nature of our business requires the application of complex accounting rules, including revenue and expense recognition rules, and any significant changes in current rules, or interpretations thereof, could affect our financial statements and results of operations.
The accounting rules and regulations that we must comply with are complex and subject to interpretation by the Financial Accounting Standards Board, or the FASB, the Securities and Exchange Commission, or the SEC, and various bodies formed to promulgate and interpret appropriate accounting principles. Recent actions and public
comments from the FASB and the SEC have been focused on the integrity of financial reporting and internal controls over financial reporting. Many companies’ accounting policies and practices are being subject to heightened scrutiny by regulators and the public. In addition, the accounting rules and regulations are continually changing in ways that could materially impact our financial statements. We cannot predict the impact of future changes to accounting principles or our accounting policies on our financial statements going forward, which could significantly affect our reported financial results and could affect the reporting of transactions completed before the announcement of the change. Further, if we were to change our critical accounting estimates, our results of operations could be significantly affected.
Any future litigation against us could be costly and time-consuming to defend.
We may become subject to legal proceedings and claims that arise in the ordinary course of business, such as claims brought by our customers in connection with commercial disputes or employment claims made by our current or former employees. Litigation might result in substantial costs and may divert management’s attention and resources, which might seriously harm our business, financial condition and results of operations. Insurance might not cover such claims, might not provide sufficient payments to cover all the costs to resolve one or more such claims and might not continue to be available on terms acceptable to us (including premium increases or the imposition of large deductible or co-insurance requirements). A claim brought against us that is uninsured or underinsured could result in unanticipated costs, potentially harming our business, financial position and results of operations. In addition, we cannot be sure that our existing insurance coverage and coverage for errors and omissions will continue to be available on acceptable terms or that our insurers will not deny coverage as to any future claim.
Acquisitions, strategic investments, partnerships, or alliances could be difficult to identify, pose integration challenges, divert the attention of management, disrupt our business, dilute stockholder value, and adversely affect our business, financial condition and results of operations.
We have in the past and may in the future seek to acquire or invest in businesses, joint ventures, products and platform capabilities, or technologies that we believe could complement or expand our platform and product offerings, enhance our technical capabilities, or otherwise offer growth opportunities. Any such acquisition or investment may divert the attention of management and cause us to incur various expenses in identifying, investigating and pursuing suitable opportunities, whether or not the transactions are completed, and may result in unforeseen operating difficulties and expenditures. Specifically, we may encounter difficulties integrating the businesses, technologies, platform and product capabilities, or operations of any acquired companies, particularly if the key personnel of an acquired company choose not to work for us, their software is not easily adapted to work with our platform, or we have difficulty retaining the customers of any acquired business due to changes in ownership, management or otherwise. Additionally, any such transactions that we are able to complete may not result in the synergies or other benefits we had expected to achieve, which could result in impairment charges that could be substantial. In addition, we may not be able to find and identify desirable acquisition targets or business opportunities or be successful in entering into an agreement with any particular strategic partner. These transactions could also result in dilutive issuances of equity securities or the incurrence of debt, which could adversely affect our results of operations. In addition, if the resulting business from such a transaction fails to meet our expectations, our business, financial condition and results of operations may be adversely affected or we may be exposed to unknown risks or liabilities.
We may need to raise additional capital to expand our operations and invest in new products, which capital may not be available on terms acceptable to us, or at all, and which could reduce our ability to compete and could harm our business.
While we expect that our existing cash and cash equivalents, cash provided by operating activities, available borrowings under our revolving line of credit, and unbilled amounts related to contracted non-cancelable subscription agreements, which are not reflected on the balance sheet, will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months, retaining or expanding our current levels of personnel and product offerings may require additional funds. Our failure to raise additional capital or generate the significant capital necessary to expand our operations, invest in new products or acquire complementary
businesses and technologies could reduce our ability to compete and could harm our business. Accordingly, we may need to engage in additional equity or debt financings to secure additional funds. If we raise additional equity financing, our stockholders may experience significant dilution of their ownership interests and the market price of our Class A common stock could decline. If we engage in debt financing, the holders of debt may have priority over the holders of our Class A common stock, and we may be required to accept terms that restrict our operations or our ability to incur additional indebtedness or to take other actions that would otherwise be in the interests of the debt holders. Any of the above could harm our business, financial condition and results of operations.
Our Revolving Credit Facility contains financial covenants and other restrictions on our actions that may limit our operational flexibility or otherwise adversely affect our results of operations.
The terms of our Revolving Credit Facility include a number of covenants that limit our ability and our subsidiaries’ ability to, among other things, incur additional indebtedness, grant liens, merge or consolidate with other companies or sell substantially all of our assets, pay dividends, make redemptions and repurchases of stock, make investments, loans and acquisitions, or engage in transactions with affiliates. These terms may restrict our current and future operations and could adversely affect our ability to finance our future operations or capital needs. In addition, complying with these covenants may make it more difficult for us to successfully execute our business strategy, including potential acquisitions, and compete against companies which are not subject to such restrictions.
A failure by us to comply with the covenants or payment requirements specified in our credit agreement could result in an event of default under the agreement, which would give the lenders the right to terminate their commitments to provide additional loans and to declare all borrowings outstanding, together with accrued and unpaid interest and fees, to be immediately due and payable. If debt under our Revolving Credit Facility were to be accelerated, we may not have sufficient cash or be able to borrow sufficient funds to refinance the debt or sell sufficient assets to repay the debt, which could immediately adversely affect our business, cash flows, results of operations, and financial condition. As of December 31, 2021, there were no amounts outstanding under the Revolving Credit Facility.
If we fail to enhance our brand cost-effectively, our ability to expand our customer base will be impaired and our business, financial condition and results of operations may suffer.
We believe that developing and maintaining awareness of our brand in a cost-effective manner is critical to achieving widespread acceptance of our existing and future products and is an important element in attracting new customers. Furthermore, we believe that the importance of brand recognition will increase as competition in our market increases. Successful promotion of our brand will depend largely on the effectiveness of our marketing efforts and on our ability to provide reliable and useful products at competitive prices. In the past, our efforts to build our brand have involved significant expenses. Brand promotion activities may not yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote and maintain our brand, or incur substantial expenses in an unsuccessful attempt to promote and maintain our brand, we may fail to attract new customers or retain our existing customers to the extent necessary to realize a sufficient return on our brand-building efforts, and our business, financial condition and results of operations could suffer.
If we cannot maintain our company culture as we grow, we could lose the innovation, teamwork, passion and focus on execution that we believe contribute to our success and our business may be harmed.
We believe that our corporate culture has been a contributor to our success, which we believe fosters innovation, teamwork, passion and focus on building and marketing our platform and products. As we grow and develop the infrastructure of a public company, we may find it difficult to maintain our corporate culture. Any failure to preserve our culture could harm our future success, including our ability to retain and recruit personnel, innovate and operate effectively, attract new customers, retain existing customers and execute on our business strategy. Additionally, our productivity and the quality of our products may be adversely affected if we do not integrate and train our new employees quickly and effectively. Any of these effects could adversely affect our business, financial condition and results of operations.
Risks Related to Our Platform and Products
If we are not able to develop or acquire new products and/or provide successful updates, enhancements and features to our technology, our business, financial condition and results of operations could be adversely affected.
Our industry is marked by rapid technological developments and demand for new and enhanced products and features to address the evolving risks associated with social engineering. In particular, cybersecurity threats are becoming increasingly sophisticated and responsive to the new security measures designed to thwart them. If we fail to update our products, through internal development or acquisition, to address such threats, our business and reputation will suffer. Our ability to increase revenue depends in large part on our ability to develop compelling new products to sell to new customers and to cross-sell and upsell to our existing customer base. To do so, we must continue to invest in our technology and platform in order to create new adjacencies and use cases. The success of any new product developments, enhancements, or features that we introduce depends on several factors, including the timely completion, introduction and market acceptance of such enhancements, features or products and integration with our existing platform and products.
We may not be successful in either developing these modifications and enhancements or in bringing them to market in a timely fashion. Furthermore, modifications to existing technologies will increase our research and development expenses. If we are unable to successfully enhance our existing products to meet customer requirements, increase adoption and usage of our products or develop new products, enhancements and features, our business, financial condition and results of operations will be harmed.
Interruptions or delays in the services provided by third-party data centers or internet service providers could impair the delivery of our platform and products, expose us to litigation and negatively impact our relationships with customers, adversely affecting our business.
We host our platform using Amazon Web Services, or AWS, data centers, a provider of cloud infrastructure services, and, therefore, we are vulnerable to service interruptions at AWS, which could impact the ability of our customers to access our platform. All of our products reside on hardware in these locations. Our operations depend on protecting the virtual cloud infrastructure hosted in AWS by maintaining its configuration, architecture and interconnection specifications, as well as the information stored in these virtual data centers, which third-party internet service providers transmit. Although we have disaster recovery plans that utilize multiple AWS locations, any incident affecting their infrastructure that may be caused by fire, flood, severe storm, earthquake, power loss, telecommunications failures, unauthorized intrusion, computer viruses and disabling devices, hacking and other security attacks, natural disasters, war, criminal acts, military actions, terrorist attacks and other similar events beyond our control could negatively affect the security or availability of our platform and products. A prolonged AWS service disruption affecting our platform and products for any reason could damage our reputation with current and potential customers, expose us to liability, cause us to lose customers or otherwise harm our business. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the AWS services we use.
AWS enables us to order and reserve server capacity in varying amounts and sizes distributed across multiple regions. AWS provides us with computing and storage capacity pursuant to an agreement that continues until terminated by either party. AWS may terminate the agreement by providing 30 days prior written notice and may, in some cases, terminate the agreement immediately for cause upon notice. In addition, the failure of AWS data centers or third-party internet service providers to meet our capacity requirements could result in interruptions or delays in access to our platform and products or impede our ability to scale our operations. In the event that our AWS service agreements are terminated, or there is a lapse of service, interruption of internet service provider connectivity or damage to such facilities, we could experience interruptions in access to our platform and products as well as delays and additional expense in arranging new facilities and services.
If our platform and products fail to perform properly, our reputation could be adversely affected and our market share could decline, which could have a material adverse effect on our business, financial condition and results of operations.
Our platform and products are inherently complex and may contain material defects or errors. In the future we may experience website disruptions, outages and other performance problems. These problems may be caused by a variety of factors, including infrastructure changes, human or software errors or negligence, viruses, hacking and other security attacks, fraud, increased resource consumption from expansion or modification to our code and spikes in customer usage. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. If we do not accurately predict our infrastructure requirements, our existing customers may experience service outages and our operations infrastructure may fail to keep pace with increased sales, causing new customers to experience delays. We provide service level commitments under our customer contracts, under which we guarantee specified availability of our platform and products. If we fail to meet these contractual commitments, we could be obligated to provide credits for future service, or face contract termination with refunds of prepaid amounts related to unused subscriptions, which could harm our business, financial condition and results of operations. In light of our historical experience with meeting our service level commitments, we do not currently have any material liabilities accrued on our balance sheet for these commitments. Additionally, any defects in functionality or that cause interruptions in the availability of our platform and products could result in:
•loss or delayed market acceptance and sales;
•breach of warranty or other contractual claims for damages incurred by customers;
•loss of customers;
•diversion of development and customer service resources; and
•injury to our reputation;
any of which could have a material adverse effect on our business, financial condition and results of operations. In addition, the costs incurred in correcting any material defects or errors might be substantial.
Risks Related to Our Intellectual Property
Our results of operations may be harmed if we are subject to a protracted infringement claim or a claim that results in a significant damage award.
A key tenet of our security awareness platform and products is the ability for our customers to perform simulated social engineering attacks on their users as part of our comprehensive training program. These social engineering attacks, typically in the form of simulated phishing emails, often use actual third-party names, logos, marks and other content in order to enhance the effectiveness of the simulation. Although we do not believe that the use of such names, logos, marks and other content for our customers’ internal training purposes infringes upon the trademark rights or other intellectual property rights of others, some third parties have objected to such use in our training program. These third parties have sent requests or demands to remove their names, logos, marks and other content from our platform and products, alleging that such use infringes upon their trademark rights and copyrights, creates actionable claims under state law or causes consumer confusion resulting in harm to their goodwill or reputation.
From time to time, we also register domain names containing typos, third-party names or marks, or variations thereof, to be used in connection with our simulated phishing emails. We register these domain names to serve a limited and specific purpose, and similar to the above-referenced simulated phishing emails, we do not believe that the limited manner and purpose in which any such third-party names, marks and other content are used in the registered domain names infringes upon their trademark rights or intellectual property rights. Some third parties
have, however, sent a privacy service request or initiated a proceeding to cease use of and/or transfer the domain containing their name, mark or variations thereof, including intentional typos, that have been resolved. To date, we have taken a case-by-case approach and worked to resolve all brand-owner demands directly with the individual brand owners. Nonetheless, there is no assurance that legal actions will not result in the future from objecting brand owners.
Additionally, as our presence in the market expands, we may experience such requests or demands with increasing frequency. Any legal action, regardless of their merit, may: require us to expend significant financial resources and attention of management and other personnel; result in injunctions against us that prevent us from using third-party names, logos, marks and other content on our platform and products; or require us to pay monetary fees to third parties; and/or require transfer of the domain name registrations.
Furthermore, because any legal action would likely involve novel questions of law regarding simulated phishing activities for which there is very little or no precedent to date, and, because the outcomes of any such actions may depend on questions of laws that vary from state to state, the outcomes of any such legal actions are uncertain and may ultimately vary widely based on the jurisdictions in which actions are brought. Any such outcomes may adversely impact our relationship with our customers, including prompting them to discontinue their business relationship with us. From time to time, third parties have asserted, or may assert, claims of infringement, misappropriation or other violations of intellectual property rights against us or our customers, with whom our agreements may obligate us to indemnify against these claims. Successful claims of infringement by a third party may prevent us from offering certain products or features, or require us to develop alternate non-infringing technology, which may require significant time, during which we may be: unable to continue offering the affected products or solutions; required to obtain a license that may not be available on reasonable terms, or at all; or forced to pay substantial damages, royalties, or other fees. The occurrence of any of these results may also materially adversely affect our business, financial condition and results of operations.
