UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
 
 
FORM 20-F
 
 
REGISTRATION STATEMENT PURSUANT TO SECTION 12(b) OR (g) OF THE SECURITIES EXCHANGE ACT OF 1934
 
OR
 
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
 
For the fiscal year ended December 31, 2017
 
OR
 
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
 
OR
 
SHELL COMPANY REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
 
Commission file number 001-36625
 

 
CYBERARK SOFTWARE LTD.
(Exact name of Registrant as specified in its charter)
 
 
ISRAEL
 
(Jurisdiction of incorporation or organization)
9 Hapsagot St.
Park Ofer B, P.O. BOX 3143
 Petach-Tikva 4951040, Israel
 (Address of principal executive offices)
 

 
Donna Rahav, Adv.
General Counsel & Corporate Secretary
Telephone: +972 (3) 918-0000
CyberArk Software Ltd.
9 Hapsagot St.
Park Ofer B, P.O. BOX 3143
 Petach-Tikva 4951040, Israel
 (Name, telephone, e-mail and/or facsimile number and address of company contact person)
 
Securities registered or to be registered pursuant to Section 12(b) of the Act:

| Title of each class | Name of each exchange on which registered |
|---|---|
| Ordinary shares, par value NIS 0.01 per share | The NASDAQ Stock Market LLC |
 
Securities registered or to be registered pursuant to Section 12(g) of the Act: None.
 
Securities for which there is a reporting obligation pursuant to Section 15(d) of the Act: None.
 
 
Indicate the number of outstanding shares of each of the issuer’s classes of capital or common stock as of the close of the period covered by the annual report: As of December 31, 2017, the registrant had outstanding 35,274,888 ordinary shares, par value NIS 0.01 per share.
 
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act.
 
Yes ☒          No ☐
 
If this report is an annual or transition report, indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934.
 
Yes ☐          No ☒
 
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.
 
Yes ☒          No ☐
 
Indicate by check mark whether the registrant has submitted electronically and posted on its corporate website, if any, every Interactive Data File required to be submitted and posted pursuant to Rule 405 of Regulation S-T (§229.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such files).
 
Yes ☒          No ☐
 
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer or an emerging growth company. See the definitions of “accelerated filer,” “large accelerated filer” and “emerging growth company” in Rule 12b-2 of the Exchange Act (Check one):

Large accelerated filer ☒
Accelerated filer ☐
Non-accelerated filer ☐
   
Emerging growth company ☐
 
If an emerging growth company that prepares its financial statements in accordance with U.S. GAAP, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards† provided pursuant to Section 13(a) of the Exchange Act. ☐
 
† The term “new or revised financial accounting standard” refers to any update issued by the Financial Accounting Standards Board to its Accounting Standards Codification after April 5, 2012.
 
Indicate by check mark which basis for accounting the registrant has used to prepare the financial statements included in this filing:
 
U.S. GAAP ☒
International Financial Reporting Standards as issued by the
International Accounting Standards Board ☐
Other ☐
 
If “Other” has been checked in response to the previous question, indicate by check mark which financial statement item the registrant has elected to follow.
 
☐ Item 17         ☐ Item 18
 
If this is an annual report, indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).
 
Yes ☐          No ☒

CYBERARK SOFTWARE LTD.
 
FORM 20-F
ANNUAL REPORT FOR THE FISCAL YEAR ENDED DECEMBER 31, 2017
 


INTRODUCTION
 
In this annual report, the terms “CyberArk,” “we,” “us,” “our” and “the company” refer to CyberArk Software Ltd. and its subsidiaries. 
 
This annual report includes statistical, market and industry data and forecasts, which we obtained from publicly available information and independent industry publications and reports that we believe to be reliable sources. These publicly available industry publications and reports generally state that they obtain their information from sources that they believe to be reliable, but they do not guarantee the accuracy or completeness of the information. Although we believe that these sources are reliable, we have not independently verified the information contained in such publications. Certain estimates and forecasts involve uncertainties and risks and are subject to change based on various factors, including those discussed under the headings “Special Note Regarding Forward-Looking Statements” and “Item 3.D Risk Factors” in this annual report. 
 
Throughout this annual report, we refer to various trademarks, service marks and trade names that we use in our business. The “CyberArk” design logo is the property of CyberArk Software Ltd. CyberArk® is our registered trademark in the United States. We have several other trademarks, service marks and pending applications relating to our products. In particular, although we have omitted the “®” and “™” trademark designations in this annual report from each reference to our Privileged Account Security Solution, Enterprise Password Vault, Privileged Session Manager, Privileged Threat Analytics, Application Identity Manager, Conjur, Endpoint Privilege Manager, On-Demand Privileges Manager, secure Digital Vault, Web Management Interface, Master Policy Engine and Discovery Engine, and DNA, C³ Alliance, all rights to such names and trademarks are nevertheless reserved. Other trademarks and service marks appearing in this annual report are the property of their respective holders.
 
SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS
 
In addition to historical facts, this annual report contains forward-looking statements within the meaning of Section 27A of the U.S. Securities Act of 1933, as amended, or the Securities Act, Section 21E of the U.S. Securities Exchange Act of 1934, as amended, or the Exchange Act, and the safe harbor provisions of the U.S. Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to risks and uncertainties, and include information about possible or assumed future results of our business, financial condition, results of operations, liquidity, plans and objectives. In some cases, you can identify forward-looking statements by terminology such as “believe,” “may,” “estimate,” “continue,” “anticipate,” “intend,” “should,” “plan,” “expect,” “predict,” “potential,” or the negative of these terms or other similar expressions. The statements we make regarding the following matters are forward-looking by their nature:
 
our expectations regarding revenues generated by our hybrid sales model;
 
our expectations regarding our operating and net profit margins;
 
our expectations regarding significant drivers of our future growth;
 
our plans to continue to invest in research and development to develop on-premise and cloud-based products and services for both existing and new products;
 
our plans to invest in sales and marketing efforts and expand our channel partnerships across existing and new geographies;
 
our plans to hire additional new employees;
 
our plans to pursue additional strategic acquisitions;
 
our plans to leverage our global footprint in existing and new industry verticals to further expand our market share;
 
our plans to pursue incremental sales by further expanding our customer success team;
 
our ability to successfully integrate the operations, products and personnel of Conjur, Inc. which we acquired in 2017; and
 
our expectations regarding our tax classifications.
 

The preceding list is not intended to be an exhaustive list of all of our forward-looking statements. The forward-looking statements are based on our beliefs, assumptions and expectations of future performance, taking into account the information currently available to us. These statements are only predictions based upon our current expectations and projections about future events. There are important factors that could cause our actual results, levels of activity, performance or achievements to differ materially from the results, levels of activity, performance or achievements expressed or implied by the forward-looking statements. In particular, you should consider the risks provided under “Item 3.D Risk Factors” in this annual report. 
 
You should not rely upon forward-looking statements as predictions of future events. Although we believe that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee that future results, levels of activity, performance and events and circumstances reflected in the forward-looking statements will be achieved or will occur. Except as required by law, we undertake no obligation to update publicly any forward-looking statements for any reason after the date of this annual report, to conform these statements to actual results or to changes in our expectations.
 
PART I
 
ITEM 1. IDENTITY OF DIRECTORS, SENIOR MANAGEMENT AND ADVISERS
 
Not applicable.
 
ITEM 2. OFFER STATISTICS AND EXPECTED TIMETABLE
 
Not applicable. 
 
ITEM 3. KEY INFORMATION
 
A.              Selected Financial Data 
 
The following tables set forth our selected consolidated financial data. You should read the following selected consolidated financial data in conjunction with “Item 5. Operating and Financial Review and Prospects” and our consolidated financial statements and related notes included elsewhere in this annual report. Historical results are not necessarily indicative of the results that may be expected in the future. Our financial statements have been prepared in accordance with U.S. Generally Accepted Accounting Principles, or U.S. GAAP. 
 

The selected consolidated statements of operations data for each of the years in the three-year period ended December 31, 2017 and the consolidated balance sheet data as of December 31, 2016 and 2017 are derived from our audited consolidated financial statements appearing elsewhere in this annual report. The consolidated statements of operations data for the years ended December 31, 2013 and 2014 and the consolidated balance sheet data as of December 31, 2013, 2014 and 2015 are derived from our audited consolidated financial statements that are not included in this annual report.
   
Year ended December 31, (in thousands except share and per share data)

| | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|
| Consolidated Statements of Operations: | | | | | |
| Revenues: | | | | | |
| License | $38,907 | $61,320 | $100,113 | $131,530 | $147,640 |
| Maintenance and professional services | 27,250 | 41,679 | 60,699 | 85,083 | 114,061 |
| Total revenues | 66,157 | 102,999 | 160,812 | 216,613 | 261,701 |
| Cost of revenues: | | | | | |
| License | 1,216 | 2,654 | 5,088 | 4,726 | 7,911 |
| Maintenance and professional services | 7,860 | 12,053 | 17,572 | 25,425 | 33,937 |
| Total cost of revenues(1) | 9,076 | 14,707 | 22,660 | 30,151 | 41,848 |
| Gross profit | 57,081 | 88,292 | 138,152 | 186,462 | 219,853 |
| Operating expenses: | | | | | |
| Research and development(1) | 10,404 | 14,400 | 21,734 | 34,614 | 42,389 |
| Sales and marketing(1) | 32,840 | 44,943 | 66,206 | 93,775 | 126,739 |
| General and administrative(1) | 4,758 | 8,495 | 16,990 | 22,117 | 30,399 |
| Total operating expenses | 48,002 | 67,838 | 104,930 | 150,506 | 199,527 |
| Operating income | 9,079 | 20,454 | 33,222 | 35,956 | 20,326 |
| Financial income (expenses), net | (1,124) | (5,988) | (1,479) | 245 | 4,103 |
| Income before taxes on income | 7,955 | 14,466 | 31,743 | 36,201 | 24,429 |
| Taxes on income | (1,320) | (4,512) | (5,949) | (8,077) | (8,414) |
| Net income | $6,635 | $9,954 | $25,794 | $28,124 | $16,015 |
| Basic net income per ordinary share(2) | $0.25 | $0.46 | $0.80 | $0.83 | $0.46 |
| Diluted net income per ordinary share(2) | $0.14 | $0.34 | $0.73 | $0.78 | $0.44 |
| Weighted average number of ordinary shares used in computing basic net income per ordinary share(2) | 6,900,433 | 13,335,059 | 32,124,772 | 33,741,359 | 34,824,312 |
| Weighted average number of ordinary shares used in computing diluted net income per ordinary share(2) | 10,765,914 | 29,704,730 | 35,322,716 | 35,838,863 | 36,175,824 |
 


   
As of December 31, (in thousands)

| | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|
| Consolidated Balance Sheet Data: | | | | | |
| Cash, cash equivalents, marketable securities and short-term bank deposits | $65,368 | $177,181 | $238,252 | $295,475 | $330,340 |
| Deferred revenue, current and long term | 24,478 | 32,160 | 54,389 | 73,506 | 105,235 |
| Working capital(3) | 48,900 | 156,829 | 197,095 | 235,010 | 251,247 |
| Total assets | 89,632 | 210,552 | 334,424 | 403,031 | 502,576 |
| Preferred share warrant liability | 2,134 | | | | |
| Total shareholders’ equity | 45,846 | 155,008 | 246,670 | 296,216 | 353,965 |
 
 
(1) Includes share-based compensation expense as follows:

Year ended December 31, (in thousands)

| | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|
| Cost of revenues | $39 | $137 | $499 | $1,386 | $2,289 |
| Research and development | 73 | 172 | 1,507 | 4,660 | 6,110 |
| Sales and marketing | 126 | 347 | 2,214 | 5,765 | 8,642 |
| General and administrative | 165 | 917 | 2,829 | 5,724 | 8,196 |
| Total share-based compensation expenses | $403 | $1,573 | $7,049 | $17,535 | $25,237 |
 
 

(2) Basic and diluted net income per ordinary share is computed based on the weighted average number of ordinary shares outstanding during each period. For additional information, see note 13 to our consolidated financial statements included elsewhere in this annual report.

(3) We define working capital as total current assets minus total current liabilities. In 2015, we adopted Accounting Standard Update No. 2015-17, Income Taxes (Topic 740): Balance Sheet Classification of Deferred Taxes (ASU 2015-17) retrospectively and reclassified all of our current deferred tax assets to noncurrent deferred tax assets on our consolidated balance sheets data for all periods presented. As a result of such reclassifications, certain noncurrent deferred tax liabilities as of December 31, 2013 and 2014 were netted with noncurrent deferred tax assets.
 

Non-GAAP operating income and non-GAAP net income are non-GAAP financial measures. We define non-GAAP operating income and non-GAAP net income as operating income and net income, respectively, which each exclude (i) share-based compensation expense, (ii) expenses related to the March 2015 public offering of ordinary shares by certain of our shareholders and to the June 2015 public offering of ordinary shares by us and certain of our shareholders, (iii) expenses related to acquisitions, (iv) amortization of intangible assets related to acquisitions and (v) expenses related to facility exit costs. Non-GAAP net income also excludes (i) financial expenses resulting from the revaluation of warrants to purchase preferred shares, (ii) tax effects related to the non-GAAP adjustments set forth above and (iii) tax effects related to the impact to our deferred tax asset as a result of the US Tax Cuts and Jobs Act 2017 (the “Tax Act”). The following tables reconcile operating income and net income, the most directly comparable U.S. GAAP measures, to non-GAAP operating income and non-GAAP net income for the periods presented:

   
(in thousands)

| | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|
| Reconciliation of Operating Income to Non-GAAP Operating Income: | | | | | |
| Operating income | $9,079 | $20,454 | $33,222 | $35,956 | $20,326 |
| Share-based compensation | 403 | 1,573 | 7,049 | 17,535 | 25,237 |
| Public offering related expenses | | | 1,568 | | |
| Acquisition related expenses | | | 677 | | 686 |
| Amortization of intangible assets – Cost of revenues | | | 359 | 1,420 | 4,213 |
| Amortization of intangible assets – Research and development | | | 749 | 1,913 | |
| Amortization of intangible assets – Sales and marketing | | | 17 | 1,190 | 1,046 |
| Facility exit costs | | | | | 342 |
| Non-GAAP operating income | $9,482 | $22,027 | $43,641 | $58,014 | $51,850 |
 
 

   
Year ended December 31, (in thousands)

| | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|
| Reconciliation of Net Income to Non-GAAP Net Income: | | | | | |
| Net income | $6,635 | $9,954 | $25,794 | $28,124 | $16,015 |
| Share-based compensation | 403 | 1,573 | 7,049 | 17,535 | 25,237 |
| Warrant adjustment | 1,446 | 4,309 | | | |
| Public offering related expenses | | | 1,568 | | |
| Acquisition related expenses | | | 677 | | 686 |
| Amortization of intangible assets – Cost of revenues | | | 359 | 1,420 | 4,213 |
| Amortization of intangible assets – Research and development | | | 749 | 1,913 | |
| Amortization of intangible assets – Sales and marketing | | | 17 | 1,190 | 1,046 |
| Facility exit costs | | | | | 342 |
| Taxes on income related to non-GAAP adjustments | | | (951) | (4,937) | (12,226) |
| Change in the U.S. federal tax rate | | | | | 6,582 |
| Non-GAAP net income | $8,484 | $15,836 | $35,262 | $45,245 | $41,895 |
 
 
For a description of how we use non-GAAP operating income and non-GAAP net income to evaluate our business, see “Item 5. Operating and Financial Review and Prospects—Key Financial Metrics.” We believe that these non-GAAP financial measures are useful in evaluating our business because of varying available valuation methodologies, subjective assumptions and the variety of equity instruments that can impact a company’s non-cash expenses and because they exclude one-time cash expenditures that do not reflect the performance of our core business. We believe that providing non-GAAP operating income and non-GAAP net income that exclude, as appropriate, share-based compensation expenses, expenses relating to public offerings of our ordinary shares, expenses related to facility exit costs, financial expenses resulting from the valuation of warrants to purchase preferred shares, expenses related to acquisitions, amortization of intangible assets related to acquisitions, tax effects related to the impact to our deferred tax asset as a result of the Tax Act and the tax effects related to these non-GAAP adjustments allows for more meaningful comparisons between our operating results from period to period. Share-based compensation expense has been, and will continue to be for the foreseeable future, a significant recurring expense in our business and an important part of the compensation we provide to employees. Additionally, excluding financial expenses with respect to revaluation of warrants to purchase preferred shares allows for more meaningful comparison between our net income from period to period. As these warrants were exercised in connection with our initial public offering, they are no longer revalued at each balance sheet date. 
We also believe that expenses related to the public offerings of our ordinary shares in March 2015 and June 2015, expenses related to our acquisitions, expenses related to facility exit costs, amortization of intangible assets related to acquisitions, tax effects related to the impact to our deferred tax asset as a result of the Tax Act and the tax effects related to the non-GAAP adjustments set forth above do not reflect the performance of our core business and would impact period-to-period comparability.
 

Other companies, including companies in our industry, may calculate non-GAAP operating income and non-GAAP net income differently or not at all, which reduces their usefulness as a comparative measure. You should consider non-GAAP operating income and non-GAAP net income along with other financial performance measures, including operating income and net income, and our financial results presented in accordance with U.S. GAAP.
 
B.              Capitalization and Indebtedness
 
Not applicable.
 
C.              Reasons for the Offer and Use of Proceeds
 
Not applicable.
 
D.             Risk Factors
 
Risks Related to Our Business and Our Industry
 
The IT security market is rapidly evolving within the increasingly challenging cyber threat landscape and the continuing use of hybrid on-premises and cloud-based infrastructure. Our sales may not continue to grow at current rates or may decline, and our share price could decrease as a result of market and industry developments we did not anticipate.
 
We operate in a rapidly evolving industry focused on securing organizations’ IT systems and sensitive data. Our solutions focus on safeguarding privileged accounts, credentials, and secrets which are those accounts within an organization that give users, applications, and machine identities the highest levels of access, or “privileged” access, to IT systems, on-premises and cloud-based infrastructure, industrial control systems, applications and data. While breaches of such privileged accounts continue to gain media attention in recent years, IT security spending within enterprises is often concentrated on endpoint and web security products designed to stop threats from penetrating corporate networks. Organizations that use these security products may allocate all or most of their IT security budgets to these products and may not adopt our solutions in addition to such products. Organizations are moving portions of their data to be managed by third parties, primarily infrastructure, platform and application service providers, and may rely on such providers’ internal security measures. Further, security solutions such as ours, which are focused on disrupting cyber attacks by insiders and external perpetrators that have penetrated an organization’s on-premises infrastructure or cloud estate, represent a security layer designed to respond to advanced threats and more rigorous compliance standards and audit requirements. However, advanced cyber attackers are skilled at adapting to new technologies and developing new methods of gaining access to organizations’ sensitive data. As our customers’ technologies and business plans evolve and become more complex, we expect them to face new and increasingly sophisticated methods of attack. We face significant challenges in ensuring that our solutions effectively identify and respond to such attacks without disrupting the performance of our customers’ IT systems. 
As a result, we must continually modify and improve our products, services, licensing models and prices in response to market and technology trends to ensure we are meeting market needs and continue providing solutions that can be deployed in a variety of environments, including cloud and hybrid.
 
We cannot guarantee that we will be able to anticipate future market needs and opportunities or be able to develop or acquire product enhancements or new products to meet such needs or opportunities in a timely manner or at all. Even if we are able to anticipate, develop and commercially introduce enhancements and new products, such as our recently introduced Conjur solution which addresses the security challenges in DevOps methodologies, there can be no assurance that such enhancements or new products will achieve widespread market acceptance.
 

In addition, any changes in compliance standards or audit requirements that deemphasize the types of controls, security, monitoring and analysis that our solutions provide would adversely impact demand for our offerings. It is therefore difficult to predict how large the market will be for our solutions. If solutions such as ours are not viewed by organizations as necessary, or if customers do not recognize the benefit of our solutions as a critical layer of an effective security strategy, then our revenues may not continue to grow at their current rate or may decline, and our share price could suffer.
 
Our quarterly results of operations may fluctuate for a variety of reasons, including our failure to close significant sales before the end of a particular quarter or unexpected changes in the sales volumes we expect across certain quarters and geographies. We may, as a result, fail to meet publicly announced financial guidance or other expectations about our business, which could cause our ordinary shares to decline in value.

A meaningful portion of our revenues is generated through deals of significant size, and purchases of our products and services often occur at the end of each quarter. We also typically experience seasonality in our sales, particularly demonstrated by increased sales in the last quarter of the year. In addition, our sales cycle can last several months from proof of concept to delivery of our solutions to our customers, and this sales cycle can be even longer, less predictable and more resource-intensive for larger sales. Customers may also require additional internal approvals or seek to test our products for a longer trial period before deciding to purchase our solutions. Furthermore, even if we close a sale during a given quarter, we may be unable to recognize the revenues derived from such sale during the same period due to our revenue recognition policy. See “Item 5.A. Operating and Financial Review and Prospects—Operating Results—Application of Critical Accounting Policies and Estimates—Revenue Recognition.”

