Annual and Transition Report (foreign Private Issuer) (20-f)

Date : 03/15/2019 @ 4:10AM
Source : Edgar (US Regulatory)
Stock : CyberArk Software Ltd (CYBR)
Quote : 121.7  1.96 (1.64%) @ 5:41AM
CyberArk Software share price Chart
After Hours
Last Trade
Last $ 121.70 ◊ 0.00 (0.00%)

Annual and Transition Report (foreign Private Issuer) (20-f)


 
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
 
 
FORM 20-F
 
 
REGISTRATION STATEMENT PURSUANT TO SECTION 12(b) OR (g) OF THE SECURITIES EXCHANGE ACT OF 1934
 
OR
 
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
 
For the fiscal year ended December 31, 2018
 
OR
 
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
 
OR
 
SHELL COMPANY REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
 
Commission file number 001-36625
 

 
CYBERARK SOFTWARE LTD.
(Exact name of Registrant as specified in its charter)
 
 
ISRAEL
 
(Jurisdiction of incorporation or organization)
9 Hapsagot St.
Park Ofer B, P.O. BOX 3143
 Petach-Tikva 4951040, Israel
 (Address of principal executive offices)
 

 
Joshua Siegel
Chief Financial Officer
Telephone: +972 (3) 918-0000
CyberArk Software Ltd.
9 Hapsagot St.
Park Ofer B, P.O. BOX 3143
 Petach-Tikva 4951040, Israel
 (Name, telephone, e-mail and/or facsimile number and address of company contact person)
 
Securities registered or to be registered pursuant to Section 12(b) of the Act:

Title of each class
 
Name of each exchange on which registered
Ordinary shares, par value NIS 0.01 per share
 
The NASDAQ Stock Market LLC
 
Securities registered or to be registered pursuant to Section 12(g) of the Act: None.
 
Securities for which there is a reporting obligation pursuant to Section 15(d) of the Act: None.
 
 
Indicate the number of outstanding shares of each of the issuer’s classes of capital or common stock as of the close of the period covered by the annual report: As of December 31, 2018, the registrant had outstanding 36,838,523 ordinary shares, par value NIS 0.01 per share.
 
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act.
 
Yes ☒          No ☐
 
If this report is an annual or transition report, indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934.
 
Yes ☐          No ☒
 
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.
 
Yes ☒          No ☐
 
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).
 
Yes ☒          No ☐
 
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.

Large accelerated filer ☒
Accelerated filer  ☐
Non-accelerated filer ☐
   
Emerging growth company ☐
 
If an emerging growth company that prepares its financial statements in accordance with U.S. GAAP, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards† provided pursuant to Section 13(a) of the Exchange Act.     ☐
 
† The term “new or revised financial accounting standard” refers to any update issued by the Financial Accounting Standards Board to its Accounting Standards Codification after April 5, 2012.
 
Indicate by check mark which basis of accounting the registrant has used to prepare the financial statements included in this filing:
 
U.S. GAAP ☒
International Financial Reporting Standards as issued by the
International Accounting Standards Board ☐
Other ☐
 
If “Other” has been checked in response to the previous question, indicate by check mark which financial statement item the registrant has elected to follow.
 
☐ Item 17          ☐ Item 18
 
If this is an annual report, indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).
 
Yes ☐          No ☒

 
CYBERARK SOFTWARE LTD.
 
FORM 20-F
ANNUAL REPORT FOR THE FISCAL YEAR ENDED DECEMBER 31, 2018
 
TABLE OF CONTENTS
 
1
   
1
 
   
     
2
     
2
     
2
     
30
     
40
     
40
     
62
     
79
     
81
     
82
     
82
     
93
     
94
     
 
   
95
     
95
     
95
     
96
     
96
     
96
     
97
     
97
     
97
     
97
     
97
     
     
97
     
97
     
98


INTRODUCTION
 
In this annual report, the terms “CyberArk,” “we,” “us,” “our” and “the company” refer to CyberArk Software Ltd. and its subsidiaries. 
 
This annual report includes statistical, market and industry data and forecasts, which we obtained from publicly available information and independent industry publications and reports that we believe to be reliable sources. These publicly available industry publications and reports generally state that they obtain their information from sources that they believe to be reliable, but they do not guarantee the accuracy or completeness of the information. Although we believe that these sources are reliable, we have not independently verified the information contained in such publications. Certain estimates and forecasts involve uncertainties and risks and are subject to change based on various factors, including those discussed under the headings “Special Note Regarding Forward-Looking Statements” and “Item 3.D Risk Factors” in this annual report. 
 
Throughout this annual report, we refer to various trademarks, service marks and trade names that we use in our business. The “CyberArk” design logo is the property of CyberArk Software Ltd. CyberArk® is our registered trademark in the United States. We have several other trademarks, service marks and pending applications relating to our solutions. In particular, although we have omitted the “®” and “™” trademark designations in this annual report from each reference to our Privileged Access Security Solution, Enterprise Password Vault, Privileged Session Manager, Privileged Threat Analytics, CyberArk Privilege Cloud, Application Access Manager, Conjur, Endpoint Privilege Manager, On-Demand Privileges Manager, secure Digital Vault, Web Management Interface, Master Policy Engine and Discovery Engine, DNA, and C 3 Alliance, all rights to such names and trademarks are nevertheless reserved. Other trademarks and service marks appearing in this annual report are the property of their respective holders. 
 
SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS
 
In addition to historical facts, this annual report contains forward-looking statements within the meaning of Section 27A of the U.S. Securities Act of 1933, as amended, or the Securities Act, Section 21E of the U.S. Securities Exchange Act of 1934, as amended, or the Exchange Act, and the safe harbor provisions of the U.S. Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to risks and uncertainties, and include information about possible or assumed future results of our business, financial condition, results of operations, liquidity, plans and objectives. In some cases, you can identify forward-looking statements by terminology such as “believe,” “may,” “estimate,” “continue,” “anticipate,” “intend,” “should,” “plan,” “expect,” “predict,” “potential,” or the negative of these terms or other similar expressions. The statements we make regarding the following matters are forward-looking by their nature:
 
our expectations regarding revenues generated by our hybrid sales model;
 
our expectations regarding our operating and net profit margins;
 
our expectations regarding significant drivers of our future growth;
 
our plans to continue to invest in research and development to enhance and develop existing and new on-premises and cloud-based products and services;
 
our plans to continue to invest in sales and marketing efforts and expand our channel partnerships across existing and new geographies;
 
our plans to hire additional new employees;
 
our plans to pursue and integrate additional strategic acquisitions;
 
our plans to leverage our global footprint in existing and new industry verticals to further expand our market share;
 
our plans to pursue incremental sales to existing customers;
 
our plans to further diversify our product deployments and licensing options; and
 
 
our expectations regarding our tax classifications.
 
1

The preceding list is not intended to be an exhaustive list of all of our forward-looking statements. The forward-looking statements are based on our beliefs, assumptions and expectations of future performance, taking into account the information currently available to us. These statements are only predictions based upon our current expectations and projections about future events. There are important factors that could cause our actual results, levels of activity, performance or achievements to differ materially from the results, levels of activity, performance or achievements expressed or implied by the forward-looking statements. In particular, you should consider the risks provided under “Item 3.D Risk Factors” in this annual report. 
 
You should not rely upon forward-looking statements as predictions of future events. Although we believe that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee that future results, levels of activity, performance and events and circumstances reflected in the forward-looking statements will be achieved or will occur. Except as required by law, we undertake no obligation to update publicly any forward-looking statements for any reason after the date of this annual report, to conform these statements to actual results or to changes in our expectations.
 
PART I
 
I TEM 1.
IDENTITY OF DIRECTORS, SENIOR MANAGEMENT AND ADVISERS
 
Not applicable.
 
I TEM 2.
OFFER STATISTICS AND EXPECTED TIMETABLE 
 
Not applicable. 
 
I TEM 3.
KEY INFORMATION 
 
  A.            Selected Financial Data 
 
The following tables set forth our selected consolidated financial data. You should read the following selected consolidated financial data in conjunction with “Item 5. Operating and Financial Review and Prospects” and our consolidated financial statements and related notes included elsewhere in this annual report. Historical results are not necessarily indicative of the results that may be expected in the future. Our financial statements have been prepared in accordance with U.S. Generally Accepted Accounting Principles, or U.S. GAAP. 
 
2

The selected consolidated statements of operations data for each of the years in the three-year period ended December 31, 2018 and the consolidated balance sheet data as of December 31, 2017 and 2018 are derived from our audited consolidated financial statements appearing elsewhere in this annual report. The consolidated statements of operations data for the years ended December 31, 2014 and 2015 and the consolidated balance sheet data as of December 31, 2014, 2015 and 2016 are derived from our audited consolidated financial statements that are not included in this annual report.
 
   
Year ended December 31,
 
   
2014
   
2015
   
2016
   
2017
   
2018(1)
 
   
(in thousands except share and per share data)
 
Consolidated Statements of Operations:
                             
Revenues:
                             
License          
 
$
61,320
   
$
100,113
   
$
131,530
   
$
147,640
   
$
192,514
 
Maintenance and professional services
   
41,679
     
60,699
     
85,083
     
114,061
     
150,685
 
Total revenues          
   
102,999
     
160,812
     
216,613
     
261,701
     
343,199
 
Cost of revenues:
                                       
License          
   
2,654
     
5,088
     
4,726
     
7,911
     
10,526
 
Maintenance and professional services
   
12,053
     
17,572
     
25,425
     
33,937
     
37,935
 
Total cost of revenues(2)          
   
14,707
     
22,660
     
30,151
     
41,848
     
48,461
 
Gross profit          
   
88,292
     
138,152
     
186,462
     
219,853
     
294,738
 
Operating expenses:
                                       
Research and development(2)          
   
14,400
     
21,734
     
34,614
     
42,389
     
57,112
 
Sales and marketing(2)          
   
44,943
     
66,206
     
93,775
     
126,739
     
148,290
 
General and administrative(2)          
   
8,495
     
16,990
     
22,117
     
30,399
     
42,044
 
Total operating expenses          
   
67,838
     
104,930
     
150,506
     
199,527
     
247,446
 
Operating income          
   
20,454
     
33,222
     
35,956
     
20,326
     
47,292
 
Financial income (expenses), net          
   
(5,988
)
   
(1,479
)
   
245
     
4,103
     
4,551
 
Income before taxes on income          
   
14,466
     
31,743
     
36,201
     
24,429
     
51,843
 
Taxes on income          
   
(4,512
)
   
(5,949
)
   
(8,077
)
   
(8,414
)
   
(4,771
)
Net income          
 
$
9,954
   
$
25,794
   
$
28,124
   
$
16,015
   
$
47,072
 
Basic net income per ordinary share(3)
 
$
0.46
   
$
0.80
   
$
0.83
   
$
0.46
   
$
1.30
 
Diluted net income per ordinary share(3)
 
$
0.34
   
$
0.73
   
$
0.78
   
$
0.44
   
$
1.27
 
Weighted average number of ordinary shares used in computing basic net income per ordinary share(3)
   
13,335,059
     
32,124,772
     
33,741,359
     
34,824,312
     
36,174,316
 
Weighted average number of ordinary shares used in computing diluted net income per ordinary share(3)
   
29,704,730
     
35,322,716
     
35,838,863
     
36,175,824
     
37,065,727
 

3

   
As of December 31,
 
   
2014
   
2015
   
2016
   
2017
   
2018(1)
 
   
(in thousands)
 
Consolidated Balance Sheet Data:
                             
Cash, cash equivalents, marketable securities and short-term bank deposits
 
$
177,181
   
$
238,252
   
$
295,475
   
$
330,340
   
$
451,244
 
Deferred revenue, current and long term
   
32,160
     
54,389
     
73,506
     
105,235
     
149,534
 
Working capital(4)          
   
156,829
     
197,095
     
235,010
     
251,247
     
338,340
 
Total assets          
   
210,552
     
334,424
     
403,031
     
502,576
     
673,620
 
Total shareholders’ equity          
   
155,008
     
246,670
     
296,216
     
353,965
     
466,770
 
 
(1)
On January 1, 2018, we adopted Accounting Standard Update (“ASU”) No. 2014-09, Revenue from Contracts with Customers Topic 606 (“ASC No. 606”) using the modified retrospective method. Results for reporting periods beginning after January 1, 2018 are presented under ASC No. 606, while prior period results are not adjusted and continue to be reported in accordance with historic accounting under Revenue Recognition Topic 605 (“ASC No. 605”). See Note 2(n) to our consolidated financial statements included elsewhere in this report for further information.
 
(2)
Includes share-based compensation expense as follows:
 
   
Year ended December 31,
 
   
2014
   
2015
   
2016
   
2017
   
2018
 
   
(in thousands )
 
Cost of revenues          
 
$
137
   
$
499
   
$
1,386
   
$
2,289
   
$
3,350
 
Research and development          
   
172
     
1,507
     
4,660
     
6,110
     
7,922
 
Sales and marketing          
   
347
     
2,214
     
5,765
     
8,642
     
12,708
 
General and administrative          
   
917
     
2,829
     
5,724
     
8,196
     
11,984
 
                                         
Total share-based compensation expenses
 
$
1,573
   
$
7,049
   
$
17,535
   
$
25,237
   
$
35,964
 
 

(3)
Basic and diluted net income per ordinary share is computed based on the weighted average number of ordinary shares outstanding during each period. For additional information, see note 13 to our consolidated financial statements included elsewhere in this annual report.
 
(4)
We define working capital as total current assets minus total current liabilities. In 2015, we adopted ASU No. 2015-17, Income Taxes (Topic 740): Balance Sheet Classification of Deferred Taxes (ASU 2015-17) retrospectively and reclassified all of our current deferred tax assets to noncurrent deferred tax assets on our consolidated balance sheets data for all periods presented. As a result of such reclassifications, certain noncurrent deferred tax liabilities as of December 31, 2014 were netted with noncurrent deferred tax assets.
 
4

Non-GAAP gross profit, non-GAAP operating income and non-GAAP net income are non-GAAP financial measures. We define non-GAAP gross profit, non-GAAP operating income and non-GAAP net income as gross profit, operating income and net income, respectively, which each exclude (i) share-based compensation expense and (ii) amortization of intangible assets related to acquisitions. Non-GAAP operating income also excludes (i) expenses related to the March 2015 public offering of ordinary shares by certain of our shareholders and to the June 2015 public offering of ordinary shares by us and certain of our shareholders, (ii) expenses related to acquisitions and (iii) expenses related to facility exit and transition costs. Non-GAAP net income also excludes (i) financial expenses resulting from the revaluation of warrants to purchase preferred shares, (ii) tax effects related to the non-GAAP adjustments set forth above, (iii) tax effects related to the impact to our deferred tax assets as a result of the U.S. Tax Cuts and Jobs Act 2017 (the “Tax Act”) and (iv) intra-entity intellectual property transfer tax effects. The following tables reconcile operating income and net income, the most directly comparable U.S. GAAP measures, to non-GAAP operating income and non-GAAP net income for the periods presented:
 
   
2014
   
2015
   
2016
   
2017
   
2018
 
   
(in thousands )
 
Reconciliation of Gross Profit to Non-GAAP Gross Profit:
                             
Gross profit          
 
$
88,292
   
$
138,152
   
$
186,462
   
$
219,853
   
$
294,738
 
Share-based compensation - Maintenance and professional services
   
137
     
499
     
1,386
     
2,289
     
3,350
 
Amortization of intangible assets – License
   
-
     
359
     
1,420
     
4,213
     
5,563
 
                                         
Non-GAAP Gross profit          
 
$
88,429
   
$
139,010
   
$
189,268
   
$
226,355
   
$
303,651
 
 
   
2014
   
2015
   
2016
   
2017
   
2018
 
   
(in thousands )
 
Reconciliation of Operating Income to Non-GAAP Operating Income:
                             
Operating income          
 
$
20,454
   
$
33,222
   
$
35,956
   
$
20,326
   
$
47,292
 
Share-based compensation          
   
1,573
     
7,049
     
17,535
     
25,237
     
35,964
 
Public offering related expenses          
   
     
1,568
     
     
     
 
Acquisition related expenses          
   
     
677
     
     
686
     
268
 
Amortization of intangible assets – Cost of revenues
   
     
359
     
1,420
     
4,213
     
5,563
 
Amortization of intangible assets – Research and development
   
     
749
     
1,913
     
     
 
Amortization of intangible assets – Sales and marketing
   
     
17
     
1,190
     
1,046
     
793
 
Facility exit and transition costs
   
     
     
     
342
     
580
 
                                         
Non-GAAP operating income          
 
$
22,027
   
$
43,641
   
$
58,014
   
$
51,850
   
$
90,460
 

5


   
Year ended December 31,
 
   
2014
   
2015
   
2016
   
2017
   
2018
 
   
(in thousands)
 
Reconciliation of Net Income to Non-GAAP Net Income:
                             
Net income          
 
$
9,954
   
$
25,794
   
$
28,124
   
$
16,015
   
$
47,072
 
Share-based compensation          
   
1,573
     
7,049
     
17,535
     
25,237
     
35,964
 
Warrant adjustment          
   
4,309
     
     
     
     
 
Public offering related expenses          
   
     
1,568
     
     
     
 
Acquisition related expenses          
   
     
677
     
     
686
     
268
 
Amortization of intangible assets – Cost of revenues
   
     
359
     
1,420
     
4,213
     
5,563
 
Amortization of intangible assets – Research and development
   
     
749
     
1,913
     
     
 
Amortization of intangible assets – Sales and marketing
   
     
17
     
1,190
     
1,046
     
793
 
Facility exit and transition costs
   
     
     
     
342
     
580
 
Taxes on income related to non-GAAP adjustments
   
     
(951
)
   
(4,937
)
   
(12,226
)
   
(15,485
)
Change in the U.S. federal tax rate
   
     
     
     
6,582
     
 
Intra-entity intellectual property transfer tax effect, net
   
     
     
     
     
1,768
 
                                         
Non-GAAP net income          
 
$
15,836
   
$
35,262
   
$
45,245
   
$
41,895
   
$
76,523
 
 
For a description of how we use non-GAAP gross profit, non-GAAP operating income and non-GAAP net income to evaluate our business, see “Item 5. Operating and Financial Review and Prospects—Key Financial Metrics.” We believe that these non-GAAP financial measures are useful in evaluating our business because of varying available valuation methodologies, subjective assumptions and the variety of equity instruments that can impact a company’s non-cash expenses and because they exclude one-time cash expenditures that do not reflect the performance of our core business. We believe that providing non-GAAP gross profit, non-GAAP operating income and non-GAAP net income that exclude, as appropriate, share-based compensation expenses, expenses relating to public offerings of our ordinary shares, expenses related to facility exit and transition costs, financial expenses resulting from the valuation of warrants to purchase preferred shares, expenses related to acquisitions, amortization of intangible assets related to acquisitions, intra-entity intellectual property transfer tax effects, tax effects related to the impact to our deferred tax assets as a result of the Tax Act and the tax effects related to these non-GAAP adjustments allows for more meaningful comparisons between our operating results from period to period. Share-based compensation expense has been, and will continue to be for the foreseeable future, a significant recurring expense in our business and an important part of the compensation we provide to employees. Additionally, excluding financial expenses with respect to revaluation of warrants to purchase preferred shares allows for more meaningful comparison between our net income from period to period. As these warrants were exercised in connection with our initial public offering, they are no longer revalued at each balance sheet date. We also believe that expenses related to the public offerings of our ordinary shares in March 2015 and June 2015, expenses related to our acquisitions, expenses related to facility exit and transition costs, amortization of intangible assets related to acquisitions, tax effects related to the impact to our deferred tax assets as a result of the Tax Act, intra-entity intellectual property transfer tax effects and the tax effects related to the non-GAAP adjustments set forth above do not reflect the performance of our core business and would impact period-to-period comparability.
 
Other companies, including companies in our industry, may calculate non-GAAP operating income and non-GAAP net income differently or not at all, which reduces their usefulness as a comparative measure. You should consider non-GAAP operating income and non-GAAP net income along with other financial performance measures, including operating income and net income, and our financial results presented in accordance with U.S. GAAP.
 