If we fail to adequately protect our proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate reduced revenue and incur costly litigation to protect our rights.
Our success is dependent, in part, upon protecting our proprietary information and technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws and contractual restrictions to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Despite the precautions we have implemented, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products that compete with ours. Some license provisions protecting against unauthorized use, copying, transfer and disclosure of our products may be unenforceable under the laws of certain jurisdictions and foreign countries. Further, the laws of some countries do not protect proprietary rights to the same extent as the laws of the United States or the mechanisms for enforcement of intellectual property rights in some foreign countries may be inadequate. To the extent we expand our international activities, our exposure to the unauthorized use of our products and proprietary information may increase. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing upon or misappropriating our technology and intellectual property.
We rely in part on trade secrets, proprietary know-how and other confidential information to maintain our competitive position. Although we enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with the parties with whom we have strategic relationships and business alliances, no assurance can be given that these agreements will be effective in controlling access to, and distribution of, our products and proprietary information. Further, these agreements do not prevent our competitors from independently developing technologies that may be substantially equivalent or superior to our products.
To protect our intellectual property rights, we may be required to spend significant resources to monitor and protect these rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Such litigation may be costly, time consuming and distracting to management and may result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our
intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, may delay further sales, introductions of new products or implementation of existing products; may impair the functionality of our products; or may result in our substituting inferior or more costly technologies into our products that may injure our reputation. In addition, we may be required to license additional technology from third parties to develop and market new products, and we cannot assure customers we will be able to license that technology on commercially reasonable terms, or at all, and our inability to license this technology may harm our ability to compete.
We use open source software in our products, which could negatively affect our ability to offer our products and subject us to litigation or other actions.
We use open source software in our products and may use more open source software in the future. From time to time, there have been claims challenging the ownership of open source software against companies that incorporate open source software into their products. However, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses may be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, potentially resulting in negative effects on our business, financial condition and results of operations or require us to devote additional research and development resources to change our products. In addition, if we were to combine our proprietary software products with certain open source software in a certain manner, we may, under their specific terms and conditions, be required to release the source code of our proprietary software to the public. This would allow our competitors to create similar products with less development effort and time. If we inappropriately use open source software, or if the license terms for open source software that we use should change, we may be required to re-engineer our products, incur additional costs, discontinue the sale of some or all of our products or take other remedial actions.
In addition to risks related to open source software license requirements, usage of open source software may lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or assurances of title or controls as to the origin of the software. Many of the risks associated with usage of open source software, such as the lack of warranties or assurances of title, cannot be eliminated, and could, if not properly addressed, negatively affect our business. We have established processes to help alleviate these risks, including a review process for screening requests from our development organizations for the use of open source software, but we cannot guarantee that all of our use of open source software is in a manner that is consistent with our current policies and procedures, or will not subject us to liability.
We incorporate technology from third parties into our platform and products, and our inability to obtain or maintain rights to the technology could harm our business.
We license software and other technology from third parties that incorporate into, or integrate with, our platform and products. We cannot be certain that our licensors are not infringing on the intellectual property rights of third parties or that our licensors have sufficient rights to the licensed intellectual property in all jurisdictions in which we may offer our platform and products. In addition, many licenses are non-exclusive, and therefore our competitors may have access to the same technology licensed to us. Some of our agreements with our licensors may be terminated for convenience by them, or otherwise provide for a limited term. If we are unable to continue to license any of this technology for any reason, our ability to develop and offer our platform and products containing such technology may be negatively impacted. Similarly, if we are unable to license necessary technology from third parties now or in the future, we may be forced to acquire or develop an alternative technology, which we may be unable to do in a commercially feasible manner, or at all, and we may be required to use alternative technology of lower quality or performance standards. This may limit or delay our ability to offer new or competitive products and increase our costs of production. As a result, our business and results of operations may be significantly harmed. Additionally, as part of our longer-term strategy, we plan to open our platform and products to third-party developers and applications to further extend their functionality. We cannot be certain that such efforts to grow our business will be successful.
Risks Related to Governmental Regulations and Taxation
Complying with evolving privacy and other data related laws and requirements may be expensive and force us to make adverse changes to our business, and failure to comply with such laws and requirements could result in substantial harm to our business.
Laws and regulations governing data privacy and protection, information security, the use of the Internet as a commercial medium, the use of data in artificial intelligence and machine learning and data sovereignty requirements are rapidly evolving, extensive, complex and include inconsistencies and uncertainties. Examples of recent and anticipated developments that have or could impact our business include the following:
•The General Data Protection Regulation, or GDPR, took effect in May 2018 and established several requirements applicable to the handling of personal data of individuals in the European Economic Area, or EEA. The GDPR is wide-ranging in scope and imposes numerous requirements on companies that process personal data, including imposing accountability obligations requiring data controllers and processors to maintain a record of their data processing and implement policies and procedures as part of its mandated privacy governance framework. It also requires data controllers to be transparent and disclose to data subjects how their personal data will be used; establishes rights for individuals with respect to their personal data, including rights of access and deletion in certain circumstances; imposes limitations on retention of personal data; establishes data breach notification requirements; and sets standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities.
•The GDPR and substantially equivalent legislation in the United Kingdom, or UK, also imposes strict rules applied to the transfer of personal data out of the EEA, Switzerland and the UK to third countries deemed to lack adequate privacy protections (including the United States), unless an appropriate safeguard is implemented, such as the Standard Contractual Clauses, or SCCs, approved by the European Commission, or a derogation applies. The Court of Justice of the European Union, or CJEU, deemed the SCCs valid in July 2020. However, the CJEU ruled that transfers made pursuant to the SCCs and other alternative transfer mechanisms must be analyzed on a case-by-case basis to ensure European Union, or EU, standards of data protection are met in the jurisdiction where the data importer is based, and concerns remain about the potential for the SCCs and other mechanisms to face additional challenges. European regulators have issued guidance following the CJEU ruling that imposes significant new requirements on transferring data outside the EEA and Switzerland, including under an approved transfer mechanism. On June 4, 2021, the European Commission issued new SCCs that account for the CJEU’s decision and other developments, which need to be put in place for new contracts involving the transfer of personal data from the EEA and Switzerland to a third country as of September 27, 2021. Complying with these obligations and applicable guidance could be expensive and time consuming, may require us to modify our data handling policies and procedures and undertake additional measures, including new contractual negotiations, and may ultimately prevent or restrict us from transferring personal data outside the EEA and the UK, which could cause significant business disruption.
•The EU has proposed the Regulation on Privacy and Electronic Communications, or ePrivacy Regulation, which, if adopted, would impose new obligations on the use of personal data in the context of electronic communications, particularly with respect to online tracking technologies and direct marketing.
•In January 2020, the UK formally left the EU. The UK’s withdrawal from the EU, commonly referred to as “Brexit,” became effective December 31, 2020. The UK has implemented legislation that implements and complements the GDPR, and which provides for the implementation of GDPR requirements, including those related to cross-border data transfer. In June 2021, the European Commission announced a decision of “adequacy” concluding that the UK ensures an equivalent level of data protection to the GDPR, which provides some relief regarding the legality of continued personal data flows from the EEA to the UK. Some uncertainty remains, however, as this adequacy determination must be renewed after four years and may be modified or revoked in the interim. Further, on February 2, 2022, the UK’s Information Commissioner’s Office issued new standard contractual clauses to support personal data transfers out of the UK. If approved by the UK Parliament, these standard contractual clauses will become effective March 21, 2022. We cannot
predict how UK data protection laws or regulations may develop in the longer term, including those relating to data transfers. We may be required to take steps to ensure the lawfulness of our data transfers and otherwise to address UK data protection law.
•In January 2020, the California Consumer Privacy Act, or CCPA, took effect, providing California residents increased privacy rights and protections, including the ability to opt out of sales of their personal information. The CCPA went into effect in January 2020 and became enforceable by the California Attorney General in July 2020. Among other things, the CCPA requires covered companies to provide new disclosures to California consumers and afford such consumers new rights with respect to their personal information, including the right to request deletion of their personal information, the right to receive the personal information on record for them, the right to know what categories of personal information generally are maintained about them, as well as the right to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action may increase the likelihood of, and risks associated with, data breach litigation.
•California voters also approved a new privacy law, the California Privacy Rights Act, or CPRA, in the November 3, 2020 election. Effective January 1, 2023, the CPRA imposes additional obligations on covered companies and will significantly modify the CCPA, including by expanding consumers’ rights with respect to certain sensitive personal information. The CPRA also creates a new state agency that will have authority to implement and enforce the CCPA and the CPRA. The effects of the CCPA and the CPRA are significant. They increase our potential exposure to regulatory enforcement and/or litigation and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply. Other U.S. states are considering, and in certain cases have adopted, similar laws. For example, in March 2021, Virginia enacted the Virginia Consumer Data Protection Act, and in July 2021, Colorado enacted the Colorado Privacy Act. These both are comprehensive privacy statutes that will become effective in 2023 and share similarities with the CCPA, the CPRA and legislation proposed in other states. Recently proposed and enacted state privacy legislation beyond the CCPA and CPRA may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies.
Global governments are considering implementing regulations that would restrict cross-border data processing. Additionally, global governments are considering regulating artificial intelligence, machine learning and other technologies. These and other similar legal and regulatory developments could contribute to legal and economic uncertainty, affect how we design, market, sell and operate our platform and products, how our customers process and share data, how we process, transfer and use data, which could negatively impact demand for our platform and products. We may incur substantial costs to comply with such laws and regulations, to meet the demands of our customers relating to their own compliance with applicable laws and regulations and to establish and maintain internal policies, self-certifications, and third-party certifications supporting our compliance programs. Our customers may bind us to certain obligations pursuant to the GDPR or other laws or regulations relating to privacy, data protection or information security, and we may be or become bound by other contractual obligations relating to privacy, data protection or information security. We may be required to expend substantial resources to comply with these obligations. In addition, any actual or perceived non-compliance with applicable laws, regulations, policies, certifications or contractual or other actual or asserted obligations could result in proceedings, investigations or claims against us by regulatory authorities, customers or others, leading to reputational harm, significant fines, litigation costs and damages. For example, if regulators assert that we have failed to comply with the GDPR or the UK’s legislation implementing the GDPR, we may be subject to fines of up to EUR 20 million (or GBP 17.5 million) or 4% of our worldwide annual revenue, whichever is greater, as well as potential data processing restrictions. Authorities have shown a willingness to impose significant fines and issue orders preventing the processing of personal data on non-compliant businesses. Moreover, individuals can claim damages resulting from infringement of the GDPR and other European and UK data protection laws. The GDPR also introduces the right for non-profit organizations to bring claims on behalf of data subjects. In addition to the foregoing, an actual or alleged
breach of the GDPR or other applicable laws, regulations or other actual or asserted obligations related to privacy, data protection or information security could result in regulatory investigations, reputational damage, orders to change our use of data, enforcement notices, or potential civil claims including class action type litigation. All of these impacts could have a material adverse effect on our business, financial condition and results of operations.
We publish privacy policies and other documentation regarding our collection, processing, use and disclosure of personal information, credit card information or other confidential information. Although we endeavor to comply with applicable laws and regulations relating to privacy, data protection, and information security, and our related policies, certifications, representations and documentation, we may at times fail to do so or may be perceived to have failed to do so. Moreover, despite our efforts, we may not be successful in achieving or maintaining compliance if our employees or service providers fail to comply with our policies, certifications, representations and documentation. Such actual or perceived failures can subject us to potential claims, litigation and international, local, state and federal action if they are found or alleged to be deceptive, unfair or to misrepresent our actual practices.
We also collect information about cyber threats from open sources, intermediaries and third parties that we make available to our customers in our industry publications. While we have implemented certain procedures to facilitate compliance with applicable laws and regulations in connection with the collection of this information, we cannot assure you that these procedures have been effective or that we, or third parties, many of whom we do not control, have complied with all laws or regulations in this regard. Failure by our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties to comply with applicable laws and regulations in the collection of this information also could have negative consequences to us, including reputational harm, government investigations and penalties. Although we take precautions to prevent our information collection practices and services from being provided in violation of such laws, our information collection practices and services may have been in the past, and could in the future be, provided in violation of such laws.
We are subject to laws and regulations, including governmental export and import controls, sanctions, anti-boycott regulations and anti-corruption laws that could impair our ability to compete in our markets and subject us to liability if we are not in full compliance with applicable laws.
We are subject to laws and regulations, including governmental export controls, that could subject us to liability or impair our ability to compete in our markets. Our products are subject to U.S. export controls, including the U.S. Department of Commerce’s Export Administration Regulations, and we and our employees, representatives, contractors, agents, intermediaries and other third parties are also subject to various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control. Furthermore, U.S. export control laws and economic sanctions prohibit the export and provision of certain cloud-based solutions to, and other transactions and dealings with, countries, governments, entities and persons targeted by U.S. sanctions.
In connection with our March 1, 2021 acquisition of MediaPro Holdings, LLC, we identified potential violations related to limited dealings by MediaPro Holdings, LLC in 2016 with Sudatel, a Sudanese telecommunications and internet service provider. As a condition of closing, MediaPro Holdings, LLC filed voluntary self-disclosures with the Office of Foreign Assets Control (“OFAC”) and the Office of Antiboycott Compliance (“OAC”). OFAC issued us a cautionary letter but did not pursue any penalties or take enforcement action. As of the date of this Annual Report on Form 10-K, the OAC case is pending. Although we have technical controls, policies and procedures in place designed to ensure our compliance, there is no guarantee that we will not inadvertently provide our products and services, including our publicly available online free tools, to persons targeted by U.S. sanctions, despite our reasonable efforts to prevent it.
If we or our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties fail to comply with these laws and regulations, we could be subject to civil or criminal penalties, including the possible loss of export privileges and fines. We may also be adversely affected through reputational harm, loss of access to certain markets, government investigations or otherwise. Obtaining the necessary authorizations including any required license for a particular transaction may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities.