As a result, the timing of individual sales or of their respective revenue recognition can be difficult to predict. In some cases, sales have occurred in quarters subsequent to those we anticipated, or have not occurred at all. All of these factors impact our quarterly results and our ability to accurately predict them, and may lead to difficulties in meeting market expectations regarding our actual results. If our financial results for a particular period do not meet our guidance or if we reduce our guidance for future periods, the market price of our ordinary shares may decline.
 
In addition to the sales cycle-related fluctuations set forth above, our results of operations may continue to vary as a result of a number of factors, many of which may be outside of our control or difficult to predict, including:
 
our ability to attract and retain new customers;
 
our ability to sell additional products to current customers;
 
the ability of our service operation to keep pace with license sales to new and existing customers and to satisfy customer demands for consultancy and professional services;
 
the amount and timing of our operating costs;
 
a change in our mix of products and services;
 
the ability of our channel partners to accurately predict the timing and scope of significant sales;
 
increases or decreases in our expenses caused by fluctuations in foreign currency exchange rates or changes in taxes or other applicable regulations (See “—We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations”);
 
introduction of new accounting pronouncements or changes in our accounting policies or practices;
 
changes in the nature and methodology of cyber attacks and other threats to corporate data;
 
changes in customer or channel partner requirements or market needs;
 
changes in the growth rate of the information security market;
 
the timing and success of new product and service introductions by us or our competitors or any other change in the competitive landscape of the information security market, including consolidation among our customers or competitors;
 

changes in our pricing policies or those of our competitors;
 
general economic conditions in our markets;
 
a disruption in, or termination of, our relationship with channel partners;
 
our ability to successfully expand our business globally; and
 
reductions in maintenance and SaaS subscription renewal rates.
 
Any of these factors, individually or in the aggregate, may result in significant fluctuations in our financial and other operating results from period to period. These fluctuations could result in our failure to meet our operating plan or the expectations of investors or analysts for any given period. If we fail to meet such expectations for these or other reasons, the market price of our ordinary shares could decrease substantially, and we could face costly lawsuits, including securities class action suits, which could adversely affect our results of operations and business.
 
Our reputation and business could be harmed based on real or perceived shortcomings, defects or vulnerabilities in our solutions or the provision of our services, or due to the failure of our customers, channel partners, managed security service providers, or subcontractors to correctly implement, manage and maintain our solutions, resulting in lawsuits or financial losses.
 
Security products and solutions are complex in design and deployment, and may contain errors that are not capable of being remediated or detected until after their deployment. Any errors, defects, or misconfigurations could cause our products or services to be vulnerable to security attacks, cause them to fail to secure networks, and negatively impact customer operations. If we fail to identify and respond to new and increasingly complex methods of attack on privileged accounts and update our products to detect or prevent such threats effectively, which would require significant resources, our business and reputation will suffer. In particular, we may suffer significant adverse publicity and reputational harm if our solutions (or the services we provide in relation to our solutions) are associated, or are believed to be associated, with a significant breach or a breach at a high profile customer or managed service provider network, or in the event of a breach in third party systems utilized by us as part of our cloud-based security solution.
 
In addition, our Endpoint Privilege Manager product is made available to our customers both as on-premises software and as software as a service (SaaS). Providing SaaS involves storage and transmission of customers’ policies for management of their network and operational proprietary information related to their assets and users. Security breaches or product defects in our SaaS solutions could result in loss or alteration of this data, unauthorized access to multiple customers’ data and ultimately lead to downtime or compromise of the customers’ systems on which our SaaS solution is installed. Further, the third party data hosting facilities used for the provision of our SaaS solutions are vulnerable to damages, interruptions or other unanticipated problems that could result in disruption in the provision of these solutions. Any disruptions or other performance problems with our SaaS solutions could harm our reputation and business, damage our customers’ businesses, subject us to potential liability and cause customers to terminate or not renew their subscriptions to our SaaS solutions.
 
False detection of threats (referred to as “false positives”), while typical in our industry, may reduce perception of the reliability of our products and may therefore adversely impact market acceptance of our products. If our solutions restrict legitimate privileged access by authorized personnel to IT systems and applications by falsely identifying those users as an attack or otherwise unauthorized, our customers’ businesses could be harmed. There can be no assurance that, despite our testing efforts, errors will not be found in existing and new versions of our products, resulting in loss of or delay in market acceptance. In such instances, we may be required, or may choose, for customer relations or other reasons, to expend additional resources in order to help correct such problems.
 
As our solutions not only reinforce but also rely on the common security concept of placing multiple layers of security controls throughout an IT system, the failure of our customers, channel partners, managed service providers or subcontractors to correctly implement and effectively manage and maintain our solutions (and the environments in which they are utilized), or to consistently implement and utilize generally accepted and comprehensive, multi-layered security measures and processes in the customer networks, may lessen the efficacy of our solutions. Additionally, our customers or our channel partners may independently develop plug-ins or change existing plug-ins or APIs that we provided to them for interfacing purposes in an incorrect or insecure manner. Such failure or these other customer and partner actions may lead to breaches of our customers’ IT systems and loss or alteration of sensitive data or systems, and potentially to a perception that our solutions failed. Further, our failure to provide our customers and channel partners with adequate services related to the use, implementation and maintenance of our solutions, could lead to claims against us.
 
An actual or perceived cyber attack, other security breach or theft of our customers’ data, regardless of whether the breach or theft is attributable to the failure of our products (or the services we provided in relation to our products), could adversely affect the market’s perception of the efficacy of our solutions and current or potential customers may look to our competitors for alternatives to our solutions. An actual or perceived failure of our products, or our failure to provide adequate services to our customers and channel partners, may also subject us to lawsuits, indemnity claims and financial losses, as well as the expenditure of significant financial resources to analyze, correct or eliminate any vulnerabilities. Although our license agreements typically contain provisions that limit our liabilities towards our customers, partners and relevant third parties, there is no assurance these provisions will withstand legal challenges, and certain liabilities may not be limited or capped. It could also cause us to suffer reputational harm, lose existing customers, or deter new and existing customers from purchasing our solutions, additional products or our services.
 
If we are unable to acquire new customers or sell additional products and services to our existing customers, our future revenues and operating results will be harmed.
 
Our success and continued growth depends, in part, on our ability to acquire a sufficient number of new customers. The number of customers that we add in a given period impacts both our short- and long-term revenues. Similarly, a significant portion of our revenues is generated from sales to existing customers. If we are unable to attract a sufficient number of new customers or fail to continue to sell new licenses and incremental licenses to our existing customers, we may be unable to generate revenue growth at desired rates.
 
The IT security market is competitive and many of our competitors have substantial financial, personnel, and other resources that they utilize to develop products and attract customers.
 
We devote significant efforts to developing, marketing and selling additional licenses and associated maintenance and support to existing customers and rely on these efforts for a portion of our revenues, and to a lesser extent, renewing SaaS or term based license agreements. These efforts require a significant investment in building and maintaining customer relationships, as well as significant research and development efforts in order to provide product upgrades and launch new products.
 
As we expand our market reach to gain new business, we may experience difficulties in gaining traction and raising awareness among potential customers regarding the critical role that our solutions play in securing medium-sized businesses and addressing the vulnerabilities associated with emerging types of accounts (such as our expansion into securing DevOps environments), and may face more competitive pressure in such markets. Even if we are successful in promoting the need for securing accounts in DevOps environments, potential customers may prefer to use the open source version of our Conjur solution which we released in 2017, instead of purchasing a license for the comprehensive DevOps security solution we offer and we may be unable to generate revenue growth at desired rates.
 
As a result, it may be difficult for us to add new customers to our customer base and to retain our existing customers. Competition in the marketplace may lead us to acquire fewer new customers or result in us providing discounts and other commercial incentives to new or existing customers.
 
Additional factors that impact our ability to acquire new customers or sell additional products and services to our existing customers include the perceived need for IT security, the size of our prospective and existing customers’ IT budgets, the utility and efficacy of our existing and new offerings, whether proven or perceived, changes in our pricing model that may impact the size of new business transactions, and general economic conditions. These factors may have a material negative impact on future revenues and operating results.

We face intense competition from a wide variety of IT security vendors operating in different market segments and across diverse IT environments, which may challenge our ability to maintain or improve our competitive position or to meet our planned growth rates.
 
The IT security market in which we operate is characterized by intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats. We compete with a multitude of companies that offer a broad array of IT security products that employ different approaches and delivery models to address these evolving threats.
 
Our current and potential future competitors include CA, Inc., International Business Machines Corporation, One Identity LLC and Oracle Corporation in the access and identity management market. We also compete with smaller companies such as BeyondTrust, Inc., that may offer solutions at lower price points or with a more limited range of functionality than our own offerings, or with smaller companies that operate in specific market segments or in certain geographies. Further, we may face competition due to changes in the manner that organizations utilize IT assets and the security solutions applied to them, such as the provision of privileged account security functionalities as part of public cloud providers’ infrastructure offerings, or cloud-based identity management solutions. We also may compete, to a certain extent, with vendors that offer products or services in adjacent or complementary markets to privileged account security. Limited IT budgets may also result in competition with providers of other advanced threat protection solutions such as McAfee, LLC, Palo Alto Networks, RSA Security LLC, and Symantec Corporation. Some of our competitors are large companies that have the technical and financial resources and broad customer bases needed to bring competitive solutions to the market and already have existing relationships as an established vendor for other product offerings. Such companies may use these advantages to offer products and services that are perceived to be as effective as ours at a lower price or for free as part of a larger product package or solely in consideration for maintenance and services fees, which could result in increased market pressure to offer our solutions and services at lower prices. They may also develop different products to compete with our current solutions and respond more quickly and effectively than we do to new or changing opportunities, technologies, standards or client requirements or enjoy stronger sales and service capabilities in certain regions.
 
Our competitors may enjoy potential competitive advantages over us, such as:
 
greater name recognition, a longer operating history and a larger customer base, notwithstanding the increased visibility of our brand in recent years since our initial public offering;
 
larger sales and marketing budgets and resources;
 
broader distribution and established relationships with channel partners, advisory firms and customers;
 
increased effectiveness in protecting, detecting and responding to cyber attacks;
 
greater or localized resources for customer support and provision of services;
 
greater speed at which a solution can be deployed;
 
greater resources to make acquisitions;
 
larger intellectual property portfolios; and
 
greater financial, technical and other resources.
 
Our current and potential competitors may also establish cooperative relationships among themselves or with third parties that may further enhance their resources and capabilities. Current or potential competitors may be acquired by third parties with greater resources. As a result of such acquisitions, our current or potential competitors may be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do. Larger competitors with more diverse product offerings may reduce the price of products that compete with ours in order to promote the sale of other products or may bundle them with other products, which would lead to increased pricing pressure on our products and could cause the average sales prices for our products to decline. Similarly, we may also face increased competition following an acquisition of new lines of business that compete with providers of such technologies.
 
In addition, other IT security technologies exist or could be developed in the future by current or future competitors, and our business could be materially and adversely affected if such technologies are widely adopted. We may not be able to successfully anticipate or adapt to changing technology or customer requirements on a timely basis, or at all. If we fail to keep up with technological changes or to convince our customers and potential customers of the value of our solutions even in light of new technologies, our business, results of operations and financial condition could be materially and adversely affected.
 
Our share price may be adversely affected if our investments in our business do not deliver anticipated growth and we are unable to increase our operating and net income margins.

We have experienced a decrease in our operating and net income margins in recent periods. From the year ended December 31, 2015 to the year ended December 31, 2017, our revenue grew from $160.8 million to $261.7 million, representing a compound annual growth rate of approximately 28%. Over the same period, we experienced declines in our operating and net income margins from 21% to 8% and from 16% to 6%, respectively. The primary driver of the decline in margins has been our investment in expanding our sales force and marketing activity relative to the growth we achieved. We are making significant investments in our business in order to drive future growth. For example, we expect to continue to expand our sales and marketing personnel significantly and face a number of challenges in achieving our hiring and integration goals. It takes time and resources to train and integrate new sales force members across our global operations. Costs associated with adding new personnel to our sales force are expensed before their positive impact on our sales is recognized, and even then a significant portion of any revenues that they generate from maintenance and services are deferred over the delivery period of those services. We have also spent increased amounts on research and development and general and administrative costs associated with scaling our business. Our share price may be adversely affected even if we generate future growth if we are unable to increase our operating and net margins at the same time or if the growth rate generated was less than anticipated causing the operating and net margins to still decline.
 
We may fail to fully integrate, or realize the benefits expected from acquisitions, which may require significant management attention, disrupt our business, dilute shareholder value and adversely affect our results of operations.
 
As part of our business strategy and in order to remain competitive, we continue to evaluate acquiring or making investments in complementary companies, products or technologies. We may not be able to find suitable acquisition candidates or complete such acquisitions on favorable terms. If we do complete acquisitions, we may not ultimately strengthen our competitive position or achieve our goals, and any acquisitions we complete could be viewed negatively by our customers, analysts and investors. In addition, if we are unsuccessful at integrating our acquisitions or the technologies associated with such acquisitions or fail to fully attain the expected benefits of these acquisitions, our revenues and results of operations could be adversely affected. Any integration process may require significant time and resources, and we may not be able to manage the process successfully and may experience a decline in our profitability as we incur expenses prior to fully realizing the benefits of the acquisition. We may not successfully evaluate or utilize the acquired technology or personnel, or accurately forecast the financial impact of an acquisition transaction, including accounting charges and tax liabilities. We could become subject to legal claims following the acquisition, or fail to accurately forecast the potential impact of any pre-existing claims. Further, the issuance of equity or debt to finance any such acquisitions could result in dilution to our shareholders and could subject us to covenants or other restrictions that would impede our ability to manage our operations. While we have experienced some of these types of issues in connection with past acquisitions, none of which has materially affected our operations or financial condition, we cannot guarantee that any such event will not have a material adverse impact on our business and results in the future.
 
We are subject to a number of risks, including regulatory risks, associated with global sales and operations, which could materially affect our business.
 
We are a global company subject to varied and complex laws, regulations and customs. The application of these laws and regulations to our business is often unclear and may at times conflict. Compliance with these laws and regulations may involve significant costs or require changes in our business practices that result in reduced revenue and profitability. Furthermore, business practices in the global markets that we serve may differ from those in the United States and may require us to include non-standard terms in customer contracts, such as extended payment or warranty terms. To the extent that we enter into customer contracts that include non-standard terms related to payment, warranties, or performance obligations, our results of operations may be adversely impacted.
 
Additionally, our global sales and operations are subject to a number of risks, including the following:
 
higher costs of doing business globally, including costs incurred in maintaining office space, securing adequate staffing and localizing our contracts;
 
fluctuations in exchange rates between the U.S. dollar and foreign currencies in markets where we do business (See “—We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations”);
 
uncertainty of the economic, financial, regulatory, trade, tax and legal implications of the withdrawal of the U.K. from the E.U. (“Brexit”) and how this could affect our business, both globally and specifically in the region;
 
greater difficulty in enforcing contracts and managing collections, as well as longer collection periods;
 
compliance with anti-bribery laws, including, without limitation, compliance with the U.S. Foreign Corrupt Practices Act and the U.K. Anti-Bribery Act;
 
heightened risk of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, or irregularities in, financial statements;
 
risks associated with trade restrictions and foreign legal requirements, including any importation, certification, and localization of our platform that may be required in foreign countries;
 
greater risk of unexpected changes in regulatory practices, tariffs, and tax laws and treaties (See “—Our business may be materially affected by changes to fiscal and tax policies. Potentially negative or unexpected tax consequences of these policies, or the uncertainty surrounding their potential effects, could adversely affect our results of operations and share price”);
 
compliance with, and the uncertainty of, laws and regulations that apply to our areas of business, including corporate governance, anti-trust and competition, import and export control, employee and third-party complaints, conflicts of interest, securities regulations and other regulatory requirements affecting trade and investment;
 
reduced or uncertain protection of intellectual property rights in some countries;
 
social, economic and political instability, terrorist attacks and security concerns in general; and
 
management communication and integration problems resulting from cultural and geographic dispersion.
 
These and other factors could harm our ability to generate future global revenues and, consequently, materially impact our business, results of operations and financial condition. Non-compliance could also result in fines, damages, or criminal sanctions against us, our officers or our employees, prohibitions on the conduct of our business, and damage to our reputation.
 
If our internal IT network system is compromised by cyber attackers or other data thieves, or by a critical system failure, our reputation, financial condition and operating results could be materially adversely affected.
 
Our solution and product offerings will not gain market share unless the marketplace is confident that we provide effective IT security protection. As we provide privileged account security products, we may be an attractive target for cyber attackers or other data thieves since a breach of our system could provide data information regarding not only us, but potentially regarding the customers that our solutions protect. Further, we may be targeted by cyber terrorists because we are an Israeli company.
 
While, from time to time, we encounter intrusion incidents and attempts, none of which to date has resulted in any material adverse impact to our business or operations, we cannot guarantee that any future attacks will not materially adversely affect our business or results of operations. In addition, as our market position continues to grow specifically in the security industry, an increasing number of cyber attackers may begin to focus on finding ways to penetrate our network systems, which might eventually affect our products and services. The risk of cyber attacks to our company may also result from breaches of our contractors, business partners, vendors and other third parties associated with us, or due to human errors of those acting on our behalf.
 
Separately, we may be subject to information technology system failures or network disruptions caused by natural disasters, accidents, power disruptions, telecommunications failures, acts of terrorism, security breaches, wars, computer viruses, or other events or disruptions. System redundancy and other continuity measures may be ineffective or inadequate, and our business continuity and disaster recovery planning may not be sufficient for all eventualities. These events could adversely affect our operation, reputation, financial condition and operating results.
 
In addition, we rely on hosted SaaS technologies from third parties in order to operate critical functions of our business, including customer relationship management and financial operation services (provided by our ERP system). If these services are breached or become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms, our expenses could increase, our ability to manage our operations could be interrupted and our processes for managing sales of our products and services and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated; all of which could materially harm our business.
 
If we experience a significant technology incident, such as a serious product vulnerability, security breach or a failure of a system that is critical for the operations of our business, it could impair our ability to operate our business, including our ability to provide maintenance and support services to our customers. If this happens, our revenues could decline and our business could suffer, and we may need to make significant further investments to protect data and infrastructure. Because we are in the computer security industry, an actual or perceived vulnerability, failure, disruption, or breach of our network or privileged account security in our systems also could adversely affect the market perception of our products and services, or of our expertise in this field, as well as our perception among new and existing customers. Additionally, a significant security breach could subject us to potential liability, litigation and regulatory or other government action. If any of the foregoing were to occur, our business may suffer and our share price may be negatively impacted.
 
If we do not effectively expand, train and retain our sales and marketing personnel, we may be unable to acquire new customers or sell additional products and services to existing customers, and our business will suffer.
 
We depend significantly on our sales force to attract new customers and expand sales to existing customers. We generate approximately 40% of our revenues from direct sales. As a result, our ability to grow our revenues depends in part on our success in recruiting, training and retaining sufficient numbers of sales personnel to support our growth, particularly in the United States. The number of our sales and marketing personnel increased from 377 as of December 31, 2016 to 491 as of December 31, 2017. We expect to continue to expand our sales and marketing personnel significantly and face a number of challenges in achieving our hiring and integration goals. There is intense competition for individuals with sales training and experience. In addition, the training and integration of a large number of sales and marketing personnel in a short time requires the allocation of significant internal resources. We invest significant time and resources in training new sales force personnel to understand our solutions and growth strategy. Based on our past experience, it takes an average of approximately six to nine months before a new sales force member operates at target performance levels. However, we may be unable to achieve or maintain our target performance levels with large numbers of new sales personnel as quickly as we have done in the past. Our failure to hire a sufficient number of qualified sales force members and train them to operate at target performance levels may materially and adversely impact our projected growth rate.
 
We rely on channel partners to generate a significant portion of our revenue, market our solutions and provide necessary services to our customers. If we fail to maintain successful relationships with our channel partners, or if our channel partners fail to perform, our ability to market, sell and distribute our solutions will be limited, and our business, financial position and results of operations will be harmed.
 