6

  B.            Capitalization and Indebtedness
 
Not applicable.
 
  C.            Reasons for the Offer and Use of Proceeds
 
Not applicable.
 
  D.            Risk Factors
 
Risks Related to Our Business and Our Industry
 
The IT security market is rapidly evolving within the increasingly challenging cyber threat landscape and the continuing use of hybrid on-premises and cloud-based infrastructure. Our sales may not continue to grow at current rates or may decline, and our share price could decrease as a result of market and industry developments we do not anticipate.
 
We operate in a rapidly evolving industry focused on securing organizations’ IT systems and sensitive data. Our solutions focus on safeguarding privileged accounts, credentials, and secrets, which are those accounts within an organization that give users, applications, and machine identities the highest levels of access, or “privileged” access, to IT systems, on-premises and cloud-based infrastructure, industrial control systems, applications and data. While breaches of such privileged accounts continue to gain media attention in recent years, IT security spending within enterprises is often concentrated on endpoint and network security products designed to stop threats from penetrating corporate networks. Organizations that use these security products may allocate all or most of their IT security budgets to these products and may not adopt our solutions in addition to such products. Organizations are moving portions of their data to be managed by third parties, primarily infrastructure, platform and application service providers, and may rely on such providers’ internal security measures. Further, security solutions such as ours, which are focused on disrupting cyber attacks by insiders and external perpetrators that have penetrated an organization’s on-premises infrastructure or cloud estate, represent a security layer designed to respond to advanced threats and more rigorous compliance standards and audit requirements. However, advanced cyber attackers are skilled at adapting to new technologies and developing new methods of gaining access to organizations’ sensitive data. As our customers’ technologies and business plans evolve and become more complex, we expect them to face new and increasingly sophisticated methods of attack. We face significant challenges in ensuring that our solutions effectively identify and respond to such attacks without disrupting the performance of our customers’ IT systems. As a result, we must continually modify and improve our products, services, and licensing models in response to market and technology trends to ensure we are meeting market needs and continue providing valuable solutions that can be deployed in a variety of environments, including cloud and hybrid.
 
We cannot guarantee that we will be able to anticipate future market needs and opportunities or be able to develop or acquire product enhancements or new products to meet such needs or opportunities in a timely manner or at all. Even if we are able to anticipate, develop and commercially introduce new products and product enhancements such as CyberArk Privilege Cloud and Privileged Session Manager for Cloud, there can be no assurance that such enhancements or new products will achieve widespread market acceptance. Delays in developing, completing or delivering new or enhanced products could cause our offerings to be less competitive, impair customer acceptance of our solutions and result in delayed or reduced revenue for our solutions.
 
In addition, any changes in compliance standards or audit requirements that reduce the priority for the types of controls, security, monitoring and analysis that our solutions provide would adversely impact demand for our solutions. It is therefore difficult to predict how large the market will be for our solutions. If solutions such as ours are not viewed by organizations as necessary, or if customers do not recognize the benefit of our solutions as a critical layer of an effective security strategy, then our revenues may not continue to grow at their current rate or may decline, which could cause our share price to decrease in value .
 
Our quarterly results of operations may fluctuate for a variety of reasons, including our failure to close significant sales before the end of a particular quarter or unexpected changes in the sales volumes we expect across certain quarters and geographies. We may, as a result, fail to meet publicly announced financial guidance or other expectations about our business, which could cause our ordinary shares to decline in value.
 
A meaningful portion of our quarterly revenues is generated through deals of significant size, and purchases of our products and services often occur at the end of each quarter. We also typically experience seasonality in our sales, particularly demonstrated by increased sales in the last quarter of the year. In addition, our sales cycle can be intensively competitive and last several quarters from proof of concept to delivery of our solutions to our customers. This sales cycle can be even longer, less predictable and more resource-intensive for larger sales, or with customers implementing complex digital transformation strategies or facing a complex set of compliance and user requirements, that need to be met and confirmed during the sales cycle. Customers may also require additional internal approvals or seek to test our products for a longer trial period before deciding to purchase our solutions. Furthermore, even if we close a sale during a given quarter, we may be unable to recognize the revenues derived from such sale during the same period due to our revenue recognition policy. See “Item 5.A. Operating and Financial Review and Prospects—Operating Results—Application of Critical Accounting Policies and Estimates—Revenue Recognition.”
 
7

As a result, the timing of closing sales cycles and the resulting revenue from such sales can be difficult to predict. In some cases, sales have occurred in quarters subsequent to those we anticipated, or have not occurred at all. All of these factors impact our quarterly results and our ability to accurately predict them, and may lead to difficulties in meeting market expectations regarding our actual results. If our financial results for a particular period do not meet our guidance or if we reduce our guidance for future periods, the market price of our ordinary shares may decline.
 
In addition to the sales cycle-related fluctuations set forth above, our results of operations may continue to vary as a result of a number of factors, many of which may be outside of our control or difficult to predict, including:
 
our ability to attract new customers;
 
our ability to retain existing customers by and through renewals of maintenance and subscription license agreements. Additionally, and because we recognize revenue from our software maintenance over the term of the engagement, downturns or upturns in renewals may not be immediately reflected in our operating results until future periods. For example, a decline in renewals for software maintenance in any single quarter may have a small impact on our revenue for that quarter, however, such a decline will negatively affect our revenue in future quarters;
 
our ability to sell additional products to current customers;
 
the ability of our service operation, performed independently or through our service providers, to keep pace with license sales to new and existing customers and to satisfy customer demands for consultancy and professional services;
 
the amount and timing of our operating costs;
 
a change in our mix of products and services;
 
our ability to successfully expand our business globally;
 
a disruption in, or termination of, our relationship with channel partners;
 
the timing and success of new product and service introductions by us or our competitors or any other change in the competitive landscape of the information security market, including consolidation among our customers or competitors;
 
increases or decreases in our expenses caused by fluctuations in foreign currency exchange rates or changes in taxes or other applicable regulations (See “—We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations”);
 
introduction of new accounting pronouncements or changes in our accounting policies or practices;
 
changes in the nature and methodology of cyber attacks and other threats to corporate data;
 
changes in customer or channel partner requirements or market needs;
 
changes in our pricing policies or those of our competitors;
 
changes in the growth rate of the information security market;
 
general economic conditions in our markets; and
 
the size and discretionary nature of our prospective and existing customers’ IT budgets.
 
8

Any of these factors, individually or in the aggregate, may result in significant fluctuations in our financial and other operating results from period to period. These fluctuations could result in our failure to meet our operating plan or the expectations of investors or analysts for any given period. If we fail to meet such expectations for these or other reasons, the market price of our ordinary shares could decrease substantially.

Our reputation and business could be harmed based on real or perceived shortcomings, defects or vulnerabilities in our solutions or the provision of our services, or due to the failure of our customers, channel partners, managed security service providers, or subcontractors to correctly implement, manage and maintain our solutions, resulting in loss of existing or new customers, lawsuits or financial losses.
 
Security products and solutions are complex in design and deployment, and may contain errors that are not capable of being remediated or detected until after their deployment. Any errors, defects, or misconfigurations could cause our products or services to not meet specifications, be vulnerable to security attacks or fail to secure networks and could negatively impact customer operations. If we fail to identify and respond to new and increasingly complex methods of attack on privileged accounts and update our products to detect or prevent such threats effectively, which may require significant resources, our business and reputation will suffer. In particular, we may suffer significant adverse publicity and reputational harm if our solutions (or the services we provide in relation to our solutions) are associated, or are believed to be associated, with a significant breach or a breach at a high profile customer or managed service provider network, or in the event of a breach in third party systems utilized by us as part of our cloud-based security solution.
 
In addition, our Endpoint Privilege Manager and new CyberArk Privilege Cloud solutions are made available to our customers as software as a service (“SaaS”). Providing SaaS involves storage and transmission of customers’ proprietary information related to their assets and users. Security breaches or product defects in our SaaS solutions could result in loss or alteration of this data, unauthorized access to multiple customers’ data and compromise of our networks or our customer’s networks secured by our SaaS solutions . Additionally, if such a security breach occurs that results in the disruption or loss of availability, integrity or confidentiality of customers’ data, we could incur significant liability to our customers and to businesses or individuals whose information was being stored by our customers.
 
Further, the third party data hosting facilities used for the provision of our SaaS solutions are vulnerable to damages, interruptions or other unanticipated problems that could result in disruption in the provision of these solutions. Any disruptions or other performance problems with our SaaS solutions could harm our reputation and business, damage our customers’ businesses, subject us to potential liability, cause customers to terminate or not renew their subscriptions to our SaaS solutions and make it more challenging for us to acquire new customers.
 
False detection of threats (referred to as “false positives”), while typical in our industry, may reduce perception of the reliability of our products and may therefore adversely impact market acceptance of our products. If our solutions restrict legitimate privileged access by authorized personnel to IT systems and applications by falsely identifying those users as an attack or otherwise unauthorized, our customers’ businesses could be harmed. There can be no assurance that, despite our testing efforts, errors will not be found in existing and new versions of our products, resulting in loss of or delay in market acceptance. In such instances, we may be required, or may choose, for customer relations or other reasons, to expend additional resources in order to help correct such problem.
 
As our solutions not only reinforce but also rely on the common security concept of placing multiple layers of security controls throughout an IT system. The failure of our customers, channel partners, managed service providers or subcontractors to correctly implement and effectively manage and maintain our solutions (and the environments in which they are utilized), or to consistently implement and utilize generally accepted and comprehensive, multi-layered security measures and processes in the customer networks, may lessen the efficacy of our solutions. Additionally, our customers or our channel partners may independently develop plug-ins or change existing plug-ins or APIs that we provided to them for interfacing purposes in an incorrect or insecure manner. Such failures or actions may lead to breaches of our customers’ IT systems and loss or alteration of sensitive data or systems, and potentially to a perception that our solutions failed. Further, our failure to provide our customers and channel partners with adequate services or inaccurate product documentation related to the use, implementation and maintenance of our solutions, could lead to claims against us.
 
9

An actual or perceived cyber attack, other security breach or theft of our customers’ data, regardless of whether the breach or theft is attributable to the failure of our products, SaaS solutions or the services we provided in relation thereto, could adversely affect the market’s perception of the efficacy of our solutions, and current or potential customers may look to our competitors for alternatives to our solutions. An actual or perceived failure of our products, SaaS solutions or our failure to provide adequate services to our customers and channel partners, may also subject us to lawsuits, indemnity claims and financial losses, as well as the expenditure of significant financial resources to analyze, correct or eliminate any vulnerabilities. In addition, provisions in our license agreements that attempt to limit our liabilities towards our customers, channel partners and relevant third parties may not withstand legal challenges, and certain liabilities may not be limited or capped. Additionally, any insurance coverage we may have may not adequately cover all claims asserted against us, or cover only a portion of such claims. An actual or perceived cyber attack could also cause us to suffer reputational harm, lose existing customers and potential new customers, or deter new and existing customers from purchasing our solutions, additional products or our services.
 
If we are unable to acquire new customers or sell additional products and services to our existing customers, our future revenues and operating results will be harmed.
 
Our success and continued growth depend, in part, on our ability to acquire a sufficient number of new customers. The number of customers that we add in a given period impacts both our short and long-term revenues. Similarly, a majority of our license revenues is generated from sales to existing customers. If we are unable to attract a sufficient number of new customers or fail to continue to sell new licenses and incremental licenses to our existing customers, we may be unable to generate revenue growth at desired rates.
 
Although we continue to introduce and acquire new products, we derive and expect to continue to derive a substantial majority of our revenue from customers using our Core Privileged Access Security offering. Our inability to increase sales of our Core Privileged Access Security offering, including additional software licenses, associated maintenance and support and professional services, or a decline in prices of our Core Privileged Access Security offering would harm our business and operating results more seriously than if we derived significant revenues from a variety of different products.
 
In addition, we have several other products, including Application Access Manager, Endpoint Privilege Manager and CyberArk Privilege Cloud that make up a smaller portion of our revenue. It is uncertain whether these products will increase their share of revenue generation or gain market acceptance or will compensate for loss of revenues due to any inability to increase sales of our Core Privileged Access Security offering.
 
We devote significant efforts to developing, marketing and selling additional licenses and associated maintenance and support to existing customers and rely on these efforts for a portion of our revenues, and to a lesser extent, renewing term based license agreements. These efforts require a significant investment in building and supporting customer relationships, as well as significant research and development efforts in order to provide product upgrades and launch new products. Further, as part of the natural lifecycle of our products, we may determine that certain products will be reaching their end of development or end of life and will no longer be supported or receive updates and security patches. Failure to effectively manage our product lifecycles could lead to existing customer dissatisfaction and contractual liabilities.
 
As we expand our market reach to gain new business, including expanding sales of our products to medium-sized commercial organizations and securing DevOps environments, we may experience difficulties in gaining traction and raising awareness among potential customers regarding the critical role that our solutions play in securing their organizations, or may face more competitive pressure in such markets. In particular with DevOps, even if we are successful in promoting the need for securing accounts in DevOps environments, potential customers may prefer to use our open source version of the Conjur solution which we released in 2017, instead of purchasing a license for the comprehensive DevOps security solution we offer, and we may be unable to generate revenue growth at desired rates.
 
As a result, it may be difficult for us to add new customers to our customer base and to retain our existing customers. Competition in the marketplace may lead us to acquire fewer new customers or result in us providing discounts and other commercial incentives to new or existing customers.
 
Additional factors that impact our ability to acquire new customers or sell additional products and services to our existing customers include the perceived need for IT security, the size of our prospective and existing customers’ IT budgets, the utility and efficacy of our existing and new offerings, whether proven or perceived, changes in our pricing model that may impact the size of new business transactions, and general economic conditions. These factors may have a material negative impact on future revenues and operating results.
 
10

We face intense competition from a wide variety of IT security vendors operating in different market segments and across diverse IT environments, which may challenge our ability to maintain or improve our competitive position or to meet our planned growth rates.
 
The IT security market in which we operate is characterized by intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats. We compete with a multitude of companies that offer a broad array of IT security products that employ different approaches and delivery models to address these evolving threats.
 
Our current and potential future competitors include BeyondTrust Corporation, One Identity LLC, Thycotic Software Ltd., Microsoft Corporation, Broadcom Inc. (which acquired CA Technologies) and Oracle Corporation in the access and identity management market, some of which may offer solutions at lower price points. Further, we may face competition due to changes in the manner that organizations utilize IT assets and the security solutions applied to them, such as the provision of privileged account security functionalities as part of public cloud providers’ infrastructure offerings, or cloud-based identity management solutions. Limited IT budgets may also result in competition with providers of other advanced threat protection solutions such as McAfee, LLC, Palo Alto Networks, Splunk Inc., and Symantec Corporation. We also may compete, to a certain extent, with vendors that offer products or services in adjacent or complementary markets to privileged account security, including identity management vendors and cloud platform providers such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure. Some of our competitors are large companies and have wider technical and financial resources and broader customer bases used to bring competitive solutions to the market. These companies may already have existing relationships as an established vendor for other product offerings, and certain customers may prefer one single IT vendor for product security procurement rather than purchasing solely based on product performance. Such companies may use these advantages to offer products and services that are perceived to be as effective as ours at a lower price or for free as part of a larger product package or solely in consideration for maintenance and services fees, which could result in increased market pressure to offer our solutions and services at lower prices. They may also develop different products to compete with our current solutions and respond more quickly and effectively than we do to new or changing opportunities, technologies, standards or client requirements or enjoy stronger sales and service capabilities in certain regions.
 
Our competitors may enjoy potential competitive advantages over us, such as:
 
greater name recognition, a longer operating history and a larger customer base, notwithstanding the increased visibility of our brand in recent years since our initial public offering;
 
larger sales and marketing budgets and resources;
 
broader distribution and established relationships with channel partners, advisory firms and customers;
 
increased effectiveness in protecting, detecting and responding to cyber attacks;
 
greater or localized resources for customer support and provision of services;
 
greater speed at which a solution can be deployed;
 
greater resources to make acquisitions;
 
larger intellectual property portfolios; and
 
greater financial, technical and other resources.
 
Our current and potential competitors may also establish cooperative relationships among themselves or with third parties that may further enhance their resources and capabilities. Current or potential competitors have been acquired and consolidated or may be acquired by third parties with greater resources in the future. As a result of such acquisitions, our current or potential competitors may be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do. Larger competitors with more diverse product offerings may reduce the price of products that compete with ours in order to promote the sale of other products or may bundle them with other products, which would lead to increased pricing pressure on our products and could cause the average sales prices for our products to decline. Similarly, we may also face increased competition following an acquisition of new lines of business that compete with providers of such technologies or from security vendors or other companies in adjacent markets extending their solution into privilege access management.
 
11

In addition, other IT security technologies exist or could be developed in the future by current or future competitors, and our business could be materially and adversely affected if such technologies are widely adopted. We may not be able to successfully anticipate or adapt to changing technology or customer requirements on a timely basis, or at all. If we fail to keep up with technological changes or to convince our customers and potential customers of the value of our solutions even in light of new technologies, our business, results of operations and financial condition could be materially and adversely affected.
 
Our share price may be adversely affected if our investments in our business do not deliver anticipated growth and we are unable to increase our operating and net income margins.
 
As we invest in the growth of our business, we expect our operating and net income margins to decline compared to prior periods. During the year ended December 31, 2018, we did not experience a decline due to an increase in revenue at a rate that exceeded the increase in expenses; however, in future periods, we expect our operating and net income margins to decline, primarily as a result of the costs associated with expanding our direct and indirect sales forces and marketing activities coupled with our increased costs to provide our professional services and support as well as the increased rate of investment in research and development. We expect that these invested costs will adversely impact our operating and net income margins as we may not be able to increase our revenue at a rate sufficient to offset the expected increase in our costs. From the year ended December 31, 2016 to the year ended December 31, 2018, our revenue grew from $216.6 million to $343.2 million, representing a compound annual growth rate of approximately 26%. We expect to continue to expand our sales and marketing personnel, and we may face a number of challenges in achieving our hiring and integration goals. It takes time and resources to train and integrate new sales force members across our global operations. Costs associated with adding new personnel to our sales force are expensed before their positive impact on our sales is recognized, and even then, a significant portion of any revenues that they generate from maintenance and services are deferred over the delivery period of those services. Our share price may be adversely affected even if we generate future growth if we are unable to increase our operating and net income margins at the same time or if the growth rate generated was less than anticipated causing the operating and net income margins to decline.
 
We may fail to fully integrate, or realize the benefits expected from acquisitions, which may require significant management attention, disrupt our business, dilute shareholder value and adversely affect our results of operations.
 
As part of our business strategy and in order to remain competitive, we continue to evaluate acquiring or making investments in complementary companies, products or technologies. We may not be able to find suitable acquisition candidates or complete such acquisitions on favorable terms. If we do complete acquisitions, we may not ultimately strengthen our competitive position or achieve our goals, and any acquisitions we complete could be viewed negatively by our customers, analysts and investors. In addition, if we are unsuccessful at integrating our acquisitions or the technologies associated with such acquisitions or fail to fully attain the expected benefits of these acquisitions, our revenues and results of operations could be adversely affected. Any integration process may require significant time and resources, and we may not be able to manage the process successfully and may experience a decline in our profitability as we incur expenses prior to fully realizing the benefits of the acquisition. We may not successfully evaluate or utilize the acquired technology or personnel, or accurately forecast the financial impact of an acquisition transaction, including accounting charges and tax liabilities. Further, the issuance of equity to finance any such acquisitions could result in dilution to our shareholders and the issuance of debt could subject us to covenants or other restrictions that would impede our ability to manage our operations. We could become subject to legal claims following the acquisition, or fail to accurately forecast the potential impact of any pre-existing claims. We have experienced some of these types of issues in connection with past acquisitions, none of which materially affected our operations or financial condition. In the future, any of these issues could have a material adverse impact on our business and results in the future.
 
12

We are subject to a number of risks, including regulatory risks, associated with global sales and operations, which could materially affect our business.
 