Various countries regulate the export and import of certain encryption technology, including through export and import permit and license requirements, and have enacted laws that could limit our ability to distribute our products
or could limit our customers’ ability to implement our products in those countries. Changes in our products or changes in export and import regulations may create delays in the introduction of our products into international markets, prevent our customers with international operations from deploying our products globally or, in some cases, prevent the export or import of our products to certain countries, governments, entities or persons altogether. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations or change in the countries, governments, entities or persons or technologies targeted by such regulations could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Any decreased use of our products or limitation on our ability to export or sell our products would likely adversely affect our business, financial condition and results of operations.
We are also subject to the FCPA, Bribery Act and other anti-corruption, anti-bribery, anti-money laundering and similar laws in the United States and other countries in which we conduct activities. Anti-corruption and anti-bribery laws, which have been enforced aggressively and are interpreted broadly, prohibit companies and their employees, agents, intermediaries and other third parties from promising, authorizing, making or offering improper payments or other benefits to government officials and others in the private sector. We leverage third parties, including intermediaries, agents and channel partners, to conduct our business in the United States and abroad to sell subscriptions to our products and to collect information about cyber threats. We and these third parties may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and we may be held liable for the corrupt or other illegal activities of these third-party business partners and intermediaries, our employees, representatives, contractors, channel partners, agents, intermediaries and other third parties, even if we do not explicitly authorize such activities. While we have policies and procedures to address compliance with the FCPA, Bribery Act and other anti-corruption, sanctions, anti-bribery, anti-money laundering and similar laws, we cannot assure you that they will be effective, or that all of our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties have taken, or will not take, actions in violation of our policies and applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase. Noncompliance with these laws could subject us to investigations, severe criminal or civil sanctions, settlements, prosecution, loss of export privileges, suspension or debarment from U.S. government contracts, other enforcement actions, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, whistleblower complaints, adverse media coverage and other consequences. Any investigations, actions or sanctions could harm our reputation, business, financial condition and results of operations.
Failure to comply with laws and regulations applicable to our business could subject us to fines and penalties.
Our business is subject to regulation by various federal, state, local and foreign governmental agencies, including, but not limited to, agencies responsible for monitoring and enforcing privacy, data protection and information security laws and regulations, employment and labor laws, workplace safety, product safety, environmental laws, consumer protection laws, anti-bribery laws, import and export controls, economic sanctions, federal securities laws and tax laws and regulations. In certain jurisdictions, these regulatory requirements may be more stringent than in the United States. Actual or alleged noncompliance by us, our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties with applicable regulations or requirements could subject us to:
•investigations, enforcement actions and sanctions;
•mandatory changes to our platform, products or business practices;
•disgorgement of profits, fines and damages;
•civil and criminal penalties or injunctions;
•claims for damages by our customers or channel partners;
•termination of contracts;
•loss of intellectual property rights; and
•temporary or permanent debarment from sales to government organizations.
In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. If any governmental sanctions or enforcement actions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, financial condition and results of operations could be adversely affected.
In addition, we endeavor to properly classify employees as exempt versus non-exempt under applicable law. Although there are no pending or threatened material claims or investigations against us asserting that some employees are improperly classified as exempt, the possibility exists that some of our current or former employees could have been incorrectly classified as exempt employees.
Sales to government entities are subject to a number of challenges and risks.
A number of our customers are U.S., state or foreign government entities. Such entities may demand contract terms that are less favorable than standard arrangements with private sector customers and may have statutory, contractual or other legal rights to terminate contracts with us or our partners for convenience or for other reasons. Generally, the laws, regulations and policies that govern our ability to contract with government customers impose added costs on our business, and failure by us, our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties to comply with applicable regulations and requirements could lead to claims for damages, penalties, termination of contracts, loss of exclusive rights in our intellectual property and temporary suspension or permanent debarment from government contracting. Any such damages, penalties, disruptions or limitations in our ability to do business with the public sector could result in reduced sales of our products, reputational damage, penalties and other sanctions, any of which could harm our reputation, business, financial condition and results of operations.
In addition, as a vendor for government entities, we must comply with laws, regulations and policies governing such governmental bodies, including those related to their cybersecurity practices. For example, the State of California Office of Information Security Phishing Exercise Standard (SIMM 5320-A), released in October 2020, established specific requirements for California state entities and agencies to coordinate phishing exercises with the California Department of Technology Office of Information Security and the California Cybersecurity Integration Center and other requirements for execution. Other states and jurisdictions may adopt versions of this standard or consider other new cybersecurity or data protection measures in the future, imposing additional compliance burdens on us and our customers.
Delaware law and provisions in our amended and restated certificate of incorporation and amended and restated bylaws could make a merger, tender offer or proxy contest difficult, thereby depressing the market price of our Class A common stock.
Our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that may make the acquisition of our company more difficult, including the following:
•our board of directors is classified into three classes of directors with staggered three-year terms, and directors are only able to be removed from office for cause;
•certain amendments to our amended and restated certificate of incorporation require the approval of at least 66-2/3% of the voting power of the outstanding shares of our stock entitled to vote generally in the election of directors, voting together as a single class;
•our dual class common stock structure provides pre-IPO stockholders with the ability to significantly influence the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the shares of our outstanding capital stock;
•our stockholders are only able to take action at a meeting of stockholders and are not able to take action by written consent for any matter;
•our amended and restated certificate of incorporation does not provide for cumulative voting;
•vacancies on our board of directors may be filled only by our board of directors and not by stockholders;
•a special meeting of our stockholders may only be called by the chairperson of our board of directors, our Chief Executive Officer or a majority of our board of directors;
•certain litigation against us can only be brought in Delaware;
•our amended and restated certificate of incorporation authorizes undesignated preferred stock, the terms of which may be established and shares of which may be issued without further action by our stockholders; and
•advance notice procedures apply for stockholders to nominate candidates for election as directors or to bring matters before an annual meeting of stockholders.
In addition, while we have opted out of Section 203 of the Delaware General Corporation Law, or the DGCL, our amended and restated certificate of incorporation contains similar provisions providing that we may not engage in certain “business combinations” with any “interested stockholder” for a three year period following the time that the stockholder became an interested stockholder, unless:
•prior to such time, our board of directors approved either the business combination or the transaction that resulted in the stockholder becoming an interested stockholder;
•upon consummation of the transaction that resulted in the stockholder becoming an interested stockholder, the interested stockholder owned at least 85% of the votes of our voting stock outstanding at the time the transaction commenced, excluding certain shares; or
•at or subsequent to that time, the business combination is approved by our board of directors and by the affirmative vote of holders of at least 66-2/3% of the votes of our outstanding voting stock that is not owned by the interested stockholder.
Generally, a “business combination” includes a merger, asset or stock sale or other transaction resulting in a financial benefit to the interested stockholder. Subject to certain exceptions, an “interested stockholder” is a person who, together with that person’s affiliates and associates, owns, or within the previous three years owned, 15% or more of the votes of our outstanding voting stock. For purposes of this provision, “voting stock” means any class or series of stock entitled to vote generally in the election of directors. Our amended and restated certificate of incorporation provides that any interested stockholder who became an interested stockholder prior to our IPO and Mr. Sjouwerman and any of their respective direct or indirect designated transferees (other than in certain market transfers and gifts) and any group of which such persons are a party do not constitute “interested stockholders” for purposes of this provision.
Under certain circumstances, this provision will make it more difficult for a person who would be an “interested stockholder” to effect various business combinations with our company for a three year period. This provision may encourage companies interested in acquiring us to negotiate in advance with our board of directors because the stockholder approval requirement would be avoided if our board of directors approves either the business combination or the transaction that results in the stockholder becoming an interested stockholder. These provisions also may have the effect of preventing changes in our board of directors and may make it more difficult to accomplish transactions that stockholders may otherwise deem to be in their best interests.
These provisions, alone or together, could discourage, delay or prevent a transaction involving a change in control of our company. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors of their choosing and to cause us to take other corporate actions they desire, any of which, under certain circumstances, could limit the opportunity for our stockholders to receive a premium for their shares of our Class A common stock, and could also affect the price that some investors are willing to pay for our Class A common stock.
Our amended and restated bylaws designate a state or federal court located within the State of Delaware and the federal district courts of the United States as the exclusive forum for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to choose the judicial forum for disputes with us or our directors, officers or employees.
Our amended and restated bylaws provide that, unless we consent in writing to the selection of an alternative forum, to the fullest extent permitted by law, the sole and exclusive forum for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (iii) any action arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws, or (iv) any other action asserting a claim that is governed by the internal affairs doctrine shall be the Court of Chancery of the State of Delaware (or, if the Court of Chancery does not have jurisdiction, the federal district court for the District of Delaware), in all cases subject to the court having jurisdiction over indispensable parties named as defendants. Our amended and restated bylaws further provide that the federal district courts of the United States will be the exclusive forum for resolving any complaints asserting a cause of action arising under the Securities Act of 1933, as amended, or the Securities Act.
Any person or entity purchasing or otherwise acquiring any interest in any of our securities shall be deemed to have notice of and consented to this provision. This exclusive forum provision may limit a stockholder’s ability to bring a claim in a judicial forum of its choosing for disputes with us or our directors, officers or other employees, which may discourage lawsuits against us and our directors, officers and other employees. This exclusive forum provision will not apply to any causes of action arising under the Securities Act or the Exchange Act or any other claim for which the federal courts have exclusive jurisdiction. Further, the enforceability of similar choice of forum provisions in other companies’ charter documents has been challenged in legal proceedings, and it is possible that a court could find these types of provisions to be inapplicable or unenforceable. For example, the Court of Chancery of the State of Delaware recently determined that a provision stating that U.S. federal district courts are the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act is not enforceable. However, this decision may be reviewed and ultimately overturned by the Delaware Supreme Court. If a court were to find either exclusive forum provision in our amended and restated bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving the dispute in other jurisdictions, which could harm our results of operations.
Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited.
As of December 31, 2021, we had U.S. federal and state net operating loss carryforwards of $59.6 million and $41.8 million, respectively, and we had a U.S. federal research and development credit carryforward of $2.7 million. Realization of these net operating loss and research and development credit carryforwards depends on future income, and there is a risk that our existing carryforwards could expire unused and be unavailable to offset future income tax liabilities, which could adversely affect our results of operations.
In addition, under Sections 382 and 383 of the Internal Revenue Code, if a corporation undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in ownership by “5 percent shareholders” over a rolling three-year period, the corporation’s ability to use its pre-change net operating loss carryovers and other pre-change tax attributes, such as research and development credits, to offset its post-change income or taxes may be limited. We may experience ownership changes in the future as a result of shifts in our stock ownership. As a result, if we earn net taxable income, our ability to use our pre-change net operating loss carryforwards to offset U.S. federal taxable income may be subject to limitations, which could potentially result in increased future tax liability to us.
Changes in tax laws or regulations in the various tax jurisdictions we are subject to that are applied adversely to us or our customers could increase the costs of our products and harm our business.
New income, sales, use or other tax laws, statutes, rules, regulations or ordinances could be enacted at any time. Those enactments could harm our domestic and international business operations, and our business and financial performance. Further, existing tax laws, statutes, rules, regulations or ordinances could be interpreted, changed,
modified or applied adversely to us. These events could require us or our customers to pay additional tax amounts on a prospective or retroactive basis, as well as require us or our customers to pay fines and/or penalties and interest for past amounts deemed to be due. Additionally, new, changed, modified or newly interpreted or applied tax laws could increase our customers’ and our compliance, operating and other costs, as well as the costs of our products. Further, these events could decrease the capital we have available to operate our business. Any or all of these events could harm our business, financial condition and results of operations.
Our business may be subject to additional obligations to collect and remit sales tax and other taxes, and we may be subject to tax liability for past sales. Any successful action by state, foreign or other authorities to collect additional or past sales tax could harm our business.
States and some local taxing jurisdictions have differing rules and regulations governing sales and use taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales taxes to our platform and products in various jurisdictions is unclear. It is possible that we could face sales tax audits and that our liability for these taxes could exceed our estimates as state tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. Liability for past taxes may also include substantial interest and penalty charges. Any successful action by state, foreign or other authorities to compel us to collect and remit sales, use or other taxes, either retroactively, prospectively or both, could harm our business, financial condition and results of operations.
We are a multinational organization faced with increasingly complex tax issues in many jurisdictions, and we could be obligated to pay additional taxes in various jurisdictions.
As a multinational organization, we may be subject to taxation in several jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws or revised interpretations of existing tax laws and precedents, which could have a material adverse effect on our liquidity and results of operations. Furthermore, one or more jurisdictions in which we do not believe we are currently subject to tax payment, withholding or filing requirements could assert that we are subject to such requirements. Any of these claims or assertions could have a material impact on us and our financial condition and results of operations.
Governance Risks Related to Ownership of Our Class A Common Stock
The dual-class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our initial public offering (IPO), which will limit your ability to influence the outcome of important transactions, including a change in control.
Our Class B common stock has ten votes per share, and our Class A common stock, has one vote per share. Because of the ten-to-one voting ratio between our Class B common stock and Class A common stock, as of December 31, 2021 the holders of our Class B common stock collectively held approximately 94.2% of the combined voting power of our outstanding capital and will therefore, if acting together, be able to control all matters submitted to our stockholders for approval until the earlier of the fifth anniversary of the filing and effectiveness of our amended and restated certificate of incorporation or the affirmative vote of the holders of 66-2/3% of the voting power of our outstanding Class B common stock. This concentrated control will limit or preclude a potential investor’s ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets or other major corporate transactions requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that you may feel are in your best interest as one of our stockholders.
Future transfers by holders of shares of our Class B common stock will generally result in those shares converting to Class A common stock, subject to limited exceptions, including but not limited to, transfers effected for estate planning purposes and transfers among affiliates, to the extent the transferee continues to remain an affiliate. The conversion of Class B common stock to Class A common stock will have the effect, over time, of
increasing the relative voting power of those individual holders of Class B common stock who retain their shares in the long term.
The market price of our Class A common stock may be volatile, and you could lose all or part of your investment.