In addition to our direct sales force, we rely on our channel partners to market, sell, support and implement our solutions, particularly in Europe and the Asia Pacific and Japan regions. We expect that sales through our channel partners will continue to account for a significant percentage of our revenue. In the year ended December 31, 2017, we generated approximately 60% of our revenues from sales to channel partners such as distributors, systems integrators, value-added resellers and managed security service providers, and we expect that channel partners will represent a substantial portion of our revenues for the foreseeable future. Further, we cooperate with advisory firms in marketing our solutions and providing implementation services to our customers, in both direct and indirect sales. Our agreements with channel partners are non-exclusive, meaning our partners may offer customers IT security products from other companies, including products that compete with our solutions. If our channel partners do not effectively market and sell our solutions, or choose to use greater efforts to market and sell their own products and services or the products and services of our competitors, our ability to grow our business will be adversely affected. Our channel partners may cease or deemphasize the marketing of our solutions with limited or no notice and with little or no penalty. Further, new channel partners require training and may take several months or more to achieve productivity. The loss of key channel partners, the inability to replace them or the failure to recruit additional channel partners could materially and adversely affect our results of operations. 
Our reliance on channel partners could also subject us to lawsuits or reputational harm if, for example, a channel partner misrepresents the functionality of our solutions to customers, fails to appropriately implement our solutions or violates applicable laws, and may further result in termination of such partner’s agreement and potentially curb future revenues associated with it. Our ability to grow revenues in the future will depend in part on our success in maintaining successful relationships with our channel partners and training our channel partners to independently sell and install our solutions. If we are unable to maintain our relationship with channel partners or otherwise develop and expand our indirect sales channel, or if our channel partners fail to perform, our business, financial position and results of operations could be adversely affected.
 
Failure by us or our channel partners to maintain sufficient levels of customer support could have a material adverse effect on our business, financial condition and results of operations.
 
Our customers depend, in large part, on customer support and professional services delivered through our channel partners or by us to implement and roll out our solutions, and resolve issues relating to their use. Even with our support and that of our channel partners, our customers are ultimately responsible for effectively using our solutions and ensuring that their IT staff and other relevant users are properly trained in the use of our products and complementary security products, methodologies and processes. Failure of our channel partners or ourselves to support and train our customers in the correct use of our solutions, or failure to effectively assist customers in installing our solutions and providing effective ongoing support, may result in an increase in the vulnerability of our customers’ IT systems and sensitive data. Additionally, if our channel partners do not effectively provide support and professional services to the satisfaction of our customers, we may be required to provide support to such customers, which would require us to invest in additional personnel and expend significant time and resources. We may not be able to keep up with demand for our services and support, particularly if the sales of our solutions exceed our internal forecasts. To the extent that we or our channel partners are unsuccessful in hiring, training and retaining adequate support resources, our ability and the ability of our channel partners to provide adequate and timely support and other services to our customers will be negatively impacted, and our customers’ satisfaction with us and our products may be adversely affected. Accordingly, our failure to provide satisfactory maintenance and technical support services, whether directly or through our partners, could have a material and adverse effect on our business and results of operations.
 
We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.
 
Our functional and reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. In 2017, the majority of our revenues were denominated in U.S. dollars and the remainder primarily in euros and British pounds sterling. In 2017, the substantial majority of our cost of revenues and operating expenses were denominated in U.S. dollars and New Israeli Shekels (NIS) and the remainder primarily in euros and British pounds sterling. Our foreign currency-denominated expenses consist primarily of personnel, rent and other overhead costs. Since a significant portion of our expenses is incurred in NIS and is substantially greater than our revenues in NIS, any appreciation of the NIS relative to the U.S. dollar could materially adversely impact our net income. For example, during 2017, appreciation of NIS relative to the U.S. dollar affected our operating profit by approximately $4.0 million. In addition, since the portion of our revenues generated in euros and British pounds sterling is greater than our expenses incurred in euros and British pounds sterling, respectively, any depreciation of the euro or the British pounds sterling relative to the U.S. dollar would adversely impact our net income. While any such currency exchange rate fluctuations did not have a material impact on our financial condition in 2017, we cannot guarantee that we would not experience adverse impact from currency exchange rate fluctuations in the future. We estimate that a 10% strengthening or weakening in the value of the NIS against the U.S. dollar would have decreased or increased, respectively, our net income by approximately $5.0 million in 2017. We estimate that a 10% strengthening or weakening in the value of the euro against the U.S. dollar would have increased or decreased, respectively, our net income by approximately $2.1 million in 2017. We estimate that a 10% strengthening or weakening in the value of the British pounds sterling against the U.S. dollar would have increased or decreased, respectively, our net income by approximately $0.8 million in 2017. These estimates of the impact of fluctuations in currency exchange rates on our historic results of operations may be different from the impact of fluctuations in exchange rates on our future results of operations since the mix of currencies comprising our revenues and expenses may change. We evaluate periodically the various currencies to which we are exposed and take hedging measures to reduce the potential adverse impact from the appreciation or the depreciation of our non-U.S. dollar-denominated operations, as appropriate. We expect that the majority of our revenues will continue to be generated in U.S. dollars with the balance primarily in euros and British pounds sterling for the foreseeable future and that a significant portion of our expenses will continue to be denominated in NIS, U.S. dollars, British pounds sterling and in euros. We cannot provide any assurances that our hedging activities will be successful in protecting us from adverse impacts from currency exchange rate fluctuations. See “Item 11—Quantitative and Qualitative Disclosures About Market Risk—Foreign Currency Risk.”
 
Our research and development efforts may not produce successful products or enhancements to our solutions that result in significant revenue or other benefits in the near future, if at all.
 
We expect to continue to dedicate significant financial and other resources to our research and development efforts in order to maintain our competitive position. For example, in 2017, we increased our dedicated research and development personnel by 22% compared to 2016. However, investing in research and development personnel, developing new products and enhancing existing products is expensive and time consuming, and there is no assurance that such activities will successfully anticipate market needs and result in significant new marketable products or enhancements to our products, design improvements, cost savings, revenues or other expected benefits. If we spend significant time and effort on research and development and are unable to generate an adequate return on our investment, we may not be able to compete effectively and our business and results of operations may be materially and adversely affected.
 
Our investment in product enhancements or new products could fail to attain sufficient market acceptance for many reasons, including:
 
delays in releasing product enhancements or new products;
 
failure to accurately predict market demand and to supply products that meet this demand in a timely fashion;
 
inability to interoperate effectively with the existing or newly introduced technologies, systems or applications of our existing and prospective customers;
 
defects in our products, errors or failures of our solutions to secure and protect privileged accounts against existing and new types of attacks;
 
negative publicity about the performance or effectiveness of our products;
 
introduction or anticipated introduction of competing products by our competitors;
 
installation, configuration or usage errors by our customers; and
 
easing or changing of regulatory requirements related to security.
 
If we fail to anticipate market requirements or fail to develop and introduce product enhancements or new products to meet those needs in a timely manner, it could cause us to lose existing customers and prevent us from gaining new customers, which would significantly harm our business, financial condition and results of operations.
 
If we are unable to hire, retain and motivate qualified personnel, our business will suffer.
 
Our future success depends, in part, on our ability to continue to attract and retain highly skilled personnel. Our inability to attract or retain qualified personnel or delays in hiring required personnel may seriously harm our business, financial condition and results of operations. Any of our employees may terminate their employment at any time. Competition for highly skilled personnel, specifically engineers for Research & Development positions, is often intense and results in increasing wages, especially in Israel, where we are headquartered, and where several large multinational corporations have entered the market. We may struggle to retain employees, and due to our profile and market position competitors actively seek to hire skilled personnel away from us. Furthermore, from time to time we have been subject to allegations that employees that have been hired from competitors may have been improperly solicited or divulged proprietary or other confidential information.
 
Our business may be materially affected by changes to fiscal and tax policies. Potentially negative or unexpected tax consequences of these policies, or the uncertainty surrounding their potential effects, could adversely affect our results of operations and share price.

As a multinational corporation, we are subject to income taxes, withholding taxes and indirect taxes in numerous jurisdictions worldwide. Significant judgment and management attention and resources are required in evaluating our tax positions and our worldwide provision for taxes. In the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting, and other laws, regulations, principles and interpretations. This may include recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, changes in foreign currency exchange rates, or changes in the valuation of our deferred tax assets and liabilities.

We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes against us. If we experience unfavorable results from one or more such tax audits, there could be an adverse effect on our tax rate and therefore on our net income. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made. Additionally, we are subject to transfer pricing rules and regulations, including those relating to the flow of funds between us and our affiliates, which are designed to ensure that appropriate levels of income are reported in each jurisdiction in which we operate.

The U.S. Tax Cuts and Jobs Act of 2017 (the “Act”), enacted in December 2017, introduced significant changes to the U.S. Internal Revenue Code. While it is still uncertain how these changes will affect us, certain of these changes could have a negative impact on our results of operations and business or the price of our ordinary shares. In addition, the final impacts of the Act could be different from our expectations.
 
Intellectual property claims may increase our costs or require us to cease selling certain products, which could adversely affect our financial condition and results of operations.
 
The IT security industry is characterized by the existence of a large number of relevant patents and frequent claims and related litigation regarding patent and other intellectual property rights. Leading companies in the IT security industry have extensive patent portfolios. From time to time, third-parties have asserted and may assert their patent, copyright, trademark and other intellectual property rights against us, our channel partners or our customers. Furthermore, we may be subject to indemnification obligations with respect to third-party intellectual property rights pursuant to our agreements with our customers and channel partners. Such indemnification provisions are customary for our industry. Any claims of intellectual property infringement or misappropriation brought against us, our channel partners or customers, even those without merit, could be expensive and time-consuming to defend, and divert management’s attention. We cannot assure you that we will have the resources to defend against all such claims. Successful claims of infringement or misappropriation by a third-party against us or a third-party that we indemnify could prevent us from distributing certain products or performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. 
Such claims also could require us to cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others, to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology, to enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights, and to indemnify our customers and partners (and parties associated with them). Even if third parties may offer a license to their technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely affected. Defending against claims of infringement or being deemed to be infringing the intellectual property rights of others could impair our ability to innovate, develop, distribute and sell our current and planned products and services. If we are unable to ensure that we are not violating the intellectual property rights of others, our financial position may be adversely affected.
 
If our products fail to help our customers achieve and maintain compliance with certain government regulations and industry standards, our business and results of operations could be materially and adversely affected.
 
We generate a substantial portion of our revenues from our products and services which enable our customers to achieve and maintain compliance with certain government regulations and industry standards, and we expect that to continue for the foreseeable future. This includes third party certifications where our solutions are being utilized by our customers as a control demonstrating compliance with specific elements of certain third party certification standards. These industry standards may change with little or no notice, including changes that could make them more or less onerous for businesses. In addition, governments may also adopt new laws or regulations, or make changes to existing laws or regulations, some of which may conflict with each other, that could impact whether our solutions enable our customers to maintain compliance with such laws or regulations. If we are unable to adapt our solutions to changing government regulations and industry standards in a timely manner, or if our solutions fail to expedite our customers’ compliance initiatives, our customers may lose confidence in our products and could switch to products offered by our competitors. In addition, if government regulations and industry standards related to IT security are changed in a manner that makes them less onerous, our customers may view compliance as less critical to their businesses, and our customers may be less willing to purchase our products and services. In either case, our sales and financial results would suffer.
 
Regulatory data privacy concerns, evolving regulations of cloud computing, cross-border data transfer restrictions and other domestic or foreign regulations may limit the use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers or support our current customers, thus reducing our revenues, harming our operating results and adversely affecting our business.
 
Regulation related to the provision of services on the Internet is increasing, as federal, state and foreign governments continue to adopt new laws and regulations addressing cybersecurity, privacy, data protection and the collection, processing, storage and use of personal information. Such laws and regulations, such as the 2016 E.U.-U.S. framework for data transfers known as Privacy Shield or the adoption and implementation of the E.U. General Data Protection Regulation (“GDPR”) which becomes effective in May 2018, are subject to new and differing interpretations and may be inconsistent among jurisdictions. Engineering efforts to build new capabilities to facilitate compliance with the law may entail substantial expense and the diversion of engineering resources from other projects. If we are unable to engineer products that meet our legal duties or help our customers meet their obligations under the GDPR or other data regulations, we might experience reduced demand for our products or services. Non-compliance with such existing or new regulations may result in substantial monetary penalties and compliance reviews by regulators may result in burdensome or inconsistent requirements affecting the location and management of our customer and internal employee data. Compliance may require changes in services, business practices, or internal systems resulting in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing with foreign-based firms.
 
These and other regulatory requirements around the privacy or cross-border transfer of personal data could restrict our ability to store and process data as part of our SaaS solutions, or, in some cases, impact our ability to offer our SaaS products in certain jurisdictions. Such laws may also impact our customers’ ability to deploy certain of our solutions globally, to the extent they utilize our products for storing personal information that they store and process. In addition, in many cases these privacy laws apply not only to transfers of information to third parties, but also within an enterprise, including our company or our customers. The costs of compliance with, and other burdens imposed by, such laws, regulations and standards (regardless of whether there was any data breach) may require resources to create new products or modify existing products, lead to us being subject to significant fines, penalties or liabilities for noncompliance, and may slow the pace at which we close sales transactions, any of which could harm our business. Further, mandatory disclosures regarding a breach of certain information are costly to implement and may lead to widespread negative publicity, which may cause customers to lose confidence in the effectiveness of our data security measures and harm our reputation and business.
 
If our products do not effectively interoperate with our customers’ existing or future IT infrastructures, installations could be delayed or cancelled, which could harm our business.
 
Our products must effectively interoperate with our customers’ existing or future IT infrastructures, which often have different specifications, utilize multiple protocol standards, deploy products from multiple vendors and contain multiple generations of products that have been added over time. If we find errors in the existing software or defects in the hardware used in our customers’ infrastructure or problematic network configurations or settings, we may have to modify our software so that our products will interoperate with our customers’ infrastructure and business processes. In addition, to stay competitive within certain markets, we may be required to make software modifications in future releases to comply with new statutory or regulatory requirements. These issues could result in longer sales cycles for our products and order cancellations, either of which could adversely affect our business, results of operations and financial condition.
 
If we are unable to adequately protect our proprietary technology and intellectual property rights, our business could suffer substantial harm.
 
The success of our business depends on our ability to protect our proprietary technology, brands and other intellectual property and to enforce our rights in that intellectual property. We attempt to protect our intellectual property under patent, copyright, trademark and trade secret laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection.
 
As of December 31, 2017, we had 14 issued patents in the United States, 2 provisional U.S. patent applications and 26 pending U.S. patent applications. We also had 2 International PCT applications as well as 5 issued patents and 12 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional patent applications in the future.
 
The process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner all the way through to the successful issuance of a patent. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions. Furthermore, it is possible that our patent applications may not issue as granted patents, that the scope of our issued patents will be insufficient or not have the coverage originally sought, that our issued patents will not provide us with any competitive advantages, and that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes or litigation. Finally, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. Our policy is to require our employees (and our consultants and service providers that develop intellectual property included in our products) to execute written agreements in which they assign to us their rights in potential inventions and other intellectual property created within the scope of their employment (or, with respect to consultants and service providers, their engagement to develop such intellectual property), but we cannot be certain that we have adequately protected our rights in every such agreement or that we have executed an agreement with every such party. Finally, in order to benefit from the protection of patents and other intellectual property rights, we must monitor and detect infringement and pursue infringement claims in certain circumstances in relevant jurisdictions, all of which are costly and time-consuming. As a result, we may not be able to obtain adequate protection or to effectively enforce our issued patents or other intellectual property rights.
 
In addition to patents, we rely on trade secret rights, copyrights and other rights to protect our unpatented proprietary intellectual property and technology. Despite our efforts to protect our proprietary technologies and our intellectual property rights, unauthorized parties, including our employees, consultants, service providers or customers, may attempt to copy aspects of our products or obtain and use our trade secrets or other confidential information. We generally enter into confidentiality agreements with our employees, consultants, service providers, vendors, channel partners, subcontractors and customers, and generally limit access to and distribution of our proprietary information and proprietary technology through certain procedural safeguards. These agreements may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology. We cannot be certain that the steps taken by us will prevent misappropriation of our intellectual property or technology or infringement of our intellectual property rights. In addition, the laws of some foreign countries where we sell our products do not protect intellectual property rights and technology to the same extent as the laws of the United States, and these countries may not enforce these laws as diligently as government agencies and private parties in the United States. If we are unable to protect our intellectual property, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and effort required to create the innovative products that have enabled us to be successful to date.
 
Our use of open source software, third-party software and other intellectual property may expose us to risks.
 
We license and integrate certain open source software components from third parties into our software and we expect to continue to use open source software in the future. Some open source software licenses require users who distribute or make available as a service open source software as part of their own software product to publicly disclose all or part of the source code of the users’ developed software or to make available any derivative works of the open source code on unfavorable terms or at no cost. While we try to use the open source software in a manner consistent with the relevant license terms that would not require us to disclose our proprietary code or license our proprietary software at no cost, we cannot assure that our efforts will be successful. We may face claims by third parties seeking to enforce the license terms applicable to such open source software, including by demanding the release of the open source software, derivative works or our proprietary source code that was developed using such software. In addition, if the license terms for the open source code change, we may be forced to re-engineer our software or incur additional costs.
 
Further, some of our products and services include other software or intellectual property licensed from third parties, and we also use software and other intellectual property licensed from third parties in our business. This exposes us to risks over which we may have little or no control. For example, a licensor may have difficulties keeping up with technological changes or may stop supporting the software or other intellectual property that it licenses to us. There can be no assurance that the licenses we use will be available on acceptable terms, if at all. In addition, a third party may assert that we or our customers are in breach of the terms of a license, which could, among other things, give such third party the right to terminate a license or seek damages from us, or both. Our inability to obtain or maintain certain licenses or other rights or to obtain or maintain such licenses or rights on favorable terms, or the need to engage in litigation regarding these matters, could result in delays in releases of new products, and could otherwise disrupt our business, until equivalent technology can be identified, licensed or developed.
 
Prolonged economic uncertainties or downturns in certain regions or industries could materially adversely affect our business.
 
Our business depends on our current and prospective customers’ ability and willingness to invest money in IT security, which in turn is dependent upon their overall economic health. Negative economic conditions in the global economy or certain regions such as the U.S. or Europe, including conditions resulting from financial and credit market fluctuations, could cause a decrease in corporate spending on information security software. In 2017, we generated 56% of our revenues from the United States, 31% of our revenues from Europe, the Middle East and Africa and 13% from the rest of the world, which includes countries from the Asia Pacific and Japan region, the Latin America region and Canada.
 
In addition, a significant portion of our revenues is generated from customers in the financial services industry, including banking and insurance. Negative economic conditions may cause customers generally and in that industry in particular to reduce their IT spending. Customers may delay or cancel IT projects, choose to focus on in-house development efforts or seek to lower their costs by renegotiating maintenance and support agreements. To the extent purchases of licenses for our software are perceived by customers and potential customers to be discretionary, our revenues may be disproportionately affected by delays or reductions in general IT spending. If the economic conditions of the general economy or industries in which we operate worsen from present levels, our results of operations could be adversely affected.

We rely significantly on revenues from maintenance and support contracts, which we recognize ratably over the term of the associated contract and, to a lesser extent, from professional services contracts, which we recognize as services are performed, and any downturns in sales of these contracts would not be immediately reflected in full in our quarterly operating results.
 
Maintenance and support and professional services revenues accounted for 44% of our total revenues in 2017. Sales of maintenance and support and professional services may decline or fluctuate as a result of a number of factors, including the number of product licenses we sell, our customers’ level of satisfaction with our products and services, the prices of our products and services, the prices of products and services offered by our competitors or reductions in our customers’ spending levels. If our sales of maintenance and support and professional services contracts decline, our revenues or revenue growth may decline and our business will suffer. We recognize revenues from maintenance and support contracts ratably on a straight-line basis over the term of the related contract which is typically one year and, to a lesser extent, three years, and from professional services as services are performed. As a result, a meaningful portion of the revenues we report each quarter results from the recognition of deferred revenues from maintenance and support and professional services contracts entered into during previous quarters. Consequently, a decline in the number or size of such contracts in any one quarter will not be fully reflected in revenues in that quarter, but will negatively affect our revenues in future quarters. Accordingly, the effect of significant downturns in maintenance and support and professional services contracts would not be reflected in full in our results of operations until future periods.

A portion of our revenues is generated by sales to government entities, which are subject to a number of challenges and risks, such as increased competitive pressures, administrative delays and additional approval requirements.
 
A portion of our revenues is generated by sales to U.S. and foreign federal, state and local governmental agency customers, and we may in the future increase sales to government entities. Selling to government entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that we will complete a sale or imposing terms of sale which are less favorable than the prevailing market terms. Government demand and payment for our products and services may be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our products. Additionally, for purchases by the U.S. government, the government may require certain products to be manufactured in the United States and other high cost manufacturing locations, and we may not manufacture all products in locations that meet the requirements of the U.S. government. Finally, some government entities require our products to be certified by industry-approved security agencies as a pre-condition of purchasing our products. The grant of such certifications depends on the then-current requirements of the certifying agency. We cannot be certain that any certificate will be granted or renewed or that we will be able to satisfy the technological and other requirements to maintain certifications. The loss of any of our product certificates, or the failure to obtain new ones, could cause us to suffer reputational harm, lose existing customers, or deter new and existing customers from purchasing our solutions, additional products or our services.