We are a global company subject to varied and complex laws, regulations and customs. The application of these laws and regulations to our business is often unclear and may at times conflict. Compliance with these laws and regulations may involve significant costs or require changes in our business practices that result in reduced revenue and profitability. Furthermore, business practices in the global markets that we serve may differ from those in the United States and may require us to include non-standard terms in customer contracts, such as extended payment or warranty terms. To the extent that we enter into customer contracts that include non-standard terms related to payment, warranties, or performance obligations, our results of operations may be adversely impacted. Further, there may be higher costs of doing business globally including costs incurred in maintaining office space, securing adequate staffing and localizing our contracts.
 
Additionally, our global sales and operations are subject to a number of risks, including the following:
 
compliance with privacy laws, including, without limitation, compliance with the General Data Protection Regulations 2016/679, or GDPR, and other global data privacy laws (See “—Regulatory data privacy concerns, evolving regulations of cloud computing, cross-border data transfer restrictions and other domestic or foreign regulations may limit the use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers or support our current customers, thus reducing our revenues, harming our operating results and adversely affecting our business”);
 
uncertainty of the economic, financial, regulatory, trade, tax and legal implications of the withdrawal of the U.K. from the E.U. (“Brexit”) and how this could affect our business, both globally and specifically in the region. In particular, a withdrawal from the European Union by the U.K. could, among other potential outcomes, disrupt the free movement of goods, services and people between the U.K. and the European Union and significantly disrupt trade between the U.K. and the European Union and other parties, including by imposing greater taxes, restrictions and regulatory complexities on imports and exports between the U.K. and the European Union;
 
fluctuations in exchange rates between the U.S. dollar and foreign currencies in markets where we do business (See “—We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations”);
 
greater difficulty in enforcing contracts and managing collections, as well as longer collection periods;
 
compliance with anti-bribery laws, including, without limitation, compliance with the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act 2010;
 
heightened risk of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements by us or by our channel partners or service providers that may impact financial results and result in restatements of, or irregularities in, financial statements;
 
risks associated with trade restrictions and foreign legal requirements, including any importation, certification, and localization of our platform that may be required in foreign countries;
 
greater risk of unexpected changes in regulatory practices, tariffs, and tax laws and treaties (See “— Our business may be materially affected by changes to fiscal and tax policies. Potentially negative or unexpected tax consequences of these policies, or the uncertainty surrounding their potential effects, could adversely affect our results of operations and share price”);
 
compliance with, and the uncertainty of, laws and regulations that apply to our areas of business, including corporate governance, anti-trust and competition, import and export control, employee and third-party complaints, conflicts of interest, securities regulations and other regulatory requirements affecting trade and investment;
 
reduced or uncertain protection of intellectual property rights in some countries;
 
social, economic and political instability, terrorist attacks and security concerns in general; and
 
management communication and integration problems resulting from cultural and geographic dispersion.
 
13

These and other factors could harm our ability to generate future global revenues and, consequently, materially impact our business, results of operations and financial condition. Non-compliance could also result in fines, damages, or criminal sanctions against us, our officers or our employees, prohibitions on the conduct of our business, and damage to our reputation.
 
If our internal IT network system is compromised by cyber attackers or other data thieves, or by a critical system failure, our reputation, financial condition and operating results could be materially adversely affected.
 
Our solution and product offerings will not gain market share unless the marketplace is confident that we provide effective IT security protection. As we provide privileged account security products, we may be an attractive target for cyber attackers or other data thieves since a breach of our system could provide data information regarding not only us, but potentially regarding the customers that our solutions protect. Further, we may be targeted by cyber terrorists because we are an Israeli company.
 
From time to time we encounter intrusion incidents and attempts, none of which to date has resulted in any material adverse impact to our business or operations. Any such future attacks could materially adversely affect our business or results of operations. In addition, as our market position continues to grow, specifically in the security industry, an increasing number of cyber attackers may focus on finding ways to penetrate our network systems, which might eventually affect our products and services. For example, third parties may attempt to fraudulently induce employees or customers into disclosing sensitive information such as user names, passwords or other information or otherwise compromise the security of our internal networks, electronic systems and/or physical facilities in order to gain access to our data or our customers’ data. Additionally, the risk of cyber attacks to our company may also result from breaches of our contractors, business partners, vendors and other third parties associated with us, or due to human errors of those acting on our behalf.
 
Separately, we may be subject to information technology system failures or network disruptions caused by natural disasters, accidents, power disruptions, telecommunications failures, acts of terrorism, security breaches, wars, computer viruses, or other events or disruptions. System redundancy and other continuity measures may be ineffective or inadequate, and our business continuity and disaster recovery planning may not be sufficient for all eventualities. These events could adversely affect our operation, reputation, financial condition and operating results.
 
In addition, we rely on hosted SaaS technologies from third parties in order to operate critical functions of our business, including customer relationship management and financial operation services (provided by our ERP system). If these services are breached or become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms, our expenses could increase, our ability to manage our operations could be interrupted and our processes for managing sales of our products and services and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated; all of which could materially harm our business.
 
If we experience a significant technology incident, such as a serious product vulnerability, security breach or a failure of a system that is critical for the operations of our business, it could impair our ability to operate our business, including our ability to provide maintenance and support services to our customers. If this happens, our revenues could decline and our business could suffer, and we may need to make significant further investments to protect data and infrastructure. Because we are in the computer security industry, an actual or perceived vulnerability, failure, disruption, or breach of our network or privileged account security in our systems also could adversely affect the market perception of our products and services, or of our expertise in this field, as well as our perception among new and existing customers. Additionally, a significant security breach could subject us to potential liability, litigation and regulatory or other government action. If any of the foregoing were to occur, our business may suffer and our share price may be negatively impacted.
 
If we do not effectively expand, train and retain our sales and marketing personnel, we may be unable to acquire new customers or sell additional products and services to existing customers, and our business will suffer.
 
We depend significantly on our sales force to attract new customers and expand sales to existing customers. We generate approximately 35% of our revenues from direct sales and the balance from indirect sales. As a result, our ability to grow our revenues depends in part on our success in recruiting, training and retaining sufficient numbers of sales personnel to support our growth. The number of our sales and marketing personnel increased from 491 as of December 31, 2017 to 541 as of December 31, 2018. We expect to continue to expand our sales and marketing personnel significantly and face a number of challenges in achieving our hiring and integration goals. There is intense competition for individuals with sales training and experience. In addition, the training and integration of a large number of sales and marketing personnel in a short time requires the allocation of significant internal resources. We invest significant time and resources in training new sales force personnel to understand our solutions and growth strategy. Based on our past experience, it takes an average of approximately six to nine months before a new sales force member operates at target performance levels. However, we may be unable to achieve or maintain our target performance levels with large numbers of new sales personnel as quickly as we have done in the past. Our failure to hire a sufficient number of qualified sales force members and train them to operate at target performance levels may materially and adversely impact our projected growth rate.
 
14

We rely on channel partners to generate a significant portion of our revenue, market our solutions and provide necessary services to our customers. If we fail to maintain successful relationships with our channel partners, or if our channel partners fail to perform, our ability to market, sell and distribute our solutions will be limited, and our business, financial position and results of operations will be harmed.
 
In addition to our direct sales force, we rely on our channel partners to market, sell, support and implement our solutions, particularly in Europe and the Asia Pacific and Japan regions. We expect that sales through our channel partners will continue to account for a significant percentage of our revenue. In the year ended December 31, 2018, we generated approximately 65% of our revenues from sales to channel partners such as distributors, systems integrators, value-added resellers and managed security service providers, and we expect that channel partners will represent a substantial portion of our revenues for the foreseeable future. Further, we cooperate with advisory firms in marketing our solutions and providing implementation services to our customers, in both direct and indirect sales. Our agreements with channel partners are non-exclusive, meaning our partners may offer customers IT security products from other companies, including products that compete with our solutions. If our channel partners do not effectively market and sell our solutions, or choose to use greater efforts to market and sell their own products and services or the products and services of our competitors, our ability to grow our business will be adversely affected. Our channel partners may cease or deemphasize the marketing of our solutions with limited or no notice and with little or no penalty. Further, new channel partners require training and may take several months or more to achieve productivity. The loss of key channel partners, the inability to replace them or the failure to recruit additional channel partners could materially and adversely affect our results of operations. Our reliance on channel partners could also subject us to lawsuits or reputational harm if, for example, a channel partner misrepresents the functionality of our solutions to customers, fails to appropriately implement our solutions or violates applicable laws, and may further result in termination of such partner’s agreement and potentially curb future revenues associated with it. Our ability to grow revenues in the future will depend in part on our success in maintaining successful relationships with our channel partners and training our channel partners to independently sell and install our solutions. If we are unable to maintain our relationship with channel partners or otherwise develop and expand our indirect sales channel, or if our channel partners fail to perform, our business, financial position and results of operations could be adversely affected.
 
Failure by us, our service providers or our channel partners to maintain sufficient levels of customer support could have a material adverse effect on our business, financial condition and results of operations.
 
Our customers depend, in large part, on customer support and professional services delivered by us, our service providers or our channel partners to implement and roll out our solutions, and resolve issues relating to their use. Even with our support and that of our service providers and channel partners, our customers are ultimately responsible for effectively using our solutions and ensuring that their IT staff and other relevant users are properly trained in the use of our products and complementary security products, methodologies and processes. Our failure or the failure of our service providers or channel partners to support and train our customers in the correct use of our solutions, or failure to effectively assist customers in installing our solutions and providing effective ongoing support, may result in an increase in the vulnerability of our customers’ IT systems and sensitive data. Additionally, if our service providers or channel partners do not effectively provide support and professional services to the satisfaction of our customers, we may be required to provide support to such customers, which would require us to invest in additional personnel and expend significant time and resources. We may not be able to keep up with demand for our services and support, particularly if the sales of our solutions exceed our internal forecasts. To the extent that we, our service providers or our channel partners are unsuccessful in hiring, training and retaining adequate support resources, our ability and the ability of our service providers and channel partners to provide adequate and timely support and other services to our customers will be negatively impacted, and our customers’ satisfaction with us and our products may be adversely affected. Accordingly, our failure to provide satisfactory maintenance and technical support services, whether directly or through our service providers and channel partners, could have a material and adverse effect on our business and results of operations.
 
15

Regulatory data privacy concerns, evolving regulations of cloud computing, cross-border data transfer restrictions and other domestic or foreign regulations may limit the use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers or support our current customers, thus reducing our revenues, harming our operating results and adversely affecting our business.
 
Regulation related to the provision of services on the internet is increasing, as federal, state and foreign governments continue to adopt new laws and regulations addressing cybersecurity, privacy, data protection and the collection, processing, storage and use of personal information. 
 
We are subject to diverse laws and regulations relating to data privacy, including, as a result of our presence in the European Union (EU), GDPR which took effect on May 25, 2018. We and many of our customers will be subject to GDPR, and we are required to expend significant capital and other resources to ensure we are compliant with privacy legislation. Compliance with global data privacy laws including GDPR and certain associated contractual obligations may require changes in services, business practices, or internal systems resulting in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing with firms which are not subject to GDPR. For example, GDPR imposes several stringent requirements for controllers and processors of personal data and will increase our obligations including, for example, by requiring more robust disclosures to individuals, strengthening the individual data rights regime, shortening timelines for data breach notifications, requiring detailed internal policies and procedures and limiting retention periods. Compliance may require changes in services and business practices which may lead to the diversion of engineering resources from other projects. As a company that focuses on privilege access security, if we are unable to engineer products that meet our legal duties or help our customers meet their obligations under GDPR or other data regulations, we might experience reduced demand for our products or services. Claims that we have breached our contractual obligations, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business.
 
GDPR also increases the scrutiny applied to transfers of personal data from within the EU to countries that are considered to lack an adequate level of data protection, such as the United States. There are currently a number of legal challenges to the validity of EU mechanisms for adequate data transfers (such as the Privacy Shield Framework and the standard contractual clauses), and our work could be impacted by changes in law as a result of a future review of these transfer mechanisms by European regulators and the European courts under GDPR. In addition, following Brexit, the U.K. will cease to be in the EU, and depending on how and when Brexit occurs (which is still unclear), data flows from the EU to the U.K. may need additional safeguards in place, which could affect our operations in the U.K. These and other regulatory requirements around the privacy or cross-border transfer of personal data could restrict our ability to store and process data as part of our solutions, or, in some cases, impact our ability to offer our solutions or services in certain jurisdictions.
 
In the EU, Directive 2002/58 on Privacy and Electronic Communications (the “ePrivacy Directive”) is also under reform, and will be replaced by a new E-privacy Regulation once agreed. This is likely to impose stricter rules on business to business marketing throughout the EU, requiring fully informed and freely given consent before businesses can market to leads.
 
If we or our service providers fail to comply with applicable data protection laws, we may be subject to litigation, regulatory investigations, negative publicity, potential loss of business, enforcement notices and/or fines (which under GDPR can be up to four percent of global turnover for the preceding financial year or 20 million euros, whichever is higher).
 
16

We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.
 
Our functional and reporting currency is the U.S. dollar. In 2018, the majority of our revenues were denominated in U.S. dollars and the remainder primarily in euros and British pounds sterling. In 2018, the substantial majority of our cost of revenues and operating expenses were denominated in U.S. dollars and New Israeli Shekels (NIS) and the remainder primarily in euros and British pounds sterling. Our foreign currency-denominated expenses consist primarily of personnel, marketing programs, rent and other overhead costs. Since a significant portion of our expenses is incurred in NIS and is substantially greater than our revenues in NIS, any appreciation of the NIS relative to the U.S. dollar could materially adversely impact our operating income. In addition, since the portion of our revenues generated in euros and British pounds sterling is greater than our expenses incurred in euros and British pounds sterling, respectively, any depreciation of the euro or the British pounds sterling relative to the U.S. dollar would adversely impact our operating income. We estimate that a 10% strengthening or weakening in the value of the NIS against the U.S. dollar would have decreased or increased, respectively, our operating income by approximately $6.0 million in 2018. We estimate that a 10% strengthening or weakening in the value of the euro against the U.S. dollar would have increased or decreased, respectively, our operating income by approximately $3.4 million in 2018. We estimate that a 10% strengthening or weakening in the value of the British pounds sterling against the U.S. dollar would have increased or decreased, respectively, our operating income by approximately $0.6 million in 2018. These estimates of the impact of fluctuations in currency exchange rates on our historic results of operations may be different from the impact of fluctuations in exchange rates on our future results of operations since the mix of currencies comprising our revenues and expenses may change. We evaluate periodically the various currencies to which we are exposed and take hedging measures to reduce the potential adverse impact from the appreciation or the depreciation of our non U.S. dollar-denominated operations, as appropriate. We expect that the majority of our revenues will continue to be generated in U.S. dollars with the balance primarily in euros and British pounds sterling for the foreseeable future and that a significant portion of our expenses will continue to be denominated in NIS, U.S. dollars, British pounds sterling and in euros. We cannot provide any assurances that our hedging activities will be successful in protecting us from adverse impacts from currency exchange rate fluctuations. In addition, we have monetary assets and liabilities that are denominated in non-U.S. dollar currencies. For example, starting January 1, 2019, in accordance with a new lease accounting standard, we are required to present a significant NIS linked liability related to our operational leases in Israel. As a result, significant exchange rate fluctuations could have a negative effect on our net income. See “Item 11—Quantitative and Qualitative Disclosures About Market Risk—Foreign Currency Risk.”
 
Our research and development efforts may not produce successful products or enhancements to our solutions that result in significant revenue or other benefits in the near future, if at all.
 
We expect to continue to dedicate significant financial and other resources to our research and development efforts in order to maintain our competitive position. For example, in 2018, we increased our dedicated research and development personnel by 15% compared to 2017. However, investing in research and development personnel, developing new products and enhancing existing products is expensive and time consuming, and there is no assurance that such activities will successfully anticipate market needs and result in significant new marketable products or enhancements to our products, design improvements, cost savings, revenues or other expected benefits. If we spend significant time and effort on research and development and are unable to generate an adequate return on our investment, we may not be able to compete effectively, and our business and results of operations may be materially and adversely affected.
 
Our investment in product enhancements or new products could fail to attain sufficient market acceptance for many reasons, including:
 
delays in releasing product enhancements or new products;
 
failure to accurately predict market demand and to supply products that meet this demand in a timely fashion;
 
inability to interoperate effectively with the existing or newly introduced technologies, systems or applications of our existing and prospective customers;
 
defects in our products, errors or failures of our solutions to secure and protect privileged accounts against existing and new types of attacks;
 
negative publicity about the performance or effectiveness of our products;
 
introduction or anticipated introduction of competing products by our competitors;
 
installation, configuration or usage errors by our customers; and
 
easing or changing of regulatory requirements related to security.
 
17

If we fail to anticipate market requirements or fail to develop and introduce product enhancements or new products to meet those needs in a timely manner, it could cause us to lose existing customers and prevent us from gaining new customers, which would significantly harm our business, financial condition and results of operations.
 
Prolonged economic uncertainties or downturns in certain regions or industries could materially adversely affect our business.
 
Our business depends on our current and prospective customers’ ability and willingness to invest money in IT security, which in turn is dependent upon their overall economic health. Negative economic conditions in the global economy or certain regions such as U.S. or Europe, including conditions resulting from financial and credit market fluctuations, could cause a decrease in corporate spending on information security software. In 2018, we generated 55 % of our revenues from the United States, 33% of our revenues from Europe, the Middle East and Africa and 12% from the rest of the world, which includes countries from Asia Pacific and Japan region, Latin America region and Canada.
 
In addition, a significant portion of our revenues is generated from customers in the financial services industry, including banking and insurance. Negative economic conditions may cause customers generally, and in that industry in particular, to reduce their IT spending. Customers may delay or cancel IT projects, choose to focus on in-house development efforts or seek to lower their costs by renegotiating maintenance and support agreements. Additionally, customers or channel partners may be more likely to make late payments in worsening economic conditions which could lead to increased collection efforts and additional associated costs to receive expected revenues. To the extent purchases of licenses for our software are perceived by customers and potential customers to be discretionary, our revenues may be disproportionately affected by delays or reductions in general IT spending. If the economic conditions of the general economy or industries in which we operate worsen from present levels, our results of operation could be adversely affected.
 
If we are unable to hire, retain and motivate qualified personnel, our business will suffer.
 
Our future success depends, in part, on our ability to continue to attract and retain highly skilled personnel. Our inability to attract or retain qualified personnel or delays in hiring required personnel may seriously harm our business, financial condition and results of operations. Any of our employees may terminate their employment at any time. Competition for highly skilled personnel, specifically engineers for research and development positions, is often intense and results in increasing wages, especially in Israel, where we are headquartered and most of our research and development positions are located, and where several large multinational corporations have entered the market. We may struggle to retain employees, and due to our profile and market position, competitors actively seek to hire skilled personnel away from us. Furthermore, from time to time, we have been subject to allegations that employees that have been hired from competitors may have been improperly solicited or divulged proprietary or other confidential information.
 
Our business and operations will be negatively affected if we fail to effectively manage our growth.
 
We have experienced significant growth in a relatively short period of time and intend to continue to grow our business. Our revenues grew from $216.6 million in 2016 to $343.2 million in 2018. In addition, the number of customers that we serve has grown significantly over the same period.
 
Our rapid growth has placed significant demands on our management, sales, operational and financial infrastructure, and our growth will continue to place significant demands on these resources. Our headcount has increased from 823 as of December 31, 2016 to 1,146 as of December 31, 2018. We plan to hire additional employees in 2019 across all areas of the organization. Additionally, we believe our corporate culture is a critical component of our growth and success. As we continue to add new employees, we may find it challenging to maintain our corporate culture and that may affect our ability to recruit and retain personnel. 
 
Further, in order to manage our current and future growth effectively, we must continue to improve and expand our IT and financial infrastructure, operating and administrative systems and controls as well as efficiently manage headcount, capital and processes. If we are not able to successfully scale or implement these improvements in a manner that keeps pace with our growth, or is timely and efficient, then our failure to do so may materially impact our projected growth rate.
 