The market price of our Class A common stock could be subject to fluctuations in response to various factors, some of which are beyond our control and could cause you to lose all or part of your investment in our Class A common stock. Factors that could cause fluctuations in the market price of our Class A common stock include the following:
•price and volume fluctuations in the overall stock market from time to time;
•volatility in the market prices and trading volumes of technology stocks;
•changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
•sales of shares of our Class A common stock by us or our stockholders;
•failure of securities analysts to maintain coverage of us, changes in financial estimates by securities analysts who follow our company or our failure to meet these estimates or the expectations of investors;
•the financial projections we may provide to the public, any changes in those projections or our failure to meet those projections;
•announcements by us or our competitors of new offerings or platform features;
•the public’s reaction to our press releases, other public announcements and filings with the SEC;
•rumors and market speculation involving us or other companies in our industry;
•short selling of our Class A common stock or related derivative securities;
•actual or anticipated changes or fluctuations in our results of operations;
•actual or anticipated developments in our business, our competitors’ businesses or the competitive landscape generally;
•announced or completed acquisitions of businesses, offerings or technologies by us or our competitors;
•developments or disputes concerning our intellectual property or other proprietary rights;
•litigation involving us, our industry or both, or investigations by regulators into our operations or those of our competitors;
•new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
•system failures or actual or perceived privacy or security incidents;
•changes in accounting standards, policies, guidelines, interpretations or principles;
•any significant change in our management; and
•general economic conditions and slow or negative growth of our markets.
In addition, the stock market has experienced substantial price and volume volatility that is often seemingly unrelated to the operating performance of particular companies. These broad market fluctuations may cause the trading price of our Class A common stock to decline. Furthermore, the trading price of our Class A common stock may be adversely affected by third-parties trying to drive down the price. In addition, in the past, following periods of volatility in the overall market and the market price of a particular company’s securities, securities class action
litigation has often been instituted against these companies. This litigation, if instituted against us, would result in substantial costs and a diversion of our management’s attention and resources.
We are an “emerging growth company” and we cannot be certain if the reduced disclosure requirements applicable to emerging growth companies will make our Class A common stock less attractive to investors.
For so long as we remain an “emerging growth company” as defined in the JOBS Act, we may take advantage of certain exemptions from various requirements that are applicable to public companies that are not “emerging growth companies,” including, but not limited to, not being required to comply with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act, reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements and exemptions from the requirements of holding a nonbinding advisory vote on executive compensation and stockholder approval of any golden parachute payments not previously approved. We may take advantage of these exemptions until we are no longer an emerging growth company. We would cease to be an emerging growth company upon the earliest to occur of: (i) the first fiscal year following the fifth anniversary of our initial public offering; (ii) the first fiscal year after our annual gross revenue is $1.07 billion or more; (iii) the date on which we have, during the previous three-year period, issued more than $1.0 billion in non-convertible debt securities; or (iv) the date we qualify as a “large accelerated filer,” which means the end of any fiscal year in which the market value of our Class A common stock held by non-affiliates exceeded $700.0 million as of the end of the second quarter of that fiscal year. We cannot predict if investors will find our Class A common stock less attractive because we may rely on these exemptions. If some investors find our Class A common stock less attractive as a result, there may be a less active trading market for our Class A common stock and our stock price may be more volatile.
If securities or industry analysts do not publish research or publish inaccurate or unfavorable research about us, our business or our market, or if they change their recommendations regarding our Class A common stock adversely, the market price and trading volume of our Class A common stock could decline.
The trading market for our Class A common stock depends, in part, on the research and reports that securities or industry analysts publish about us, our business, our market or our competitors. The analysts’ estimates are based upon their own opinions and are often different from our estimates or expectations. If any of the analysts who cover us change their recommendation regarding our Class A common stock adversely, provide more favorable relative recommendations about our competitors or publish inaccurate or unfavorable research about our business, the price of our securities would likely decline. If few securities analysts commence coverage of us, or if one or more of these analysts cease coverage of us or fail to publish reports on us regularly, we could lose visibility in the financial markets and demand for our securities could decrease, which could cause the price and trading volume of our Class A common stock to decline.
We do not intend to pay dividends for the foreseeable future.
We currently intend to retain any future earnings to finance the operation and expansion of our business, and we do not expect to declare or pay any dividends in the foreseeable future. In addition, our Revolving Credit Facility contains restrictions on our ability to pay dividends. As a result, stockholders must rely on sales of their Class A common stock after price appreciation as the only way to realize any future gains on their investment.
The issuance of additional stock in connection with financings, acquisitions, investments, our equity incentive plans or otherwise will dilute all other stockholders.
Our amended and restated certificate of incorporation authorizes us to issue up to 1,000,000,000 shares of Class A common stock, up to 500,000,000 shares of Class B common stock and up to 100,000,000 shares of preferred stock with such rights and preferences as may be determined by our board of directors. Subject to compliance with applicable rules and regulations, we may issue shares of Class A common stock or securities convertible into shares of our Class A common stock from time to time in connection with a financing, acquisition, investment, our equity incentive plans, or otherwise. Any such issuance could result in substantial dilution to our existing stockholders and cause the market price of our Class A common stock to decline.
We cannot predict the impact our dual class structure may have on the market price of our Class A common stock.
We cannot predict whether our dual class structure will result in a lower or more volatile market price of our Class A common stock or in adverse publicity or other adverse consequences. For example, certain index providers have restrictions on including companies with multiple-class share structures in certain of their indexes. In July 2017, FTSE Russell and Standard & Poor’s announced that they would cease to allow most newly public companies utilizing dual or multi-class capital structures to be included in their indices. Affected indices include the Russell 2000 and the S&P 500, S&P MidCap 400 and S&P SmallCap 600, which together make up the S&P Composite 1500. Under these policies, our dual class capital structure would make us ineligible for inclusion in certain indices, and as a result, mutual funds, exchange-traded funds and other investment vehicles that attempt to passively track those indices will not be investing in our stock. Because of our dual class structure, we will likely be excluded from certain of these indexes and we cannot assure you that other stock indexes will not take similar actions. Given the sustained flow of investment funds into passive strategies that seek to track certain indexes, exclusion from stock indexes would likely preclude investment by many of these funds and could make our Class A common stock less attractive to other investors. As a result, the market price of our Class A common stock could be adversely affected.
Risks Related to Macroeconomic Conditions
Adverse economic conditions and reduced IT security spending may adversely impact our revenue and profitability.
Our operations and performance depend in part on worldwide economic conditions and the impact these conditions have on levels of spending on IT networking and security solutions. Our business depends on the overall demand for these solutions and on the economic health and general willingness of our current and prospective customers to purchase our platform and products. Weak economic conditions, including conditions resulting from financial and credit market fluctuations, changes in economic policy, trade uncertainty, including changes in tariffs, sanctions, international treaties and other trade restrictions, the occurrence of a natural disaster or global public health crisis, or armed conflicts, such as the ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the U.S. and other countries, and retaliatory actions taken by Russia in response to such sanctions, and a reduction in IT security spending could materially and adversely affect our business, financial condition and results of operations in a number of ways, including by reducing sales, lengthening sales cycles and lowering prices for our platform and products.
We are unable to predict with certainty the extent to which the global COVID-19 pandemic may continue to impact our business, financial condition or results of operations.
The ongoing COVID-19 pandemic and efforts to mitigate its impact have caused social and economic disruption and financial market volatility. Concerns over the ultimate economic impact of COVID-19 have caused and may continue to cause extreme volatility in financial and other capital markets, which may adversely affect our stock price and our ability to access capital markets in the future.
We believe that the conditions caused by the pandemic have not significantly affected demand for our platform and products; therefore, although the COVID-19 pandemic has caused us to experience, in some cases, longer sales cycles and an increase in certain prospective and current customers seeking lower prices or other more favorable contract terms, we do not believe these developments have been substantial enough to cause a significantly negative impact on our results of operations. Additionally, we have not seen significant negative impacts on collections of accounts receivable or attrition rates of our customers. Conversely, the long term work-from-home policies, which have stemmed from the COVID-19 pandemic, have resulted in employees accessing their companies’ systems remotely, which has increased cybersecurity, privacy and data protection risks for these companies and may lead to heightened interest in our platform and products. There is no assurance that the levels of interest, demand and use of our platform and products will continue or will not decrease in the future. Any such decrease could have an adverse effect on our growth and the success of our platform and products.
We may face exposure to foreign currency exchange rate fluctuations.
Today, our international contracts are sometimes denominated in local currencies; however, the majority of our international costs are denominated in local currencies. Over time, an increasing portion of our international contracts may be denominated in local currencies. Therefore, fluctuations in the value of the U.S. dollar and foreign currencies may affect our results of operations when translated into U.S. dollars. We do not currently engage in currency hedging activities to limit the risk of exchange rate fluctuations. However, in the future, we may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign currency exchange rates. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.
Catastrophic events may disrupt our business.
Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce and the global economy, and thus could harm our business. We have a large employee presence in Clearwater, Florida and the east coast of the United States is often subject to seasonal hurricanes. In the event of a major hurricane, earthquake or other catastrophic event such as fire, power loss, telecommunications failure, cyber-attack, acts of war, including Russia’s actions in Ukraine, or terrorist attack, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our application development, lengthy interruptions in our products, breaches of data security and loss, alteration or compromise of critical data, all of which could harm our business, financial condition and results of operations. In addition, the insurance we maintain may not be adequate to cover our losses resulting from disasters or other business interruptions.
Item 1B. Unresolved Staff Comments
Item 2. Properties
Our corporate headquarters is located in the Tampa Bay, Florida area, where we currently lease approximately 154,300 square feet of space under lease agreements that expire between 2022 and 2027. We also maintain offices in multiple international locations, including Australia, Brazil, Germany, Japan, the Netherlands, Norway, Singapore, South Africa, the United Arab Emirates and the United Kingdom. We lease all of our offices and do not own any real property. We expect to add additional office space as we grow our employee base and expand geographically. We believe that our offices are adequate to meet our needs for the immediate future and that, should it be needed, suitable additional space will be available to accommodate expansion of our operations.
Item 3. Legal Proceedings
From time to time, we may be subject to legal proceedings arising in the ordinary course of business. In addition, from time to time, third parties may assert intellectual property infringement claims against us in the form of letters and other forms of communication. As of the date of this Annual Report on Form 10-K , we are not a party to any litigation the outcome of which, if determined adversely to us, would individually or in the aggregate be reasonably expected to have a material adverse effect on our results of operations, prospects, cash flows, financial position, or brand.
Item 4. Mine Safety Disclosures
Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Market Information for Common Stock
Our Class A common stock is listed on the Nasdaq Global Select Market, or Nasdaq, under the symbol “KNBE” since April 26, 2021. Prior to that date, there was no public market for our Class A common stock. There is no public market for our Class B common stock.
Holders of Record
As of March 4, 2022, we had 45 and 49 holders of record of our Class A common stock and Class B common stock, respectively. Because many of our shares of Class A common stock are held by brokers and other institutions on behalf of shareholders, we are unable to estimate the total number of beneficial owners of our Class A common stock represented by these holders.
We anticipate that we will retain any earnings to support operations and to finance the growth and development of our business. Accordingly, although we paid a one-time special dividend in the year ended December 31, 2019, we do not expect to pay cash dividends on our Class A common stock or Class B common stock in the foreseeable future. In addition, the terms of our Revolving Credit Facility contain restrictions on our ability to declare and pay cash dividends on our capital stock.
Use of Proceeds
On April 26, 2021, we completed an IPO of our Class A common stock, in which we issued and sold 10,425,000 shares of Class A common stock, including 1,425,000 shares resulting from the exercise in full of the underwriters’ option to purchase additional shares, at an IPO price of $16.00 per share for net proceeds to the Company of $156.0 million. Upon recording the proceeds from the transaction, we reclassified $2.2 million of offering costs into stockholders’ equity (deficit) as a reduction of the net proceeds received from the IPO. All of the shares issued and sold in our IPO were registered under the Securities Act pursuant to a registration statement on Form S-1 (File No. 333‑254518), which was declared effective by the SEC on April 21, 2021. There has been no material change in the planned use of proceeds from our IPO from those disclosed in the final prospectus for our IPO dated as of April 16, 2019 and filed with the SEC pursuant to Rule 424(b)(4) on April 23, 2021.
Stock Performance Graph
The graph below compares the cumulative total return to our shareholders between April 22, 2021 (the date our Class A common stock commenced trading on the Nasdaq stock exchange) through December 31, 2021 in comparison to Nasdaq Global Select Index and Nasdaq CTA Cybersecurity Index.
The graph assumes $100 was invested in each of our Class A common stock, the Nasdaq Global Select and the Nasdaq CTA Cybersecurity. The comparisons are based on historical data and are not indicative of, nor intended to, forecast the future performance of our Class A common stock.
This performance graph shall not be deemed incorporated by reference into any of our other filings under the Securities Exchange Act of 1934, as amended, or the Securities Act of 1933, as amended.
Recent Sales of Unregistered Securities
On November 1, 2021, we issued 1,194,957 shares of Class A common stock to SecurityAdvisor Technologies, Inc. (“SecurityAdvisor”) in connection with our acquisition of SecurityAdvisor for cash and equity consideration.
Issuer Purchases of Equity Securities
Item 6. [ Reserved ]
Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and the related notes to those statements included elsewhere in this Annual Report on Form 10-K. In addition to historical financial information, the following discussion and analysis contains forward-looking statements based upon current expectations that involve risks, uncertainties and assumptions. Our actual results and timing of selected events may differ materially from those anticipated in these forward-looking statements as a result of many factors, including those discussed under “Risk Factors” and elsewhere in this Annual Report on Form 10-K.
KnowBe4 has developed the leading security awareness platform enabling organizations to assess, monitor and minimize the ongoing cybersecurity threat of social engineering attacks. We are pioneering an integrated approach to security awareness that incorporates cloud-based software, machine learning, artificial intelligence, advanced analytics and insights with engaging content. Our platform is designed to drive awareness, change human behavior and enable a security-minded culture that results in a reduction of social engineering risks.
KnowBe4 was founded in 2010 by cybersecurity veterans based on the observation that social engineering tactics targeted at the human level often allowed attackers to bypass and evade security infrastructure defenses. Attackers often use low-cost, high-volume social engineering methods to gain access to systems during the initial phase of broader, multi-stage cyberattacks that can result in devastating security breaches. Social engineering
represents a universal cybersecurity risk, as it specifically targets the employees rather than the infrastructure of an organization. As such, social engineering affects organizations of all sizes and across all industries, regardless of their level of security infrastructure spend.