We are subject to governmental export and import controls that could subject us to liability in the event of non-compliance or impair our ability to compete in international markets.
 
We incorporate encryption capabilities into certain products and these products are subject to U.S. export control requirements. We are also subject to Israeli export controls on encryption technology since our product development initiatives are primarily conducted in Israel. If the applicable U.S. or Israeli requirements regarding the export of encryption technology were to change or if we change the encryption functionality in our products, we may need to satisfy additional requirements or obtain specific permissions (licenses) in the United States or Israel in order to continue to export our products to the same range of customers and countries as we presently do. There can be no assurance that we will be able to satisfy such additional requirements or obtain specific licenses under these circumstances in either the United States or Israel. Furthermore, various other countries regulate the import of certain encryption products and technology, including import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries.
 
We are also subject to U.S., Israeli and other applicable export control and economic sanctions laws, which prohibit the export or sale of certain products or services to embargoed or sanctioned countries, governments and persons. Our products could be exported to these sanctioned targets by our channel partners or sold directly by us to such targets despite our due diligence and, in the case of sanctionable activities by our channel partners, the contractual undertakings they have given us, and any such export could have negative consequences, including government investigations, penalties and reputational harm. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Any decreased use of our products or limitation on our ability to export or sell our products and services would likely adversely affect our business, financial condition and results of operations.
 
In addition, in the future we may be subject to defense-related export controls. For example, currently our solutions are not subject to supervision under the Israeli Defense Export Control Law, 5767-2007, but if they were used for purposes that are classified as defense-related or if they fall under “dual-use goods and technology” as referred to below, we could become subject to such regulation. In particular, under the Israeli Defense Export Control Law, 5767-2007, an Israeli company may not conduct “defense marketing activity” without a defense marketing license from the Israeli Ministry of Defense (MOD) and may be subject to a requirement to obtain a specific license from the MOD for any export of defense related products and/or knowhow. The definition of defense marketing activity is broad and includes any marketing of “defense equipment,” “defense knowhow” or “defense services” outside of Israel, which includes “dual-use goods and technology” (material and equipment intended in principle for civilian use and that can also be used for defensive purposes, such as our cybersecurity solutions) that is specified in the list of Goods and Dual-Use Technology annexed to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, if intended for defense use only, or is specified under Israeli legislation. “Dual-use goods and technology” will be subject to control by the Ministry of Economy if intended for civilian use only. In December 2013, regulations under the Wassenaar Arrangement included for the first time a chapter on cyber-related matters, which chapter was last amended in December 2017. We believe that our products do not fall under this chapter; however, in the future we may become subject to this regulation or similar regulations, which would limit our sales and marketing activities and could therefore have an adverse effect on our results of operations. Similar issues could arise under the U.S. defense/military export controls under the Arms Export Control Act and the International Traffic in Arms Regulations. Accordingly, there can be no assurance whether our solutions would be impacted by any potential new regulations pertaining to cybersecurity products and services similar to those provided by us, and what impact potential new regulations would have on our sales or our costs relating to compliance.
 
Risks Related to Our Ordinary Shares
 
Our share price may be volatile, and you may lose all or part of your investment.
 
Since our initial public offering in September 2014, our ordinary shares have traded on the Nasdaq Global Select Market as high as $76.35 per share and as low as $22.12 per share through February 28, 2018. In addition, the market price of our ordinary shares could be highly volatile and may fluctuate substantially as a result of many factors, some of which are beyond our control, including, but not limited to:
 
actual or anticipated fluctuations in our results of operations and the results of other similar companies;
 
variance in our financial performance from the expectations of market analysts;
 
announcements by us or our competitors of significant business developments, changes in service provider relationships, acquisitions or expansion plans;
 
changes in the prices of our products and services or in our pricing models;
 
our involvement in litigation;
 
our sale of ordinary shares or other securities in the future;
 
market conditions in our industry;
 
changes in key personnel;
 
speculation in the press or the investment community;
 
the trading volume of our ordinary shares;
 
changes in the estimation of the future size and growth rate of our markets;
 
any merger and acquisition activities; and
 
general economic and market conditions.
 
In addition, the stock markets have experienced price and volume fluctuations. Broad market and industry factors may materially harm the market price of our ordinary shares, regardless of our operating performance. In the past, following periods of volatility in the market price of a company’s securities, securities class action litigation has often been instituted against that company. If we were involved in any similar litigation we could incur substantial costs and our management’s attention and resources could be diverted, which could materially adversely affect our business.
 
If securities or industry analysts cease to publish research or publish inaccurate or unfavorable research reports about our business, our share price and trading volume could decline.
 
The trading price for our ordinary shares is affected by any research or reports that securities or industry analysts publish about us or our business. If one or more of the analysts who cover us or our business publish inaccurate or unfavorable research reports about us or our business, and in particular, if they downgrade their evaluations of our ordinary shares, the price of our ordinary shares would likely decline. If one or more of these analysts cease coverage of our company, we could lose visibility in the market for our ordinary shares, which in turn could cause our share price to decline.
 
As a foreign private issuer whose shares are listed on the NASDAQ Stock Market, or NASDAQ, we may follow certain home country corporate governance practices instead of otherwise applicable SEC and NASDAQ requirements, which may result in less protection than is accorded to investors under rules applicable to domestic U.S. issuers.
 
As a foreign private issuer whose shares are listed on the NASDAQ Global Select Market, we are permitted to follow certain home country corporate governance practices instead of certain rules of NASDAQ. We currently follow Israeli home country practices with regard to the quorum requirement for shareholder meetings and NASDAQ requirements relating to distribution of our annual report to shareholders. As permitted under the Israeli Companies Law, 5759-1999, or the Companies Law, our articles of association provide that the quorum for any meeting of shareholders shall be the presence of at least two shareholders present in person or by proxy who hold at least 25% of the voting power of our shares instead of 33 1/3% of our issued share capital (as prescribed by NASDAQ’s rules). Further, as permitted by the Companies Law and in accordance with the generally accepted business practice in Israel, we do not distribute our annual report to shareholders but make it available through our public website. We may in the future elect to follow Israeli home country practices with regard to other matters such as director nomination procedures, separate executive sessions of independent directors and the requirement to obtain shareholder approval for certain dilutive events (such as for the establishment or amendment of certain equity-based compensation plans, issuances that will result in a change of control of the company, certain transactions other than a public offering involving issuances of a 20% or more interest in the company and certain acquisitions of the stock or assets of another company). Accordingly, our shareholders may not be afforded the same protection as provided under NASDAQ corporate governance rules. Following our home country governance practices as opposed to the requirements that would otherwise apply to a United States company listed on NASDAQ may provide less protection than is accorded to shareholders of domestic issuers. See “Item 16.G. Corporate Governance.”

Our business could be negatively affected as a result of the actions of activist shareholders, and such activism could impact the trading value of our securities.

In recent years, U.S. and non-U.S. companies listed on securities exchanges in the United States have been faced with governance-related demands from activist shareholders, unsolicited tender offers and proxy contests. Although as a foreign private issuer we are not subject to U.S. proxy rules, responding to any action of this type by activist shareholders could be costly and time-consuming, disrupting our operations and diverting the attention of management and our employees. Such activities could interfere with our ability to execute our strategic plans. In addition, a proxy contest for the election of directors at our annual meeting would require us to incur significant legal fees and proxy solicitation expenses and require significant time and attention by management and our board of directors. The perceived uncertainties due to such actions of activist shareholders also could affect the market price of our securities.

 
As a foreign private issuer we are not subject to the provisions of Regulation FD or U.S. proxy rules and are exempt from filing certain Exchange Act reports.
 
As a foreign private issuer, we are exempt from a number of requirements under U.S. securities laws that apply to public companies that are not foreign private issuers. In particular, we are exempt from the rules and regulations under the Exchange Act related to the furnishing and content of proxy statements, and our officers, directors and principal shareholders are exempt from the reporting and short-swing profit recovery provisions contained in Section 16 of the Exchange Act. In addition, we are not required under the Exchange Act to file annual and current reports and financial statements with the SEC as frequently or as promptly as U.S. domestic companies whose securities are registered under the Exchange Act and we are generally exempt from filing quarterly reports with the SEC under the Exchange Act. We are also exempt from the provisions of Regulation FD, which prohibits issuers from making selective disclosure of material nonpublic information to, among others, broker-dealers and holders of a company’s securities under circumstances in which it is reasonably foreseeable that the holder will trade in the company’s securities on the basis of the information. Even though we intend to comply voluntarily with Regulation FD, these exemptions and leniencies will reduce the frequency and scope of information and protections to which you are entitled as an investor. For so long as we qualify as a foreign private issuer, we are not required to comply with the proxy rules applicable to U.S. domestic companies, although pursuant to the Companies Law, we disclose the annual compensation of our five most highly compensated office holders (as defined under the Companies Law) on an individual basis, including in this annual report.
 
Since a majority of our voting securities are either directly or indirectly owned of record by residents of the United States, we would lose our foreign private issuer status if any of the following were to occur: (i) the majority of our executive officers or directors were United States citizens or residents, (ii) more than 50 percent of our assets were located in the United States, or (iii) our business was administered principally in the United States. Although we have elected to comply with certain U.S. regulatory provisions, our loss of foreign private issuer status would make such provisions mandatory. The regulatory and compliance costs to us under U.S. securities laws as a U.S. domestic issuer may be significantly higher. We may also be required to modify certain of our policies to comply with good governance practices associated with U.S. domestic issuers. Such conversion and modifications will involve additional costs. In addition, we would lose our ability to rely on the Nasdaq exemptions from certain corporate governance requirements that are available to foreign private issuers.
 
If we sell our ordinary shares in future financings, ordinary shareholders could experience immediate dilution and, as a result, the market price of our ordinary shares may decline.
 
We may from time to time issue additional ordinary shares at a discount from the current trading price of our ordinary shares. As a result, our ordinary shareholders would experience immediate dilution upon the purchase of any ordinary shares sold at such discount. In addition, as opportunities present themselves, we may enter into equity or debt financings or similar arrangements in the future, including the issuance of convertible debt securities, preferred shares or ordinary shares. If we issue ordinary shares or securities convertible into ordinary shares, holders of our ordinary shares could experience dilution.
 
If we are unable to satisfy the requirements of Sections 404(a) and 404(b) of the Sarbanes-Oxley Act of 2002, or the Sarbanes-Oxley Act, or if our internal control over financial reporting is not effective, investors may lose confidence in the accuracy and the completeness of our financial reports and the trading price of our ordinary shares may be negatively affected.
 
Pursuant to Section 404(a) of the Sarbanes-Oxley Act, we are required to furnish a report by management on the effectiveness of our internal control over financial reporting. Additionally, pursuant to Section 404(b) of the Sarbanes-Oxley Act, we must include an auditor attestation on our internal control over financial reporting.
 
To maintain the effectiveness of our disclosure controls and procedures and our internal control over financial reporting, we expect that we will need to continue enhancing existing, and implement new, financial reporting and management systems, procedures and controls to manage our business effectively and support our growth in the future. The process of evaluating our internal control over financial reporting requires an investment of substantial time and resources, including by our Chief Financial Officer and other members of our senior management. As a result, this process may divert internal resources and take a significant amount of time and effort to complete. Additionally, as part of management assessments of the effectiveness of our internal control over financial reporting required by Section 404(a), our management may conclude that our internal control over financial reporting is not effective due to our failure to cure any identified material weakness or otherwise, which would require us to employ remedial actions to implement effective controls. If we identify material weaknesses in our internal control over financial reporting, if we are unable to comply with the requirements of Section 404(a) or 404(b) in a timely manner or to assert that our internal control over financial reporting is effective, or if our independent registered public accounting firm is unable to express an opinion or issues an adverse opinion in its attestation as to the effectiveness of our internal control over financial reporting required by Section 404(b), investors may lose confidence in the accuracy and completeness of our financial reports and the trading price of our ordinary shares could be negatively affected. We could also become subject to investigations by Nasdaq, the SEC or other regulatory authorities, which could require additional financial and management resources.
 
Irrespective of compliance with Sections 404(a) and 404(b), any failure of our internal control could have a material adverse effect on our stated results of operations and harm our reputation. In order to implement changes to our internal control over financial reporting triggered by a failure of those controls, we could experience higher than anticipated operating expenses, as well as higher independent auditor fees during and after the implementation of these changes.
 
As a public company we may become subject to further compliance obligations, which may strain our resources and divert management’s attention.
 
Changing laws, regulations and standards in the United States relating to corporate governance and public disclosure and other matters may be implemented in the future, which may increase our legal and financial compliance costs, make some activities more time consuming and divert management’s time and attention from revenue-generating activities to compliance activities. If our efforts to comply with new laws, regulations and standards differ from the activities intended by regulatory or governing bodies due to ambiguities related to practice, regulatory authorities may initiate legal proceedings against us and our business may be harmed. Being a publicly traded company in the United States and being subject to U.S. rules and regulations may make it more expensive for us to obtain director and officer liability insurance, and we may be required to accept reduced coverage or incur substantially higher costs to obtain coverage. These factors could also make it more difficult for us to attract and retain qualified members of our board of directors, particularly to serve on our audit committee, and qualified executive officers.
 
Our U.S. shareholders may suffer adverse tax consequences if we are classified as a passive foreign investment company or as a “controlled foreign corporation”.
 
Generally, if for any taxable year 75% or more of our gross income is passive income, or at least 50% of the average quarterly value of our assets (which may be measured in part by the market value of our ordinary shares, which is subject to change) are held for the production of, or produce, passive income, we would be characterized as a passive foreign investment company, or PFIC, for U.S. federal income tax purposes under the Internal Revenue Code of 1986, as amended, or the Code. Based on our gross income and gross assets, and the nature of our business, we believe that we were not classified as a PFIC for the taxable year ended December 31, 2017. Because PFIC status is determined annually based on our income, assets and activities for the entire taxable year, it is not possible to determine whether we will be characterized as a PFIC for the taxable year ending December 31, 2018, or for any subsequent year, until we finalize our financial statements for that year. Furthermore, because the value of our gross assets is likely to be determined in large part by reference to our market capitalization, a decline in the value of our ordinary shares may result in our becoming a PFIC. Accordingly, there can be no assurance that we will not be considered a PFIC for any taxable year. Our characterization as a PFIC could result in material adverse tax consequences for you if you are a U.S. investor, including having gains realized on the sale of our ordinary shares treated as ordinary income, rather than a capital gain, the loss of the preferential rate applicable to dividends received on our ordinary shares by individuals who are U.S. holders, and having interest charges apply to distributions by us and the proceeds of share sales. Certain elections exist that may alleviate some of the adverse consequences of PFIC status and would result in an alternative treatment (such as mark-to-market treatment) of our ordinary shares. Prospective U.S. investors should consult their own tax advisers regarding the potential application of the PFIC rules to them. Prospective U.S. investors should refer to “Item 10.E. Taxation—Certain United States Federal Income Tax Consequences” for discussion of additional U.S. income tax considerations applicable to them based on our treatment as a PFIC.
 
Certain U.S. holders of our ordinary shares may suffer adverse tax consequences if we or any of our non-U.S. subsidiaries are characterized as a “controlled foreign corporation”, or a CFC, under Section 957(a) of the Code. Certain changes to the CFC constructive ownership rules under Section 958(b) of the Code introduced by the TCJA may cause one or more of our non-U.S. subsidiaries to be treated as CFCs, may also impact our CFC status, and may affect holders of our ordinary shares that are United States shareholders. Generally, for U.S. shareholders that own 10% or more of the combined vote or combined value of our ordinary shares, this may result in negative U.S. federal income tax consequences and these shareholders may be subject to certain reporting requirements with the U.S. Internal Revenue Service. Any such 10% U.S. shareholder should consult its own tax advisors regarding the U.S. tax consequences of acquiring, owning, or disposing of our ordinary shares and the impact of the TCJA, especially the changes to the rules relating to CFCs.
 
Risks Relating to Our Incorporation and Location in Israel
 
Our headquarters, substantially all of our research and development activities and other significant operations are located in Israel and, therefore, our results may be adversely affected by political, economic and military instability in Israel.
 
Our headquarters and principal research and development facilities are located in Israel. In addition, the majority of our key employees, officers and directors are residents of Israel. Accordingly, political, economic and military conditions in Israel may directly affect our business. Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its neighboring countries. In recent years, these have included hostilities between Israel and Hezbollah in Lebanon and Hamas in the Gaza strip, both of which resulted in rockets being fired into Israel causing casualties and disruption of economic activities. In addition, Israel faces threats from more distant neighbors, including, in particular, Iran. Our commercial insurance does not cover losses that may occur as a result of an event associated with the security situation in the Middle East. Although the Israeli government is currently committed to covering the reinstatement value of direct damages that are caused by terrorist attacks or acts of war, we cannot assure you that this government coverage will be maintained, or if maintained, will be sufficient to compensate us fully for damages incurred. Any losses or damages incurred by us could have a material adverse effect on our business. Any armed conflict involving Israel could adversely affect our operations and results of operations.
 
Further, our operations could be disrupted by the obligations of personnel to perform military service. As of December 31, 2017, we had 378 employees based in Israel, certain of which may be called upon to perform up to 54 days in each three year period (and in the case of non-officer commanders or officers, up to 70 or 84 days, respectively, in each three year period) of military reserve duty until they reach the age of 40 (and in some cases, depending on their specific military profession up to 45 or even 49 years of age) and, in certain emergency circumstances, may be called to immediate and unlimited active duty. Our operations could be disrupted by the absence of a significant number of employees related to military service, which could materially adversely affect our business and results of operations.
 
Several countries, principally in the Middle East, restrict doing business with Israel and Israeli companies, and additional countries may impose restrictions on doing business with Israel and Israeli companies whether as a result of hostilities in the region or otherwise. In addition, there have been increased efforts by activists to cause companies and consumers to boycott Israeli goods based on Israeli government policies. Such actions, particularly if they become more widespread, may adversely impact our ability to sell our products. Any hostilities involving Israel or any interruption or curtailment of trade between Israel and its present trading partners, or a significant downturn in the economic or financial condition of Israel, could adversely affect our business, financial condition and results of operations. We may also be targeted by cyber terrorists specifically because we are an Israeli company.
 
The tax benefits that are available to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could increase our costs and taxes.
 
We were granted Approved Enterprise status under the Israeli Law for the Encouragement of Capital Investments, 5719-1959, or the Investment Law. We elected the alternative benefits program, pursuant to which income derived from the Approved Enterprise program is tax-exempt for two years and enjoys a reduced tax rate of 10.0% to 25.0% for up to a total of eight years, subject to an adjustment based on the percentage of foreign investors’ ownership. We were also eligible for certain tax benefits provided to Benefited Enterprises under the Investment Law. In March 2013, we notified the Israel Tax Authority that we apply the new tax Preferred Enterprise regime under the Investment Law instead of our Approved Enterprise and Benefited Enterprise. Accordingly, we are eligible for certain tax benefits provided to Preferred Enterprises under the Investment Law. If we do not meet the conditions stipulated in the Investment Law and the regulations promulgated thereunder, as amended, for the Preferred Enterprise, any of the associated tax benefits may be canceled and we would be required to repay the amount of such benefits, in whole or in part, including interest and CPI linkage (or other monetary penalties). Further, in the future these tax benefits may be reduced or discontinued. If these tax benefits are reduced, cancelled or discontinued, our Israeli taxable income would be subject to regular Israeli corporate tax rates which would harm our financial condition and results of operation. Additionally, if we increase our activities outside of Israel through acquisitions, for example, our expanded activities might not be eligible for inclusion in future Israeli tax benefit programs. See “Item 5. Operating and Financial Review and Prospects—Operating Results—Israeli Tax Considerations and Government Programs—Law for the Encouragement of Capital Investments, 5719-1959.”  
 
We may become subject to claims for remuneration or royalties for assigned service invention rights by our employees.
 
We enter into assignment-of-invention agreements with our employees pursuant to which such individuals agree to assign to us all rights to any inventions created in the scope of their employment or engagement with us. A significant portion of our intellectual property has been developed by our employees during the course of their employment by us. Under the Israeli Patent Law, 5727-1967, inventions conceived by an employee during the scope of his or her employment with a company are regarded as “service inventions” which belong to the employer, absent a specific agreement between the employee and employer giving the employee service invention rights. Although our employees have agreed to assign to us service invention rights, as a result of uncertainty under Israeli law with respect to service invention rights and the efficacy of related waivers, including with respect to remuneration and its extent, we may face claims demanding remuneration in consideration for assigned inventions. As a consequence of such claims, we could be required to pay additional remuneration or royalties to our current and/or former employees, or be forced to litigate such claims, which could negatively affect our business.
 