18

Intellectual property claims may increase our costs or require us to cease selling certain products, which could adversely affect our financial condition and results of operations.
 
The IT security industry is characterized by the existence of a large number of relevant patents and frequent claims and related litigation regarding patent and other intellectual property rights. Leading companies in the IT security industry have extensive patent portfolios. From time to time, third-parties have asserted, and in the future may assert, their patent, copyright, trademark and other intellectual property rights against us, our channel partners or our customers. Furthermore, we may be subject to indemnification obligations with respect to third-party intellectual property rights pursuant to our agreements with our customers and channel partners. Such indemnification provisions are customary for our industry. Any claims of intellectual property infringement or misappropriation brought against us, our channel partners or our customers, even those without merit, could be expensive and time-consuming to defend, and divert management’s attention. We cannot assure you that we will have the resources to defend against all such claims. Successful claims of infringement or misappropriation by a third-party against us or a third-party that we indemnify could prevent us from distributing certain products or performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us to cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others, to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology, to enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights, and to indemnify our customers and channel partners (and parties associated with them). Even if third parties may offer a license to their technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely affected. Defending against claims of infringement or being deemed to be infringing the intellectual property rights of others could impair our ability to innovate, develop, distribute and sell our current and planned products and services. If we were to violate the intellectual property rights of others, our financial position may be adversely affected.
 
If our products fail to help our customers achieve and maintain compliance with certain government regulations and industry standards, our business and results of operations could be materially and adversely affected.
 
We generate a substantial portion of our revenues from our products and services which enable our customers to achieve and maintain compliance with certain government regulations and industry standards, and we expect that to continue for the foreseeable future. This includes third party certifications where our solutions are being utilized by our customers as a control demonstrating compliance with specific elements of these standards. These industry standards may change with little or no notice, including changes that could make them more or less onerous for businesses, including, without limitations, updates to the Common Criteria for Information Technology Security Evaluation (CC). In addition, governments may also adopt new laws or regulations, or make changes to existing laws or regulations, some of which may conflict with each other, that could impact whether our solutions enable our customers to maintain compliance with such laws or regulations. If we are unable to adapt our solutions to changing government regulations and industry standards in a timely manner, or if our solutions fail to expedite our customers’ compliance initiatives, our customers may lose confidence in our products and could switch to products offered by our competitors. In addition, if government regulations and industry standards related to IT security are changed in a manner that makes them less onerous, our customers may view compliance as less critical to their businesses, and our customers may be less willing to purchase our products and services. In either case, our sales and financial results would suffer.
 
If our products do not effectively interoperate with our customers’ existing or future IT infrastructures, installations could be delayed or cancelled, which could harm our business.
 
Our products must effectively interoperate with our customers’ existing or future IT infrastructures, which often have different specifications, utilize multiple protocol standards, deploy products from multiple vendors and contain multiple generations of products that have been added over time. If we find errors in the existing software or defects in the hardware used in our customers’ infrastructure or problematic network configurations or settings, we may have to modify our software so that our products will interoperate with our customers’ infrastructure and business processes. In addition, to stay competitive within certain markets, we may be required to make software modifications in future releases to comply with new statutory or regulatory requirements. These issues could result in longer sales cycles for our products and order cancellations, either of which could adversely affect our business, results of operations and financial condition.
 
19

If we are unable to adequately protect our proprietary technology and intellectual property rights, our business could suffer substantial harm.
 
The success of our business depends on our ability to protect our proprietary technology, brands and other intellectual property and to enforce our rights in that intellectual property. We attempt to protect our intellectual property under patent, copyright, trademark and trade secret laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection.
 
As of December 31, 2018, we had 34 issued patents in the United States, and 41 pending U.S. patent applications. We also had 3 issued patents and 20 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional patent applications in the future.
 
The process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner all the way through to the successful issuance of a patent. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions. Furthermore, it is possible that our patent applications may not issue as granted patents, that the scope of our issued patents will be insufficient or not have the coverage originally sought, that our issued patents will not provide us with any competitive advantages, and that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes or litigation. Finally, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. Our policy is to require our employees (and our consultants and service providers that develop intellectual property included in our products) to execute written agreements in which they assign to us their rights in potential inventions and other intellectual property created within the scope of their employment (or, with respect to consultants and service providers, their engagement to develop such intellectual property), but we cannot be certain that we have adequately protected our rights in every such agreement or that we have executed an agreement with every such party. Finally, in order to benefit from the protection of patents and other intellectual property rights, we must monitor and detect infringement and pursue infringement claims in certain circumstances in relevant jurisdictions. Litigating claims related to the enforcement of intellectual property rights is very expensive and can be burdensome in terms of management time and resources. Any litigation related to intellectual rights or claims against us could result in loss or compromise of our intellectual property rights or could subject us to significant liabilities. As a result, we may not be able to obtain adequate protection or to effectively enforce our issued patents or other intellectual property rights.
 
In addition to patents, we rely on trade secret rights, copyrights and other rights to protect our unpatented proprietary intellectual property and technology. Unauthorized parties, including our employees, consultants, service providers or customers, may attempt to copy aspects of our products or obtain and use our trade secrets or other confidential information. We generally enter into confidentiality agreements with our employees, consultants, service providers, vendors, channel partners, subcontractors and customers, and generally limit access to and distribution of our proprietary information and proprietary technology through certain procedural safeguards. These agreements may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology. We cannot be certain that the steps taken by us will prevent misappropriation of our intellectual property or technology or infringement of our intellectual property rights. In addition, the laws of some foreign countries where we sell our products do not protect intellectual property rights and technology to the same extent as the laws of the United States, and these countries may not enforce these laws as diligently as government agencies and private parties in the United States. If we are unable to protect our intellectual property, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and effort required to create the innovative products that have enabled us to be successful to date.
 
Our use of open source software, third-party software and other intellectual property may expose us to risks.
 
We license and integrate certain open source software components from third parties into our software, and we expect to continue to use open source software in the future. Some open source software licenses require users who distribute or make available as a service open source software as part of their own software product to publicly disclose all or part of the source code of the users’ developed software or to make available any derivative works of the open source code on unfavorable terms or at no cost. Our efforts to use the open source software in a manner consistent with the relevant license terms that would not require us to disclose our proprietary code or license our proprietary software at no cost may not be successful. We may face claims by third parties seeking to enforce the license terms applicable to such open source software, including by demanding the release of the open source software, derivative works or our proprietary source code that was developed using such software. In addition, if the license terms for the open source code change, we may be forced to re-engineer our software or incur additional costs.
 
20

Further, some of our products and services include other software or intellectual property licensed from third parties, and we also use software and other intellectual property licensed from third parties in our business. This exposes us to risks over which we may have little or no control. For example, a licensor may have difficulties keeping up with technological changes or may stop supporting the software or other intellectual property that it licenses to us. There can be no assurance that the licenses we use will be available on acceptable terms, if at all. In addition, a third party may assert that we or our customers are in breach of the terms of a license, which could, among other things, give such third party the right to terminate a license or seek damages from us, or both. Our inability to obtain or maintain certain licenses or other rights or to obtain or maintain such licenses or rights on favorable terms, or the need to engage in litigation regarding these matters, could result in delays in releases of new products, and could otherwise disrupt our business, until equivalent technology can be identified, licensed or developed.
 
Our business may be materially affected by changes to fiscal and tax policies. Potentially negative or unexpected tax consequences of these policies, or the uncertainty surrounding their potential effects, could adversely affect our results of operations and share price.
 
As a multinational corporation, we are subject to income taxes, withholding taxes and indirect taxes in numerous jurisdictions worldwide. Significant judgment and management attention and resources are required in evaluating our tax positions and our worldwide provision for taxes. In the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting, and other laws, regulations, principles and interpretations. This may include recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, changes in foreign currency exchange rates, or changes in the valuation of our deferred tax assets and liabilities.
 
We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes against us. If we experience unfavorable results from one or more such tax audits, there could be an adverse effect on our tax rate and therefore on our net income. The final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made. Additionally, we are subject to transfer pricing rules and regulations in various jurisdictions, including those relating to the flow of funds between us and our affiliates, which are designed to ensure that appropriate levels of income are reported in each jurisdiction in which we operate.
 
We rely significantly on revenues from maintenance and support contracts, which we recognize ratably over the term of the associated contract and, to a lesser extent, from professional services contracts, which we recognize as services are performed, and any downturns in sales of these contracts would not be immediately reflected in full in our quarterly operating results.
 
Maintenance and support and professional services revenues accounted for 44% of our total revenues in 2018. Sales of maintenance and support and professional services may decline or fluctuate as a result of a number of factors, including the number of product licenses we sell, our customers’ level of satisfaction with our products and services, the prices of our products and services, the prices of products and services offered by our competitors or reductions in our customers’ spending levels. If our sales of maintenance and support and professional services contracts decline, our revenues or revenue growth may decline, and our business will suffer. We recognize revenues from maintenance and support contracts ratably on a straight-line basis over the term of the related contract which is typically one year and, to a lesser extent, three years, and from professional services as services are performed. As a result, a meaningful portion of the revenues we report each quarter results from the recognition of deferred revenues from maintenance and support and professional services contracts entered into during previous quarters. Consequently, a decline in the number or size of such contracts in any one quarter will not be fully reflected in revenues in that quarter, but will negatively affect our revenues in future quarters. Accordingly, the effect of significant downturns in maintenance and support and professional services contracts would not be reflected in full in our results of operations until future periods.
 
21

A portion of our revenues is generated by sales to government entities, which are subject to a number of challenges and risks, such as increased competitive pressures, administrative delays and additional approval requirements.
 
A portion of our revenues is generated by sales to U.S. and foreign federal, state and local governmental agency customers, and we may in the future increase sales to government entities. Selling to government entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that we will complete a sale or imposing terms of sale which are less favorable than the prevailing market terms. Government demand and payment for our products and services may be impacted by public sector budgetary cycles and funding authorizations, with funding reductions, government shutdowns or delays adversely affecting public sector demand for our products. Additionally, for purchases by the U.S. government, the government may require certain products to be manufactured in the United States and other high cost manufacturing locations, and we may not manufacture all products in locations that meet the requirements of the U.S. government. Finally, some government entities require our products to be certified by industry-approved security agencies as a pre-condition of purchasing our products. The grant of such certifications depends on the then-current requirements of the certifying agency. We cannot be certain that any certificate will be granted or renewed or that we will be able to satisfying the technological and other requirements to maintain certifications. The loss of any of our product certificates, or the failure to obtain new ones, could cause us to suffer reputational harm, lose existing customers, or deter new and existing customers from purchasing our solutions, additional products or our services.
 
We are subject to governmental export and import controls that could subject us to liability in the event of non-compliance or impair our ability to compete in international markets.
 
We incorporate encryption capabilities into certain products and these products are subject to U.S. export control requirements. We are also subject to Israeli export controls on encryption technology since our product development initiatives are primarily conducted in Israel. If the applicable U.S. or Israeli requirements regarding the export of encryption technology were to change or if we change the encryption functionality in our products, we may need to satisfy additional requirements or obtain specific permissions (licenses) in the United States or Israel in order to continue to export our products to the same range of customers and countries as we presently do. There can be no assurance that we will be able to satisfy such additional requirements or obtain specific licenses under these circumstances in either the United States or Israel. Furthermore, various other countries regulate the import of certain encryption products and technology, including import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries.
 
We are also subject to U.S., Israeli and other applicable export control and economic sanctions laws, which prohibit the export or sale of certain products or services to embargoed or sanctioned countries, governments and persons. Our products could be exported to these sanctioned targets by our channel partners or sold directly by us to such targets despite our due diligence and, in the case of sanctionable activities by our channel partners, the contractual undertakings they have given us, and any such export could have negative consequences, including government investigations, penalties and reputational harm. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Any decreased use of our products or limitation on our ability to export or sell our products and services would likely adversely affect our business, financial condition and results of operations.
 
22

In addition, in the future we may be subject to defense-related export controls. For example, currently our solutions are not subject to supervision under the Israeli Defense Export Control Law, 5767-2007, but if they were used for purposes that are classified as defense-related or if they fall under “dual-use goods and technology” as referred to below, we could become subject to such regulation. In particular, under the Israeli Defense Export Control Law, 5767-2007, an Israeli company may not conduct “defense marketing activity” without a defense marketing license from the Israeli Ministry of Defense (MOD) and may be subject to a requirement to obtain a specific license from the MOD for any export of defense related products and/or knowhow. The definition of defense marketing activity is broad and includes any marketing of “defense equipment,” “defense knowhow” or “defense services” outside of Israel, which includes “dual-use goods and technology” (material and equipment intended in principle for civilian use and that can also be used for defensive purposes, such as our cybersecurity solutions) that is specified in the list of Goods and Dual-Use Technology annexed to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, if intended for defense use only, or is specified under Israeli legislation. “Dual-use goods and technology” will be subject to control by the Ministry of Economy if intended for civilian use only. In December 2013, regulations under the Wassenaar Arrangement included for the first time a chapter on cyber-related matters, which chapter was last amended in December 2018. We believe that our products do not fall under this chapter; however, in the future we may become subject to this regulation or similar regulations, which would limit our sales and marketing activities and could therefore have an adverse effect on our results of operations. Similar issues could arise under the U.S. defense/military export controls under the Arms Export Control Act and the International Traffic in Arms Regulations. Accordingly, there can be no assurance whether our solutions would be impacted by any potential new regulations pertaining to cybersecurity products and services similar to those provided by us, and what impact potential new regulations would have on our sales or our costs relating to compliance.
 
Risks Related to Our Ordinary Shares
 
Our share price may be volatile, and you may lose all or part of your investment.
 
Since our initial public offering in September 2014, our ordinary shares have traded on the NASDAQ Global Select Market (“NASDAQ”) as high as $109.77 per share and as low as $22.12 per share through February 28, 2019. In addition, the market price of our ordinary shares could be highly volatile and may fluctuate substantially as a result of many factors, some of which are beyond our control, including, but not limited to:
 
actual or anticipated fluctuations in our results of operations and the results of other similar companies;
 
variance in our financial performance from the expectations of market analysts;
 
announcements by us or our competitors of significant business developments, changes in service provider relationships, acquisitions or expansion plans;
 
changes in the prices of our products and services or in our pricing models;
 
our involvement in litigation;
 
our sale of ordinary shares or other securities in the future;
 
market conditions in our industry;
 
changes in key personnel;
 
speculation in the press or the investment community;
 
the trading volume of our ordinary shares;
 
changes in the estimation of the future size and growth rate of our markets;
 
any merger and acquisition activities; and
 
general economic and market conditions.
 
In addition, the stock markets have experienced price and volume fluctuations. Broad market and industry factors may materially harm the market price of our ordinary shares, regardless of our operating performance. In the past, following periods of volatility in the market price of a company’s securities, securities class action litigation has often been instituted against that company. If we were involved in any similar litigation we could incur substantial costs and our management’s attention and resources could be diverted, which could materially adversely affect our business.
 
23

If securities or industry analysts cease to publish research or publish inaccurate or unfavorable research reports about our business, our share price and trading volume could decline.
 
The trading price for our ordinary shares is affected by any research or reports that securities or industry analysts publish about us, our business or our industry. If one or more of the analysts who cover us or our business publish inaccurate or unfavorable research reports about us or our business, and in particular, if they downgrade their evaluations of our ordinary shares, the price of our ordinary shares would likely decline. If one or more of these analysts cease coverage of our company, we could lose visibility in the market for our ordinary shares, which in turn could cause our share price to decline. In addition, industry analysts often provide reviews of our offerings, as well as those of our competitors, and perception of our offerings in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors’ products and professional services or compared to prior reviews of our offerings, our brand may be adversely affected.
 
As a foreign private issuer whose shares are listed on NASDAQ, we may follow certain home country corporate governance practices instead of otherwise applicable SEC and NASDAQ requirements, which may result in less protection than is accorded to investors under rules applicable to domestic U.S. issuers.
 
As a foreign private issuer whose shares are listed on NASDAQ, we are permitted to follow certain home country corporate governance practices instead of certain rules of NASDAQ. We currently follow Israeli home country practices with regard to the quorum requirement for shareholder meetings and NASDAQ requirements relating to distribution of our annual report to shareholders. As permitted under the Israeli Companies Law, 5759-1999, or the Companies Law, our articles of association provide that the quorum for any meeting of shareholders shall be the presence of at least two shareholders present in person or by proxy who hold at least 25% of the voting power of our shares instead of 33 1/3% of our issued share capital (as prescribed by NASDAQ’s rules). Further, as permitted by the Companies Law and in accordance with the generally accepted business practice in Israel, we do not distribute our annual report to shareholders but make it available through our public website. We may in the future elect to follow Israeli home country practices with regard to other matters such as director nomination procedures, separate executive sessions of independent directors and the requirement to obtain shareholder approval for certain dilutive events (such as for the establishment or amendment of certain equity-based compensation plans, issuances that will result in a change of control of the company, certain transactions other than a public offering involving issuances of a 20% or more interest in the company and certain acquisitions of the stock or assets of another company). Accordingly, our shareholders may not be afforded the same protection as provided under NASDAQ corporate governance rules. Following our home country governance practices as opposed to the requirements that would otherwise apply to a U.S. company listed on NASDAQ may provide less protection than is accorded to shareholders of domestic issuers. See “Item 16.G. Corporate Governance.”
 
Our business could be negatively affected as a result of the actions of activist shareholders, and such activism could impact the trading value of our securities.
 
In recent years, U.S. and non-U.S. companies listed on securities exchanges in the United States have been faced with governance-related demands from activist shareholders, unsolicited tender offers and proxy contests. Although as a foreign private issuer we are not subject to U.S. proxy rules, responding to any action of this type by activist shareholders could be costly and time-consuming, disrupting our operations and diverting the attention of management and our employees. Such activities could interfere with our ability to execute our strategic plans. In addition, a proxy contest for the election of directors at our annual meeting would require us to incur significant legal fees and proxy solicitation expenses and require significant time and attention by management and our board of directors. The perceived uncertainties due to such actions of activist shareholders also could affect the market price of our securities.
 
As a foreign private issuer we are not subject to the provisions of Regulation FD or U.S. proxy rules and are exempt from filing certain Exchange Act reports.
 
As a foreign private issuer, we are exempt from a number of requirements under U.S. securities laws that apply to public companies that are not foreign private issuers. In particular, we are exempt from the rules and regulations under the Exchange Act related to the furnishing and content of proxy statements, and our officers, directors and principal shareholders are exempt from the reporting and short-swing profit recovery provisions contained in Section 16 of the Exchange Act. In addition, we are not required under the Exchange Act to file annual and current reports and financial statements with the SEC as frequently or as promptly as U.S. domestic companies whose securities are registered under the Exchange Act, and we are generally exempt from filing quarterly reports with the SEC under the Exchange Act. We are also exempt from the provisions of Regulation FD, which prohibits issuers from making selective disclosure of material nonpublic information to, among others, broker-dealers and holders of a company’s securities under circumstances in which it is reasonably foreseeable that the holder will trade in the company’s securities on the basis of the information. Even though we intend to comply voluntarily with Regulation FD, these exemptions and leniencies will reduce the frequency and scope of information and protections to which you are entitled as an investor. For so long as we qualify as a foreign private issuer, we are not required to comply with the proxy rules applicable to U.S. domestic companies, although pursuant to the Companies Law, we disclose the annual compensation of our five most highly compensated office holders (as defined under the Companies Law) on an individual basis, including in this annual report.
 
24

Since a majority of our voting securities are either directly or indirectly owned of record by residents of the United States, we would lose our foreign private issuer status if any of the following were to occur: (i) the majority of our executive officers or directors were U.S. citizens or residents, (ii) more than 50 percent of our assets were located in the United States, or (iii) our business was administered principally in the United States. Although we have elected to comply with certain U.S. regulatory provisions, our loss of foreign private issuer status would make such provisions mandatory. The regulatory and compliance costs to us under U.S. securities laws as a U.S. domestic issuer may be significantly higher. We may also be required to modify certain of our policies to comply with good governance practices associated with U.S. domestic issuers. Such conversion and modifications will involve additional costs. In addition, we would lose our ability to rely on NASDAQ exemptions from certain corporate governance requirements that are available to foreign private issuers.
 