We began selling our initial product, which was the precursor to our Kevin Mitnick Security Awareness Training product, or KMSAT, in 2011 and began experiencing more significant market adoption in 2014, which coincides with the emergence of ransomware attacks spread via social engineering tactics. Our initial product provided the foundation for our future offerings, as it focused on enabling organizations to assess their social engineering risks and provided security awareness training to mitigate these risks. Over time, we have developed additional functionality to enhance management and risk assessment capabilities of our platform, as well as additional content to improve the efficacy of our security awareness modules. We later released KnowBe4 Compliance Manager, or KCM, a product enabling organizations to manage compliance and audit cycles. In December 2018, we released PhishER, our security orchestration and automation product, that enables security operations teams to prioritize and automate security workstreams in order to respond to and remediate social engineering attacks. Compliance Plus, our most recent product, was launched in June 2021 and expands our platform to include compliance training, with relevant and engaging content and training modules addressing compliance topics ranging from data privacy to diversity, equity and inclusion. We generate substantially all of our revenue from the sale of subscriptions to access our cloud-based platform. Our platform is priced individually by product then based on the subscription tier and number of subscribed users.
Our platform is designed to be powerful, yet highly scalable, intuitive and easy to deploy, in order to reduce the administrative burden of managing social engineering risk on security and IT professionals. Customers typically deploy our platform quickly across their entire organization to monitor and reduce the cybersecurity risk associated with their employees’ behavior. Because our products are designed to change human behavior within the entire organization, rollout of our products is performed organization-wide at the onset of a contract rather than focused on certain departments or portions of an organization. We utilize our team of customer success managers to ensure successful adoption and use of our products, while dedicated pricing specialists are tasked with negotiating customer renewals, along with upselling and cross-selling.
We sell our products to customers of all sizes both directly through our dedicated inside sales teams for enterprise and small and medium businesses (“SMBs”), and indirectly through channel partners and managed service providers, or MSPs. Our deeply integrated ecosystem of channel partners significantly expands our market reach and ability to expand our sales efforts. Our inside sales representatives work alongside our network of channel partners to engage in joint marketing activities. As a result of our ongoing MSP and channel development efforts, our partners have increasingly driven net new business, particularly in our international markets.
We have established a significant market presence, with more than 47,000 customers as of December 31, 2021, across virtually all industries and multiple geographies. No single direct customer represented more than 10% of our annual revenue for the year ended December 31, 2021.
Our business has experienced significant growth with total revenue of $246.3 million, $174.9 million and $120.6 million for the years ended December 31, 2021, 2020 and 2019, respectively. As of the ends of the same periods, we had annual recurring revenue, or ARR, of $285.4 million, $198.4 million and $145.4 million, respectively. For the years ended December 31, 2021, 2020 and 2019, we had net losses of $11.8 million, $2.4 million, and $124.3 million, respectively, which included $29.3 million, $5.2 million and $118.1 million of stock compensation expense, respectively. See the sections titled “—Key Business Metrics—Annual Recurring Revenue” for additional information regarding ARR.
We have built our business with a focus on cash flow generation. Our net cash provided by operating activities was $76.8 million, $44.9 million and $29.7 million and our free cash flow was $71.2 million, $36.7 million and $18.9 million for the years ended December 31, 2021, 2020 and 2019, respectively. See the sections titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Non-GAAP Financial Measures—Free Cash Flow” for additional information regarding free cash flow and for a reconciliation of free cash flow to the most directly comparable financial measure calculated in accordance with U.S. generally accepted accounting principles, or GAAP.
Key Factors Affecting Our Performance
Market Adoption and Technology Leadership
Our future success depends in large part on the growth in the market for security awareness which encompasses all products designed to address the risks of social engineering. Many organizations have yet to deploy technology to address the risks associated with the human layer; as such, we view this market as a largely greenfield opportunity.
Maintaining our market-leading position in the emerging market for security awareness is a key to our future success. Our position is, in large part, attributable to the combination of software, content and data analytics on our platform, thoughtful design of our products, prioritization of content development and a focus on customer service. To maintain our position as a market leader, we intend to continue to innovate our existing product features and develop new products that complement our existing offerings and further address the ongoing risks of social engineering. Additionally, we plan to generate training content that is responsive in near real-time to the current threat environment and is localized to the geographies where we plan to expand.
Investment in Customer Acquisition and Retention
Our results of operations depend significantly on our ability to acquire new customers, which we plan to do by continuing to make significant investments in sales and marketing and brand awareness. Our ability to attract new customers will depend on a number of factors, including our success in recruiting, training and retaining talented salespeople while scaling our sales and marketing organization and competitive dynamics in our target markets. We intend to expand both our direct inside sales force and our channel partnerships, with a focus on increasing sales to enterprise customers, which we define as customers with greater than 1,000 employees. We expect new customer acquisition, which is measured through number of customers and ARR, to drive significant growth in the near term.
Our potential for growth further depends on our ability to retain existing customers. Our dollar-based net retention rate as of December 31, 2021 was 108.4% representing an increase over our dollar-based net retention rates as of December 31, 2020 of 102.8%. We do not believe our dollar-based net retention rate as of December 31, 2019 provides a meaningful comparison to more current rates based on the evolution of our product offerings and customer adoption of our products since that time. We calculate our dollar-based net retention rate as ARR at the end of the current reporting period for customers who were also active at the end of the same reporting period in the prior year divided by ARR for the same reporting period in the prior year. Our dollar-based net retention rate measures our ability to increase revenue across our existing customer base through expanded use of our platform, offset by customers whose subscriptions with us are not renewed or are renewed at a lower amount. We believe the momentum in dollar-based net retention over prior periods reflects the investments we have made across our platform and within our customer success teams. Our management believes dollar-based net retention is an indicator of our ability to cross sell our products and has become increasingly important as we have expanded our platform through the introduction of new products.
We employ a business model centered around offering products that are easy to adopt and have a very short time to value. As of December 31, 2021, 2020 and 2019, approximately 22.1%, 13.7% and 7.7%, respectively, of our customers were using more than one product. We believe these metrics indicate strong momentum in the uptake of our newer products.
Expansion of International Operations
A substantial portion of our revenue from international customers has been generated through the establishment of our international sales operations and MSPs and channel partnerships. Additionally, our recent acquisitions have resulted in further international revenue growth. We believe that there is significant opportunity to continue to grow our international business through these sales operations and further development of our international channel partnerships. We believe that global demand for our platform and products will continue to increase as international market awareness grows. We have invested, and plan to continue to invest, ahead of this potential demand, in sales, marketing and support personnel.
Key Business Metrics
We regularly monitor a number of financial and operating metrics, including the following key metrics, in order to measure our current performance and estimate our future performance, as follows:
|(annual recurring revenue in thousands)|
|Number of customers||47,174 ||36,753 ||30,259 |
|Year-over-year growth||28.4 ||%||21.5 ||%||34.4 ||%|
|Annual recurring revenue||$||285,437 ||$||198,369 ||$||145,369 |
|Year-over-year growth||43.9 ||%||36.5 ||%||64.0 ||%|
Number of Customers
We believe that our ability to increase and retain the number of customers on our platform is an indicator of our market penetration, the growth of our business and potential future business opportunities. Increasing awareness of our platform and products, combined with further overall awareness of the need to address the human risk within cybersecurity, has continued to expand our customer base to include organizations of all sizes across all industries. We define a customer as a separate and distinct buying entity, such as a company, an educational or government institution or a distinct business unit of a large company that has an active contract with us to access our platform. We do not consider our channel partners as separate customers as our contracts are executed with the end user, and we treat MSPs, who may purchase our products on behalf of multiple companies, as a single customer. Our number of customers increased on an absolute basis, but there has been a decrease in growth rate since December 31, 2019 as a result of an increased focus on enterprise customers and MSPs, which are subject to longer sales cycles. Additionally, as our customer base grows and as our market penetration increases, we do not expect to continue to grow at the same year-over-year rate.
Annual Recurring Revenue
We believe that ARR is a key metric to measure our business performance because it is driven by our ability to acquire new customers and to maintain and expand our relationship with existing customers. We define ARR as the annualized value of all contractual subscription agreements as of the end of the period. We perform this calculation on an individual contract basis by dividing the total dollar amount of a contract by the total contract term stated in months and multiplying this amount by twelve to annualize. Calculated ARR for each individual contract is then aggregated to arrive at total ARR. ARR does not have a standardized meaning and therefore may not be comparable to similarly titled measures presented by other companies. ARR should be viewed independently of revenue, deferred revenue and remaining performance obligations and is not intended to be combined with or to replace any of those items. Specifically, ARR, as calculated under the definition herein, does not adjust for the timing impact of revenue recognition for specific performance obligations identified within a contract. ARR is not a forecast and the active contracts at the date used in calculating ARR may or may not be extended by our customers. We expect ARR in total dollars to continue to grow as we execute on our growth strategies and increase our market penetration, but we do not expect to continue to grow at the same year-over-year rate as we become a larger, more mature business.
Non-GAAP Financial Measures
In addition to our results determined in accordance with GAAP, we believe the following non-GAAP measures are useful in evaluating our operating performance. We believe that non-GAAP financial information, when taken collectively, may be helpful to investors because it provides consistency and comparability with past financial performance. However, non-GAAP financial information is presented for supplemental informational purposes only, has limitations as an analytical tool, and should not be considered in isolation or as a substitute for financial information presented in accordance with GAAP. Other companies, including companies in our industry, may calculate similarly-titled non-GAAP measures differently or may use other measures to evaluate their performance, all of which could reduce the usefulness of our non-GAAP financial measures as tools for comparison. A reconciliation is provided below for each non-GAAP financial measure to the most directly comparable financial
measure stated in accordance with GAAP. Investors are encouraged to review the related GAAP financial measures and the reconciliation of these non-GAAP financial measures to their most directly comparable GAAP financial measures and not rely on any single financial measure to evaluate our business.
Non-GAAP Gross Profit
We define non-GAAP gross profit as GAAP gross profit excluding stock compensation expense, amortization of acquired technology and intangible assets and acquisition and integration related costs. Costs associated with acquisitions and integration include legal, accounting and other professional fees, changes in the fair value of contingent consideration obligations and other costs related to the transition of the acquired business. We believe non-GAAP gross profit provides our management and investors consistency and comparability with our past financial performance and facilitates period-to-period comparisons of our results of operations, as this metric generally eliminates the effects of certain variables unrelated to our overall operating performance.
|Year Ended December 31,|
|Gross profit||$||211,183 ||$||148,156 ||$||99,996 |
|Add: Stock compensation expense||470 ||188 ||83 |
|Add: Amortization of acquired technology and intangible assets||848 ||240 ||164 |
|Non-GAAP gross profit||$||212,501 ||$||148,584 ||$||100,243 |
Non-GAAP Operating Income (Loss)
We define non-GAAP operating income (loss) as GAAP operating loss excluding stock compensation expense, amortization of acquired technology and intangible assets and acquisition and integration related costs. Costs associated with acquisitions and integration include legal, accounting and other professional fees, as well as changes in the fair value of contingent consideration obligations and other costs related to the transition of the acquired business. We believe non-GAAP operating income (loss) provides our management and investors consistency and comparability with our past financial performance and facilitates period-to-period comparisons of operations, as this metric generally eliminates the effects of certain variables unrelated to our overall operating performance.
|Year Ended December 31,|
|Add: Stock compensation expense||29,345 ||5,234 ||118,105 |
|Add: Amortization of acquired technology and intangible assets||1,397 ||332 ||247 |
|Add: Acquisition and integration related costs||4,271 ||— ||292 |
|Non-GAAP operating income (loss)||$||28,425 ||$||4,024 ||$||(6,888)|
Free Cash Flow
We define free cash flow as net cash provided by operating activities, the most directly comparable financial measure calculated in accordance with GAAP, less purchases of property and equipment, amounts capitalized for internal-use software and principal payments on finance leases. We believe that free cash flow is a meaningful indicator of liquidity to management and investors about the amount of cash generated from our operations that,
after the investments in property, equipment and capitalized internal-use software, can be used for strategic initiatives.
|Year Ended December 31,|
|Net cash provided by operating activities ||$||76,778 ||$||44,864 ||$||29,718 |
|Less: Purchases of property and equipment||(3,010)||(5,426)||(5,573)|
|Less: Capitalized internal-use software||(2,506)||(2,682)||(5,223)|
|Less: Principal payments on finance leases||(40)||(35)||— |
|Free cash flow||$||71,222 ||$||36,721 ||$||18,922 |
Components of Our Operating Results
We derive substantially all of our revenue from subscription services fees paid by customers for access to our cloud-based platform, which includes support services and feature upgrades throughout the duration of the customer’s contract. While contracts with our customers do not provide the customer with the right to take possession of software operating on our global cloud-based platform, certain arrangements allow our customers the ability to download and use our content within their own learning management systems. Our content is only available to customers throughout the duration of their subscription and is accessed through our cloud-based platform. Subscription services fees and access to content for download are considered separate performance obligations. Invoiced amounts are allocated between subscription services fees and access to content and are recorded as deferred revenue and revenue, respectively. Deferred revenue primarily consists of amounts invoiced to customers for our subscription services and is generally recognized ratably over the subscription period while revenue related to content downloads is recognized at contract inception.
Subscription terms typically range from one year to three years and generally begin on the date access to our platform is made available to the customer. Our subscriptions are generally invoiced upfront for the duration of the contract term or in annual installments. Our arrangements are primarily noncancellable and nonrefundable. We collect our receivables in advance of the subscription service period and often issue renewal invoices in advance of the renewal service period.
Because we recognize revenue ratably over the terms of our subscription contracts, a substantial portion of the revenue that we report in each period is attributable to the recognition of deferred revenue relating to agreements that we entered into during previous periods. Consequently, increases or decreases in new sales or renewals in any one period may not be immediately reflected as revenue for that period. Accordingly, the effect of downturns in sales and market acceptance of our platform, and potential changes in our rate of renewals, may not be fully reflected in our results of operations until future periods.