Provisions of Israeli law and our articles of association may delay, prevent or otherwise impede a merger with or an acquisition of us, even when the terms of such a transaction are favorable to us and our shareholders.
 
Our articles of association contain certain provisions that may delay or prevent a change of control. These provisions include that our directors (other than external directors, if applicable) are elected on a staggered basis, and therefore a potential acquirer cannot readily replace our entire board of directors at a single annual general shareholder meeting. In addition, Israeli corporate law regulates acquisitions of shares through tender offers and mergers, requires special approvals for transactions involving directors, officers or significant shareholders and regulates other matters that may be relevant to such types of transactions. See “Item 10.B. Articles of Association—Acquisitions under Israeli Law” for additional information.
 
Furthermore, Israeli tax considerations may make potential transactions unappealing to us or to our shareholders whose country of residence does not have a tax treaty with Israel exempting such shareholders from Israeli tax. For example, Israeli tax law does not recognize tax-free share exchanges to the same extent as U.S. tax law. With respect to mergers involving an exchange of shares, Israeli tax law allows for tax deferral in certain circumstances but makes the deferral contingent on the fulfillment of a number of conditions, including, in some cases, a holding period of two years from the date of the transaction during which sales and dispositions of shares of the participating companies are subject to certain restrictions. Moreover, with respect to certain share swap transactions, the tax deferral is limited in time, and when such time expires, the tax becomes payable even if no disposition of the shares has occurred. These provisions of Israeli law and our articles of association could have the effect of delaying or preventing a change in control in us and may make it more difficult for a third-party to acquire us, even if doing so would be beneficial to our shareholders, and may limit the price that investors may be willing to pay in the future for our ordinary shares.
 
It may be difficult to enforce a judgment of a U.S. court against us, our officers and directors or the Israeli auditors named in this annual report in Israel or the United States, to assert U.S. securities laws claims in Israel or to serve process on our officers and directors and these auditors.
 
We are incorporated in Israel. The majority of our directors and executive officers, and the Israeli auditors listed in this annual report reside outside of the United States, and most of our assets and most of the assets of these persons are located outside of the United States. Therefore, a judgment obtained against us, or any of these persons, including a judgment based on the civil liability provisions of the U.S. federal securities laws, may not be collectible in the United States and may not be enforced by an Israeli court. It also may be difficult for you to effect service of process on these persons in the United States or to assert U.S. securities law claims in original actions instituted in Israel. Israeli courts may refuse to hear a claim based on an alleged violation of U.S. securities laws reasoning that Israel is not the most appropriate forum in which to bring such a claim. In addition, even if an Israeli court agrees to hear a claim, it may determine that Israeli law and not U.S. law is applicable to the claim. If U.S. law is found to be applicable, the content of applicable U.S. law must be proven as a fact by expert witnesses, which can be a time consuming and costly process. Certain matters of procedure will also be governed by Israeli law. There is little binding case law in Israel that addresses the matters described above. As a result of the difficulty associated with enforcing a judgment against us in Israel, you may not be able to collect any damages awarded by either a U.S. or foreign court.
 
Your rights and responsibilities as a shareholder are, and will continue to be, governed by Israeli law which differs in some material respects from the rights and responsibilities of shareholders of U.S. companies.
 
The rights and responsibilities of the holders of our ordinary shares are governed by our articles of association and by Israeli law. These rights and responsibilities differ in some material respects from the rights and responsibilities of shareholders in U.S.-based corporations. In particular, a shareholder of an Israeli company has a duty to act in good faith and in a customary manner in exercising its rights and performing its obligations towards the company and other shareholders, and to refrain from abusing its power in the company, including, among other things, in voting at a general meeting of shareholders on matters such as amendments to a company’s articles of association, increases in a company’s authorized share capital, mergers and acquisitions and related party transactions requiring shareholder approval. In addition, shareholders have a general duty to refrain from discriminating against other shareholders and a shareholder who is aware that it possesses the power to determine the outcome of a shareholder vote or to appoint or prevent the appointment of a director or chief executive officer in the company has a duty of fairness toward the company with regard to such vote or appointment. There is limited case law available to assist us in understanding the nature of this duty or the implications of these provisions. These provisions may be interpreted to impose additional obligations and liabilities on holders of our ordinary shares that are not typically imposed on shareholders of U.S. corporations. See “Item 6.C. Board Practices — Approval of Related Party Transactions under Israeli Law—Fiduciary Duties of Directors and Executive Officers.”
 
ITEM 4. INFORMATION ON THE COMPANY
 
A. History and Development of the Company
 
Our History
 
We were founded in 1999 with the vision of protecting high-value business data and pioneered our Digital Vault technology, which is the foundation of our primary platform. That same year, we began offering our first product, the Sensitive Information Management Solution (previously called the Sensitive Document Vault), which provides a secure platform through which our customers’ employees can share sensitive files. We believe our early innovation in vaulting technology enabled us to evolve into a company that provides a comprehensive security solution built for privileged accounts. In 2005, we introduced our Privileged Account Security Solution, which has become our leading offering and reflects our emphasis on protecting privileged accounts across an organization. In September 2014, we listed our ordinary shares on the NASDAQ Global Select Market. In 2015, we acquired Viewfinity, a provider of Windows least privilege management and application control software, as well as Cybertinel, a cyber security company specializing in cyber threat detection technology. In May 2017, we acquired Conjur Inc., a provider of DevOps security software, and in March 2018, we acquired certain assets of Vaultive, Inc., a cloud security provider. Based on our continued innovation, today we are a leader in privileged account security, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline.
 
We are a company limited by shares organized under the laws of the State of Israel. We are registered with the Israeli Registrar of Companies. Our registration number is 51-229164-2. Our principal executive offices are located at 9 Hapsagot St., Park Ofer B, POB 3143, Petach-Tikva, 4951040, Israel, and our telephone number is +972 (3) 918-0000. Our website address is www.cyberark.com. Information contained on, or that can be accessed through, our website is not part of this annual report and is not incorporated by reference herein. We have included our website address in this annual report solely for informational purposes. Our agent for service of process in the United States is CyberArk Software, Inc., located at 60 Wells Avenue, Newton, MA 02459, and our telephone number is (617) 965-1544.
 
Principal Capital Expenditures
 
Our capital expenditures for fiscal years 2015, 2016 and 2017 amounted to $2.1 million, $2.8 million and $6.8 million, respectively. Capital expenditures consist primarily of investments in leasehold improvements for our office space and the purchase of computers and related equipment. We anticipate our capital expenditures in fiscal year 2018 to be in the range of $10 million to $11 million, of which approximately $5 million relates to our offices in London, Singapore, the U.S. and the global headquarters in Israel. We anticipate our capital expenditures in 2018 will be financed with cash on hand and cash flow generated from operating activities.
 
B. Business Overview
 
We are a global leader in privileged account security, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. Our software solutions are focused on protecting privileged accounts, credentials and secrets, which are consistently sought-after by cyber attackers to accomplish their goals. Privileged accounts are pervasive and act as the “keys to the IT kingdom,” providing complete access to, and control of, IT infrastructure (whether located on-premises or in the cloud), applications, DevOps tools, and critical business data. In the hands of an external attacker or malicious insider, privileged credentials allow attackers to take control of and disrupt an organization’s IT environment and industrial control systems, steal confidential information and commit financial fraud. Our comprehensive solutions proactively protect credentials, isolate and monitor sessions, detect and respond to privileged threats, provide applications and DevOps secrets management, and enforce privileged account security on the endpoint. Our customers use our innovative solutions to introduce a critical security layer to protect against, detect and respond to cyber attacks before they strike vital systems, compromise sensitive data and disrupt business operations.
 
Organizations worldwide are experiencing an unprecedented increase in the sophistication, scale and frequency of cyber attacks. The challenge this presents is intensified by the growing adoption of new technologies such as cloud computing, new container and micro-service-based application architectures leveraging DevOps methodologies, enterprise mobility and social networking, which has resulted in increasingly complex and distributed IT environments with significantly larger attack surfaces. Organizations have historically relied upon perimeter-based threat protection solutions such as network and web security tools as the predominant defense against cyber attacks, yet these traditional solutions have a limited ability to stop today’s advanced threats. Many organizations are still in the early stages of adapting their security strategies to address this new threat environment and are evolving their approaches based on the assumption that their network perimeter has been or will be breached. They are therefore increasingly implementing new layers of security inside the network to disrupt attacks before they result in the theft of confidential information or other serious damage. Regulators are also continuing to mandate rigorous compliance standards and audit requirements in response to this evolving threat landscape.
 

We believe that the implementation of a privileged account security solution is one of the most critical layers of an effective security strategy. Privileged accounts, credentials and secrets represent some of the most vulnerable aspects of an organization’s IT infrastructure. Privileged accounts are used by system administrators, third-party and cloud service providers, applications and business users, and they exist in nearly every connected device, server, hypervisor, container, operating system, database, application and endpoint. Due to the broad access and control they provide, privileged account exploitation has become a critical stage of the cyber attack lifecycle. The typical cyber attack involves an attacker effecting an initial breach, escalating privileges to access target systems, moving laterally through the IT infrastructure to identify valuable targets, and exfiltrating, or stealing, the desired information.
 
Our solutions can be deployed in traditional on-premises data centers, public, private or hybrid cloud environments. Our innovative software solutions are the result of over 18 years of research and expertise, combined with valuable knowledge we have gained from working with our diverse population of customers and from our acquisitions of Viewfinity, Cybertinel and Conjur.
 
The CyberArk Privileged Account Security Solution provides the most comprehensive approach to securing privileged credentials on-premises and in the cloud, from every endpoint and application, and throughout the DevOps pipeline. The solution consists of our Core offering for credential protection, session isolation and monitoring, and privileged threat detection and prevention. The Core offering can be extended with least privilege control for Linux, Unix, and Windows servers and domain control protection. The solution also includes application credential and DevOps secrets management with Application Identity Manager and Conjur and protection of privilege on endpoints with Endpoint Privilege Manager.
 
Every product in the CyberArk Privileged Account Security Solution is stand-alone and can be managed independently while still sharing resources and data from common infrastructure, and integrates out of the box with over 100 types of IT assets in the datacenter or the cloud.
 
At the core of the infrastructure are an isolated vault server, a unified policy engine, a discovery engine and layers of security that provide scalability, reliability and unmatched security for privileged accounts, credentials and secrets.
 
Our solution complements other vendors’ IT, security and cloud solutions in two significant ways: first, by enhancing the security of these solutions through reducing the misuse potential of privileged accounts used by or incorporated within these solutions, and second, through the sharing of valuable information between the solutions, for improved detection, protection and response in the event of a cyber attack.
 
In April 2016, we announced the launch of the C³ Alliance, CyberArk’s global technology partner program, which brings together enterprise software, IT Security and services providers to build on the power of privileged account security to better protect customers from cyber threats. The program establishes a product integration foundation with our C³ Alliance technology partners for the benefit of our mutual customers.
 
As of December 31, 2017, we had approximately 3,650 customers, including approximately 50% of the Fortune 100 companies and approximately 30% of the Global 2000 companies. We define a customer to include a distinct entity, division or business unit of a company. Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology and telecommunications, as well as government agencies. We sell our solutions through a high touch, channel fulfilled hybrid sales model that combines the leverage of channel sales as well as advisory firm influence with the account control of direct sales. This provides us with significant opportunities to grow our current customer base. This approach allows us to maintain close relationships with our customers and benefit from the global reach of our channel and advisory firm partners. Additionally, we continue to enhance our product offerings and go-to-market strategy by establishing technology alliances within the IT infrastructure and security vendor ecosystem.
 

Industry Background
 
The continuous string of targeted, damaging breaches executed by both external attackers and malicious insiders, along with an increase in the attack surface due to the growing complexity and distributed nature of IT environments, have made it extremely challenging for enterprises and government agencies around the world to protect sensitive information and infrastructure. These challenges are driving the need for privileged account security solutions that provide a critical layer of IT security and complement traditional threat protection technologies by protecting privileged accounts, credentials and secrets.
 
Our Products
 
Our products secure organizations’ high-value data and critical IT assets by providing proactive protection against external and internal cyber threats and enabling real-time detection and neutralization of attacks.
 
Privileged Account Security Solution
 
 
The comprehensive, purpose-built CyberArk Privileged Account Security Solution provides our customers with a set of products that enable them to secure, manage and monitor privileged account access and activities. Our solution consists of a Core Privileged Account Security offering, application credential and DevOps secrets management with Application Identity Manager and Conjur, and endpoint protection with Endpoint Privilege Manager. These products share a common technology platform that includes our secure Digital Vault, Web Management Interface, Master Policy Engine and Discovery Engine. We also offer over 100 certified joint solutions with leading cloud, security, and IT management providers via our C³ Alliance program.
 
Core Privileged Account Security
 
CyberArk’s Core Privileged Account Security offering includes credential protection and management; session isolation and monitoring; and privileged analytics and threat detection. This offering includes CyberArk’s industry leading Enterprise Password Vault, Privileged Session Manager and Privileged Threat Analytics.
 
Enterprise Password Vault. The Core Privileged Account Security offering helps prevent the malicious use of privileged user passwords and SSH keys, and protects vulnerable accounts. It secures privileged credentials based on an organization’s privileged account security policies and controls who can access which credentials and when. This automated process also reduces the time of manually tracking and updating privileged credentials to meet audit and compliance standards.
 
Privileged Session Manager. The Core Privileged Account Security offering secures, isolates, controls and monitors privileged user access and activities to critical Unix, Linux, and Windows-based systems, databases, virtual machines, network devices, mainframes, websites, SaaS applications, and more. It provides a single-access control point, helps prevent malware from jumping to a target system through the isolation of end users, and records every keystroke and mouse click for continuous monitoring. Detailed session recordings and the ability to search, locate, and alert on sensitive events without having to filter through logs simplify compliance audits and accelerate forensic investigations. Real-time monitoring helps provide continuous protection for privileged access as well as automatic suspension and termination of privileged sessions if any activity is deemed suspicious. The solution also provides full integration with third-party SIEM solutions with alerts on unusual activity. It also provides AD Bridge capabilities that enable organizations to centrally manage Unix users and accounts that are linked to AD through the CyberArk platform.
 

Privileged Threat Analytics. The Core Privileged Account Security offering enables organizations to detect, alert and respond to anomalous privileged activity indicating an in-progress attack. The solution collects a targeted set of data from multiple sources, including the CyberArk Digital Vault, SIEM and the network. Then, the solution applies statistical and deterministic algorithms, enabling organizations to detect indications of compromise early in the attack lifecycle by identifying malicious privileged account activity.
 
The Core Privileged Account Security offering can be extended to secure least privilege on Linux, Unix, and Windows servers and protect domain controllers.
 
Least Privilege Management. The CyberArk Core Privileged Account Security offering allows privileged users to use administrative commands from their native Unix/Linux session while eliminating unneeded root access or admin rights. This solution provides unified and correlated logging of all super user activity linking it to a personal username while providing the freedom needed to perform job functions. Granular access control is given while continuously monitoring all administrative commands super users run based on their role and task. The solution also enables organizations to block and contain attacks on Windows servers to reduce the risk of information being stolen or encrypted and held for ransom.
 
Domain Controller Protection. CyberArk offers an ultra-light weight Windows agent that performs network behavior analytics to detect a range of potential threats including suspected credential theft, lateral movement and privilege escalation on domain controllers. It provides the ability to enforce granular controls for least privilege and application control on domain controllers and to detect a variety of in-progress Kerberos attacks including Golden Ticket, Overpass-the-Hash and Privilege Attribute Certificate (PAC) manipulation.
 
Application Credential and DevOps Secrets Management
 
CyberArk offers Application Credential and DevOps Secrets Management with Application Identity Manager and Conjur. These offerings can be used together or on their own to secure credentials in commercial off-the-shelf applications as well as applications built on containers and micro-services using DevOps methodologies.
 
Application Identity Manager. The solution eliminates hard-coded passwords and locally stored SSH keys from commercial off-the-shelf applications and scripts. The CyberArk Application Identity Manager meets enterprises’ requirements for availability and business continuity, including within complex and distributed network environments. The product helps eliminate embedded application credentials, often without requiring code changes or affecting application performance.
 
Conjur. CyberArk Conjur is a secrets management solution tailored to meet the specific infrastructure requirements of native cloud and DevOps environments. The solution helps information security and DevOps organizations secure and manage secrets used by users and machine identities such as DevOps and PaaS tools, cloud-native applications, micro-services and containers. Designed for cloud-scale, Conjur is based on a distributed, high availability architecture. Conjur provides comprehensive secrets management for sensitive data used by DevOps tools and cloud-native applications such as API keys, certificates, passwords, SSH keys and tokens. Conjur integrates with the DevOps toolchain and helps secure and manage secrets used by CI/CD tools such as Ansible, Chef, Jenkins and Puppet and container orchestration software such as Docker. Conjur is available in open source and enterprise versions.
 
Endpoint Protection
 
Endpoint Privilege Manager. CyberArk Endpoint Privilege Manager secures privileges on the endpoint (Windows and Mac desktops) and helps contain attacks early in their lifecycle. It enables revocation of local administrator rights, while minimizing impact on user productivity, by seamlessly elevating privileges for authorized applications or tasks. Application control, with automatic policy creation, allows organizations to prevent malicious applications from executing, and runs unknown applications in a restricted mode. This, combined with credential theft protection, helps prevent malware such as ransomware from gaining a foothold and contains attacks on the endpoint. CyberArk Endpoint Privilege Manager is available through on-premises and SaaS deployments.
 

Shared Technology Platform. Our shared technology platform is the foundation of the CyberArk Privileged Account Security Solution and includes our secure Digital Vault, Web Management Interface, Master Policy Engine and Discovery Engine. Our Digital Vault is an encrypted server that only responds to preset vault protocols to promote security throughout an organization’s network. CyberArk solutions use the Digital Vault to safely store, audit and manage passwords, privileged credentials and secrets, policy information and privileged account session data. Our proprietary vault protocol technology enables distributed deployments across global networks for central management and auditing while providing enterprise-wide global coverage. Our Web Management Interface provides a single, user-friendly interface for customers to set, manage and monitor privileged account security policies across an entire organization in a matter of minutes while allowing for granular level exceptions to meet the organization’s specific operational needs. Organizations can also leverage REST APIs to automate privileged account security tasks and quickly integrate CyberArk solutions with existing security, operations and DevOps tools. Our Master Policy Engine and Discovery Engine enable organizations to understand the scope of privileged account risk and help ensure that all privileged account activity is accounted for by automatically discovering new privileged accounts or changes to existing accounts.
 
Our Services
 
Maintenance and Support
 
Our customers typically purchase one year or, to a lesser extent, three years, of software maintenance and support, in conjunction with their initial purchase of perpetual licenses for our products. Thereafter, they can renew such maintenance and support for additional one or three-year periods. These two alternative maintenance and support periods are common in the software industry. Customers pay for each alternative in full at the beginning of their terms. The substantial majority of our contracts sold are for a one-year term. For example, for the years 2015 through 2017 approximately 85% of the renewal contracts were for a one year term.
 
Our global customer support organization has expertise in our software and how it interacts with complex IT environments. When sales are made to customers directly, we typically also provide any necessary maintenance and support pursuant to a maintenance and support contract directly with the customer. When sales are made through channels, the channel partner (primarily in the EMEA and Asia Pacific and Japan regions) typically provides the first and second level support and we typically provide third level support if the issue cannot be resolved by the channel partner.
 
Our maintenance and support program provides customers the right to software bug repairs, the latest system enhancements and updates on an if-and-when available basis during the maintenance period, and access to our technical support services. Our technical support services are provided via our online support center, which enables customers to submit new support queries and monitor the status of open and past queries. Our online support system also provides customers with access to our CyberArk Knowledge Base, an online user-driven information repository that provides customers the ability to address their own queries. Additionally, we offer email and telephone support during business hours to customers that purchase a standard support package and 24/7 availability to customers that purchase our 24/7 support package.
 
Professional Services
 
Our products are designed for customers to be able to download, install and deploy on their own. CyberArk solutions are highly configurable and many customers will select either one of our many trained channel partners or our CyberArk Security Services team to provide expert professional services. Our Security Services team can be contracted to assist customers in planning, installing and configuring our solution to meet the needs of their security and IT environment. Our Security Services team provides ongoing consulting services regarding best practices in privileged account security, and recommended ways to implement our solutions to meet specific customer requirements. Additionally, they share best practices associated with privileged account security to educate customers and partners on such best practices through virtual classroom, live face-to-face, or self-paced classes.
 

Our Technology
 
The comprehensive CyberArk Privileged Account Security Solution relies on a set of proprietary technologies that provide a high level of security, scalability and reliability. The core technologies included in our solution are as follows.
 