If we sell our ordinary shares in future financings, ordinary shareholders could experience immediate dilution and, as a result, the market price of our ordinary shares may decline.
 
We may from time to time issue additional ordinary shares at a discount from the current trading price of our ordinary shares. As a result, our ordinary shareholders would experience immediate dilution upon the purchase of any ordinary shares sold at such discount. In addition, as opportunities present themselves, we may enter into equity or debt financings or similar arrangements in the future, including the issuance of convertible debt securities, preferred shares or ordinary shares. If we issue ordinary shares or securities convertible into ordinary shares, holders of our ordinary shares could experience dilution.
 
If we are unable to satisfy the requirements of Sections 404(a) and 404(b) of the Sarbanes-Oxley Act of 2002 or if our internal control over financial reporting is not effective, investors may lose confidence in the accuracy and the completeness of our financial reports   and the trading price of our ordinary shares may be negatively affected.
 
Pursuant to Section 404(a) of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley Act”), we are required to furnish a report by management on the effectiveness of our internal control over financial reporting. Additionally, pursuant to Section 404(b) of the Sarbanes-Oxley Act, we must include an auditor attestation on our internal control over financial reporting.
 
To maintain the effectiveness of our disclosure controls and procedures and our internal control over financial reporting, we expect that we will need to continue enhancing existing, and implement new, financial reporting and management systems, procedures and controls to manage our business effectively and support our growth in the future. The process of evaluating our internal control over financial reporting requires an investment of substantial time and resources, including by our Chief Financial Officer and other members of our senior management. As a result, this process may divert internal resources and take a significant amount of time and effort to complete. Additionally, as part of management assessments of the effectiveness of our internal control over financial reporting required by Section 404(a), our management may conclude that our internal control over financial reporting is not effective due to our failure to cure any identified material weakness or otherwise, which would require us to employ remedial actions to implement effective controls. If we identify material weaknesses in our internal control over financial reporting, if we are unable to comply with the requirements of Section 404(a) or 404(b) in a timely manner or to assert that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion or issues an adverse opinion in its attestation as to the effectiveness of our internal control over financial reporting required by Section 404(b), investors may lose confidence in the accuracy and completeness of our financial reports and the trading price of our ordinary shares could be negatively affected. We could also become subject to investigations by NASDAQ, the SEC or other regulatory authorities, which could require additional financial and management resources.
 
Irrespective of compliance with Sections 404(a) and 404(b), any failure of our internal control over financial reporting could have a material adverse effect on our stated results of operations and harm our reputation. In order to implement changes to our internal control over financial reporting triggered by a failure of those controls, we could experience higher than anticipated operating expenses, including higher independent auditor fees during and after the implementation of these changes.
 
25

As a public company we may become subject to further compliance obligations, which may strain our resources and divert management’s attention.
 
Changing laws, regulations and standards in the United States relating to corporate governance and public disclosure and other matters may be implemented in the future, which may increase our legal and financial compliance costs, make some activities more time consuming and divert management’s time and attention from revenue-generating activities to compliance activities. If our efforts to comply with new laws, regulations and standards differ from the activities intended by regulatory or governing bodies due to ambiguities related to practice, regulatory authorities may initiate legal proceedings against us and our business may be harmed. Being a publicly traded company in the United States and being subject to U.S. rules and regulations may make it more expensive for us to obtain director and officer liability insurance, and we may be required to accept reduced coverage or incur substantially higher costs to obtain coverage. These factors could also make it more difficult for us to attract and retain qualified members of our board of directors, particularly to serve on our audit committee, and qualified executive officers.
 
Our U.S. shareholders may suffer adverse tax consequences if we are classified as a “passive foreign investment company.”
 
Generally, if for any taxable year, after the application of certain look-through rules, 75% or more of our gross income is passive income, or at least 50% of the average quarterly value of our assets (which may be measured in part by the market value of our ordinary shares, which is subject to change) are held for the production of, or produce, passive income (as defined in the relevant provisions of the Code), we would be characterized as a “passive foreign investment company,” or PFIC, for U.S. federal income tax purposes under the Code. Based on our market capitalization and our income, assets, and the nature of our business, we believe that we were not classified as a PFIC for the taxable year that ended December 31, 2018. Because PFIC status is determined annually and requires a factual determination that depends on, among other things, the composition of our income, assets and activities in each taxable year, and can only be made annually after the close of each taxable year, it is not possible to determine whether we will be characterized as a PFIC for the current taxable year, or for any subsequent year. Furthermore, because the value of our gross assets is likely to be determined in large part by reference to our market capitalization, a decline in the value of our ordinary shares may result in our becoming a PFIC. Accordingly, there can be no assurance that we will not be considered a PFIC for any taxable year. Our characterization as a PFIC could result in material adverse tax consequences for you if you are a U.S. Holder (as defined in “Item 10.E. Taxation—Certain United States Federal Income Tax Consequences”), including upon a sale, exchange, or other disposition of our ordinary shares, or upon the receipt of distributions in respect of our ordinary shares. We cannot provide any assurances in determining whether we or any of our non-U.S. subsidiaries are a PFIC for any taxable year. Prospective U.S. Holders should consult their own tax advisers regarding the potential application of the PFIC rules to them. Prospective U.S. investors should refer to “Item 10.E. Taxation—Certain United States Federal Income Tax Consequences” for discussion of additional U.S. income tax considerations applicable to them based on our treatment as a PFIC.
 
If a United States person is treated as owning at least 10% of our ordinary shares, such holder may be subject to adverse U.S. federal income tax consequences.
 
Depending upon the aggregate value and voting power of our shares that U.S. persons are treated as owning (directly, indirectly, or constructively), we could be treated as a controlled foreign corporation (“CFC”). Additionally, because our group consists of one or more U.S. subsidiaries, under recently enacted rules, certain of our non U.S. subsidiaries could be treated as CFCs, regardless of whether or not we are treated as a CFC (although there is currently a pending legislative proposal to significantly limit the application of these rules). If a U.S. person is treated as owning (directly, indirectly or constructively) at least 10% of the value or voting power of our shares, such person may be treated as a “U.S. shareholder” with respect to each CFC in our group (if any), which may subject such person to adverse U.S. federal income tax consequences. Specifically, a U.S. shareholder of a CFC may be required to annually report and include in its U.S. taxable income its pro rata share of each CFC’s “Subpart F income,” “global intangible low taxed income” and investments in U.S. property, whether or not we make any distributions of profits or income of a CFC to such U.S. shareholder. If you are treated as a U.S. shareholder of a CFC, failure to comply with these reporting obligations may subject you to significant monetary penalties and may prevent the statute of limitations with respect to your U.S. federal income tax return for the year for which reporting was due from starting. We cannot provide any assurances in determining whether we or any of our non U.S. subsidiaries are treated as CFCs or whether any investor is treated as a U.S. shareholder with respect to any of such CFC, nor do we expect to furnish to any U.S. shareholders information that may be necessary to comply with the aforementioned reporting and tax paying obligations. U.S. investors should consult their own advisors regarding the potential application of these rules to their investment in our ordinary shares.
 
26

 
We do not intend to pay dividends on our ordinary shares for the foreseeable future so any returns will be limited to changes in the value of our ordinary shares.
 
We have never declared or paid any cash dividends on our ordinary shares. We currently anticipate that we will retain future earnings for the development, operation, and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to shareholders will therefore be limited to the increase, if any, of our share price, which may or may not occur.
 
Risks Relating to Our Incorporation and Location in Israel
 
Our headquarters, substantially all of research and development activities and other significant operations are located in Israel and, therefore, our results may be adversely affected by political, economic and military instability in Israel.
 
Our headquarters and principal research and development facilities are located in Israel. In addition, a large number of our key employees and certain directors are residents of Israel. Accordingly, political, economic and military conditions in Israel may directly affect our business. Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its neighboring countries. In recent years, these have included hostilities between Israel and Hezbollah in Lebanon and Hamas in the Gaza strip, both of which resulted in rockets being fired into Israel causing casualties and disruption of economic activities. In addition, Israel faces threats from more distant neighbors, including, in particular, Iran. Our commercial insurance does not cover losses that may occur as a result of an event associated with the security situation in the Middle East. In addition, the Israeli government’s commitment to covering the reinstatement value of direct damages caused by terrorist attacks or acts of war, could be eliminated or may not be sufficient to compensate us fully for damages incurred. Any losses or damages incurred by us could have a material adverse effect on our business. Any armed conflict involving Israel could adversely affect our operations and results of operations.
 
Further, our operations could be disrupted by the obligations of personnel to perform military service. As of December 31, 2018, we had 429 employees based in Israel, certain of which may be called upon to perform up to 54 days in each three year period (and in the case of non-officer commanders or officers, up to 70 or 84 days, respectively, in each three year period) of military reserve duty until they reach the age of 40 (and in some cases, depending on their specific military profession up to 45 or even 49 years of age) and, in certain emergency circumstances, may be called to immediate and unlimited active duty. Our operations could be disrupted by the absence of a significant number of employees related to military service, which could materially adversely affect our business and results of operations.
 
Several countries, principally in the Middle East, restrict doing business with Israel and Israeli companies, and additional countries may impose restrictions on doing business with Israel and Israeli companies whether as a result of hostilities in the region or otherwise. In addition, there have been increased efforts by activists to cause companies and consumers to boycott Israeli goods based on Israeli government policies. Such actions, particularly if they become more widespread, may adversely impact our ability to sell our products. Any hostilities involving Israel or any interruption or curtailment of trade between Israel and its present trading partners, or a significant downturn in the economic or financial condition of Israel, could adversely affect our business, financial condition and results of operations. We may also be targeted by cyber terrorists specifically because we are an Israeli company.
 
27

The tax benefits that are available to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could increase our costs and taxes.
 
We were granted Approved Enterprise status under the Israeli Law for the Encouragement of Capital Investments, 5719-1959, or the Investment Law. We elected the alternative benefits program, pursuant to which income derived from the Approved Enterprise program is tax-exempt for two years and enjoys a reduced tax rate of 10.0% to 25.0% for up to a total of eight years, subject to an adjustment based on the percentage of foreign investors’ ownership. We were also eligible for certain tax benefits provided to Benefited Enterprises under the Investment Law. In March 2013, we notified the Israel Tax Authority that we apply the new tax Preferred Enterprise regime under the Investment Law instead of our Approved Enterprise and Benefited Enterprise. Accordingly, we are eligible for certain tax benefits provided to Preferred Enterprises under the Investment Law. If we do not meet the conditions stipulated in the Investment Law and the regulations promulgated thereunder, as amended, for the Preferred Enterprise, any of the associated tax benefits may be canceled, and we would be required to repay the amount of such benefits, in whole or in part, including interest and CPI linkage (or other monetary penalties). Starting from 2017, we are eligible for the Technological Preferred Enterprise regime, a sub-category of the Preferred Enterprise regime, which grants enhanced tax benefits to enterprises with significant research and development activities. Further, in the future these tax benefits may be reduced or discontinued. If these tax benefits are reduced, cancelled or discontinued, our Israeli taxable income would be subject to regular Israeli corporate tax rates which would harm our financial condition and results of operation. Additionally, if we increase our activities outside of Israel through acquisitions, for example, our expanded activities might not be eligible for inclusion under future Israeli tax benefit regimes. See “Item 5. Operating and Financial Review and Prospects—Operating Results—Israeli Tax Considerations and Government Programs—Law for the Encouragement of Capital Investments, 5719-1959.”  
 
We may become subject to claims for remuneration or royalties for assigned service invention rights by our employees.
 
We enter into assignment-of-invention agreements with our employees pursuant to which such individuals agree to assign to us all rights to any inventions created in the scope of their employment or engagement with us. A significant portion of our intellectual property has been developed by our employees during the course of their employment by us. Under the Israeli Patent Law, 5727-1967, inventions conceived by an employee during the scope of his or her employment with a company are regarded as “service inventions” which belong to the employer, absent a specific agreement between the employee and employer giving the employee service invention rights. Although our employees have agreed to assign to us service invention rights, as a result of uncertainty under Israeli law with respect to service invention rights and the efficacy of related waivers, including with respect to remuneration and its extent, we may face claims demanding remuneration in consideration for assigned inventions. As a consequence of such claims, we could be required to pay additional remuneration or royalties to our current and/or former employees, or be forced to litigate such claims, which could negatively affect our business.
 
Provisions of Israeli law and our articles of association may delay, prevent or otherwise impede a merger with or an acquisition of us, even when the terms of such a transaction are favorable to us and our shareholders.
 
Our articles of association contain certain provisions that may delay or prevent a change of control. These provisions include that our directors (other than external directors, if applicable) are elected on a staggered basis, and therefore a potential acquirer cannot readily replace our entire board of directors at a single annual general shareholder meeting. In addition, Israeli corporate law regulates acquisitions of shares through tender offers and mergers, requires special approvals for transactions involving directors, officers or significant shareholders and regulates other matters that may be relevant to such types of transactions. See “Item 10.B. Articles of Association—Acquisitions under Israeli Law” for additional information.
 
Furthermore, Israeli tax considerations may make potential transactions unappealing to us or to our shareholders whose country of residence does not have a tax treaty with Israel exempting such shareholders from Israeli tax. For example, Israeli tax law does not recognize tax-free share exchanges to the same extent as U.S. tax law. With respect to mergers involving an exchange of shares, Israeli tax law allows for tax deferral in certain circumstances but makes the deferral contingent on the fulfillment of a number of conditions, including, in some cases, a holding period of two years from the date of the transaction during which sales and dispositions of shares of the participating companies are subject to certain restrictions. Moreover, with respect to certain share swap transactions, the tax deferral is limited in time, and when such time expires, the tax becomes payable even if no disposition of the shares has occurred. These provisions of Israeli law and our articles of association could have the effect of delaying or preventing a change in control in us and may make it more difficult for a third-party to acquire us, even if doing so would be beneficial to our shareholders, and may limit the price that investors may be willing to pay in the future for our ordinary shares.
 
28

It may be difficult to enforce a judgment of a U.S. court against us, our officers and directors or the Israeli auditors named in this annual report in Israel or the United States, to assert U.S. securities laws claims in Israel or to serve process on our officers and directors and these auditors.
 
We are incorporated in Israel. The majority of our directors and executive officers, and the Israeli auditors listed in this annual report reside outside of the United States, and most of our assets and most of the assets of these persons are located outside of the United States. Therefore, a judgment obtained against us, or any of these persons, including a judgment based on the civil liability provisions of the U.S. federal securities laws, may not be collectible in the United States and may not be enforced by an Israeli court. It also may be difficult for you to effect service of process on these persons in the United States or to assert U.S. securities law claims in original actions instituted in Israel. Israeli courts may refuse to hear a claim based on an alleged violation of U.S. securities laws reasoning that Israel is not the most appropriate forum in which to bring such a claim. In addition, even if an Israeli court agrees to hear a claim, it may determine that Israeli law and not U.S. law is applicable to the claim. If U.S. law is found to be applicable, the content of applicable U.S. law must be proven as a fact by expert witnesses, which can be a time consuming and costly process. Certain matters of the procedure will also be governed by Israeli law. There is little binding case law in Israel that addresses the matters described above. As a result of the difficulty associated with enforcing a judgment against us in Israel, you may not be able to collect any damages awarded by either a U.S. or foreign court.
 
Your rights and responsibilities as a shareholder are, and will continue to be, governed by Israeli law which differs in some material respects from the rights and responsibilities of shareholders of U.S. corporations.
 
The rights and responsibilities of the holders of our ordinary shares are governed by our articles of association and by Israeli law. These rights and responsibilities differ in some material respects from the rights and responsibilities of shareholders in U.S. corporations. In particular, a shareholder of an Israeli company has a duty to act in good faith and in a customary manner in exercising its rights and performing its obligations towards the company and other shareholders, and to refrain from abusing its power in the company, including, among other things, in voting at a general meeting of shareholders on matters such as amendments to a company’s articles of association, increases in a company’s authorized share capital, mergers and acquisitions and related party transactions requiring shareholder approval. In addition, shareholders have a general duty to refrain from discriminating against other shareholders and a shareholder who is aware that it possesses the power to determine the outcome of a shareholder vote or to appoint or prevent the appointment of a director or chief executive officer in the company has a duty of fairness toward the company with regard to such vote or appointment. There is limited case law available to assist us in understanding the nature of this duty or the implications of these provisions. These provisions may be interpreted to impose additional obligations and liabilities on holders of our ordinary shares that are not typically imposed on shareholders of U.S. corporations. See “Item 6.C. Board Practices — Approval of Related Party Transactions under Israeli Law—Fiduciary Duties of Directors and Executive Officers.”
 
29


ITEM 4.                    INFORMATION ON THE COMPANY
 
A.
History and Development of the Company
 
Our History
 
CyberArk Software Ltd. was founded in 1999 with the vision of protecting high-value business data and pioneered our Digital Vault technology, which is the foundation of our primary platform. That same year, we began offering our first product, the Sensitive Information Management Solution (previously called the Sensitive Document Vault), which provides a secure platform through which our customers’ employees can share sensitive files. We believe our early innovation in vaulting technology enabled us to evolve into a company that provides a comprehensive security solution built for privileged access management. In 2005, we introduced our Privileged Access Security Solution, which has become our leading offering and reflects our emphasis on protecting privileged access across an organization. In September 2014, we listed our ordinary shares on NASDAQ. In 2015, we acquired Viewfinity, a provider of Windows least privilege management and application control software, as well as Cybertinel, a cybersecurity company specializing in cyber threat detection technology. In May 2017, we acquired Conjur Inc., a provider of DevOps security software, and in March 2018, we acquired Vaultive, Ltd., a cloud security provider. Based on our continued innovation, today we are the leader in privileged access security, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline.
 
We are a company limited by shares organized under the laws of the State of Israel. We are registered with the Israeli Registrar of Companies. Our registration number is 51-229164-2. Our principal executive offices are located at 9 Hapsagot St., Park Ofer B, POB 3143, Petach-Tikva, 4951040, Israel, and our telephone number is +972 (3) 918-0000. Our website address is www.cyberark.com. Information contained on, or that can be accessed through, our website is not part of this annual report and is not incorporated by reference herein. We have included our website address in this annual report solely for informational purposes. Our SEC filings are available to you on the SEC’s website at http://www.sec.gov. This site contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC. The information on that website is not part of this annual report and is not incorporated by reference herein. Our agent for service of process in the United States is CyberArk Software, Inc., located at 60 Wells Avenue, Newton, MA 02459, and our telephone number is (617) 965-1544.
 
Principal Capital Expenditures
 
Our cash capital expenditures for fiscal years 2016, 2017 and 2018 amounted to $2.8 million, $6.8 million and $8.6 million, respectively. Capital expenditures consist primarily of investments in leasehold improvements for our office space and the purchase of furniture, computers and related equipment. We anticipate our capital expenditures in fiscal year 2019 to be in a range of $6 million to $8 million. We anticipate our capital expenditures in 2019 will be financed with cash on hand and cash provided by operating activities.
 
B.
Business Overview
 
We are the global leader in privileged access security, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. Our software solutions are focused on protecting privileged accounts, credentials and secrets, which are consistently sought-after by cyber attackers to accomplish their goals. Privileged accounts are pervasive and act as the “keys to the IT kingdom,” providing complete access to, and control of, IT infrastructure (whether located on-premises or in the cloud), applications, DevOps tools, and critical business data. In the hands of an external attacker or malicious insider, privileged credentials allow attackers to take control of and disrupt an organization’s IT environment and industrial control systems, steal confidential information and commit financial fraud. Our comprehensive solutions proactively protect credentials, isolate and monitor sessions, detect and respond to privileged threats, provide secrets management for commercial off the shelf applications and applications built using DevOps methodologies, and enforce privileged access security on the endpoint. Our customers use our innovative solutions to introduce a critical security layer to protect against, detect and respond to cyber attacks before they strike vital systems, compromise sensitive data and disrupt business operations.
 