Cost of Revenues and Gross Margin
Cost of revenues consists of costs associated with delivering our platform and providing support. These costs include employee-related costs such as salaries and bonuses, stock compensation expense and benefits costs associated with our operations and support personnel, costs associated with third-party hosting services, amortization of acquired technology, amortization of capitalized internal-use software and content and allocated overhead. We expect cost of revenues to increase in absolute dollars and as a percentage of revenue, relative to the extent of the growth of our business and reflective of the impacts of wage inflation seen in the market as a whole.
Gross margin is gross profit expressed as a percentage of total revenue. Our gross margin has been and will continue to be affected by various factors, including the timing and amount of costs associated with supporting our platform, the extent to which we expand our customer success team and the rate at which we develop or acquire new products, significant features and additional content to be added to our platform. We intend to continue to invest
additional resources in our platform, content development and support services which we expect to result in steady gross margin over time.
Sales and Marketing
Sales and marketing expenses consist primarily of employee-related costs, including salaries and wages, stock compensation expenses and sales commissions, costs of general marketing programs and promotional activities, travel-related expenses and allocated overhead. Sales commissions earned by our sales force that are considered to be incremental to the cost of acquiring a customer are deferred and amortized over the estimated period of benefit. Marketing programs consist of advertising, events, including our KB4-CON customer conference, which has historically been held during the second quarter of each year, corporate communications, brand building and product marketing activities. We expect our sales and marketing expenses to increase on an absolute dollar basis as we continue to make significant investments in our sales and marketing organization to drive additional revenue, increase market share and expand our global customer base.
Technology and Development
Technology and development costs consist primarily of research and development activities, non-capitalizable costs of developing platform features and content and certain overhead allocations. These costs include employee-related costs, including salaries and wages and stock compensation expenses, consulting services, expenses related to the design, development, testing and enhancements of our subscription services. Technology and development costs are expensed as incurred. From a unit cost standpoint, our technology and development costs are lower primarily due to favorable costs of living in the geographic locations in which our offices are based but could be impacted in the future by the ongoing trend towards remote work and overall wage inflation. We expect that our technology and development expenses will increase in absolute dollars and may increase as a percentage of our revenue as we continue to enhance our platform functionality and develop new content and features. Additionally, our technology and development expense may fluctuate as a percentage of our revenue from period to period depending on the timing and nature of development activities.
General and Administrative
General and administrative expenses consist primarily of employee-related costs for accounting, finance, legal, IT and human resources personnel and also include expenses related to consulting services, audit fees, tax services, legal services and other general corporate items. Our general and administrative costs also include our investment in internal initiatives and tools which we believe promotes our corporate culture and helps us attract and retain talent. We expect our general and administrative expenses to increase in absolute dollars in future periods as we continue to expand our operations, hire additional personnel, see the ongoing impact of overall wage inflation and incur costs to support the requirements of being a public company.
Interest and Other Income
Interest and other income primarily consists of interest earned on overnight cash deposits and fluctuates with market rates of interest and overall cash balances.
Interest expense primarily relates to imputed interest calculated on certain contingent consideration obligations arising from our historical business combinations along with fees associated with our revolving line of credit.
Income Tax (Expense) Benefit
Income tax (expense) benefit consists of federal and state income taxes in the United States and income taxes in certain foreign jurisdictions. Our provision for income taxes has not historically been significant to our business as we have incurred operating losses to date. We maintain a valuation allowance on our U.S. federal, state and certain
foreign deferred tax assets as we have concluded that it is not more likely than not that the deferred assets will be realized.
Results of Operations
The following table is a summary of our consolidated statements of operations:
|Year Ended December 31,|
|Revenues, net||$||246,298 ||$||174,886 ||$||120,575 |
Cost of revenues(1)
|35,115 ||26,730 ||20,579 |
|Gross profit||211,183 ||148,156 ||99,996 |
Sales and marketing(1)
|107,519 ||82,188 ||69,090 |
Technology and development(1)
|28,110 ||19,804 ||10,662 |
General and administrative(1)
|82,142 ||47,706 ||145,776 |
|Total operating expenses||217,771 ||149,698 ||225,528 |
|Other income (expense):|
|Interest income||57 ||197 ||799 |
|Other (loss) income||(1,030)||807 ||90 |
|Loss before income tax (expense) benefit||(7,957)||(598)||(124,690)|
|Income tax (expense) benefit||(3,888)||(1,832)||367 |
(1)Amounts include stock compensation expense as follows:
|Year Ended December 31,|
|Cost of revenues||$||470 ||$||188 ||$||83 |
|Sales and marketing||8,474 ||1,579 ||5,750 |
|Technology and development||1,706 ||896 ||162 |
|General and administrative||18,695 ||2,571 ||112,110 |
|Total stock compensation expense||$||29,345 ||$||5,234 ||$||118,105 |
Comparison of the Years Ended December 31, 2021 and 2020
|Year Ended December 31,||Change|
|Revenues, net||$||246,298 ||$||174,886 ||$||71,412 ||40.8 ||%|
Revenues increased by $71.4 million, or 40.8%, for the year ended December 31, 2021, compared to the year ended December 31, 2020. Due to the nature of our subscription-based business model, a large portion of our revenues in a given period results from the recognition of revenues deferred in prior periods. As such, $37.7 million of the year-over-year increase in revenue is related to the recognition of deferred revenues from the accumulation of
contracts entered into during prior periods. Revenues earned in foreign jurisdictions has increased by $18.3 million compared to the prior year. The remaining increase is attributable to revenues from new customers combined with revenues from cross-selling additional products into our existing customer base. Our customer base grew by 28.4% and the number of customers with active subscriptions to more than one of our products has increased to 22.1% of our total customer base.
Cost of Revenues and Gross Margin
|Year Ended December 31,||Change|
|Cost of revenues||$||35,115 ||$||26,730 ||$||8,385 ||31.4 ||%|
|Gross margin||85.7 ||%||84.7 ||%|
Cost of revenues increased by $8.4 million, or 31.4%, for the year ended December 31, 2021, compared to the year ended December 31, 2020. The overall increase in cost of revenues is in line with our increase in revenues over the same period, while maintaining our margin position. The total dollar value increase in cost of revenues is primarily driven by approximately $6.3 million of additional personnel and other allocated costs related to a combination of headcount expansion, comparatively higher performance bonuses resulting from the growth in revenues over the period and higher overhead allocations. Additionally, $1.2 million of the increase relates to increased costs of hosting our platform with the remaining cost increases attributable the amortization of both our acquired and internally developed technology and content. Gross margin slightly increased compared to the prior year period as we continue to scale our customer support functions.
Sales and Marketing
|Year Ended December 31,||Change|
|Sales and marketing||$||107,519 ||$||82,188 ||$||25,331 ||30.8 ||%|
Sales and marketing expenses increased by $25.3 million, or 30.8%, for the year ended December 31, 2021, compared to the year ended December 31, 2020. The increase in sales and marketing expenses primarily relates to increased personnel costs of $21.2 million, including salaries, commissions and performance bonus costs primarily driven by a corresponding increase in headcount which is consistent with our overall business growth. These personnel costs include an increase in stock compensation expense of $6.9 million, the majority of which relates to the issuance of RSUs to certain executives in conjunction with our initial public offering or IPO in April 2021. Additionally, $2.6 million of the increase primarily relates to marketing campaigns to support new product launches and public relations efforts to evangelize the need to address the human risk in cybersecurity. The remaining increases are attributable to overall growth in the business, including overhead allocations, of approximately $1.3 million.
Technology and Development
|Year Ended December 31,||Change|
|Technology and development||$||28,110 ||$||19,804 ||$||8,306 ||41.9 ||%|
Technology and development expenses increased by $8.3 million, or 41.9%, for the year ended December 31, 2021, compared to the year ended December 31, 2020. The increase in technology and development costs is primarily driven by $7.5 million of additional personnel costs as we increase developer headcount to support our
product development initiatives combined with higher performance bonuses. The increased developer headcount has also led to higher subscription costs and overhead allocations which make up the remaining increase. These expenses have remained consistent as a percentage of revenue as they align to growth in our business.
General and Administrative
|Year Ended December 31,||Change|
|General and administrative||$||82,142 ||$||47,706 ||$||34,436 ||72.2 ||%|
General and administrative expenses increased by $34.4 million, or 72.2%, for the year ended December 31, 2021, compared to the year ended December 31, 2020. This increase is driven by $29.6 million of additional personnel costs, which includes additional stock compensation expense of $16.1 million the majority of which relates to the issuance of RSUs to certain executives in conjunction with the completion of our IPO in April 2021. The remaining increase in personnel costs is driven by increases in headcount across our administrative functions, such as legal, finance and human resources, to support overall business growth and costs of operating as a public company. An additional $2.7 million of the increase relate to consulting and professional fees incurred primarily to support the completion of our IPO, secondary offerings and the two business combinations completed during the year ended December 31, 2021.
Income Tax Expense
|Year Ended December 31,||Change|
|Income tax expense||$||(3,888)||$||(1,832)||$||(2,056)||112.2 ||%|
Income tax expense increased by $2.1 million, or 112.2%, for the year ended December 31, 2021, compared to the year ended December 31, 2020. This increase is due to additional deferred tax expense recognized in our foreign jurisdictions due to growth in our international operations.
Comparison of the Years Ended December 31, 2020 and 2019
|Year Ended December 31,||Change|
|Revenues, net||$||174,886 ||$||120,575 ||$||54,311 ||45.0 ||%|
Revenues increased by $54.3 million, or 45.0%, for the year ended December 31, 2020, compared to the year ended December 31, 2019. Due to the nature of our subscription-based business model, a large portion of our revenues in a given period results from the recognition of revenues deferred in prior periods. As such, $39.0 million of the year-over-year increase in revenue is related to the recognition of deferred revenues from the accumulation of contracts entered into during prior periods. The remaining increase is attributable to revenues from new customers combined with revenues from cross-selling additional products into our existing customer base, including substantial increases in revenues earned in foreign jurisdictions. Our customer base grew by 21.5% and the number of customers with active subscriptions to more than one of our products has increased to 13.7% of our total customer base.
Cost of Revenues and Gross Margin
|Year Ended December 31,||Change|
|Cost of revenues||$||26,730 ||$||20,579 ||$||6,151 ||29.9 ||%|
|Gross margin||84.7 ||%||82.9 ||%|
Cost of revenues increased by $6.2 million, or 29.9%, for the year ended December 31, 2020, compared to the year ended December 31, 2019. The overall increase in cost of revenues is primarily driven by increased headcount to support our overall business growth combined with increases in amortization related to our developed technology and content assets. The year-over-year increase in cost of revenues is slightly less than the increase in revenues over the same period due to efficiencies experienced in our customer support functions which contributed to the increase in gross margins for the year ended December 31, 2020 when compared to December 31, 2019.
Sales and Marketing
|Year Ended December 31,||Change|
|Sales and marketing||$||82,188 ||$||69,090 ||$||13,098 ||19.0 ||%|
Sales and marketing expenses increased by $13.1 million, or 19.0%, for the year ended December 31, 2020, compared to the year ended December 31, 2019. The increase in sales and marketing expenses relates to a $8.4 million increase in employee-related costs, including salaries and commissions, primarily driven by increased headcount during the year, a $2.6 million increase in software license fees and additional increases in expenditures for marketing and promotional activities and allocated overhead.
Technology and Development
|Year Ended December 31,||Change|
|Technology and development||$||19,804 ||$||10,662 ||$||9,142 ||85.7 ||%|
Technology and development expenses increased by $9.1 million, or 85.7%, for the year ended December 31, 2020, compared to the year ended December 31, 2019. The increase in technology and development costs is driven by an $8.0 million increase in employee-related research and development costs associated with the development of new platform features and preliminary development activity related to new products. The increase is further attributable to increased overhead allocations and production expenses which are in line with the overall growth of our business.
General and Administrative
|Year Ended December 31,||Change|
|General and administrative||$||47,706 ||$||145,776 ||$||(98,070)||(67.3)||%|
General and administrative expenses decreased by $98.1 million, or (67.3)%, for the year ended December 31, 2020, compared to the year ended December 31, 2019. The decrease is primarily due to $110.6 million of stock compensation expense recognized in conjunction with the Series C and C-1 Preferred Stock transactions during the
year ended December 31, 2019. Excluding the impact of these transactions, the change in general and administrative expenses was an increase of $12.5 million or 35.4%. These increases in general and administrative expenses as compared to the prior year relate to $9.4 million in additional employee-related expenses within our administrative functions along with an additional $3.1 million of costs to support overall growth in the business including professional fees and other general operating costs, such as depreciation and amortization expenses, lease and utilities costs.
Income Tax Benefit (Expense)
|Year Ended December 31,||Change|
|Income tax (expense) benefit||$||(1,832)||$||367 ||$||(2,199)||(599.2)||%|
Income tax expense increased by $2.2 million, or (599.2)%, for the year ended December 31, 2020, compared to the year ended December 31, 2019. This increase is primarily due to a $2.7 million valuation allowance recorded as a result of continuing losses generated at our German subsidiary.