Secure Digital Vault Technology. Our proprietary Digital Vault technology provides a highly secure, isolated environment, independent of other software, and is engineered with multiple layers of security. Our Digital Vault provides a data encryption mechanism that eliminates the need for encryption key management by the end user, while each object in our Digital Vault is encrypted with its own unique encryption key. To ensure security throughout the network, our Digital Vault communicates within an organization’s network and over the internet through a proprietary and highly protected Vault Protocol, enabling an organization to implement the centrally managed Privileged Account Security Solution with products located in multiple datacenters and geographic locations. Our Digital Vault provides an additional level of protection by preventing the vault administrator from accessing or discovering protected data stored within it. In addition, our Digital Vault database is embedded, isolated and self-managed as part of our Digital Vault software, thereby blocking database administrator access to our Digital Vault database to further eliminate threats. Our Privileged Account Security Solution’s additional products use the highly secured Digital Vault to safely store, audit and manage passwords, privileged credentials, policy information and privileged account session data.
 
Sophisticated Threat Analytics Algorithms. Our team of cyber experts and development engineers has developed proprietary algorithms that are at the core of our privileged analytics and threat detection solution. These algorithms were developed using our deep understanding of cybersecurity and cyber attack techniques, together with over a decade of rich experience in analyzing privileged account activities. Our solution uses these proprietary algorithms to construct a behavioral profile for privileged users within an organization and continuously updates the profile based on normal changes in behavior. Once a behavioral profile is established, the threat analytics algorithms provide the ability to look for deviations from that profile in order to identify anomalies in user behavior. It then scores each individual anomaly and determines the level of threat based on the correlation of such anomalous events. Additionally, agents can be deployed to analyze and to detect Kerberos-based attacks in real-time. These attacks are particularly dangerous since they enable attackers to gain unrestricted access and control to the entire IT infrastructure. Alerts with full details of the incident, including the probability of malicious intent, can be raised immediately, allowing an organization’s incident response team to review the potential threat and take action when necessary.
 
Strong Application Authentication and Credential Management. The Conjur and Application Identity Manager architecture allows an organization to eliminate hard-coded application credentials, such as passwords and encryption keys, from applications and scripts. Our secure, proprietary technology permits authentication of an application during run-time, based on any combination of the application’s signature, executable path or IP address, and operating system user. Following application authentication, the authenticated application uses a secure application programming interface, or API, to request privileged account credentials during run-time and, based on the application permissions in our Privileged Account Security Solution, up-to-date credentials are provided to the application. To ensure business continuity, and high availability and performance even within complex and distributed network environments, our advanced product architecture provides a secure local credentials cache on the application server, eliminating the dependency on network availability and traffic during a run-time application credential request. Our proprietary architecture provides even higher value in application server environments, allowing an organization to eliminate application credentials without the need to perform any code changes or impacting application availability.
 
Privileged Session Recording and Controls. Our innovative privileged session recording and control mechanisms provide the ability to isolate an organization’s IT systems from end-user desktops, while monitoring and recording the privileged session activities. Our proprietary architecture provides a highly secure, proxy-based solution that does not require agent installation on the target systems and provides a single-access control point to the target systems. The architecture blocks direct communication between an end-user’s desktop and a target system, thus preventing potential malware on the desktop from infiltrating the target system. This architecture further ensures that privileged credentials will remain protected and will not be exposed to the end-user or reach the desktop. Comprehensive recording capabilities provide the ability to record every keystroke and mouse click on the privileged session, and also provide DVR-like recordings with search, locate and alert capabilities. Risk scoring can be applied to each recorded session, automating the review of all privileged sessions and enabling auditors to prioritize and deprioritize workloads based on the associated risk.
 

Endpoint Privilege Manager Server and Endpoint Agents. Following the acquisition of Viewfinity, Inc. in 2015, we began offering endpoint agent technology, which provides policy-based privilege management, application control and credential theft protection capabilities. The agent is able to detect privileged commands and application installation or invocation on the endpoint, and to validate whether the operation is permissible under the organization’s security policy, otherwise blocking the operation. Having users operate in a least privilege mode together with the Endpoint Privilege Manager agent technology effectively reduces the surface that attackers or malware can exploit. The Endpoint Privilege Manager server provides policy-based agent management and consolidated reporting, which allows organizations to manage privileges and handle application control. The Endpoint Privilege Manager server can also leverage third party threat and reputation information to enrich the policy and black-list definitions to further strengthen controls and block bad or malicious applications based on such security intelligence.
 
Our Customers
 
As of December 31, 2017, we had approximately 3,650 customers, including approximately 50% of the Fortune 100 companies and approximately 30% of the Global 2000 companies. Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology and telecommunications, as well as government agencies.
 
Our business is not dependent on any particular customer. No customer in 2015, 2016 and 2017 and no channel partner in 2015 and 2017 accounted for more than 10% of our revenues. In 2016, our largest channel partner accounted for approximately 12.1% of our revenues. Our diverse global footprint is evidenced by the fact that in 2017, we generated 55.6% of our revenues from customers in the United States, 31.2% from the EMEA region and 13.2% from the rest of the world, including countries in North and South America other than the United States and countries in the Asia Pacific region.
 
Sales and Marketing
 
Sales
 
We believe that our hybrid sales model, which combines the leverage of high touch, channel sales with the account control of direct sales, has played an important role in the growth of our customer base to date. We maintain a highly trained sales force that is responsible for developing and closing new business, the management of relationships with our channel partners and the support and expansion of relationships with existing customers. Our sales organization is organized by geographic regions, consisting of the Americas, EMEA and Asia Pacific and Japan regions. As of December 31, 2017, our global network of channel partners consisted of approximately 370 resellers, distributors and managed service providers. Our channel partners generally complement our sales efforts by helping identify potential sales targets, maintaining relationships with certain customers, introducing new products to existing customers and offering post-sale professional services and technical support. In 2017, we generated approximately 40% of our revenues from direct sales from our field offices located throughout the world. Approximately 50% of our sales in the United States are direct while the substantial majority of our sales in the EMEA region and the rest of the world are through channel partners. We work with many global systems integration partners and several leading regional security value added resellers, such as Optiv Security Inc., Computacenter PLC, Orange S.A. Business Services (Orange Cyberdefense), M.Tech, NCC Group, Sirius Computer Solutions, Inc. and Netpoleon Solutions. These companies were each among our top 15 channel partners in 2016 and 2017 by revenues and we have derived a meaningful amount from sales to each of them during the last two years.
 
Our sales cycle varies by size of the customer, the number of products purchased and the complexity of the customer’s IT infrastructure, ranging from several weeks for incremental sales to existing customers to many months for sales to new customers or large deployments. To support our broadly dispersed global channel and customer base, as of December 31, 2017, we had sales personnel in 35 countries. We plan to continue investing in our sales organization to support both the growth of our channel partners and our direct sales organization.
 
Marketing
 
Our marketing strategy is focused on building our brand strength, communicating the benefits of our solutions, developing leads and increasing sales to existing customers. We market our software as a solution to stop cyber threats before they have the chance to stop business. We execute our strategy by leveraging a combination of internal marketing professionals and a network of channel partners to communicate the value proposition and differentiation for our products, generating qualified leads for our sales force and channel partners. Our marketing efforts also include public relations in multiple regions and extensive content development available through our website. We are focused on ongoing thought-leadership campaigns to reinforce our positioning as the privileged account security leader. Our marketing team is expanding its efforts by investing in analytics-driven lead development, stronger global coordination, quick response to current events and proactive and consistent communication with market analysts.
 
Research and Development
 
Continued investment in research and development is critical to our business. Our research and development efforts are focused primarily on improving and continuing to enhance existing products and services, as well as developing new products, features and functionality to meet market needs. We believe the timely development of new products and capabilities is essential to maintaining our competitive position. We regularly release new versions of our software which incorporate new features and enhancements to existing ones. We also maintain a dedicated CyberArk Labs team that researches reported advanced cyber attacks, the attackers’ techniques and post-exploit methods that lead to new security development initiatives for our products, and provides thought-leadership on targeted attack mitigation.
 
As of December 31, 2017, we had 250 employees focused on research and development. We conduct our research and development activities primarily in Israel. We believe this provides us with access to world class engineering talent. Our research and development expenses were $21.7 million, $34.6 million and $42.4 million in 2015, 2016 and 2017, respectively.
 
Intellectual Property
 
We rely on a combination of patent, trademark, copyright and trade secret laws, confidentiality procedures and contractual provisions to protect our technology and the related intellectual property.
 
As of December 31, 2017, we had 14 issued patents in the United States, 2 provisional U.S. patent applications and 26 pending U.S. patent applications. We also had 2 International PCT applications as well as 5 issued patents and 12 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications.
 
The claims for which we have sought patent protection relate to current and future elements of our products and technology, including the Digital Vault, Discovery & Audit tool, Privileged Threat Analytics, Privileged Session Manager, Endpoint Privilege Manager and Application Identity Manager.
 
We generally enter into confidentiality agreements with our employees, consultants, service providers, resellers and customers and generally limit internal and external access to, and distribution of, our proprietary information and proprietary technology through certain procedural safeguards. These agreements and measures may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology.
 
Our industry is characterized by the existence of a large number of relevant patents and frequent claims and related litigation regarding patent and other intellectual property rights. In particular, leading companies in the security industry have extensive patent portfolios. If we become more successful, we believe that competitors will be more likely to try to develop products that are similar to ours and that may infringe our proprietary rights. It may also be more likely that competitors or third parties will claim that our products infringe their proprietary rights. From time to time, third parties have asserted and may assert their patent, copyright, trademark and other intellectual property rights against us, our channel partners, users or customers, whom our standard license and other agreements obligate us to indemnify against such claims under certain circumstances. Successful claims of infringement or misappropriation by a third party could prevent us from distributing certain products or performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees. Such claims also could require us to cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others, or to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology; enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights; and to indemnify our customers and partners (and parties associated with them). 
Even if third parties may offer a license to their technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any license could cause our business, results of operations or financial condition to be materially and adversely affected.
 
Competition
 
The IT security market in which we operate is characterized by intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats. We compete with a multitude of companies that offer a broad array of IT security products that employ different approaches and delivery models to address these evolving threats.
 
Our current and potential future competitors include CA, Inc., International Business Machines Corporation, One Identity LLC. and Oracle Corporation in the access and identity management market. We also compete with smaller companies such as BeyondTrust, Inc. that may offer solutions at lower price points often with a more limited range of functionality than our own offerings, or with smaller companies that operate in specific market segments or in certain territories or regions. Further, we may face competition due to changes in the manner that organizations utilize IT assets and the security solutions applied to them, such as the provision of privileged account security functionalities as part of public cloud providers’ infrastructure offerings, or cloud-based identity management solutions. We also may compete to a certain extent with vendors who offer products or services in adjacent or complementary markets to privileged account security. Limited IT budgets may also result in competition with providers of other advanced threat protection solutions such as McAfee, LLC, Palo Alto Networks, RSA Security LLC. and Symantec Corporation.
 
The principal competitive factors in our market include:
 
the breadth and completeness of a security solution;
 
reliability and effectiveness in protecting, detecting and responding to cyber attacks;
 
analytics and accountability at an individual user level;
 
ability of customers to achieve and maintain compliance with compliance standards and audit requirements;
 
strength of sales and marketing efforts, including advisory firms and channel partner relationships;
 
global reach and customer base;
 
scalability and ease of integration with an organization’s existing IT infrastructure and security investments;
 
brand awareness and reputation;
 
innovation and thought leadership;
 
quality of customer support and professional services;
 
speed at which a solution can be deployed; and
 
price of a solution and cost of maintenance and professional services.
 
We believe we compete favorably with our competitors on the basis of these factors. However, some of our current and potential future competitors may enjoy potential competitive advantages, such as greater name recognition, longer operating history, larger market share, larger existing user base and greater financial, technical and other resources.
 
Properties
 
Our corporate headquarters are located in Petach Tikva, Israel in an office consisting of approximately 97,424 square feet to which we moved in September 2017. The current lease expires in June 2022 with the option to extend for two successive one year periods. Our U.S. headquarters are located in Newton, Massachusetts in an office consisting of approximately 22,000 square feet. In February 2018, we signed a lease amendment to expand our rights to an additional 9,000 square feet in the same building for a term of seven and a half years with an option to extend for an additional seven year period. The lease for the main portion of the office expires, based on the lease amendment, in April 2024 with the option to extend for two successive five year periods. We maintain additional sales offices in England, France, Germany, Singapore, Australia, Japan, Italy, Netherlands and Turkey. We believe that our facilities are sufficient to meet our current needs and that if we require additional space to accommodate our growth we will be able to obtain additional facilities on commercially reasonable terms.
 
Internal Cybersecurity
 
As we provide privileged account security products, we are sensitive to the possibility of cyber attacks and data theft, since a breach of our system could provide data and information regarding not only us, but potentially regarding the customers that our solutions protect. Further, we may be targeted by cyber terrorists because we are an Israeli company. We are also aware of the impact that an actual or perceived breach of our network may have on the market perception of our products and services and on our potential liability.
 
We are focused on implementing new technologies and solutions to assist in prevention of potential and attempted cyber attacks, as well as protective measures and contingency plans in the event of an existing attack. We have made certain updates to our IT infrastructure to enhance our ability to prevent and respond to such threats and we routinely test the infrastructure for vulnerabilities.
 
We conduct periodic trainings for our employees in this respect on phishing, malware and other cybersecurity risks to the Company and we have mechanisms in place designed to ensure prompt internal reporting of potential or actual cybersecurity breaches. Finally, our agreements with third parties also typically contain provisions that reduce or limit our exposure to liability.
 
Legal Proceedings
 
See “Item 8.A. Financial Information—Consolidated Financial Statements and Other Financial Information—Legal proceedings.”
 
C. Organizational Structure
 
The legal name of our company is CyberArk Software Ltd. and we are organized under the laws of the State of Israel.
 
The following table sets forth our key subsidiaries all of which are 100% owned directly or indirectly by CyberArk Software Ltd.:
 
| Name of Subsidiary | Place of Incorporation |
|---|---|
| CyberArk Software, Inc. | Delaware, United States |
| Cyber-Ark Software (UK) Limited | United Kingdom |
| CyberArk Software (Singapore) PTE. LTD. | Singapore |
| Cyber-Ark Software (DACH) GmbH | Germany |
| CyberArk Software Italy S.r.l. | Italy |
| CyberArk Software (France) SARL | France |
| CyberArk Software (Netherlands) B.V. | Netherlands |
| CyberArk Software (Australia) Pty Ltd. | Australia |
| CyberArk Software (Japan) K.K. | Japan |
| CyberArk Software Canada Inc. | Canada |
| Conjur, Inc. | Delaware, United States |
| Vaultive, Ltd. | Israel |
 
D. Property, Plants and Equipment
 
See “Item 4.B.—Business Overview—Property” for a discussion of property, plants and equipment.
 
ITEM 4A. UNRESOLVED STAFF COMMENTS
 
Not applicable.
 
ITEM 5. OPERATING AND FINANCIAL REVIEW AND PROSPECTS
 
Company Overview
 
We are a global leader in privileged account security, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. Our software solutions are focused on protecting privileged accounts, credentials and secrets, which are consistently sought-after by cyber attackers to accomplish their goals. Privileged accounts are pervasive and act as the “keys to the IT kingdom” providing complete access to, and control of, IT infrastructure (whether located on-premises or in the cloud), applications, DevOps tools, and critical business data. In the hands of an external attacker or malicious insider, privileged credentials allow attackers to take control of and disrupt an organization’s IT environment and industrial control systems, steal confidential information and commit financial fraud. Our comprehensive solutions proactively protect credentials, isolate and monitor sessions, detect and respond to privileged threats, provide applications and DevOps secrets management, and enforce privileged account security on the endpoint. Our customers use our innovative solutions to introduce a critical security layer to protect against, detect and respond to cyber attacks before they strike vital systems, compromise sensitive data and disrupt business operations.
 
We have a history of innovation. We started operations in 1999 with the vision of protecting high-value business data and pioneered our Digital Vault technology, which is the foundation of our primary platform. That same year, we began offering our first product, the Sensitive Information Management Solution (previously called the Sensitive Document Vault), which provides a secure platform through which our customers’ employees can share sensitive files. We believe our early innovation in vaulting technology enabled us to evolve into a company that provides comprehensive security solutions built for privileged accounts. In 2005, we introduced our Privileged Account Security Solution, which has become our leading offering and reflects our emphasis on protecting privileged accounts across an organization. In May 2017, we acquired Conjur Inc., a provider of DevOps security software and in March 2018, we acquired certain assets of Vaultive, Inc., a cloud security provider.
 
Our Privileged Account Security Solution consists of three main product areas. The first is our Core Privileged Account Security offering which includes the Enterprise Password Vault, Privileged Session Manager, and Privileged Threat Analytics with add-on options for domain controller protection and least privilege control for Linux, Unix, and Windows servers. We also offer Application Identity Manager and Conjur for application and DevOps secrets management and Endpoint Privilege Manager to secure endpoints.
 
We derive our revenues from licensing our cybersecurity software, selling maintenance and support contracts, and providing professional services to the extent requested by customers. Our license revenues consist primarily of revenues from sales of our Privileged Account Security Solution. Our customers typically purchase one year and, to a lesser extent, three years, of maintenance and support in conjunction with their initial purchase of perpetual licenses for our products. Thereafter, they can renew such maintenance and support for additional one or three-year periods.
 
We seek to foster long-term relationships with our customers. We have a significant opportunity to generate additional revenues from our existing customers by helping them identify and address gaps in their current privileged account security strategy. Our solution provides our customers flexibility to initially deploy one or more of our products for a single use case and then expand usage over time to address more use cases, to add incremental licenses for more users or systems or to license additional products from our comprehensive solution. We measure the perpetual license maintenance renewal rate for our customers over a 12-month period, based on a dollar renewal rate of contracts expiring during that time period. Our renewal rate for each of the years ended December 31, 2015, 2016 and 2017 was over 90%. Our key strategies to maintain our renewal rate include focusing on the quality and reliability of our product updates and our technical support services.
 
We sell our products directly and through a global network of channel partners, including distributors and resellers, who then sell to their end customers. In 2017, we generated approximately 60% of our revenues through sales made by our global network of channel partners, with the balance being generated through our direct sales force. When analyzing our business, we refer to end customers as our customers throughout this annual report. We believe that our hybrid sales model, which combines the leverage of channel sales with the account control of direct sales, will continue to play an important role in the growth of our customer base. Our hybrid sales model has aided our global growth by allowing us to partner with local distributors while being able to use our direct sales team in locations where that approach is advantageous to our business.
 
We market and sell our solutions to organizations in a variety of industries and geographies. As of December 31, 2017, we had approximately 3,650 customers, including approximately 50% of the Fortune 100 companies and approximately 30% of the Global 2000 companies. We define a customer to include a distinct entity, division or business unit of a company. The growth of our business and our future success depend on our ability to expand our customer base and increase our sales to existing customers, which depend on many factors, including our ability to expand our sales force, introduce new products and grow our relationships with channel partners. While each of these areas presents significant opportunities for us, they also pose important challenges and risks that we must successfully address in order to sustain the growth of our business and improve our results of operations. Additionally, the IT security market in which we operate is characterized by intense competition, constant innovation and evolving security needs, each of which may impact our ability to grow our business.
 
We have experienced significant growth over the last several years, as evidenced by a compound annual growth rate in revenues of 27.6% from 2015 to 2017. We have also increased our number of employees and subcontractors from 644 as of December 31, 2015 to 1,015 as of December 31, 2017. We intend to continue to execute on our strategy of growing our business to meet the needs of our customers and to pursue opportunities in new and existing verticals, geographies and products. We intend to continue to invest in the development of our sales and marketing teams, with a particular focus on expanding our channel partnerships, targeting new customers, creating technology partnerships and solidifying relationships with existing customers. We also plan to continue to invest in research and development in order to continue to develop technology for both existing and new on-premise, cloud-based products and services and products to secure the DevOps pipeline, containers and microservices.
 
During the years ended December 31, 2015, 2016 and 2017, our revenues were $160.8 million, $216.6 million and $261.7 million, respectively, representing year-over-year growth of 34.7% and 20.8% in 2016 and 2017, respectively, and with maintenance and professional services comprising 39.3% and 43.6% of our revenues in 2016 and 2017, respectively. Our net income for the years ended December 31, 2015, 2016 and 2017 was $25.8 million, $28.1 million and $16.0 million, respectively.
 
Key Financial Metrics
 
We monitor several key financial metrics to help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operational efficiencies. The key financial metrics that we monitor are as follows:

   
| Year ended December 31, (in thousands) | 2015 | 2016 | 2017 |
|---|---|---|---|
| Revenues | $160,812 | $216,613 | $261,701 |
| Non-GAAP operating income(1) | 43,641 | 58,014 | 51,850 |
| Non-GAAP net income(1) | 35,262 | 45,245 | 41,895 |
| Net cash provided by operating activities | 59,160 | 56,310 | 80,737 |
| Total deferred revenues (as of period-end) | 54,389 | 73,506 | 105,235 |

(1) For a reconciliation of non-GAAP operating income to operating income and of non-GAAP net income to net income, the nearest comparable GAAP measures, see “Item 3.A. Selected Financial Data.”
 