30

Organizations worldwide are experiencing an unprecedented increase in the sophistication, scale and frequency of cyber attacks. The challenge this presents is intensified by the growing adoption of modern technologies such as cloud computing, new container and micro-service-based cloud native application architectures leveraging DevOps methodologies, enterprise mobility and social networking, which has resulted in increasingly complex and distributed IT environments with significantly larger attack surfaces. Organizations have historically relied upon perimeter-based threat protection solutions such as network and web security tools as the predominant defense against cyber attacks, yet these traditional solutions have a limited ability to stop today’s advanced threats. Many organizations are still in the early stages of adapting their security strategies to address this new threat environment and are evolving their approaches based on the assumption that their network perimeter has been or will be breached. They are therefore increasingly implementing privileged access management as a new layer of protection to disrupt attacks against their on-premises and cloud-based assets before they result in the loss of confidential information or other serious damage. Regulators are also mandating rigorous compliance   with new laws that call for heavy fines for not protecting the security and privacy of customer’s personally identifiable information.
 
We believe that the implementation of a privileged access security solution is the most critical component of an effective security strategy. Privileged accounts, credentials and secrets represent some of the most vulnerable aspects of an organization’s IT infrastructure. Privileged accounts are used by system administrators, third-party and cloud service providers, applications and business users, and they exist in nearly every connected device, server, hypervisor, container, operating system, database, application and endpoint. Due to the broad access and control they provide, privileged access exploitation has become a critical stage of the cyber attack lifecycle. The typical cyber attack involves an attacker effecting an initial breach, escalating privileges to access target systems, moving laterally through the IT infrastructure to identify valuable targets, and exfiltrating, or stealing, the desired information.
 
Our solutions can be deployed in traditional on-premises data centers, public, private or hybrid cloud environments. Our innovative software solutions are the result of 20 years of research and expertise, combined with valuable knowledge we have gained from working with our diverse population of customers and from our acquisitions of Viewfinity, Cybertinel, Conjur, and Vaultive.
 
The CyberArk Privileged Access Security solution provides the most comprehensive approach to securing privileged credentials on-premises and in the cloud, from every endpoint and application, and throughout the DevOps pipeline. The Core Privileged Access Security offering provides risk-based credential protection, session isolation and monitoring to detect and prevent attacks involving privileged access. This solution can be extended with least privilege control for Linux, Unix, and Windows servers as well as domain control protection. CyberArk also provides application credential and DevOps secrets management with Application Access Manager and protection of privilege on endpoints with Endpoint Privilege Manager. CyberArk supports standard deployment methodologies (on-premises, hybrid, and in the cloud) with multiple licensing options including perpetual as well as subscription licensing available for each of these deployments. In addition, CyberArk Privilege Cloud is offered as a SaaS deployment and Endpoint Privilege Manager is available for on-premises and SaaS deployments.
 
Every product in the CyberArk Privileged Access Security solution is stand-alone and can be managed independently while still sharing resources and data from common infrastructure, and integrates out of the box with over 100 types of IT assets.
 
At the core of the infrastructure are an isolated vault server, a unified policy engine, a discovery engine and layers of security that provide scalability, reliability and unmatched security for privileged accounts, credentials and secrets.
 
Our   solution complements other vendors’ IT, security and cloud solutions in two significant ways. First, through enhancing the security of these solutions by reducing the misuse potential of privileged accounts used by or incorporated within these solutions and second, through the sharing of valuable information between the solutions, for improved detection, protection and response in the event of a cyber attack.
 
In April 2016, we announced the launch of the C 3  Alliance, CyberArk’s global technology partner program, which brings together enterprise software, IT Security and services providers to build on the power of privileged access security to better protect customers from cyber threats. The program establishes a product integration foundation with our C 3  Alliance technology partners for the benefit of our mutual customers. We launched the CyberArk Marketplace in April 2018 to provide a trusted platform for customers to easily find and deploy integrations from the C 3 Alliance, partners, and community members.
 
31

As of December 31, 2018, we had more than 4,450 customers, including more than 50% of the Fortune 500 companies and more than 30% of the Global 2000 companies. We define a customer to include a distinct entity, division or business unit of a company. Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology and telecommunications, as well as government agencies. We sell our solutions through a high touch hybrid model that includes direct sales, channel sales, managed security service providers, as well as advisory firm partners. This provides us with significant opportunities to grow our current customer base. Further, the relationships developed with our channel and advisory firms allow us to benefit from their global reach and maintain close relationships with our customers. Additionally, we continue to enhance our product offerings and go-to-market strategy by establishing technology alliances within the IT infrastructure and security vendor ecosystem.
 
Industry Background
 
The continuous string of targeted, damaging breaches executed by both external attackers and malicious insiders, along with an increase in the attack surface due to the growing complexity and distributed nature of IT environments, have made it extremely challenging for enterprises and government agencies around the world to protect sensitive information and infrastructure. These challenges, along with the increasing amount of data security regulations, are driving the need for security solutions that provide a critical layer of IT security and complement traditional threat protection technologies by protecting privileged accounts, credentials and secrets.
 
Our Solutions
 
Our solutions secure organizations’ high-value data and critical IT assets by providing proactive protection against external and internal cyber threats and enabling real-time detection and neutralization of attacks involving privileged access.
 
 
Our solutions consist of Core Privileged Access Security for risk-based credential security and session management with advanced add-on options for least privilege server and domain controller protection. Customers can also purchase Application Access Manager for secrets management for applications, tools, containers and DevOps, and Endpoint Privilege Manager for least privilege and credential theft protection for workstations. Application Access Manager is a new offering introduced in early 2019 that combines the former Application Identity Manager and Conjur Enterprise. Conjur continues to be available to developers as open source software. CyberArk offers least privilege and credential theft protection for workstations with Endpoint Privilege Manager. These solutions leverage a common technology platform that includes our secure Digital Vault, Web Management Interface, Master Policy Engine and Discovery Engine. We also offer over 100 certified joint solutions with leading cloud, security, and IT management providers via our C 3 Alliance program.
 
32

Core Privileged Access Security
 
CyberArk’s Core Privileged Access Security offering includes risk-based credential security and session management to protect against attacks involving privileged access. This offering includes CyberArk’s industry leading Enterprise Password Vault for credential protection; Privileged Session Manager for session management; and Privileged Threat Analytics to detect and proactively respond to privileged access threats. We began selling these three products together as Core Privileged Access Security starting in January 2018. CyberArk’s Core Privileged Access Security can be deployed in an on-premises data center, in a hybrid cloud or a public cloud environment either as a perpetual or a term based license. In addition, Core Privilege Access Security is available as a SaaS solution with the CyberArk Privilege Cloud. CyberArk Privilege Cloud is designed for commercial customers and includes credential protection and session management.
 
The Core Privileged Access Security solution secures and rotates passwords, credentials, and SSH keys to prevent the malicious use of privileged access by external attackers and malicious insiders. The solution manages, secures, and automatically rotates privileged credentials based on an organization’s security policies; and enforces granular access controls and workflows to protect who can access which credentials and when. Automated processes reduce the time it takes to manually track and update privileged credentials to meet audit and compliance standards.
 
The solution also   secures, isolates, controls and monitors privileged user sessions to critical Unix, Linux, and Windows-based systems, databases, virtual machines, network devices, mainframes, websites, SaaS applications, cloud platforms, DevOps tools and more. It provides a single-access control point, helps prevent malware from jumping to a target system through the isolation of end users, and records every keystroke and mouse click for continuous monitoring. Detailed session recordings and the ability to search, locate, and alert on sensitive events without having to filter through logs simplifies compliance audits and accelerates forensic investigations. Real-time monitoring helps provide continuous protection for privileged access as well as automatic suspension and termination of privileged sessions if any activity presents a high-level of risk to the organization. The solution provides full two-way integration with third-party SIEM solutions with automated alerting on anomalous activity. It also provides Active Directory (AD) Bridge capabilities that enable organizations to centrally manage Unix users and accounts that are linked to AD through the CyberArk platform. Native access to supported targets simplifies adoption by end users while enabling organizations to maintain a strong security posture. With the acquisition of Vaultive in March 2018 and the launch of Privileged Session Manager for Cloud in October 2018, CyberArk now offers native access for web-based applications, including support for leading cloud platforms, PaaS providers, SaaS, and social media applications.
 
Lastly,   the Core Privileged Access Security offering enables organizations to detect, alert and respond to anomalous privileged activity indicating an in-progress attack. The solution collects a targeted set of data from multiple sources, including the CyberArk Digital Vault, SIEM and the network. A combination of machine learning, behavioral analysis, and statistical and deterministic algorithms enables organizations to detect indications of compromise early in the attack lifecycle by identifying malicious privileged access activity across on-premises and cloud environments.
 
The Core Privileged Access Security offering can be extended to secure least privilege on Linux, Unix, and Windows servers and protect domain controllers.
 
Least Privilege Server Protection. The CyberArk Core Privileged Access Security offering allows privileged users to use administrative commands from their native Linux/Unix and Windows sessions while eliminating unneeded root access or admin rights. This solution provides unified and correlated logging of all super user activity linking it to a personal username while providing the freedom needed to perform job functions. Granular access control is enforced while continuously monitoring all administrative commands executed by super users based on their role and task.
 
Domain Controller Protection. CyberArk offers an ultra-light weight Windows agent that performs network behavior analytics to detect a range of potential threats including suspected credential theft, lateral movement and privilege escalation on domain controllers. It provides the ability to enforce granular controls for least privilege and application control on domain controllers and to detect a variety of in-progress Kerberos attacks including Golden Ticket, Overpass-the-Hash and Privilege Attribute Certificate (PAC) manipulation.
 
33

Application Access Manager
 
CyberArk offers privileged access, credential and secrets management for applications with Application Access Manager. The offerings can be used to secure credentials in commercial off-the-shelf applications as well as applications built on containers and micro-services using DevOps methodologies. Application Access Manager incorporates the capabilities previously provided by Application Identity Manager and Conjur Enterprise, and was first made available in 2019.
 
For commercial off-the-shelf applications, Application Access Manager can be used to eliminate hard-coded application scripts and credentials without requiring code changes while meeting enterprise requirements for performance and availability. Application Access Manager supports a broad range of commercial off-the-shelf applications including application servers, IT management software, security applications such as vulnerability scanners, and Robotic Process Automation tools on variety of platforms from z/OS to Linux and Windows.
 
For cloud native applications built using DevOps methodologies, Application Access Manager manages secrets and credentials used by non-human users including DevOps and PaaS tools, micro-services and containers. Application Access Manager is based on a distributed, high availability architecture that is architected for dynamic and elastic cloud environments. Application Access Manager integrates with CyberArk’s Enterprise Password Vault, DevOps tools such as Ansible, Chef, Jenkins and Puppet, PaaS platforms such as Red Hat OpenShift and Pivotal Cloud Foundry and container orchestration platforms such as Kubernetes.
 
Endpoint Protection
 
Endpoint Privilege Manager. CyberArk Endpoint Privilege Manager secures privileges on the endpoint (Windows and Mac desktops) and helps contain attacks early in their lifecycle. It enables revocation of local administrator rights, while minimizing impact on user productivity, by seamlessly elevating privileges for authorized applications or tasks. Application control, with automatic policy creation, allows organizations to prevent malicious applications from executing, and runs unknown applications in a restricted mode. This, combined with credential theft protection, helps prevent malware such as ransomware from gaining a foothold and contains attacks on the endpoint. CyberArk Endpoint Privilege Manager is available through on-premises and SaaS deployments.
 
Our Services
 
Maintenance and Support
 
Our customers typically purchase one year or, to a lesser extent, three years, of software maintenance and support, in conjunction with their initial purchase of perpetual licenses for our products. Thereafter, they can renew such maintenance and support for additional one or three-year periods. These two alternative maintenance and support periods are common in the software industry. Customers pay for each alternative in full at the beginning of their terms. The substantial majority of our contracts sold are for a one-year term. For example, for the years 2016 through 2018 approximately 85% of the renewal contracts were for a one year term.
 
Our global customer support organization has expertise in our software and how it interacts with complex IT environments. When sales are made to customers directly, we typically also provide any necessary maintenance and support pursuant to a maintenance and support contract directly with the customer. When sales are made through channels, the channel partner (primarily in the EMEA and Asia Pacific and Japan regions) typically provides the first and second level support, and we typically provide third level support if the issue cannot be resolved by the channel partner.
 
Our maintenance and support program provides customers the right to software bug repairs, the latest system enhancements and updates on an if-and-when available basis during the maintenance period, and access to our technical support services. Our technical support services are provided via our online support center, which enables customers to submit new support queries and monitor the status of open and past queries. Our online support system also provides customers with access to our CyberArk Knowledge Base, an online user-driven information repository that provides customers the ability to address their own queries. Additionally, we offer email and telephone support during business hours to customers that purchase a standard support package and 24/7 availability to customers that purchase our 24/7 support package.
 
34

Professional Services
 
Our products are designed to allow customers to download, install and deploy them on their own. CyberArk solutions are highly configurable and many customers will select either one of our many trained channel partners or our CyberArk Security Services team to provide expert professional services. Our Security Services team can be contracted to assist customers in planning, installing and configuring our solution to meet the needs of their security and IT environment, and provide technical account management services. Our Security Services team provides ongoing consulting services regarding best practices in privileged access security, and recommended ways to implement our solutions to meet specific customer requirements. Additionally, they share best practices associated with privileged access security to educate customers and partners on such best practices through virtual classroom, live face-to-face, or self-paced classes.
 
Our Technology
 
Our comprehensive solutions rely on a set of proprietary technologies that provide a high level of security, scalability and reliability. The core technologies included in our solutions are as follows.
 
Shared Technology Platform . Our shared technology platform is the foundation of the CyberArk Privileged Access Security Solution and includes our secure Digital Vault, Web Management Interface, Master Policy Engine and Discovery Engine. Our Digital Vault is an encrypted server that only responds to preset vault protocols to promote security throughout an organization’s network. CyberArk solutions use the Digital Vault to safely store, audit and manage passwords, privileged credentials and secrets, policy information and privileged account session data. Our proprietary vault protocol technology enables distributed deployments across global networks for central management and auditing while providing enterprise-wide global coverage. Our Web Management Interface provides a single, user-friendly interface for customers to set, manage and monitor privileged access security policies across an entire organization in a matter of minutes while allowing for granular level exceptions to meet the organization’s specific operational needs. Organizations can also leverage REST APIs to automate privileged access security tasks and quickly integrate CyberArk solutions with existing security, operations and DevOps tools. Our Master Policy Engine and Discovery Engine enable organizations to understand the scope of privileged access risk and help ensure that all privileged activity is accounted for by automatically discovering new privileged accounts or changes to existing accounts.
 
Secure Digital Vault Technology. Our proprietary Digital Vault technology provides a highly secure, isolated environment, independent of other software, and is engineered with multiple layers of security. Our Digital Vault provides a data encryption mechanism that eliminates the need for encryption key management by the end user, while each object in our Digital Vault is encrypted with its own unique encryption key. To ensure security throughout the network, our Digital Vault communicates within an organization’s network and over the internet through a proprietary and highly protected Vault Protocol, enabling an organization to implement the centrally managed Privileged Access Security Solution with products located in multiple datacenters and geographic locations. Our Digital Vault provides an additional level of protection by preventing the vault administrator from accessing or discovering protected data stored within it. In addition, our Digital Vault database is embedded, isolated and self-managed as part of our Digital Vault software, thereby blocking database administrator access to our Digital Vault database to further eliminate threats. Our Privileged Access Security Solution’s additional products use the highly secured Digital Vault to safely store, audit and manage passwords, privileged credentials, policy information and privileged access session data.
 
Sophisticated Threat Analytics Algorithms .   Our team of cyber experts and development engineers has developed proprietary algorithms that are at the core of our privileged analytics and threat detection solution. These algorithms were developed using our deep understanding of cybersecurity and cyber attack techniques, together with over a decade of rich experience in analyzing privileged access activities. Our solution uses these proprietary algorithms to construct a behavioral profile for privileged users within an organization and continuously updates the profile based on normal changes in behavior. Once a behavioral profile is established, the threat analytics algorithms provide the ability to look for deviations from that profile in order to identify anomalies in user behavior. It then scores each individual anomaly and determines the level of threat based on the correlation of such anomalous events. Additionally, agents can be deployed to analyze and to detect Kerberos-based attacks against domain controllers in real-time. These attacks are particularly dangerous since they enable attackers to gain unrestricted access and control to the entire IT infrastructure.   Alerts with full details of the incident, including the probability of malicious intent, can be raised immediately, allowing an organization’s incident response team to review the potential threat and take action when necessary.
 
35

Strong Application Authentication and Credential Management. The Application Access Manager architecture allows an organization to eliminate hard-coded application credentials, such as passwords and encryption keys, from applications and scripts. Our secure, proprietary technology permits authentication of an application during run-time, based on any combination of the application’s signature, executable path or IP address, and operating system user. Following application authentication, the authenticated application uses a secure application programming interface, or API, to request privileged account credentials during run-time and, based on the application permissions in our Privileged Access Security Solution, up-to-date credentials are provided to the application. To ensure business continuity, and high availability and performance even within complex and distributed network environments, our advanced product architecture provides a secure local credentials cache on the application server, eliminating the dependency on network availability and traffic during a run-time application credential request. Our proprietary architecture provides even higher value in application server environments, allowing an organization to eliminate application credentials without the need to perform any code changes or impacting application availability.
 
Privileged Session Recording and Controls. Our innovative privileged session recording and control mechanisms provide the ability to isolate an organization’s IT systems from end-user desktops, while monitoring and recording the privileged session activities. Our proprietary architecture provides a highly secure, proxy-based solution that does not require agent installation on the target systems and provides a single-access control point to the target systems. The architecture blocks direct communication between an end-user’s desktop and a target system, thus preventing potential malware on the desktop from infiltrating the target system. This architecture further ensures that privileged credentials will remain protected and will not be exposed to the end-user or reach the desktop. CyberArk session monitoring solutions support native connectivity to Windows and other graphical platforms via native RDP tools, and Linux/Unix using native SSH tools. Additionally, following the acquisition of Vaultive the solution provides native access to SaaS applications, cloud consoles, DevOps tools, social media platforms and more. Native access not only streamlines the connection process and workflow, but more importantly it unifies and enforces organizational security policy across disparate targets. Comprehensive recording capabilities provide the ability to record every keystroke and mouse click on the privileged session, and also provide DVR-like recordings with search, locate and alert capabilities. Risk scoring can be applied to each recorded session, automating the review of all privileged sessions and enabling auditors to prioritize and deprioritize workloads based on risk.
 
Strong Endpoint Security. Following the acquisition of Viewfinity, Inc. in 2015, we began offering endpoint agent technology, which provides policy-based privilege management, application control and credential theft protection capabilities. The agent is able to detect privileged commands, and application installation or invocation on the endpoint, and to validate whether it is permissible by the organization’s security policy, otherwise blocking the operation or allowing it to run in a restricted mode (via application whitelisting, blacklisting and greylisting). Having users operate in a least privilege mode together with our agent-based technology effectively reduces the attack surface that attackers or malware can exploit. The solution leverages third party threat and reputation information to enrich the policy and black-list definitions to further strengthen controls and block bad or malicious applications based on such security intelligence.
 
Our Customers
 
As of December 31, 2018, we had more than 4,450 customers, including more than 50% of the Fortune 500 companies and more than 30% of the Global 2000 companies. Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology and telecommunications, as well as government agencies.
 
Our business is not dependent on any particular customer. No customer in 2016, 2017 and 2018 and no channel partner in 2017 and 2018 accounted for more than 10% of our revenues. In 2016, our largest channel partner accounted for approximately 12.1% of our revenues. Our diverse global footprint is evidenced by the fact that in 2018, we generated 54.7% of our revenues from customers in the United States, 32.7% from the EMEA region and 12.6% from the rest of the world, including countries in North and South America other than the United States and countries in the Asia Pacific region.
 