Quarterly Results of Operations
The following tables set forth selected unaudited quarterly statements of operations data for each of the eight quarters ended December 31, 2021, as well as the percentage of total revenue that each line item represents for each quarter. The information for each of these quarters has been prepared on the same basis as the audited annual consolidated financial statements included elsewhere in this Annual Report on Form 10-K and, in the opinion of management, includes all adjustments, which consist only of normal recurring adjustments, necessary for the fair presentation of the results of operations for these periods. This data should be read in conjunction with our audited
consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10-K. These quarterly results are not necessarily indicative of our results of operations to be expected for any future period.
|Three Months Ended|
|December 31, 2021||September 30, 2021||June 30, 2021||March 31, 2021||December 31, 2020||September 30, 2020||June 30, 2020||March 31, 2020|
|(in thousands, except customer data)|
|Revenues, net||$||69,307 ||$||64,091 ||$||59,350 ||$||53,550 ||$||49,287 ||$||44,932 ||$||41,489 ||$||39,178 |
Cost of revenues (1)
|9,572 ||9,609 ||8,591 ||7,343 ||7,466 ||6,918 ||6,303 ||6,043 |
|Gross profit||59,735 ||54,482 ||50,759 ||46,207 ||41,821 ||38,014 ||35,186 ||33,135 |
Sales and marketing (1)
|25,207 ||27,731 ||31,510 ||23,071 ||21,934 ||20,752 ||19,875 ||19,627 |
Technology and development (1)
|8,029 ||7,579 ||6,760 ||5,742 ||5,685 ||4,822 ||4,391 ||4,906 |
General and administrative (1)
|19,377 ||19,852 ||28,284 ||14,629 ||13,170 ||13,440 ||10,976 ||10,120 |
|Total operating expenses||52,613 ||55,162 ||66,554 ||43,442 ||40,789 ||39,014 ||35,242 ||34,653 |
|Operating income (loss)||7,122 ||(680)||(15,795)||2,765 ||1,032 ||(1,000)||(56)||(1,518)|
|Other income (expense):|
|Interest income||16 ||16 ||7 ||18 ||38 ||20 ||14 ||125 |
|Other (expense) income||(585)||114 ||(416)||(143)||665 ||29 ||80 ||33 |
|Income (loss) before income tax (expense) benefit||6,486 ||(617)||(16,270)||2,444 ||1,720 ||(967)||22 ||(1,373)|
|Income tax (expense) benefit||(2,088)||(963)||(593)||(244)||(1,516)||(735)||407 ||12 |
|Net income (loss)||$||4,398 ||$||(1,580)||$||(16,863)||$||2,200 ||$||204 ||$||(1,702)||$||429 ||$||(1,361)|
|Number of customers||47,174 ||44,319 ||41,601 ||38,975 ||36,753 ||34,604 ||33,056 ||31,823 |
Annual recurring revenue(2)
|$||285,437 ||$||262,172 ||$||240,595 ||$||222,270 ||$||198,369 ||$||181,924 ||$||169,003 ||$||157,919 |
Free cash flow(2)
|$||19,562 ||$||17,910 ||$||12,789 ||$||20,961 ||$||4,117 ||$||11,017 ||$||11,201 ||$||10,386 |
(1)Amounts include stock compensation expense as follows:
|Three Months Ended|
|December 31, 2021||September 30, 2021||June 30, 2021||March 31, 2021||December 31, 2020||September 30, 2020||June 30, 2020||March 31, 2020|
|Cost of revenues||$||217 ||$||124 ||$||76 ||$||53 ||$||66 ||$||70 ||$||31 ||$||21 |
|Sales and marketing||1,197 ||726 ||5,662 ||889 ||754 ||423 ||251 ||151 |
|Technology and development||1,176 ||242 ||148 ||140 ||573 ||153 ||100 ||70 |
|General and administrative||3,483 ||1,652 ||12,983 ||577 ||588 ||588 ||934 ||461 |
|Total stock compensation expense||$||6,073 ||$||2,744 ||$||18,869 ||$||1,659 ||$||1,981 ||$||1,234 ||$||1,316 ||$||703 |
(2)See the sections entitled “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Key Business Metrics—Annual Recurring Revenue” for additional information regarding ARR and “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Non-GAAP Financial Measures—Free Cash Flow” for additional information regarding free cash flow and for a reconciliation of free cash flow to the most directly comparable financial measure calculated in accordance with U.S. generally accepted accounting principles, or GAAP.”
Percentage of Revenues Data
All values from the statement of operations, expressed as percentage of total revenues are as follows:
|Three Months Ended|
|December 31, 2021||September 30, 2021||June 30, 2021||March 31, 2021||December 31, 2020||September 30, 2020||June 30, 2020||March 31, 2020|
|Revenues, net||100.0 ||%||100.0 ||%||100.0 ||%||100.0 ||%||100.0 ||%||100.0 ||%||100.0 ||%||100.0 ||%|
|Cost of revenues||13.8 ||%||15.0 ||%||14.5 ||%||13.7 ||%||15.1 ||%||15.4 ||%||15.2 ||%||15.4 ||%|
|Gross margin||86.2 ||%||85.0 ||%||85.5 ||%||86.3 ||%||84.9 ||%||84.6 ||%||84.8 ||%||84.6 ||%|
|Sales and marketing||36.4 ||%||43.3 ||%||53.1 ||%||43.1 ||%||44.5 ||%||46.2 ||%||47.9 ||%||50.1 ||%|
|Technology and development||11.6 ||%||11.8 ||%||11.4 ||%||10.7 ||%||11.5 ||%||10.7 ||%||10.6 ||%||12.5 ||%|
|General and administrative||28.0 ||%||31.0 ||%||47.7 ||%||27.3 ||%||26.7 ||%||29.9 ||%||26.5 ||%||25.8 ||%|
|Total operating expenses||75.9 ||%||86.1 ||%||112.1 ||%||81.1 ||%||82.8 ||%||86.8 ||%||84.9 ||%||88.5 ||%|
|Operating income (loss)||10.3 ||%||(1.1)||%||(26.6)||%||5.2 ||%||2.1 ||%||(2.2)||%||(0.1)||%||(3.9)||%|
|Other income (expense):|
|Interest income||— ||%||— ||%||— ||%||— ||%||0.1 ||%||— ||%||— ||%||0.3 ||%|
|Interest expense||(0.1)||%||(0.1)||%||(0.1)||%||(0.4)||%||— ||%||— ||%||— ||%||— ||%|
|Other (expense) income||(0.8)||%||0.2 ||%||(0.7)||%||(0.3)||%||1.3 ||%||0.1 ||%||0.2 ||%||0.1 ||%|
|Income (loss) before income tax (expense) benefit||9.4 ||%||(1.0)||%||(27.4)||%||4.6 ||%||3.5 ||%||(2.2)||%||0.1 ||%||(3.5)||%|
|Income tax (expense) benefit||(3.0)||%||(1.5)||%||(1.0)||%||(0.5)||%||(3.1)||%||(1.6)||%||1.0 ||%||— ||%|
|Net income (loss)||6.3 ||%||(2.5)||%||(28.4)||%||4.1 ||%||0.4 ||%||(3.8)||%||1.0 ||%||(3.5)||%|
Our quarterly revenue increased in each of the periods presented due to the combination of increases in the number of new customers, contract renewals with existing customers and sales of our newer products. Additionally, our fourth quarter has historically been our strongest quarter for new business and renewals, driven by the overall timing of existing customer contract renewals and customer budget timing. The effect of this seasonality in both invoicing patterns and overall new and renewal business causes the value of invoices that we generate in the fourth quarter for both new business and renewals to increase as a proportion of our total annual invoices.
Cost of revenues has increased in the majority of the periods presented. This overall increase in cost of revenues is in line with our increase in revenue and is primarily driven by increased headcount to support our overall business growth, particularly within our customer success team, combined with increases in amortization related to both our internally developed and acquired assets and costs of hosting our technology platform. Gross margin has slightly improved over the periods presented due to achieving some scale with our customer success team. We expect margins to remain steady in the future as we continue to build out our customer support structure to support our overall business growth.
Our operating expenses have generally increased over the periods presented primarily due to increases in headcount and other related expenses to support our growth. Any periods in which operating expenses have not increased sequentially were due to variability in our stock compensation expense. Additionally, our technology and development expenses fluctuate quarter to quarter based on the timing and extent of research and development and content production activities while our sales and marketing expenses can be impacted by the timing of industry events. Excluding the impact of the non-recurring stock compensation expense, our general and administrative expenses remain relatively consistent quarter over quarter when considering the growth in our business and impact of non-recurring transactions, such as business combinations and public offerings.
Liquidity and Capital Resources
At December 31, 2021, our principal sources of liquidity were cash and cash equivalents totaling $273.7 million and accounts receivable of $54.1 million. Our cash and cash equivalents are comprised of time deposits with financial institutions. To date, we have financed our operations primarily through payments received from customers using our platform supplemented by proceeds from private placements of our equity securities and our recent IPO. Our positive cash flows from operations enable us to make continued investments in the growth of our business. We expect our operating cash flows to further improve over the intermediate to long term as we increase our operational efficiency and experience economies of scale.
We typically invoice our subscription customers annually in advance. Therefore, a substantial source of our cash is from customer prepayments, which are included on our consolidated balance sheets as deferred revenue. Deferred revenue consists of invoiced fees for our subscription services, prior to satisfying the criteria for revenue recognition, which are subsequently recognized as revenue in accordance with our revenue recognition policy. As of December 31, 2021, we had deferred revenue of $265.8 million, of which $81.3 million was recorded as a current liability and is expected to be recorded as revenue in the next 12 months, provided all other revenue recognition criteria are met.
Our remaining performance obligation represents contracted revenue that has not yet been recognized and includes deferred revenue, which has been invoiced and is recorded on the consolidated balance sheets, and unbilled amounts that are not recorded on the consolidated balance sheets, that will be recognized as revenue in future periods. As of December 31, 2021, our remaining performance obligation was $323.7 million.
On March 12, 2021, we entered into a three-year $100.0 million revolving credit facility with Bank of America, or the Revolving Credit Facility. Interest on any borrowings under the revolving credit facility bear interest, at our option, at (i) a base rate equal to the highest of (a) the federal funds rate plus 0.50%, (b) the rate of interest in effect for such date as publicly announced from time to time by Bank of America as its “prime rate”, or (c) the eurodollar rate plus 1.0%, provided that such rate will not be less than 0.5%. We are obligated to pay other customary fees for a credit facility of this size and type, including letter of credit fees, an upfront fee, and an unused commitment fee. The terms of our Revolving Credit Facility include a number of covenants that limit our ability and our subsidiaries’ ability to, among other things, incur additional indebtedness, grant liens, merge or consolidate with other companies or sell substantially all of our assets, pay dividends, make redemptions and repurchases of stock, make investments, loans and acquisitions, or engage in transactions with affiliates. We expect to use the revolving credit facility for general corporate purposes, including potential future acquisitions and expansions. As of December 31, 2021, we were in compliance with all covenants and there were no amounts outstanding under this facility.
On April 26, 2021, we completed our IPO, in which we sold 10,925,000 shares of our Class A common stock at a price to the public of $16.00 per share, including 1,425,000 shares pursuant to the exercise in full of the underwriters’ option to purchase additional shares and 500,000 shares of our Class A common stock sold by certain selling stockholders. We received net proceeds of $153.0 million, after deducting underwriting discounts and commissions of $10.8 million and offering expenses paid by us of approximately $3.0 million.
We believe our existing cash and cash equivalents, cash provided by operating activities, available borrowings under our Revolving Credit Facility, and unbilled amounts related to contracted non-cancelable subscription agreements, which are not reflected on the balance sheets, will be sufficient to meet our working capital and capital expenditure needs over the next 12 months. In the future, we may enter into arrangements to acquire or invest in complementary businesses, products and technologies, and intellectual property rights, though we currently have no agreements or commitments to do so. To facilitate these acquisitions or investments, we may seek additional equity or debt financing, which may not be available on terms favorable to us or at all, impacting our ability to complete subsequent acquisitions or investments.
The following table presents a summary of our consolidated cash flows from operating, investing and financing activities.
|Year Ended December 31,|
|Net cash provided by operating activities||$||76,778 ||$||44,864 ||$||29,718 |
|Net cash used in investing activities||$||(39,340)||$||(8,108)||$||(15,766)|
|Net cash provided by (used in) financing activities||$||151,232 ||$||(436)||$||(9,612)|
Our largest source of cash flows from operations is cash collections from our customers for subscription services while our primary use of cash for operating activities is for employee-related expenses, including salaries, commissions and monthly performance bonuses. We have historically generated positive cash flows from operations as a result of our efficient sales model and period-over-period growth in subscription services.
Net cash provided by operating activities during the year ended December 31, 2021 was $76.8 million, which consisted of net loss of $11.8 million, adjusted for non-cash charges of $57.7 million and net cash inflows of $30.9 million provided by changes in our operating assets and liabilities. Non-cash charges primarily consisted of $19.5 million of amortization of deferred commissions, $13.6 million of depreciation and amortization of our capital assets and $29.3 million of stock compensation expense, which was primarily incurred in conjunction with our initial public offering (IPO). Cash outflows from changes in operating assets and liabilities primarily resulted from a $14.5 million increase in the total deferred commissions balance, a $15.4 million increase in the accounts receivable balance and a $4.5 million increase in the prepaid and other assets balance. The increases in our deferred commissions balance is due to the addition of new customers and renewal of existing contracts during the period while the increase in accounts receivable is due to the timing of billings and collections combined with growth in sales. The increase in prepaid and other assets is primarily due to a payroll tax credit recorded during the current year of $3.2 million and additional director and officer insurance costs. Cash inflows from changes in operating assets and liabilities primarily relate to a $80.1 million increase in the total deferred revenue balance resulting from the sale of additional subscription services under our standard advanced invoicing practices and an $18.4 million increase in accounts payable and accrued expense balances due primarily to increases in payroll related accruals resulting from payment timing and overall headcount growth.
Net cash provided by operating activities during the year ended December 31, 2020 was $44.9 million, which consisted of a net loss of $2.4 million, adjusted for non-cash charges of $26.9 million and net cash inflows of $20.4 million provided by changes in our operating assets and liabilities. Non-cash charges primarily consisted of $5.3 million of stock compensation expense, $14.2 million of amortization of deferred commissions and $11.8 million of depreciation and amortization of our capital assets. Cash outflows from changes in operating assets and liabilities primarily resulted from a $6.7 million increase in the accounts receivable balance and a $8.0 million increase in the total deferred commissions balance. The increase in both accounts receivable and deferred commissions balances is due to the addition of new customers and renewal of existing contracts during the period. The accounts receivable balance is also impacted by the timing of cash collections received. Cash inflows from changes in operating assets and liabilities primarily relate to an $46.7 million increase in the total deferred revenue balance resulting from the sale of additional subscription services under our standard advanced invoicing practices.
Net cash provided by operating activities during the year ended December 31, 2019 was $29.7 million, which consisted of a net loss of $124.3 million, adjusted for non-cash charges of $131.3 million and net cash inflows of $22.7 million provided by changes in our operating assets and liabilities. Non-cash charges primarily consisted of $118.1 million of stock compensation expense, $12.3 million of amortization of deferred commissions and $7.9 million of depreciation and amortization of our capital assets. Cash outflows from changes in operating assets and liabilities primarily resulted from an $11.8 million increase in the accounts receivable balance and a $10.1 million increase in the total deferred commissions balance. The increase in both accounts receivable and deferred
commissions balances is due to the addition of new customers and renewal of existing contracts during the period. The accounts receivable balance is also impacted by the timing of cash collections received. Cash inflows from changes in operating assets and liabilities primarily relate to a $55.3 million increase in the total deferred revenue balance resulting from the sale of additional subscription services under our standard advanced invoicing practices.