Revenues. We derive our revenues from licensing our cybersecurity software, selling maintenance and support contracts, and providing professional services to the extent requested by customers. We review our revenues generally to assess the overall health of our business and our license revenues in particular to assess the adoption of our software and our growth in the markets we serve.
 
We consider our license revenues to be particularly important in assessing our results of operations because license fees impact both our short-term and long-term revenues. License purchases, whether by new customers or due to expansion by existing customers, impact our revenues favorably in the short-term because we recognize substantially all license fees immediately upon delivery. License purchases further contribute significantly to our revenues in the long term because the size of our maintenance and support contracts is directly related to our license revenues, but revenues from maintenance and support contracts are recognized on a straight-line basis over the term of the related contract. This fact, coupled with the high renewal rate for our maintenance and support contracts, means that a meaningful portion of the revenues we report each period are recognized from deferred revenues generated by maintenance and support contracts entered into during previous quarters.
 
The amount that a customer pays for a license can vary from a few thousand dollars to many millions of dollars depending on its scope. We generally license our products on a price per user or price per server basis; however, our license agreements with a small number of our largest customers do not contain any limit on the number of users or servers in recognition of the size of the overall agreement. We also license certain of our products based on the number of concurrent sessions monitored or endpoints secured. As a result, we do not track, and are unable to track, the amount of license revenues we generate on a per user or per server basis. We do, however, maintain internal price guidelines for different size transactions and, since our cost of license revenues is negligible, we generate incremental profit from every license. Although we are focused on growing our customer base, we also do not focus on the exact number of customers that we add in a given period because our revenues are also a function of the size of initial sales to new customers and the size of upsells or cross sells to existing customers. We seek to increase the number of large transactions that we enter into because they better leverage our operating expense base, and particularly our sales and marketing expenses, and also generate larger maintenance and support contracts to drive future revenues and margins.
 
Because the size of our maintenance and support contracts is directly related to our license revenues and because the rates that we charge for professional services fluctuate very little, the drivers of changes in these sources of revenues have to date been volume-based. Historically, there has been little fluctuation in price when we renew a contract for maintenance and support or for professional services. While the demand for professional services is expected to increase as our customers and license base grow, we expect that our channel partners will increase the amount of such services that they provide. Therefore, while we expect an increase in the dollar amount of our professional services revenue, we do not expect our professional services revenues to increase materially as a percentage of total revenues.
 
See “—Components of Statements of Operations—Revenues” for more information.
 
Non-GAAP Operating Income and Non-GAAP Net Income. Non-GAAP operating income and non-GAAP net income are non-GAAP financial measures. We define non-GAAP operating income and non-GAAP net income as operating income and net income, respectively, which each exclude (i) share-based compensation expense, (ii) expenses related to the March 2015 public offering of ordinary shares by certain of our shareholders and to the June 2015 public offering of ordinary shares by us and certain of our shareholders, (iii) expenses related to acquisitions, (iv) expenses related to facility exit costs and (v) amortization of intangible assets related to acquisitions. Non-GAAP net income also excludes (i) tax effects related to the non-GAAP adjustments set forth above and (ii) tax effects related to the impact to our deferred tax asset as a result of the Tax Act.
 
We believe that providing non-GAAP operating income and non-GAAP net income that exclude, as appropriate, share-based compensation expenses, expenses relating to public offerings of our ordinary shares, expenses related to acquisitions, amortization of intangible assets related to acquisitions, the tax effects related to these non-GAAP adjustments and the tax effects related to the impact to our deferred tax asset as a result of the Tax Act allows for more meaningful comparisons between our financial results from period to period. Share-based compensation expense has been, and will continue to be, a significant recurring expense in our business and an important part of the compensation we provide to employees for the foreseeable future. Share-based compensation expense has varying available valuation methodologies, subjective assumptions and the variety of equity instruments that can impact a company’s non-cash expense. We also believe that expenses related to the public offerings of our ordinary shares in March 2015 and June 2015, expenses related to our acquisitions, amortization of intangible assets related to acquisitions, facility exit costs and the impact of the Tax Act, do not reflect the performance of our core business and would impact period-to-period comparability. Each of our non-GAAP financial measures is an important tool for financial and operational decision making and for evaluating our own financial results over different periods of time. In particular, these financial measures reflect our operating expenses, the largest of which is currently sales and marketing. Accordingly, we assess the effectiveness of our sales and marketing efforts in part by considering whether increases in such expenditures are reflected in increased revenues and increased non-GAAP operating income and non-GAAP net income. The material factors driving changes in these financial measures are discussed under the subheading “—Comparison of Period to Period Results of Operations,” as well as under “Item 3.A. Selected Financial Data.”
 
Net Cash Provided by Operating Activities. We monitor net cash provided by operating activities as a measure of our overall business performance. Our net cash provided by operating activities is driven in large part by net income and from up-front payments for maintenance and support contracts and professional services. Monitoring net cash provided by operating activities enables us to analyze our financial performance as it includes our deferred revenues and removes the non-cash effects of certain items such as depreciation, amortization and share-based compensation expense, thereby allowing us to better understand and manage the cash needs of our business. The material factors driving changes in our net cash provided by operating activities are discussed under “Liquidity and Capital Resources.”
 
Total Deferred Revenues. Our total deferred revenues consist of amounts that have been collected but that have not yet been recognized as revenues because they do not meet the applicable criteria. The substantial majority of our deferred revenues consists of the unrecognized portion of upfront payments associated with maintenance and support contracts. The remaining balance of our deferred revenues consists of payments for licenses, and, to a lesser extent, professional services that could not yet be recognized. We monitor our total deferred revenues because it represents a significant portion of revenues to be recognized in future periods. Substantially all of the increase in our total deferred revenues has been from growth in our maintenance and support contracts which, in turn, is driven by growth of our license revenues. The material factors driving changes in our license revenues are discussed under “—Comparison of Period to Period Results of Operations.”
 
A. Operating Results
 
The following discussion and analysis should be read in conjunction with the section titled “Item 3.A. Selected Financial Data” of this annual report and our consolidated financial statements and the related notes contained elsewhere in this annual report. This discussion and analysis may contain forward-looking statements based upon current expectations that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including those set forth in “Item 3.D. Risk Factors” of this annual report. Our financial statements have been prepared in accordance with U.S. GAAP.
 
Components of Statements of Operations
 
Revenues
 
Our revenues consist of the following:
 
License Revenues. License revenues are generated primarily from sales of licenses for our cybersecurity software: Privileged Account Security Solution and Sensitive Information Management Solution.
 
Privileged Account Security Solution – the substantial majority of our license revenues has been from sales of our Privileged Account Security Solution. Customers can purchase Enterprise Password Vault, Privileged Session Manager, Privileged Threat Analytics, Application Identity Manager, Conjur, Endpoint Privilege Manager and On-Demand Privileges Manager. We license our Enterprise Password Vault to our customers based on the number of privileged account users. We offer customers the choice of licensing our Privileged Session Manager based on the number of devices secured or the number of concurrent sessions it monitors. We license our Application Identity Manager, Conjur and On-Demand Privileges Manager to our customers based on the number of servers that each such product protects. We license our Privileged Threat Analytics to customers based on the number of protected endpoints, such as servers, desktops, databases or mobile devices. We license our Endpoint Privilege Manager to our customers based on the number of protected endpoints such as servers and desktops.
 
Sensitive Information Management Solution – we generate additional license revenues through sales of our Sensitive Information Management Solution, our first product to market. Customers license the Sensitive Information Management Solution based on the permitted number of users of the software.
 
Maintenance and Professional Services Revenues. Maintenance revenues are generated from maintenance and support contracts purchased by our customers in order to gain access to the latest software enhancements and updates on an ‘if and when available’ basis and to telephone and email technical support. We also offer professional services focused on both deployment and training our customers to fully leverage the use of our products.
 
Geographic Breakdown of Revenues
 
The United States is our biggest market, with the balance of our revenues generated from the EMEA region and the rest of the world, including North and South America (excluding the United States) as well as countries in the Asia Pacific and Japan region. The following table sets forth the geographic breakdown of our revenues by region for the periods indicated:

   
| Year ended December 31, (in thousands) | 2015 Amount | 2015 % of Revenues | 2016 Amount | 2016 % of Revenues | 2017 Amount | 2017 % of Revenues |
|---|---|---|---|---|---|---|
| United States | $92,034 | 57.2% | $125,749 | 58.1% | $145,453 | 55.6% |
| EMEA | 50,644 | 31.5% | 68,094 | 31.4% | 81,778 | 31.2% |
| Rest of World | 18,134 | 11.3% | 22,770 | 10.5% | 34,470 | 13.2% |
| Total revenues | $160,812 | 100.0% | $216,613 | 100.0% | $261,701 | 100.0% |
 
Cost of Revenues
 
Our total cost of revenues consists of the following:
 
Cost of License Revenues. Cost of license revenues consists primarily of amortization of intangible assets, payments to third-party software vendors and shipping costs associated with delivery of our software. We expect the absolute cost of license revenues to increase as our license revenues increase.
 
Cost of Maintenance and Professional Services Revenues. Cost of maintenance and professional services revenues primarily consists of personnel costs for our global customer support and professional services organization. Such costs consist of salaries, benefits, bonuses, share-based compensation and subcontractors’ fees. We expect the absolute cost of maintenance and professional services revenues to increase as our customer base grows and as we hire additional professional services and technical support personnel.
 
Gross Profit and Gross Margin
 
Gross profit is total revenues less total cost of revenues. Gross margin is gross profit expressed as a percentage of total revenues. Our gross margin has historically fluctuated slightly from period to period as a result of changes in the mix of license revenues and maintenance and professional services revenues and we expect this pattern to continue.
 

Operating Expenses
 
Our operating expenses are classified into three categories: research and development, sales and marketing and general and administrative. For each category, the largest component is personnel costs, which consist of salaries, employee benefits (including commissions and bonuses) and share-based compensation expense. Operating expenses also include allocated overhead costs for facilities as well as depreciation and amortization. Allocated costs for facilities primarily consist of rent and office maintenance and utilities. Operating expenses are generally recognized as incurred. We expect personnel and all allocated costs to continue to increase in absolute dollars as we hire new employees and add facilities to continue to grow our business. We continue to expect operating margins to decline in the near term compared to prior periods as we further increase our headcount to support the future growth of our business.
 
Research and Development. Research and development expenses consist primarily of personnel costs attributable to our research and development personnel and consultants as well as allocated overhead costs, amortization and depreciation. We expense research and development expenses as incurred. We continue to expect that our research and development expenses will continue to increase in absolute dollars as we continue to grow our research and development headcount to further strengthen our technology platform and invest in the development of both existing and new products.
 
Sales and Marketing. Sales and marketing expenses are the largest component of our operating expenses and consist primarily of personnel costs, including variable compensation, as well as marketing and business development costs, product certifications, travel expenses, allocated overhead costs, depreciation and amortization of intangible assets. We expect that sales and marketing expenses will continue to increase in absolute dollars as we plan to expand our sales and marketing efforts globally. We continue to expect sales and marketing expenses will remain our largest category of operating expenses.
 
General and Administrative. General and administrative expenses consist primarily of personnel costs for our executive, finance, human resources, legal and administrative personnel. General and administrative expenses also include external legal, accounting and other professional service fees. We continue to expect that general and administrative expense will increase in absolute dollars as we grow and expand our operations and operate as a public company, including higher corporate insurance, investor relations and accounting expenses, and the additional costs relating to our ongoing regulatory compliance efforts.
 
Financial Income (Expenses), Net
 
Financial income (expenses), net consists of interest income, foreign currency exchange gains or losses and foreign exchange forward transactions expenses. Interest income consists of interest earned on our cash, cash equivalents, short- and long-term bank deposits and marketable securities. We expect interest income to vary depending on our average investment balances and market interest rates during each reporting period. Foreign currency exchange changes reflect gains or losses related to transactions denominated in currencies other than the U.S. dollar.
 
Taxes on Income
 
The standard corporate tax rate in Israel is currently 23.0%, and was 26.5%, 25.0% and 24.0% for 2015, 2016 and 2017, respectively.
 
As discussed in greater detail below under “Israeli Tax Consideration and Government Programs”, we have received various tax benefits under the Investment Law. Under the Investment Law, our effective tax rate to be paid with respect to our eligible Israeli taxable income under these benefits programs is 16.0% for 2015 and 2016 and 12.0% for 2017.
 
Under the Investment Law and other Israeli legislation, we are entitled to certain additional tax benefits, including accelerated depreciation and amortization rates for tax purposes on certain assets and deduction of public offering expenses in three equal annual installments. 
 
Our non-Israeli subsidiaries are taxed according to the tax laws in their respective jurisdictions of organization. Due to our multi-jurisdictional operations, we apply significant judgment to determine our consolidated income tax position.
 

 
Comparison of Period to Period Results of Operations
 
The following table sets forth our results of operations in dollars and as a percentage of revenues for the periods indicated:
 
   
Year ended December 31 ($ in thousands)

| | 2015 Amount | 2015 % of Revenues | 2016 Amount | 2016 % of Revenues | 2017 Amount | 2017 % of Revenues |
|---|---|---|---|---|---|---|
| Revenues: | | | | | | |
| License | $100,113 | 62.3% | $131,530 | 60.7% | $147,640 | 56.4% |
| Maintenance and professional services | 60,699 | 37.7 | 85,083 | 39.3 | 114,061 | 43.6 |
| Total revenues | 160,812 | 100.0 | 216,613 | 100.0 | 261,701 | 100.0 |
| Cost of revenues: | | | | | | |
| License | 5,088 | 3.2 | 4,726 | 2.2 | 7,911 | 3.0 |
| Maintenance and professional services | 17,572 | 10.9 | 25,425 | 11.7 | 33,937 | 13.0 |
| Total cost of revenues | 22,660 | 14.1 | 30,151 | 13.9 | 41,848 | 16.0 |
| Gross profit | 138,152 | 85.9 | 186,462 | 86.1 | 219,853 | 84.0 |
| Operating expenses: | | | | | | |
| Research and development | 21,734 | 13.5 | 34,614 | 16.0 | 42,389 | 16.2 |
| Sales and marketing | 66,206 | 41.2 | 93,775 | 43.3 | 126,739 | 48.4 |
| General and administrative | 16,990 | 10.6 | 22,117 | 10.2 | 30,399 | 11.6 |
| Total operating expenses | 104,930 | 65.3 | 150,506 | 69.5 | 199,527 | 76.2 |
| Operating income | 33,222 | 20.6 | 35,956 | 16.6 | 20,326 | 7.8 |
| Financial income (expenses), net | (1,479) | (0.9) | 245 | 0.1 | 4,103 | 1.5 |
| Income before taxes on income | 31,743 | 19.7 | 36,201 | 16.7 | 24,429 | 9.3 |
| Taxes on income | (5,949) | (3.7) | (8,077) | (3.7) | (8,414) | (3.2) |
| Net income | $25,794 | 16.0% | $28,124 | 13.0% | $16,015 | 6.1% |



Year Ended December 31, 2016 Compared to Year Ended December 31, 2017
 
Revenues
                                     
   
Year ended December 31 ($ in thousands)

| | 2016 Amount | 2016 % of Revenues | 2017 Amount | 2017 % of Revenues | Change Amount | Change % |
|---|---|---|---|---|---|---|
| Revenues: | | | | | | |
| License | $131,530 | 60.7% | $147,640 | 56.4% | $16,110 | 12.2% |
| Maintenance and professional services | 85,083 | 39.3 | 114,061 | 43.6 | 28,978 | 34.1 |
| Total revenues | $216,613 | 100.0% | $261,701 | 100.0% | $45,088 | 20.8% |
 
Revenues increased by $45.1 million, or 20.8%, from $216.6 million in 2016 to $261.7 million in 2017. This increase was due to increased sales of our solutions. This increase was also driven by growth in both our license revenues and our maintenance and professional services revenues. This growth was most pronounced in the United States, where revenues increased by $19.7 million and in EMEA with an increase of $13.7 million compared to $11.7 million in the rest of the world. The significant increase in revenues from the United States and EMEA primarily resulted from a higher volume of deals including large transactions of greater than $1.0 million each that together accounted for $36.6 million. Multiple large transactions or even a single large transaction in a specific period could materially impact relative growth rates among our different regions for a particular period. We increased our number of customers from approximately 3,100 as of December 31, 2016 to approximately 3,650 as of December 31, 2017.
 
License revenues increased by $16.1 million, or 12.2%, from $131.5 million in 2016 to $147.6 million in 2017. In 2017, approximately 60% of license revenues were generated from sales to customers from whom we had generated revenues before this period. Substantially all of the license revenue growth resulted from increased sales of our Privileged Account Security Solution, driven by increased demand for our Enterprise Password Vault and Privileged Session Manager as well as strong growth from Endpoint Privilege Manager and Application Identity Manager.
 
Maintenance and professional services revenues increased by $29.0 million, or 34.1%, from $85.1 million in 2016 to $114.1 million in 2017. Maintenance revenues increased by $23.5 million from $69.4 million in 2016 to $92.9 million in 2017, with renewals accounting for approximately $17.0 million and initial maintenance contracts for approximately $6.5 million, respectively, of this increase. Professional services revenues increased by $5.5 million from $15.7 million in 2016 to $21.2 million in 2017 primarily due to the provision of more services to customers.
 

Cost of Revenues and Gross Profit
                                     
   
Year ended December 31 ($ in thousands)

| | 2016 Amount | 2016 % of Revenues | 2017 Amount | 2017 % of Revenues | Change Amount | Change % |
|---|---|---|---|---|---|---|
| Cost of revenues: | | | | | | |
| License | $4,726 | 2.2% | $7,911 | 3.0% | $3,185 | 67.4% |
| Maintenance and professional services | 25,425 | 11.7 | 33,937 | 13.0 | 8,512 | 33.5 |
| Total cost of revenues | $30,151 | 13.9% | $41,848 | 16.0% | $11,697 | 38.8% |
| Gross profit | $186,462 | 86.1% | $219,853 | 84.0% | $33,391 | 17.9% |
 
Cost of license revenues increased by $3.2 million, or 67.4%, from $4.7 million in 2016 to $7.9 million in 2017. The increase in cost of license revenues was driven primarily by amortization of intangible assets.
 
Cost of maintenance and professional services revenues increased by $7.8 million, or 44.7%, from $17.6 million in 2015 to $25.4 million in 2016. The increase in cost of maintenance and professional services revenues was driven primarily by a $6.2 million increase in personnel costs and related expenses as our technical support and professional services headcount grew from 166 at the end of 2016 to 188 at the end of 2017. The increase was also attributable to a $1.1 million increase related to third party consultants.
 
Gross profit increased by $33.4 million, or 17.9%, from $186.5 million in 2016 to $219.9 million in 2017. Gross margins decreased from 86.1% in 2016 to 84.0% in 2017. This was driven by an increase in expenses for amortization of intangible assets from our acquisitions as well as planned increases in expenses for third party software and an increase in the use of third party contractors for services.
 
Operating Expenses
                                     
   
Year ended December 31 ($ in thousands)

| | 2016 Amount | 2016 % of Revenues | 2017 Amount | 2017 % of Revenues | Change Amount | Change % |
|---|---|---|---|---|---|---|
| Operating expenses: | | | | | | |
| Research and development | $34,614 | 16.0% | $42,389 | 16.2% | $7,775 | 22.5% |
| Sales and marketing | 93,775 | 43.3 | 126,739 | 48.4 | 32,964 | 35.2 |
| General and administrative | 22,117 | 10.2 | 30,399 | 11.6 | 8,282 | 37.4 |
| Total operating expenses | $150,506 | 69.5% | $199,527 | 76.2% | $49,021 | 32.6% |



Research and Development. Research and development expenses increased by $7.8 million, or 22.5%, from $34.6 million in 2016 to $42.4 million in 2017. This increase was primarily attributable to a $0.6 million increase in subcontractor and consultant expenses and a $7.3 million increase in personnel costs and related expenses, as we increased our research and development team headcount from 205 at the end of 2016 to 250 at the end of 2017 to support continued investment in our future product and service offerings. The increase was also attributable to a $0.7 million increase related to overhead cost offset by a $2.0 million decrease in amortization of intangible assets from our acquisitions.
 