36

Sales and Marketing
 
Sales
 
We believe that our hybrid sales model, which combines the leverage of high touch, channel sales with the account control of direct sales, has played an important role in the growth of our customer base to date. We maintain a highly trained sales force that is responsible for developing and closing new business, the management of relationships with our channel partners and the support and expansion of relationships with existing customers. Our sales organization is organized by geographic regions, consisting of the Americas, EMEA and Asia Pacific and Japan regions. As of December 31, 2018, our global network of channel partners consisted of more than 400 resellers, distributors and managed service providers. Our channel partners generally complement our sales efforts by helping identify potential sales targets, maintaining relationships with certain customers and introducing new products to existing customers and offering post-sale professional services and technical support. In 2018, we generated approximately 35% of our revenues from direct sales from our field offices located throughout the world. Approximately 50% of our sales in the United States are direct while the substantial majority of our sales in the EMEA region and the rest of the world are through channel partners. We work with many global systems integration partners and several leading regional security value added resellers, such as Optiv Security Inc., Computacenter PLC, Orange S.A. Business Services (Orange Cyberdefense), Atos SE, M.Tech, NCC Group, Guidepoint Security LLC, Netpoleon Solutions, and Edvance. These companies were each among our top 15 channel partners in 2017 and 2018 by revenues and we have derived a meaningful amount of revenues from sales to each of them during the last two years. Further, we work with advisory firms such as Deloitte and KPMG in marketing our solutions and providing implementation services to our customers.
 
Our sales cycle varies by size of the customer, the number of products purchased and the complexity of the customer’s IT infrastructure, ranging from several weeks for incremental sales to existing customers to many months for sales to new customers or large deployments. To support our broadly dispersed global channel and customer base, as of December 31, 2018, we had sales personnel in 35 countries. We plan to continue investing in our sales organization to support both the growth of our channel partners and our direct sales organization.
 
Marketing
 
Our marketing strategy is focused on building our brand strength, communicating the benefits of our solutions, developing leads and increasing sales to existing customers. We market ourselves as the global leader in privileged access security, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. We execute our strategy by leveraging a combination of internal marketing professionals and a network of channel partners to communicate the value proposition and differentiation for our products, generating qualified leads for our sales force and channel partners. Our marketing efforts also include public relations in multiple regions and extensive content development available through our website. We are focused on ongoing thought-leadership campaigns to reinforce our positioning as the privileged access security leader. Our marketing team is expanding its efforts by investing in analytics-driven lead development, stronger global coordination, quick response to current events and proactive and consistent communication with market analysts.
 
Research and Development
 
Continued investment in research and development is critical to our business. Our research and development efforts are focused primarily on improving and continuing to enhance existing products and services, as well as developing new products, features and functionality to meet market needs. We believe the timely development of new products and capabilities is essential to maintaining our competitive position. We regularly release new versions of our software which incorporate new features and enhancements to existing ones. We also maintain a dedicated CyberArk Labs team that researches reported advanced cyber attacks, the attackers’ techniques and post-exploit methods that lead to new security development initiatives for our products, and provides thought-leadership on new product capabilities and targeted attack mitigation.
 
As of December 31, 2018, we had 287 employees focused on research and development. We conduct our research and development activities primarily in Israel. We believe this provides us with access to world class engineering talent. Our research and development expenses were $34.6 million, $42.4 million, and $57.1 million in 2016, 2017 and 2018, respectively.
 
37

Intellectual Property
 
We rely on a combination of patent, trademark, copyright and trade secret laws, confidentiality procedures and contractual provisions to protect our technology and the related intellectual property.
 
As of December 31, 2018, we had 34 issued patents in the United States, and 41 pending U.S. patent applications. We also had 3 issued patents and 20 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications.
 
The inventions for which we have sought patent protection relate to current and future elements of our products and technology. The following list of products identifies some of those with patent-protected features but other products may also be protected by one or more patents: Digital Vault, Discovery & Audit tool, Privileged Threat Analytics, Privileged Session Manager, Endpoint Privilege Manager and Application Access Manager.
 
We generally enter into confidentiality agreements with our employees, consultants, service providers, resellers and customers and generally limit internal and external access to, and distribution of, our proprietary information and proprietary technology through certain procedural safeguards. These agreements and measures may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology.
 
Our industry is characterized by the existence of a large number of relevant patents and frequent claims and related litigation regarding patent and other intellectual property rights. In particular, leading companies in the security industry have extensive patent portfolios. As our market position continues to grow, we believe that competitors will be more likely to try to develop products that are similar to ours and that may infringe our proprietary rights. It may also be more likely that competitors or third parties will claim that our products infringe their proprietary rights. From time to time, third parties have asserted and may assert their patent, copyright, trademark and other intellectual property rights against us, our channel partners, users or customers, whom our standard license and other agreements may obligate us to indemnify against such claims under certain circumstances. Successful claims of infringement or misappropriation by a third party could prevent us from developing, distributing, licensing, using certain products, performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology; enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights; and to indemnify our customers and partners (and parties associated with them). Even if third parties may offer a license to their technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely affected.
 
Competition
 
The IT security market in which we operate is characterized by intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats. We compete with a multitude of companies that offer a broad array of IT security products that employ different approaches and delivery models to address these evolving threats.
 
Our current and potential future competitors include BeyondTrust Corporation, One Identity LLC, Thycotic Software Ltd., Microsoft Corporation, Broadcom Inc. (which acquired CA Technologies) and Oracle Corporation in the access and identity management market, some of which may offer solutions at lower price points. Further, we may face competition due to changes in the manner that organizations utilize IT assets and the security solutions applied to them, such as the provision of privileged account security functionalities as part of public cloud providers’ infrastructure offerings, or cloud-based identity management solutions. Limited IT budgets may also result in competition with providers of other advanced threat protection solutions such as McAfee, LLC, Palo Alto Networks, Splunk Inc., and Symantec Corporation. We also may compete, to a certain extent, with vendors that offer products or services in adjacent or complementary markets to privileged account security, including identity management vendors and cloud platform providers such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure.
 
The principal competitive factors in our market include:
 
the breadth and completeness of a security solution;
 
38

reliability and effectiveness in protecting, detecting and responding to cyber attacks;
 
analytics and accountability at an individual user level;
 
ability of customers to achieve and maintain compliance with compliance standards and audit requirements;
 
strength of sale and marketing efforts, including advisory firms and channel partner relationships;
 
global reach and customer base;
 
scalability and ease of integration with an organization’s existing IT infrastructure and security investments;
 
brand awareness and reputation;
 
innovation and thought leadership;
 
quality of customer support and professional services;
 
speed at which a solution can be deployed; and
 
price of a solution and cost of maintenance and professional services.
 
We believe we compete favorably with our competitors on the basis of these factors. However, some of our current and potential future competitors may enjoy potential competitive advantages, such as greater name recognition, longer operating history, larger market share, larger existing user base and greater financial, technical and other resources.
 
Properties
 
Our corporate headquarters are located in Petach Tikva, Israel in an office consisting of approximately 111,341 square feet to which we moved in September 2017. The current lease expires in June 2022 with an extension option for two successive one year periods. Our U.S. headquarters are located in Newton, Massachusetts in an office consisting of approximately 32,463 square feet. The lease expires in June 2026 with an extension option for two successive five year periods. We maintain additional offices in the U.K. and Singapore along with regional sales offices in France, Germany, Australia, Japan, Italy, Netherlands, Spain and Turkey and a second research and development office in Israel of approximately 3,660 square feet following the acquisition of Vaultive . We believe that our facilities are sufficient to meet our current needs and that if we require additional space to accommodate our growth we will be able to obtain additional facilities on commercially reasonable terms.
 
Internal Cybersecurity
 
As we provide privileged access security products, we are sensitive as to the possibility of cyber attacks and data theft, since a breach of our system could provide data information regarding not only us, but potentially regarding the customers that our solutions protect. Further, we may be targeted by cyber terrorists because we are an Israeli company. We are also aware of the impact of an actual or perceived breach of our network may have on the market perception of our products and services and potential liability.
 
We are focused on implementing new technologies and solutions to assist in prevention of potential and attempted cyber attacks, as well as protective measures and contingency plans in the event of an existing attack. We have made certain updates to our IT infrastructure to enhance our ability to prevent and respond to such threats and we routinely test the infrastructure for vulnerabilities.
 
We conduct periodic trainings for our employees in this respect on phishing, malware and other cybersecurity risks and we have mechanisms in place designed to ensure prompt internal reporting of potential or actual cybersecurity breaches. Finally, our agreements with third parties also typically contain provisions that reduce or limit our exposure to liability.
 
Legal Proceedings
 
See “Item 8.A. Financial Information—Consolidated Financial Statements and Other Financial Information—Legal Proceedings.”
 
39

C.
Organizational Structure
 
The legal name of our company is CyberArk Software Ltd. and we are organized under the laws of the State of Israel.
 
The following table sets forth our key subsidiaries all of which are 100% owned directly or indirectly by CyberArk Software Ltd.:
 
Name of Subsidiary
Place of Incorporation
CyberArk Software, Inc.
Delaware, United States
Cyber-Ark Software (UK) Limited
United Kingdom
CyberArk Software (Singapore) PTE. LTD.
Singapore
Cyber-Ark Software (DACH) GmbH
Germany
CyberArk Software Italy S.r.l.
Italy
CyberArk Software (France) SARL
France
CyberArk Software (Netherlands) B.V.
Netherlands
CyberArk Software (Australia) Pty Ltd.
CyberArk Software (Japan) K.K.
CyberArk Software Canada Inc.
CyberArk USA Engineering, LP
Australia
Japan
Canada
Delaware, United States
 
D.
Property, Plants and Equipment
 
See “Item 4.B.—Business Overview—Property” for a discussion of property, plants and equipment.
 
ITEM 4A.                 UNRESOLVED STAFF COMMENTS
 
Not applicable.
 
ITEM 5.
OPERATING AND FINANCIAL REVIEW AND PROSPECTS
 
Company Overview
 
We are a global leader in privileged access security, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. Our software solutions are focused on protecting privileged accounts, credentials and secrets, which are consistently sought-after by cyber attackers to accomplish their goals. Privileged accounts are pervasive and act as the “keys to the IT kingdom” providing complete access to, and control of, IT infrastructure (whether located on-premises or in the cloud), applications, DevOps tools, and critical business data. In the hands of an external attacker or malicious insider, privileged credentials allow attackers to take control of and disrupt an organization’s IT environment and industrial control systems, steal confidential information and commit financial fraud. Our comprehensive solutions provide risk-based credential and session management to detect and protect against attacks involving privileged access, secure secrets used by applications, and enforce privileged access security on the endpoint. Our customers use our innovative solutions to introduce a critical security layer to protect against, detect and respond to cyber attacks before they strike vital systems, compromise sensitive data and disrupt business operations.
 
We derive our revenues from licensing our cybersecurity software, selling maintenance and support contracts, and providing professional services to the extent requested by customers. Our license revenues consist primarily of revenues from sales of our Core Privileged Access Security Solution. Our customers typically purchase one year and, to a lesser extent, three years, of maintenance and support in conjunction with their initial purchase of perpetual licenses for our products. Thereafter, they can renew such maintenance and support for additional one or three-year periods.
 
40

We have experienced significant growth over the last several years, as evidenced by a compound annual growth rate in revenues of 25.9% from 2016 to 2018. We have also increased our number of employees and subcontractors from 823 as of December 31, 2016 to 1,146 as of December 31, 2018. We intend to continue to execute on our strategy of growing our business to meet the needs of our customers and to pursue opportunities in new and existing verticals, geographies and products. We intend to continue to invest in the development of our sales and marketing teams, with a particular focus on expanding our channel partnerships, targeting new customers, creating technology partnerships and solidifying relationships with existing customers. We also plan to continue to invest in research and development in order to continue to develop technology to protect modern enterprises from privileged access security risk from hybrid to cloud-native environments
 
During the years ended December 31, 2016, 2017 and 2018, our revenues were $216.6 million, $261.7 million and $343.2 million, respectively, representing year-over-year growth of 20.8% and 31.1% in 2017 and 2018, respectively, and with maintenance and professional services comprising 43.6% and 43.9% of our revenues in 2017 and 2018, respectively. Our net income for the years ended December 31, 2016, 2017 and 2018 was $28.1 million, $16.0 million and $47.1 million, respectively.
 
Key Financial Metrics
 
We monitor several key financial metrics to help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operational efficiencies. The key financial metrics that we monitor are as follows:

   
Year ended December 31,
 
   
2016
   
2017
   
2018
 
   
(in thousands)
 
Revenues           
 
$
216,613
   
$
261,701
   
$
343,199
 
                         
Gross profit
   
186,462
     
219,853
     
294,738
 
Non-GAAP gross profit(1)
   
189,268
     
226,355
     
303,651
 
                         
Operating income           
   
35,956
     
20,326
     
47,292
 
Non-GAAP operating income(1)           
   
58,014
     
51,850
     
90,460
 
                         
Net income           
   
28,124
     
16,015
     
47,072
 
Non-GAAP net income(1)           
   
45,245
     
41,895
     
76,523
 
                         
Net cash provided by operating activities           
   
56,310
     
80,737
     
130,125
 
Total deferred revenues (as of period-end)           
   
73,506
     
105,235
     
149,534
 
 

(1)
For a reconciliation of non-GAAP gross profit, non-GAAP operating income to operating income and of non-GAAP net income to net income, the most directly comparable GAAP measures, see “Item 3.A. Selected Financial Data.”
 
Revenues. We derive our revenues from licensing our cybersecurity software, selling maintenance and support contracts, and providing professional services to the extent requested by customers. We review our revenues generally to assess the overall health of our business and our license revenues in particular to assess the adoption of our software and our growth in the markets we serve.
 
We consider our license revenues to be particularly important in assessing our results of operations because license fees impact both our short-term and long-term revenues. License purchases, whether by new customers or due to expansion by existing customers, impact our revenues favorably in the short-term because we recognize substantially all license fees immediately upon delivery. License purchases further contribute significantly to our revenues in the long term because the size of our maintenance and support contracts is directly related to our licenses revenues, but revenues from maintenance and support contracts are recognized on a straight-line basis over the term of the related contract. This fact, coupled with the high renewal rate for our maintenance and support contracts, means that a meaningful portion of the revenues we report each period are recognized from deferred revenues generated by maintenance and support contracts entered into during previous quarters.
 
41

The amount that a customer pays for a license can vary from a few thousand dollars to many millions of dollars depending on its scope. We generally license our products on a price per user or price per server basis; however, our license agreements with a small number of our largest customers do not contain any limit on the number of users or servers in recognition of the size of the overall agreement. We also license certain of our products based on the number of concurrent sessions monitored or endpoints secured. As a result, we do not track, and are unable to track, the amount of license revenues we generate on per user or per server basis. We do, however, maintain internal price guidelines for different size transactions and, since our cost of license revenues is negligible, we generate incremental profit from every license. Although we are focused on growing our customer base, our revenues are a function of both the size of initial sales to new customers and the size of upsells or cross sells to existing customers. We seek to increase the number of large transactions that we enter into because they better leverage our operating expense base, and particularly our sales and marketing expenses, and also generate larger maintenance and support contracts to drive future revenues and margins.
 
Because the size of our maintenance and support contracts is directly related to our licenses revenues and because the rates that we charge for professional services fluctuate very little, the drivers of changes in these sources of revenues have to date been volume-based. Historically, there has been little fluctuation in price when we renew a contract for maintenance and support or for professional services. While the demand for professional services is expected to increase as our customers and license base grow, we expect that our channel partners will increase the amount of such services that they provide. Therefore, while we expect an increase in the dollar amount of our professional services revenue, we do not expect our professional services revenues to increase materially as a percentage of total revenues.
 
See “—Components of Statements of Operations—Revenues” for more information.
 
Non-GAAP Gross Profit , non-GAAP Operating Income and Non-GAAP Net Income. Non-GAAP gross profit, Non-GAAP operating income and non-GAAP net income are non-GAAP financial measures. We define non-GAAP gross profit, non-GAAP operating income and non-GAAP net income as gross profit, operating income and net income, respectively, which each exclude (i) share-based compensation expense and (ii) amortization of intangible assets related to acquisitions. Non-GAAP operating income also excludes (i) expenses related to acquisitions, and (ii) expenses related to facility exit and transitions costs. Non-GAAP net income also excludes (i) tax effects related to the non-GAAP adjustments set forth above, (ii) tax effects related to the impact to our deferred tax assets as a result of the Tax Act and (iii) intra-entity intellectual property transfer tax effects.
 
We believe that providing non-GAAP gross profit, non-GAAP operating income and non-GAAP net income that exclude, as appropriate, share-based compensation expense, expenses related to acquisitions, amortization of intangible assets related to acquisitions, the tax effects related to these non-GAAP adjustments, intra-entity intellectual property transfer tax effects and the tax effects related to the impact to our deferred tax assets as a result of the Tax Act allows for more meaningful comparisons between our financial results from period to period. Share-based compensation expense has been, and will continue to be a significant recurring expense in our business and an important part of the compensation we provide to employees for the foreseeable future. Share-based compensation expense has varying available valuation methodologies, subjective assumptions and the variety of equity instruments that can impact a company’s non-cash expense. We also believe that expenses related to our acquisitions, amortization of intangible assets related to acquisitions, facility exit and transitions costs, intra-entity intellectual property transfer tax effects and the impact of the Tax Act, do not reflect the performance of our core business and would impact period-to-period comparability. Each of our non-GAAP financial measures is an important tool for financial and operational decision making and for evaluating our own financial results over different periods of time. In particular, these financial measures reflect our operating expenses, the largest of which is currently sales and marketing. Accordingly, we assess the effectiveness of our sales and marketing efforts in part by considering whether increases in such expenditures are reflected in increased revenues and increased non-GAAP operating income and non-GAAP net income. The material factors driving changes in these financial measures are discussed under the subheading “—Comparison of Period to Period Results of Operations.” As well as under “Item 3.A. Selected Financial Data.”
 
Net Cash Provided by Operating Activities. We monitor net cash provided by operating activities as a measure of our overall business performance. Our net cash provided by operating activities is driven in large part by net income and from up-front payments for maintenance and support contracts and to a lesser extent professional services. Monitoring net cash provided by operating activities enables us to analyze our financial performance as it includes our deferred revenues and removes the non-cash effects of certain items such as depreciation, amortization and share-based compensation expense, thereby allowing us to better understand and manage the cash needs of our business. The material factors driving changes in our net cash provided by operating activities are discussed under “—Liquidity and Capital Resources.”
 
42

Total Deferred Revenues. Our total deferred revenues consist of amounts that have been collected but that have not yet been recognized as revenues because they do not meet the applicable criteria. The substantial portion of our deferred revenues consists of the unrecognized portion of upfront payments associated with maintenance and support contracts. We monitor our total deferred revenues because it represents a significant portion of revenues to be recognized in future periods. Substantially all of the increase in our total deferred revenues has been from growth in our maintenance and support contracts which, in turn, is driven by growth of our license revenues. The material factors driving changes in our license revenues are discussed under “—Comparison of Period to Period Results of Operations.”
 
A.
Operating Results
 
The following discussion and analysis should be read in conjunction with the section titled “Item 3.A. Selected Financial Data” of this annual report and our consolidated financial statements and the related notes contained elsewhere in this annual report. This discussion and analysis may contain forward-looking statements based upon current expectations that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including those set forth in “Item 3.D. Risk Factors” of this annual report. Our financial statements have been prepared in accordance with U.S. GAAP.
 
Components of Statements of Operations
 
Revenues
 
Our revenues consist of the following:
 
License Revenues. License revenues are generated primarily from sales of licenses for our Privileged Access Security, Application Access Manager and Endpoint Privilege Manager solutions. The substantial majority of our license revenues has been from sales of our Privileged Access Security solution. Customers can purchase our standard Core Privileged Access Security solution which provides risk-based credential security and session management with advanced add-on options for least privilege server protection and domain controller protection. Customers can also purchase Application Access Manager for secrets management for all application types, including DevOps, and Endpoint Privilege Manager for least privilege and credential theft protection for workstations. The standard Core Privileged Access Security solution is licensed per privileged user or per server; the add-on advanced options for least privilege server protection and domain controller protection are licensed by target system. Endpoint Privilege Manager is also licensed by system. Application Access Manager has two different licensing approaches based on deployment model. The first model is licensed by agent for mission-critical applications like application servers that require the highest levels of performance and availability. The second model is agentless for more dynamic cloud native applications; for this model, Application Access Manager is licensed by calling system for smaller configurations and is licensed by site/region for larger installations. We also generate a small amount of our license revenues through sales of Sensitive Information Management solution, our first product to market, licensed by the permitted number of users of the software.
 