Net cash used in investing activities during the year ended December 31, 2021 primarily related to the $11.2 million of net cash paid for the acquisition of MediaPro Holdings, LLC, which closed on March 1, 2021, and the $22.6 million of net cash paid for the acquisition of SecurityAdvisor Technologies, Inc., which closed on November 1, 2021, combined with $2.5 million and $3.0 million of capital expenditures for internal-use software and the purchase of property and equipment, respectively.
Net cash used in investing activities during the year ended December 31, 2020 related to $2.7 million and $5.4 million of capital expenditures for internal-use software and the purchase of property and equipment, respectively.
Net cash used in investing activities during the year ended December 31, 2019 related to $5.0 million of business combinations completed during the year, combined with $5.2 million and $5.6 million of capital expenditures for internal-use software and the purchase of property and equipment, respectively.
Net cash provided by financing activities during the year ended December 31, 2021 primarily related to $156.0 million of net proceeds received from the issuance of common stock in connection with the IPO, as well as $5.8 million of cash received upon the issuance of common stock from the exercise of stock options and $3.3 million cash received from the issuance of common stock under the employee stock purchase plan. These financing activities proceeds were offset by $12.3 million paid for taxes related to the net share settlement of our outstanding equity instruments and $1.2 million paid to repurchase shares of our common stock, prior to the IPO.
Net cash used in financing activities during the year ended December 31, 2020 primarily related to $4.9 million paid for the repurchase of common stock and options offset by $4.3 million of cash received upon the issuance of common stock from the exercise of stock options.
Net cash used in financing activities during the year ended December 31, 2019 primarily related to a $10.0 million one-time dividend payment issued to our existing shareholders offset by the net impact of the Series C and C-1 Preferred Stock transactions where we received proceeds of $340.4 million for the issuance of preferred stock and paid $339.9 million to repurchase existing common stock and outstanding stock options.
Our backlog is made up of remaining performance obligations associated with our customer contracts. These remaining performance obligations represent all future revenue under contract that has not yet been recognized which includes deferred revenue and unbilled amounts.
Our subscription agreements generally contain standard indemnification obligations. Pursuant to these agreements, we will indemnify, defend and hold the other party harmless with respect to a claim, suit, or proceeding brought against the other party by a third party alleging that our intellectual property infringes upon the intellectual property of the third party, or results from a breach of our representations and warranties or covenants, or that results from any acts of negligence or willful misconduct. The term of these indemnification agreements is generally perpetual any time after the execution of the agreement. Typically, these indemnification provisions do not provide for a maximum potential amount of future payments we could be required to make. However, in the past we have not been obligated to make significant payments for these obligations and no liabilities have been recorded for these obligations on our consolidated balance sheets as of December 31, 2021 or December 31, 2020.
We also indemnify our officers and directors for certain events or occurrences, subject to certain limits, while the officer is or was serving at our request in such capacity. The maximum amount of potential future indemnification is unlimited. However, our director and officer insurance policy limits our exposure and enables us to recover a portion of any future amounts paid. Historically, we have not been obligated to make any payments for these obligations and no liabilities have been recorded for these obligations on our consolidated balance sheets as of December 31, 2021 or December 31, 2020.
Critical Accounting Policies and Estimates
We prepare our consolidated financial statements in accordance with GAAP. In the preparation of these consolidated financial statements, we are required to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenue, costs and expenses, and related disclosures. To the extent that there are material differences between these estimates and actual results, our financial condition or results of operations would be affected. We base our estimates on past experience and other assumptions that we believe are reasonable under the circumstances, and we evaluate these estimates on an ongoing basis. We refer to accounting estimates of this type as critical accounting policies and estimates, which we discuss below.
We account for revenue in accordance with Accounting Standards Codification, or ASC, Topic 606 - Revenue from Contracts with Customers, and apply the following five-step approach for considering contracts:
1.Identification of the contract, or contracts, with the customer.
2.Identification of the performance obligations in the contract.
3.Determination of the transaction price.
4.Allocation of the transaction price to the performance obligations in the contract.
5.Recognition of revenue when, or as, we satisfy a performance obligation.
We recognize revenue at the time the related performance obligation is satisfied by transferring the service to a customer in an amount that reflects the consideration we expect to be entitled to in exchange for those services, net of any sales or other tax. Our subscription contracts typically vary from one year to three years and are generally noncancellable and nonrefundable.
Subscription services revenue consists of subscription fees earned from providing access to our cloud-based platform, including support services and feature upgrades, if and when available. Our cloud-based platform also includes training content which can be downloaded by the customer during their subscription term. Our subscription service contracts do not provide customers with the right to take possession of the software operating on the cloud platform and, as a result, are accounted for as service arrangements. Our customers’ ability to access our platform represents a series of distinct services, which fulfills our performance obligation over the subscription term. Accordingly, the amounts invoiced related to the ratable portion of subscription revenue are recorded as deferred revenue and recognized on a straight-line basis over the contract term, beginning on the date that the service is made available to the customer.
Additionally, our customers’ ability to access and download the content hosted within our KMSAT product is considered distinct and accounted for as a separate performance obligation, as our customers benefit from the use of the content independent of the KMSAT product through the download. The portion of the transaction price allocated to the downloadable content performance obligation is recognized as revenue at contract inception when the customer gains access to the downloadable content.
The transaction price is allocated to the separate performance obligations on a relative stand-alone selling price, or SSP, basis. The SSP for the ratable portion of subscription revenue is determined using observable stand-alone sales data, including adjustments for standard discounting practices. As it relates to the content available for download, we determine SSP using an adjusted market assessment approach , which requires significant judgment.
The calculation of SSP primarily utilizes suggested royalty rates, assumptions regarding content production costs and other industry pricing data.
We capitalize sales commissions and associated payroll taxes and benefits paid to internal sales personnel that are considered incremental to the acquisition of customer contracts. These costs are recorded as deferred commissions on the consolidated balance sheets upon invoicing to the customer and are paid upon cash collection from the customer. We determine whether costs should be deferred based on sales compensation plans if the commissions are incremental and would not have occurred absent the customer contract. Sales commissions related to an initial subscription contract are considered incremental to the acquisition of the customer contract to the extent that they exceed commissions earned on renewal sales. Sales commissions related to the renewal of a subscription contract are not considered commensurate with the commissions paid for the acquisition of the initial subscription contract given the substantive difference in commission rate between new and renewal contracts.
The portion of commissions paid upon the initial acquisition of a contract that are incremental to acquisition of the customer contract are amortized over an estimated period of benefit of six years. The portion of commissions paid upon initial acquisition that are commensurate with those paid on a renewal contract and commissions paid related to renewal contracts are amortized over the average length of the related revenue contract. An estimate of the portion of commissions related to the downloadable content performance obligation is made, which is recognized at contract inception consistent with the pattern of revenue recognition. This estimate is made in a consistent manner to the SSP allocated to the related portion of revenue, which requires judgment. Judgment is also required when determining the period of benefit for commissions paid for the acquisition of the initial subscription contract. We evaluate both qualitative and quantitative factors including the initial estimated customer life, the technological life of our platform and related significant features, customer attrition and industry practices.
We allocate the fair value of purchase consideration to the tangible assets acquired, liabilities assumed, and intangible assets acquired based on their estimated fair values. The excess of the fair value of purchase consideration over the fair values of these identifiable assets and liabilities is recorded as goodwill. Such valuations require management to make significant estimates and assumptions, especially with respect to intangible assets. Significant estimates in valuing certain intangible assets include, but are not limited to, future expected cash flows from acquired customers, acquired technology, trade names from a market participant perspective, useful lives and discount rates. Additionally, contingent consideration arrangements are considered to be part of the purchase consideration and are measured at their acquisition date fair value which is determined using complex valuation methodologies. The inputs to the valuation methodologies used to determine management’s estimates of fair value are based upon assumptions believed to be reasonable, but which are inherently uncertain and unpredictable and, as a result, actual results may differ from estimates. During the measurement period, which is one year from the acquisition date, we may record adjustments to the assets acquired and liabilities assumed, with the corresponding offset to goodwill. Upon the conclusion of the measurement period, any subsequent adjustments are recorded in the consolidated statement of operations.
Prior to our IPO and before there was an active market for our Class A common stock, we primarily issued stock options and estimated the fair value of those stock options using the Black-Scholes option-pricing model. The most significant estimate utilized in the model was the fair value of our common stock which was historically determined by the board of directors who exercised judgment and considered numerous objective and subjective factors to determine the best estimate of the fair value of our common stock including (i) valuations performed at or near the time of grant; (ii) rights, preferences, and privileges of our redeemable convertible preferred stock relative to those of our common stock; (iii) our actual operating and financial performance at the time of the option grant; (iv) likelihood of achieving a liquidity event, such as an IPO or a merger or acquisition of our business; (v) the value of comparable companies with respect to industry, business model, stage of growth, financial risk or other factors; (vi) our stage of development and future financial projections; (vii) market transactions at or near the time of grant;
and (viii) the lack of marketability of our common stock. Following the IPO, there is an active market for our Class A common stock, and we are no longer estimating the fair value of our common stock.
Recent Accounting Pronouncements
See Note 2 to our consolidated financial statements “Summary of Significant Accounting Policies” for more information.
Item 7A. Quantitative and Qualitative Disclosures About Market Risk
We have operations in the United States and internationally and we are exposed to market risk in the ordinary course of business.
Interest Rate Risk
Our cash and cash equivalents primarily consist of cash on hand and highly liquid investments in money market funds, including overnight investments. As of December 31, 2021, we had cash and cash equivalents of $273.7 million. The carrying amount of our cash equivalents reasonably approximates fair value, due to the short maturities of these instruments. The primary objectives of our investment activities are the preservation of capital, the fulfillment of liquidity needs and the fiduciary control of cash and investments. We do not enter into investments for trading or speculative purposes. Our investments are exposed to market risk due to fluctuations in interest rates, which may affect our interest income and the fair market value of our investments. However, due to the short-term nature of our investment portfolio, we do not believe an immediate 10% increase or decrease in interest rates would have a material effect on the fair market value of our portfolio. We therefore do not expect our operating results or cash flows to be materially affected by a sudden change in market interest rates.
Foreign Currency Risk
The vast majority of our sales contracts are denominated in U.S. dollars, with a small number of contracts denominated in foreign currencies. A portion of our operating expenses are incurred outside the United States, denominated in foreign currencies and subject to fluctuations due to changes in foreign currency exchange rates, particularly changes in the British Pound, Euro, Brazilian Real and South African Rand. Additionally, fluctuations in foreign currency exchange rates may cause us to recognize transaction gains and losses in our consolidated statements of operations. During the years ended December 31, 2021, 2020 and 2019, a hypothetical 10% change in foreign currency exchange rates applicable to our business would not have had a material impact on our consolidated financial statements. As the impact of foreign currency exchange rates has not been material to our historical operating results, we have not entered into derivative or hedging transactions, but we may do so in the future if our exposure to foreign currency becomes more significant.
Item 8. Financial Statements and Supplementary Data
INDEX TO CONSOLIDATED FINANCIAL STATEMENTS
REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM
To the Stockholders and Board of Directors
Opinion on the Consolidated Financial Statements
We have audited the accompanying consolidated balance sheets of KnowBe4, Inc. and subsidiaries (the Company) as of December 31, 2021 and 2020, the related consolidated statements of operations, comprehensive loss, stockholders’ equity (deficit), and cash flows for each of the years in the three‑year period ended December 31, 2021, and the related notes (collectively, the consolidated financial statements). In our opinion, the consolidated financial statements present fairly, in all material respects, the financial position of the Company as of December 31, 2021 and 2020, and the results of its operations and its cash flows for each of the years in the three‑year period ended December 31, 2021, in conformity with U.S. generally accepted accounting principles.
Basis for Opinion
These consolidated financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on these consolidated financial statements based on our audits. We are a public accounting firm registered with the Public Company Accounting Oversight Board (United States) (PCAOB) and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing procedures to assess the risks of material misstatement of the consolidated financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the consolidated financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the consolidated financial statements. We believe that our audits provide a reasonable basis for our opinion.
We have served as the Company’s auditor since 2017.
March 10, 2022
CONSOLIDATED BALANCE SHEETS
(in thousands, except share and per share amounts)
|December 31, 2021||December 31, 2020|
|Cash and cash equivalents||$||273,723 ||$||85,582 |
|Accounts receivable, net of allowance for doubtful accounts||54,071 ||38,664 |
|Current portion of deferred commissions||17,842 ||13,177 |
|Prepaid and other current assets||10,580 ||6,124 |
|Total current assets||356,216 ||143,547 |
|Deferred commissions, net of current portion||33,869 ||24,022 |
|Capitalized software and content, net||27,074 ||15,523 |
|Property and equipment, net||9,120 ||10,284 |
|Operating lease right of use assets, net||12,998 ||12,067 |
|Intangible assets, net||7,992 ||2,985 |
|Goodwill||89,329 ||8,605 |
|Other assets||1,080 ||1,177 |
|537,678 ||218,210 |
|Liabilities and stockholders’ equity (deficit)|
|Accounts payable and accrued expenses||37,642 ||19,265 |
|Current portion of deferred revenue||184,496 ||127,043 |
|Current portion of operating lease liabilities||2,938 ||2,651 |
|Total current liabilities||225,076 ||148,959 |
|Deferred revenue, net of current portion||81,278 ||58,653 |
|Operating lease liabilities, net of current portion||10,484 ||9,766 |
|Other non-current liabilities||3,573 ||3,991 |
|320,411 ||221,369 |
|Stockholders’ equity (deficit)|
Preferred stock, $0.00001 par value, 0 shares authorized, issued, and outstanding at December 31, 2021 and 114,164,600 shares authorized, issued and outstanding (Liquidation value $