Sales and Marketing. Sales and marketing expenses increased by $32.9 million, or 35.2%, from $93.8 million in 2016 to $126.7 million in 2017. This increase was primarily attributable to a $25.9 million increase in personnel costs and related expenses due to increased headcount in all regions to expand our sales and marketing organization coupled with a $3.5 million increase in expenses related to our marketing programs, $2.0 million increase in travel and related expenses and a $0.5 million increase in facility costs. Our sales and marketing headcount grew from 377 at the end of 2016 to 491 at the end of 2017.
 
General and Administrative. General and administrative expenses increased by $8.3 million, or 37.4%, from $22.1 million in 2016 to $30.4 million in 2017. This increase was primarily attributable to an increase of $4.2 million in personnel costs and related expenses due to increased headcount coupled with a $2.0 million increase in services fees due to consultants, external counsel, accounting and other professionals.
 
Financial Income (Expenses), Net. Financial income (expenses), net changed by $3.9 million from $0.2 million of income in 2016 to $4.1 million of income in 2017. This change resulted primarily from an increase of $1.1 million in interest income from investments in marketable securities and short- and long-term bank deposits and from an increase of $2.7 million due to gains from foreign currency exchange.
 
Taxes on Income. Taxes on income increased from $8.1 million in 2016 to $8.4 million in 2017. Our effective tax rate was 22.3% in 2016 and 34.4% in 2017. The higher effective tax rate in 2017 in comparison to 2016 is mainly attributed to a $6.5 million tax expense from adjustment to our deferred tax assets as a result of the new Tax Act partially offset by the stock based compensation benefit recognized as a result of the adoption of Accounting Standards Update No. 2016-09.
 
Year Ended December 31, 2015 Compared to Year Ended December 31, 2016
 
Revenues
                                     
   
Year ended December 31 ($ in thousands)

| | 2015 Amount | 2015 % of Revenues | 2016 Amount | 2016 % of Revenues | Change Amount | Change % |
|---|---|---|---|---|---|---|
| Revenues: | | | | | | |
| License | $100,113 | 62.3% | $131,530 | 60.7% | $31,417 | 31.4% |
| Maintenance and professional services | 60,699 | 37.7 | 85,083 | 39.3 | 24,384 | 40.2 |
| Total revenues | $160,812 | 100.0% | $216,613 | 100.0% | $55,801 | 34.7% |
 

 
Revenues increased by $55.8 million, or 34.7%, from $160.8 million in 2015 to $216.6 million in 2016. This increase was due to increased sales of our solutions. This increase was also driven by growth in both our license revenues and our maintenance and professional services revenues. This growth was most pronounced in the United States, where revenues increased by $33.7 million compared to increases of $17.5 million in EMEA and $4.6 million in the rest of the world. The significant increase in revenues from the United States primarily resulted from a higher volume of deals including large transactions of greater than $1.0 million each that together accounted for $21.6 million. Multiple large transactions or even a single large transaction in a specific period could materially impact relative growth rates among our different regions for a particular period. We increased our number of customers from approximately 2,500 as of December 31, 2015 to approximately 3,100 as of December 31, 2016.
 
License revenues increased by $31.4 million, or 31.4%, from $100.1 million in 2015 to $131.5 million in 2016. In 2016, approximately 60.0% of license revenues were generated from sales to customers from whom we had generated revenues before this period. Substantially all of the license revenue growth resulted from increased sales of our Privileged Account Security Solution, driven by increased demand for our Enterprise Password Vault and Privileged Session Manager.
 
Maintenance and professional services revenues increased by $24.4 million, or 40.2%, from $60.7 million in 2015 to $85.1 million in 2016. Maintenance revenues increased by $21.3 million from $48.1 million in 2015 to $69.4 million in 2016, with renewals accounting for approximately $11.9 million and initial maintenance contracts for approximately $9.4 million, respectively, of this increase. Professional services revenues increased by $3.1 million from $12.6 million in 2015 to $15.7 million in 2016 primarily due to the provision of more services to customers.
 
Cost of Revenues and Gross Profit
                                     
   
Year ended December 31 ($ in thousands)

| | 2015 Amount | 2015 % of Revenues | 2016 Amount | 2016 % of Revenues | Change Amount | Change % |
|---|---|---|---|---|---|---|
| Cost of revenues: | | | | | | |
| License | $5,088 | 3.2% | $4,726 | 2.2% | $(362) | (7.1)% |
| Maintenance and professional services | 17,572 | 10.9 | 25,425 | 11.7 | 7,853 | 44.7 |
| Total cost of revenues | $22,660 | 14.1% | $30,151 | 13.9% | $7,491 | 33.1% |
| Gross profit | $138,152 | 85.9% | $186,462 | 86.1% | $48,310 | 35.0% |
 
Cost of license revenues decreased by $0.4 million, or 7.1%, from $5.1 million in 2015 to $4.7 million in 2016. The decrease in cost of license revenues was driven primarily by the contribution of our in-house Endpoint Privilege Manager product compared to the third-party product resold in 2015.
 
Cost of maintenance and professional services revenues increased by $7.8 million, or 44.7%, from $17.6 million in 2015 to $25.4 million in 2016. The increase in cost of maintenance and professional services revenues was driven primarily by a $6.2 million increase in personnel costs and related expenses as our technical support and professional services headcount grew from 118 at the end of 2015 to 166 at the end of 2016.
 

Gross profit increased by $48.3 million, or 35.0%, from $138.2 million in 2015 to $186.5 million in 2016. Gross margins increased from 85.9% in 2015 to 86.1% in 2016. This increase was driven by our revenue growth outpacing the growth of our cost of revenue as well as higher margin contribution of our in-house Endpoint Privilege Manager product compared to the third-party product resold in 2015.
 
Operating Expenses
                                     
   
Year ended December 31 ($ in thousands)

| | 2015 Amount | 2015 % of Revenues | 2016 Amount | 2016 % of Revenues | Change Amount | Change % |
|---|---|---|---|---|---|---|
| Operating expenses: | | | | | | |
| Research and development | $21,734 | 13.5% | $34,614 | 16.0% | $12,880 | 59.3% |
| Sales and marketing | 66,206 | 41.2 | 93,775 | 43.3 | 27,569 | 41.6 |
| General and administrative | 16,990 | 10.6 | 22,117 | 10.2 | 5,127 | 30.2 |
| Total operating expenses | $104,930 | 65.3% | $150,506 | 69.5% | $45,576 | 43.4% |
 
Research and Development. Research and development expenses increased by $12.9 million, or 59.3%, from $21.7 million in 2015 to $34.6 million in 2016. This increase was primarily attributable to a $10.3 million increase in personnel costs and related expenses as we increased our research and development team headcount from 176 at the end of 2015 (including approximately 30 employees who joined us following the acquisitions of Cybertinel and Viewfinity which occurred in the second half of 2015) to 205 at the end of 2016 to support continued investment in our future product and service offerings. The increase was also attributable to a $1.2 million increase related to amortization of intangible assets from our acquisitions.
 
Sales and Marketing. Sales and marketing expenses increased by $27.6 million, or 41.6%, from $66.2 million in 2015 to $93.8 million in 2016. This increase was primarily attributable to a $19.6 million increase in personnel costs and related expenses due to increased headcount in all regions to expand our sales and marketing organization coupled with a $3.1 million increase in expenses related to our marketing programs and a $1.6 million increase in travel and related expenses. The increase was also attributable to a $1.2 million increase related to amortization of intangible assets from our acquisitions. Our sales and marketing headcount grew from 294 at the end of 2015 to 377 at the end of 2016.
 
General and Administrative. General and administrative expenses increased by $5.1 million, or 30.2%, from $17.0 million in 2015 to $22.1 million in 2016. This increase was primarily attributable to an increase of $4.3 million in personnel costs and related expenses due to increased headcount.
 
Financial Income (Expenses), Net. Financial income (expenses), net changed by $1.7 million from $1.5 million of expenses in 2015 to $0.2 million of income in 2016. This change resulted primarily from an increase of $1.4 million in interest income from investments in marketable securities and short and long term deposits.
 
Taxes on Income. Taxes on income increased from $5.9 million in 2015 to $8.1 million in 2016. This increase was attributable to the increase in pre-tax income coupled with certain tax benefits we were able to recognize in 2015 resulting from acquisitions.
 

Application of Critical Accounting Policies and Estimates
 
Our accounting policies and their effect on our financial condition and results of operations are more fully described in our consolidated financial statements included elsewhere in this annual report. We have prepared our financial statements in conformity with U.S. GAAP, which requires management to make estimates and assumptions that in certain circumstances affect the reported amounts of assets and liabilities, revenues and expenses and disclosure of contingent assets and liabilities. These estimates are prepared using our best judgment, after considering past and current events and economic conditions. While management believes the factors evaluated provide a meaningful basis for establishing and applying sound accounting policies, management cannot guarantee that the estimates will always be consistent with actual results. In addition, certain information relied upon by us in preparing such estimates includes internally generated financial and operating information, external market information, when available, and when necessary, information obtained from consultations with third-parties. Actual results could differ from these estimates and could have a material adverse effect on our reported results. See “Item 3.D. Risk Factors” for a discussion of the possible risks which may affect these estimates.
 
We believe that the accounting policies discussed below are critical to our financial results and to the understanding of our past and future performance, as these policies relate to the more significant areas involving management’s estimates and assumptions. We consider an accounting estimate to be critical if: (1) it requires us to make assumptions because information was not available at the time or it included matters that were highly uncertain at the time we were making our estimate; and (2) changes in the estimate could have a material impact on our financial condition or results of operations.
 
Revenue Recognition
 
We account for our software licensing sales in accordance with the Financial Accounting Standards Board, or FASB, Accounting Standards Codification, or ASC, 985-605, “Software Revenue Recognition.” ASC 985-605 generally requires revenue earned on software arrangements involving multiple elements to be allocated to each element based on the relative fair value of the elements when Vendor Specific Objective Evidence, or VSOE, of fair value exists for all elements and to be allocated to the different elements in the arrangement under the “residual method” when VSOE of fair value exists for all undelivered elements and no VSOE exists for the delivered elements.
 
Maintenance and professional services are sold separately and therefore the selling price (VSOE) is based on stand-alone transactions.
 
Under the residual method, at the outset of the arrangement with the customer, we defer revenues for the fair value of our undelivered elements and recognize revenue for the remainder of the arrangement fee attributable to the elements initially delivered in the arrangement (software element) when all other criteria in ASC 985-605 have been met. Any discount in the arrangement is allocated to the delivered element.
 
We recognize software license revenues when persuasive evidence of an arrangement exists, the software license has been delivered, there are no uncertainties surrounding product acceptance, there are no significant future performance obligations, the license fees are fixed or determinable and collection of the license fee is considered probable. Fees for arrangements with payment terms extending beyond customary payment terms are considered not to be fixed or determinable, in which case revenue is deferred and recognized when payments become due from the customer provided that all other revenue recognition criteria have been met.
 
We recognize revenues from the sale of term license arrangements ratably, on a straight-line basis, over the term of the underlying contract, which is typically one year or, to a lesser extent, three years.
 
Revenues from maintenance and support contracts are recognized ratably on a straight-line basis over the term of the related contract and revenues from professional services consist mostly of time and material services which are recognized as the services are performed. Our agreements with resellers are non-exchangeable, non-refundable, non-returnable and carry no rights of price protection. Accordingly, we consider resellers as customers.
 
Professional services are not considered to be essential to the functionality of the software.
 
We do not grant a right of return to our customers.
 

Deferred revenue includes unearned amounts received under maintenance and support contracts, professional services and amounts received from customers for licenses that do not meet the revenue recognition criteria as of the balance sheet date.
 
Derivative instruments
 
ASC No. 815, “Derivative and Hedging”, requires companies to recognize all of their derivative instruments as either assets or liabilities on the balance sheet at fair value. For those derivative instruments that are designated and qualify as hedging instruments, a company must designate the hedging instrument, based upon the exposure being hedged, as a fair value hedge, cash flow hedge or a hedge of a net investment in a foreign operation.
 
For derivative instruments that are designated and qualify as a cash flow hedge (i.e., hedging the exposure to variability in expected future cash flows that is attributable to a particular risk), the effective portion of the gain or loss on the derivative instrument is reported as a component of other comprehensive income and reclassified into earnings in the same period or periods during which the hedged transaction affects earnings. The remaining gain or loss on the derivative instrument in excess of the cumulative change in the present value of future cash flows of the hedged item, if any, is recognized in current earnings during the period of change.
 
To hedge against the risk of changes in cash flows resulting from foreign currency salary payments during the year, we have instituted a foreign currency cash flow hedging program. We hedge a portion of our forecasted expenses denominated in NIS. These forward and option contracts are designated as cash flow hedges, as defined by ASC 815, and are all effective, as their critical terms match underlying transactions being hedged.
 
In addition to the derivatives that are designated as hedges as discussed above, we also enter into certain foreign exchange forward transactions to economically hedge certain account receivables in Euros and GBP. Gains and losses related to such derivative instruments are recorded in financial income (expenses), net.
 
Share-Based Compensation
 
Option Valuations
 
Under U.S. GAAP, we account for share-based compensation for employees in accordance with the provisions of the FASB’s ASC Topic 718 “Compensation—Stock Based Compensation,” or ASC 718, which requires us to measure the cost of options based on the fair value of the award on the grant date.
 
We selected the Black-Scholes-Merton option pricing model as the most appropriate method for determining the estimated fair value of options. The resulting cost of an equity incentive award is recognized as an expense over the requisite service period of the award, which is usually the vesting period. We recognize compensation expense over the vesting period using the straight-line method and classify these amounts in the consolidated financial statements based on the department to which the related employee reports.
 
The determination of the grant date fair value of options using the Black-Scholes-Merton option pricing model is affected by estimates and assumptions regarding a number of complex and subjective variables. These variables include the expected volatility of our share price over the expected term of the options, share option exercise, risk-free interest rates and expected dividends, which are estimated as follows:
 
Expected Term. The expected term of options granted represents the period of time that options granted are expected to be outstanding, and is determined based on the simplified method in accordance with ASC No. 718-10-S99-1 (SAB No. 110), as adequate historical experience is not available to provide a reasonable estimate;
 
Volatility. The expected share price volatility was based on the historical equity volatility of our ordinary shares as well as comparable companies that are publicly traded;
 
Risk-free Rate. The risk-free interest rate is based on the yield from U.S. Treasury zero-coupon bonds with a term equivalent to the contractual life of the options; and
 
Dividend Yield. We have never declared or paid any cash dividends and do not presently plan to pay cash dividends in the foreseeable future. Consequently, we used an expected dividend yield of zero.
 
 
Goodwill and other Intangible Assets
 
Goodwill and certain other purchased intangible assets have been recorded in our financial statements as a result of acquisitions. Goodwill represents the excess of the purchase price in a business combination over the fair value of the identifiable tangible and intangible assets of the businesses acquired. Goodwill is not amortized, but rather is subject to an impairment test.
 
ASC No. 350, “Intangible—Goodwill and other” (“ASC 350”) requires goodwill to be tested for impairment at least annually and, in certain circumstances, between annual tests. We operate as one reporting unit. Therefore, goodwill is tested for impairment by comparing the fair value of the reporting unit with its carrying value. We elect to perform an annual impairment test of goodwill as of October 1 of each year, or more frequently if impairment indicators are present.
 
For the years ended December 31, 2015, 2016 and 2017, no impairment losses were identified.
 
Purchased intangible assets with finite lives are carried at cost, less accumulated amortization. Amortization is computed over the estimated useful lives of the respective assets, which range from two to eleven years. Acquired customer relationship and backlog are amortized over their estimated useful lives in proportion to the economic benefits realized. Other intangible assets, which consist primarily of technology, are amortized over their estimated useful lives on a straight-line basis.
 
Income Taxes
 
We account for income taxes in accordance with ASC No. 740-10, “Income Taxes” (“ASC No. 740-10”). ASC No. 740-10 prescribes the use of the asset and liability method whereby deferred tax asset and liability account balances are determined based on temporary differences between financial reporting and tax bases of assets and liabilities and are measured using the enacted tax rates and laws that will be in effect when the differences are expected to reverse. We provide a valuation allowance, if necessary, to reduce deferred tax assets to their estimated realizable value if it is more likely than not that some portion or all of the deferred tax asset will not be realized.
 
We established reserves for uncertain tax positions based on the evaluation of whether or not the Company's uncertain tax position is “more likely than not” to be sustained upon examination. We record interest and penalties pertaining to our uncertain tax positions in the financial statements as income tax expense.
 
Legal Contingencies
 
From time to time we become involved in legal proceedings or are subject to claims arising in the ordinary course of our business. Such matters are subject to many uncertainties and outcomes are not predictable with assurance. We accrue for contingencies when the loss is probable and we can reasonably estimate the amount of any such loss.
 
Israeli Tax Considerations and Government Programs
 
The following is a brief summary of the material Israeli tax laws applicable to us, and certain Israeli Government programs that benefit us. To the extent that the discussion is based on new tax legislation that has not yet been subject to judicial or administrative interpretation, we cannot assure you that the appropriate tax authorities or the courts will accept the views expressed in this discussion. The discussion below is subject to change, including due to amendments under Israeli law or changes to the applicable judicial or administrative interpretations of Israeli law, which could affect the tax consequences described below.
 
General Corporate Tax Structure in Israel
 
The standard corporate tax rate in Israel is currently 23.0%, and was 26.5%, 25.0% and 24.0% for 2015, 2016 and 2017, respectively. However, the effective tax rate payable by a company that derives income from an Approved Enterprise, a Benefited Enterprise or a Preferred Enterprise (as discussed below) may be considerably less. Capital gains derived by an Israeli company are generally subject to tax at the prevailing ordinary corporate tax rate.
 
Tax Benefits and Grants for Research and Development
 
Israeli tax law allows, under certain conditions, a tax deduction for research and development expenditures, including capital expenditures, for the year in which they are incurred if:
 
the expenditures are approved by the relevant Israeli government ministry, determined by the field of research;
 
the research and development is for the promotion or development of the company; and
 
the research and development is carried out by or on behalf of the company seeking the deduction.
 
However, the amount of such deductible expenses shall be reduced by the sum of any funds received through government grants for the finance of such scientific research and development projects. Expenditures not so approved are deductible over a three-year period from the first year that the expenditures were made if the research or development is for the promotion or development of the company.
 
Law for the Encouragement of Industry (Taxes), 5729-1969
 
The Law for the Encouragement of Industry (Taxes), 5729-1969, generally referred to as the Industry Encouragement Law, provides several tax benefits for “Industrial Companies”.
 
The Industry Encouragement Law defines an “Industrial Company” as an Israeli resident company which was incorporated in Israel, of which 90% or more of its income in any tax year, other than income from certain government loans, is derived from an “Industrial Enterprise” owned by it and located in Israel. An “Industrial Enterprise” is defined as an enterprise whose principal activity in a given tax year is industrial production.
 
The following tax benefits, among others, are available to Industrial Companies:
 
deduction of the cost of purchased know-how, patents and rights to use a patent and know-how which are used for the development or promotion of the Industrial Enterprise, over an eight-year period commencing on the year in which such rights were first exercised;
 
under limited conditions, an election to file consolidated tax returns together with Israeli Industrial Companies controlled by it; and
 
expenses related to a public offering are deductible in equal amounts over three years commencing on the year of offering.
 
Eligibility for benefits under the Industry Encouragement Law is not contingent upon the approval of any governmental authority. We believe that we qualify as an Industrial Company within the meaning of the Industry Encouragement Law. The Israel Tax Authority may determine that we do not qualify as an Industrial Company, which could entail our loss of the benefits that relate to this status. There can be no assurance that we will continue to qualify as an Industrial Company or that the benefits described above will be available in the future.
 
Law for the Encouragement of Capital Investments, 5719-1959
 
The Law for the Encouragement of Capital Investments, 5719-1959, generally referred to as the Investment Law, provides certain incentives for capital investments in production facilities (or other eligible assets) by “Industrial Enterprises” (as defined under the Investment Law).
 
The Investment Law was significantly amended effective April 1, 2005, or the 2005 Amendment, further amended as of January 1, 2011, or the 2011 Amendment, and further amended as of January 1, 2017, or the 2017 Amendment. Pursuant to the 2005 Amendment, tax benefits granted in accordance with the provisions of the Investment Law prior to its revision by the 2005 Amendment remain in force but any benefits granted subsequently are subject to the provisions of the 2005 Amendment. Similarly, the 2011 Amendment introduced new benefits to replace those granted in accordance with the provisions of the Investment Law in effect prior to the 2011 Amendment. However, companies entitled to benefits under the Investment Law as in effect prior to January 1, 2011 were entitled to choose to continue to enjoy such benefits, provided that certain conditions are met, or elect instead, irrevocably, to forego such benefits and have the benefits of the 2011 Amendment apply. The 2017 Amendment introduces new benefits for Technological Enterprises which meet certain conditions, alongside the existing tax benefits.
 
Tax Benefits Prior to the 2005 Amendment
 
An investment program that is implemented in accordance with the provisions o