Maintenance and Professional Services Revenues . Maintenance revenues are generated from maintenance and support contracts purchased by our customers in order to gain access to the latest software enhancements and updates on an ‘if and when available’ basis and to telephone and email technical support. We also offer professional services focused on both deployment and training our customers to fully leverage the use of our products.
 
43

Geographic Breakdown of Revenues
 
The United States is our biggest market, with the balance of our revenues generated from the EMEA region and the rest of the world, including Canada, Central and South America, as well as the Asia Pacific and Japan region. The following table sets forth the geographic breakdown of our revenues by region for the periods indicated:
 
   
Year ended December 31,
 
   
2016
   
2017
   
2018
 
   
Amount
   
% of Revenues
   
Amount
   
% of Revenues
   
Amount
   
% of Revenues
 
   
(in thousands)
 
United States          
 
$
125,749
     
58.1
%
 
$
145,453
     
55.6
%
 
$
187,704
     
54.7
%
EMEA          
   
68,094
     
31.4
%
   
81,778
     
31.2
%
   
112,086
     
32.7
%
Rest of World          
   
22,770
     
10.5
%
   
34,470
     
13.2
%
   
43,409
     
12.6
%
                                                 
Total revenues          
 
$
216,613
     
100.0
%
 
$
261,701
     
100.0
%
 
$
343,199
     
100.0
%
 
Cost of Revenues
 
Our total cost of revenues consists of the following:
 
Cost of License Revenues. Cost of license revenues consists primarily of amortization of intangible assets, costs incurred by third-party software vendors and shipping costs associated with delivery of our software. We expect the absolute cost of license revenues to increase as our license revenues increase.
 
Cost of Maintenance and Professional Services Revenues. Cost of maintenance and professional services revenues primarily consists of personnel costs for our global customer support and professional services organization. Such costs consist of salaries, benefits, bonuses, share-based compensation and subcontractors’ fees. We expect the absolute cost of maintenance and professional services revenues to increase as our customer base grows and as we hire additional professional services and technical support personnel.
 
Gross Profit and Gross Margin
 
Gross profit is total revenues less total cost of revenues. Gross margin is gross profit expressed as a percentage of total revenues. Our gross margin has historically fluctuated slightly from period to period as a result of changes in the mix of license revenues and maintenance and professional services revenues and we expect this pattern to continue.
 
Operating Expenses
 
Our operating expenses are classified into three categories: research and development, sales and marketing and general and administrative. For each category, the largest component is personnel costs, which consists of salaries, employee benefits (including commissions and bonuses) and share-based compensation expense. Operating expenses also include allocated overhead costs for facilities as well as depreciation and amortization. Allocated costs for facilities primarily consist of rent and office maintenance and utilities. We expect personnel and all allocated costs to continue to increase in absolute dollars as we hire new employees and add facilities to continue to grow our business.
 
Research and Development. Research and development expenses consist primarily of personnel costs attributable to our research and development personnel and consultants as well as allocated overhead costs, amortization and depreciation. We continue to expect that our research and development expenses will continue to increase in absolute dollars and at least in line with our revenue growth rate as we continue to grow our research and development headcount to further strengthen our technology platform and invest in the development of both existing and new products.
 
Sales and Marketing. Sales and marketing expenses are the largest component of our operating expenses and consist primarily of personnel costs, including variable compensation, as well as marketing and business development costs, product certifications, travel expenses, allocated overhead costs, depreciation and amortization of intangibles assets. We expect that sales and marketing expenses will continue to increase in absolute dollars and at least in line with our revenue growth rate as we plan to expand our sales and marketing efforts globally. We continue to expect sales and marketing expenses will remain our largest category of operating expenses.
 
44

General and Administrative. General and administrative expenses consist primarily of personnel costs for our executive, finance, human resources, legal and administrative personnel. General and administrative expenses also include external legal, accounting and other professional service fees. We continue to expect that general and administrative expense will increase in dollars and at least in line with our revenue growth rate as we grow and expand our operations and operate as a public company, including higher corporate insurance, investor relations and accounting expenses, and the additional costs relating to our ongoing regulatory compliance efforts.
 
Financial Income (Expenses), Net
 
Financial income (expenses), net consists of interest income, foreign currency exchange gains or losses and foreign exchange forward transactions expenses. Interest income consists of interest earned on our cash, cash equivalents, short and long-term bank deposits and marketable securities. We expect interest income to vary depending on our average investment balances and market interest rates during each reporting period. Foreign currency exchange changes reflect gains or losses related to transactions denominated in currencies other than the U.S. dollar.
 
Taxes on Income
 
The standard corporate tax rate in Israel is currently 23.0%, and was 25.0% and 24.0% for 2016 and 2017, respectively.
 
As discussed in greater detail below under “Israeli Tax Considerations and Government Programs”, we have been entitled for various tax benefits under the Investment Law. Under the Investment Law, our tax rate to be paid with respect to our eligible Israeli taxable income under these benefits programs is 16.0% for 2016 and 12.0% for 2017 onwards.
 
Under the Investment Law and other Israeli legislation, we are entitled to certain additional tax benefits, including accelerated deduction of research and development expenses, accelerated depreciation and amortization rates for tax purposes on certain intangible assets and deduction of public offering expenses in three equal annual installments. 
 
Our non-Israeli subsidiaries are taxed according to the tax laws in their respective jurisdictions of organization. Due to our multi-jurisdictional operations, we apply significant judgment to determine our consolidated income tax position.
 
45

Comparison of Period to Period Results of Operations
 
The following table sets forth our results of operations in dollars and as a percentage of revenues for the periods indicated:
 
   
Year ended December 31,
 
   
2016
   
2017
   
2018(1)
 
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
 
   
($ in thousands)
 
Revenues:
                                   
License          
 
$
131,530
     
60.7
%
 
$
147,640
     
56.4
%
 
$
192,514
     
56.1
%
Maintenance and professional services
   
85,083
     
39.3
     
114,061
     
43.6
     
150,685
     
43.9
 
                                                 
Total revenues          
   
216,613
     
100.0
     
261,701
     
100.0
     
343,199
     
100.0
 
                                                 
Cost of revenues:
                                               
License          
   
4,726
     
2.2
     
7,911
     
3.0
     
10,526
     
3.1
 
Maintenance and professional services
   
25,425
     
11.7
     
33,937
     
13.0
     
37,935
     
11.0
 
                                                 
Total cost of revenues          
   
30,151
     
13.9
     
41,848
     
16.0
     
48,461
     
14.1
 
                                                 
Gross profit          
   
186,462
     
86.1
     
219,853
     
84.0
     
294,738
     
85.9
 
                                                 
Operating expenses:
                                               
Research and development          
   
34,614
     
16.0
     
42,389
     
16.2
     
57,112
     
16.6
 
Sales and marketing          
   
93,775
     
43.3
     
126,739
     
48.4
     
148,290
     
43.2
 
General and administrative          
   
22,117
     
10.2
     
30,399
     
11.6
     
42,044
     
12.3
 
                                                 
Total operating expenses          
   
150,506
     
69.5
     
199,527
     
76.2
     
247,446
     
72.1
 
                                                 
Operating income          
   
35,956
     
16.6
     
20,326
     
7.8
     
47,292
     
13.8
 
Financial income, net          
   
245
     
0.1
     
4,103
     
1.5
     
4,551
     
1.3
 
                                                 
Income before taxes on income          
   
36,201
     
16.7
     
24,429
     
9.3
     
51,843
     
15.1
 
Taxes on income          
   
(8,077
)
   
(3.7
)
   
(8,414
)
   
(3.2
)
   
(4,771
)
   
(1.4
)
                                                 
Net income          
 
$
28,124
     
13.0
%
 
$
16,015
     
6.1
%
 
$
47,072
     
13.7
%
 
(1)
On January 1, 2018, we adopted ASC No. 606 using the modified retrospective method. Results for reporting periods beginning after January 1, 2018 are presented under ASC No. 606, while prior period results are not adjusted and continue to be reported in accordance with historic accounting under ASC No. 605. See Note 2(n) to our consolidated financial statements included elsewhere in this report for further information.
 
46

Year Ended December 31, 2017 Compared to Year Ended December 31, 2018
 
Revenues
 
   
Year ended December 31,
 
   
2017
   
2018
   
Change
 
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
   
Amount
   
%
 
   
($ in thousands)
 
Revenues:
                                   
License          
 
$
147,640
     
56.4
%
 
$
192,514
     
56.1
%
 
$
44,874
     
30.4
%
Maintenance and professional services
   
114,061
     
43.6
     
150,685
     
43.9
     
36,624
     
32.1
 
                                                 
Total revenues          
 
$
261,701
     
100.0
%
 
$
343,199
     
100.0
%
 
$
81,498
     
31.1
%
 
Revenues increased by $81.5 million, or 31.1%, from $261.7 million in 2017 to $343.2 million in 2018. This increase was due to increased sales of our solutions driving growth in both our license revenues and our maintenance and professional services revenues. The increase in revenues includes a benefit of $5.2 million following the adoption of ASC No. 606. See Note 2(n) to our consolidated financial statement included elsewhere in this report for further information. Revenues growth was largest in the United States, where revenues increased by $42.3 million and in EMEA with an increases of $30.3 million compared to $8.9 million in the rest of the world. The significant increase in revenues from the United States and EMEA primarily resulted from a higher volume of deals including large transactions of greater than $1.0 million each that together accounted for $40.4 million. Multiple large transactions or even a single large transaction in a specific period could materially impact relative growth rates among our different regions for a particular period. We increased our number of customers from approximately 3,650 as of December 31, 2017 to more than 4,450 as of December 31, 2018.
 
License revenues increased by $44.9 million, or 30.4%, from $147.6 million in 2017 to $192.5 million in 2018. In 2018, approximately 60% of license revenues were generated from sales to customers from whom we had generated revenues before this period. Substantially all of the license revenue growth resulted from increased sales of our Core Privileged Access Security as well as strong growth from Endpoint Privilege Manager and Application Access Manager.
 
Maintenance and professional services revenues increased by $36.6 million, or 32.1%, from $114.1 million in 2017 to $150.7 million in 2018. Maintenance revenues increased by $31.1 million from $92.9 million in 2017 to $124.0 million in 2018, with renewals accounting for approximately $10.7 million and initial maintenance contracts for approximately $20.4 million, respectively, of this increase. Professional services revenues increased by $5.5 million from $21.2 million in 2017 to $26.7 million in 2018 primarily due to the provision of more services to customers.
 
Cost of Revenues and Gross Profit
 
   
Year ended December 31,
 
   
2017
   
2018
   
Change
 
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
   
Amount
   
%
 
   
($ in thousands)
 
Cost of revenues:
                                   
License          
 
$
7,911
     
3.0
%
 
$
10,526
     
3.1
%
 
$
2,615
     
33.1
%
Maintenance and professional services
   
33,937
     
13.0
     
37,935
     
11.0
     
3,998
     
11.8
 
                                                 
Total cost of revenues          
 
$
41,848
     
16.0
%
 
$
48,461
     
14.1
%
 
$
6,613
     
15.8
%
                                                 
Gross profit          
 
$
219,853
     
84.0
%
 
$
294,738
     
85.9
%
 
$
74,885
     
34.1
%
 
Cost of license revenues increased by $2.6 million, or 33.1%, from $7.9 million in 2017 to $10.5 million in 2018. The increase in cost of license revenues was driven primarily from amortization of intangible assets.
 
47

Cost of maintenance and professional services revenues increased by $4.0 million, or 11.8%, from $33.9 million in 2017 to $37.9 million in 2018. The increase in cost of maintenance and professional services revenues was driven primarily by a $4.6 million increase in personnel costs and related expenses and a $0.3 million increase in facility costs offset by a $1.4 million decrease in the use of third party contractors for services. O ur technical support and professional services headcount grew from 188 at the end of 2017 to 214 at the end of 2018.
 
Gross profit increased by $74.9 million, or 34.1%, from $219.9 million in 2017 to approximately $294.8 million in 2018. Gross margins increased from 84.0% in 2017 to 85.9% in 2018. This was driven by our revenue growth outpacing the growth of our cost of revenue as well as higher utilization of our professional services team.
 
Operating Expenses
 
   
Year ended December 31,
 
   
2017
   
2018
   
Change
 
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
   
Amount
   
%
 
   
($ in thousands)
 
Operating expenses:
                                   
Research and development          
 
$
42,389
     
16.2
%
 
$
57,112
     
16.6
%
 
$
14,723
     
34.7
%
Sales and marketing          
   
126,739
     
48.4
     
148,290
     
43.2
     
21,551
     
17.0
 
General and administrative          
   
30,399
     
11.6
     
42,044
     
12.3
     
11,645
     
38.3
 
                                                 
Total operating expenses          
 
$
199,527
     
76.2
%
 
$
247,446
     
72.1
%
 
$
47,919
     
24.0
%
 
Research and Development. Research and development expenses increased by $14.7 million, or 34.7%, from $42.4 million in 2017 to $57.1 million in 2018. This increase was primarily attributable to a $13.5 million increase in personnel costs and related expenses, as we increased our research and development team headcount from 250 at the end of 2017 to 287 at the end of 2018 to support continued investment in our future product and service offerings. The increase was also attributable to a $0.8 million increase related to facility costs.
 
Sales and Marketing. Sales and marketing expenses increased by $21.6 million, or 17.0%, from $126.7 million in 2017 to $148.3 million in 2018. This increase was primarily attributable to an $18.0 million increase in personnel costs and related expenses due to increased headcount in all regions to expand our sales and marketing organization. The increase in personnel costs and related expenses was net of a benefit due to deferred contract costs of $12.8 million following the adoption of ASC No. 606. See Note 2(n) to our consolidated financial statements included elsewhere in this report for further information. The increase was also attributable to a $2.1 million increase in expenses related to our marketing programs and a $0.7 million increase in facility costs. Our sales and marketing headcount grew from 491 at the end of 2017 to 541 at the end of 2018.
 
General and Administrative . General and administrative expenses increased by $11.6 million, or 38.3%, from $30.4 million in 2017 to $42.0 million in 2018. This increase was primarily attributable to an increase of $9.0 million in personnel costs and related expenses due to increased headcount coupled with a $0.9 million increase in services fees due to external legal counsels, accounting and insurance costs and a $0.7 million increase in facility costs. Our General and administrative headcount grew from 86 at the end of 2017 to 104 at the end of 2018.
 
Financial Income (Expenses), Net . Financial income (expenses), net changed by $0.5 million from $4.1 million of income in 2017 to $4.6 million of income in 2018. This change resulted primarily from an increase of $3.2 million in interest income from investments in marketable securities and short and long-term bank deposits offset by a $2.8 million loss from foreign currency exchange differences.
 
Taxes on Income . Taxes on income decreased from $8.4 million in 2017 to $4.8 million in 2018. Our effective tax rate was 34.4% in 2017 and 9.2% in 2018. The higher effective tax rate in 2017 in comparison to 2018 was mainly attributed to a $6.5 million tax expense from adjustment to our deferred tax assets as a result of the Tax Act.

48

Year Ended December 31, 2016 Compared to Year Ended December 31, 2017
 
Revenues
 
   
Year ended December 31,
 
   
2016
   
2017
   
Change
 
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
   
Amount
   
%
 
   
($ in thousands)
 
Revenues:
                                   
License          
 
$
131,530
     
60.7
%
 
$
147,640
     
56.4
%
 
$
16,110
     
12.2
%
Maintenance and professional services
   
85,083
     
39.3
     
114,061
     
43.6
     
28,978
     
34.1
 
                                                 
Total revenues          
 
$
216,613
     
100.0
%
 
$
261,701
     
100.0
%
 
$
45,088
     
20.8
%
 
Revenues increased by $45.1 million, or 20.8%, from $216.6 million in 2016 to $261.7 million in 2017. This increase was due to increased sales of our solutions. This increase was also driven by growth in both our license revenues and our maintenance and professional services revenues. This growth was most pronounced in the United States, where revenues increased by $19.7 million and in EMEA with an increases of $13.7 million compared to $11.7 million in the rest of the world. The significant increase in revenues from the United States and EMEA primarily resulted from a higher volume of deals including large transactions of greater than $1.0 million each that together accounted for $36.6 million. Multiple large transactions or even a single large transaction in a specific period could materially impact relative growth rates among our different regions for a particular period. We increased our number of customers from approximately 3,100 as of December 31, 2016 to approximately 3,650 as of December 31, 2017.
 
License revenues increased by $16.1 million, or 12.2%, from $131.5 million in 2016 to $147.6 million in 2017. In 2017, approximately 60% of license revenues were generated from sales to customers from whom we had generated revenues before this period. Substantially all of the license revenue growth resulted from increased sales of our Privileged Access Security solution, driven by increased demand for our Enterprise Password Vault and Privileged Session Manager as well as strong growth from Endpoint Privilege Manager and Application Identity Manager.
 
Maintenance and professional services revenues increased by $29.0 million, or 34.1%, from $85.1 million in 2016 to $114.1 million in 2017. Maintenance revenues increased by $23.5 million from $69.4 million in 2016 to $92.9 million in 2017, with renewals accounting for approximately $17.0 million and initial maintenance contracts for approximately $6.5 million, respectively, of this increase. Professional services revenues increased by $5.5 million from $15.7 million in 2016 to $21.2 million in 2017 primarily due to the provision of more services to customers.
 
Cost of Revenues and Gross Profit
 
   
Year ended December 31,
 
   
2016
   
2017
   
Change
 
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
   
Amount
   
%
 
   
($ in thousands)
 
Cost of revenues:
                                   
License          
 
$
4,726
     
2.2
%
 
$
7,911
     
3.0
%
 
$
3,185
     
67.4
%
Maintenance and professional services
   
25,425
     
11.7
     
33,937
     
13.0
     
8,512
     
33.5
 
                                                 
Total cost of revenues          
 
$
30,151
     
13.9
%
 
$
41,848
     
16.0
%
 
$
11,697
     
38.8
%
                                                 
Gross profit          
 
$
186,462
     
86.1
%
 
$
219,853
     
84.0
%
 
$
33,391
     
17.9
%
 
49

 
Cost of license revenues increased by $3.2 million, or 67.4%, from $4.7 million in 2016 to $7.9 million in 2017. The increase in cost of license revenues was driven primarily from amortization of intangible assets.
 
Cost of maintenance and professional services revenues increased by $8.5 million, or 33.5%, from $25.4 million in 2016 to $33.9 million in 2017. The increase in cost of maintenance and professional services revenues was driven primarily by a $6.2 million increase in personnel costs and related expenses as our technical support and professional services headcount grew from 166 at the end of 2016 to 188 at the end of 2017. The increase was also attributable to a $1.1 million increase related to third party consultants.
 
Gross profit increased by $33.4 million, or 17.9%, from $186.5 million in 2016 to $219.9 million in 2017. Gross margins decreased from 86.1% in 2016 to 84.0% in 2017. This was driven by an increase in expenses for amortization of intangible assets from our acquisitions as well as planned increases in expenses for third party software and an increase in the use of third party contractors for services.
 
Operating Expenses
 
   
Year ended December 31,
 
   
2016
   
2017
   
Change
 
   
Amount
   
% of
Revenues
   
Amount
   
% of
Revenues
   
Amount
   
%
 
   
($ in thousands)
 
Operating expenses:
                                   
Research and development          
 
$
34,614
     
16.0
%
 
$
42,389
     
16.2
%
 
$
7,775
     
22.5
%
Sales and marketing          
   
93,775
     
43.3
     
126,739
     
48.4
     
32,964
     
35.2
 
General and administrative          
   
22,117
     
10.2
     
30,399
     
11.6
     
8,282
     
37.4