false--12-31FY20192019-12-3100011078434800000P4YP4Y8160006830000.0010.0011000000000100000000038598117390150343859811739015034P14YP3Y002430000013600000350000000.0010.0012000000020000000000000P5YP3YP1YP2YP3YP4YP5YP6YP3YP3Y0.490.470.470.450.460.400.0200.0180.0300.0250.0240.01589.5536.2526.6894.454.1086.3540.8995.1025.5613.6089.5540.6834.9794.4513.5087.2679.5195.1025.5625.17P5Y6MP5Y1M6DP5YP4Y6MP6Y7M6DP4Y4M24D 0001107843 2019-01-01 2019-12-31 0001107843 2019-06-30 0001107843 2020-02-13 0001107843 2018-12-31 0001107843 2019-12-31 0001107843 2018-01-01 2018-12-31 0001107843 2017-01-01 2017-12-31 0001107843 us-gaap:OtherOperatingIncomeExpenseMember 2019-01-01 2019-12-31 0001107843 us-gaap:OtherOperatingIncomeExpenseMember 2018-01-01 2018-12-31 0001107843 us-gaap:OtherOperatingIncomeExpenseMember 2017-01-01 2017-12-31 0001107843 2017-12-31 0001107843 2016-12-31 0001107843 qlys:PrivatelyheldcompaniesMember us-gaap:PreferredStockMember 2018-01-01 2018-12-31 0001107843 us-gaap:CommonStockMember 2019-01-01 2019-12-31 0001107843 us-gaap:RetainedEarningsMember 2017-12-31 0001107843 us-gaap:CommonStockMember 2018-12-31 0001107843 us-gaap:CommonStockMember 2016-12-31 0001107843 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2019-12-31 0001107843 us-gaap:AdditionalPaidInCapitalMember 2018-01-01 2018-12-31 0001107843 us-gaap:AdditionalPaidInCapitalMember 2018-12-31 0001107843 us-gaap:CommonStockMember 2018-01-01 2018-12-31 0001107843 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2018-12-31 0001107843 us-gaap:AdditionalPaidInCapitalMember 2019-12-31 0001107843 us-gaap:RetainedEarningsMember 2019-01-01 2019-12-31 0001107843 us-gaap:CommonStockMember 2019-12-31 0001107843 us-gaap:AccountingStandardsUpdate201609Member 2017-01-01 0001107843 us-gaap:AdditionalPaidInCapitalMember 2019-01-01 2019-12-31 0001107843 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2019-01-01 2019-12-31 0001107843 us-gaap:AdditionalPaidInCapitalMember 2017-12-31 0001107843 us-gaap:RetainedEarningsMember 2019-12-31 0001107843 us-gaap:CommonStockMember 2017-01-01 2017-12-31 0001107843 us-gaap:CommonStockMember 2017-12-31 0001107843 us-gaap:AdditionalPaidInCapitalMember 2017-01-01 2017-12-31 0001107843 us-gaap:AdditionalPaidInCapitalMember 2016-12-31 0001107843 us-gaap:AccountingStandardsUpdate201409Member us-gaap:RetainedEarningsMember 2018-01-01 0001107843 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2017-12-31 0001107843 us-gaap:AccountingStandardsUpdate201609Member us-gaap:RetainedEarningsMember 2017-01-01 0001107843 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2017-01-01 2017-12-31 0001107843 us-gaap:RetainedEarningsMember 2017-01-01 2017-12-31 0001107843 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2016-12-31 0001107843 us-gaap:AccountingStandardsUpdate201409Member 2018-01-01 0001107843 us-gaap:RetainedEarningsMember 2018-12-31 0001107843 us-gaap:RetainedEarningsMember 2016-12-31 0001107843 qlys:PrivatelyheldcompaniesMember us-gaap:ConvertibleDebtSecuritiesMember 2019-07-01 2019-09-30 0001107843 qlys:ScannerAppliancesMember 2019-01-01 2019-12-31 0001107843 us-gaap:DeferredCompensationShareBasedPaymentsMember 2018-12-31 0001107843 us-gaap:DeferredCompensationShareBasedPaymentsMember 2017-12-31 0001107843 qlys:PrivatelyheldcompaniesMember us-gaap:PreferredStockMember 2019-04-01 2019-06-30 0001107843 us-gaap:AccountsReceivableMember us-gaap:CustomerConcentrationRiskMember 2018-12-31 0001107843 us-gaap:DeferredCompensationShareBasedPaymentsMember 2019-12-31 0001107843 srt:MaximumMember 2019-01-01 2019-12-31 0001107843 srt:MinimumMember 2019-01-01 2019-12-31 0001107843 us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2019-12-31 0001107843 us-gaap:AssetBackedSecuritiesMember 2019-12-31 0001107843 us-gaap:CommercialPaperMember 2019-12-31 0001107843 us-gaap:CorporateBondSecuritiesMember 2019-12-31 0001107843 us-gaap:ForwardContractsMember us-gaap:NondesignatedMember 2018-12-31 0001107843 us-gaap:PreferredStockMember 2018-01-01 2018-12-31 0001107843 us-gaap:ForeignExchangeContractMember us-gaap:CashFlowHedgingMember us-gaap:DesignatedAsHedgingInstrumentMember 2019-12-31 0001107843 qlys:ForeignCurrencyContractEuroMember us-gaap:CashFlowHedgingMember us-gaap:DesignatedAsHedgingInstrumentMember 2019-12-31 0001107843 currency:EUR us-gaap:ForwardContractsMember us-gaap:NondesignatedMember 2019-12-31 0001107843 us-gaap:ForeignExchangeContractMember 2018-12-31 0001107843 qlys:ForeignCurrencyContractPoundMember us-gaap:CashFlowHedgingMember us-gaap:DesignatedAsHedgingInstrumentMember 2019-12-31 0001107843 currency:INR us-gaap:NondesignatedMember 2019-12-31 0001107843 currency:GBP us-gaap:NondesignatedMember 2019-12-31 0001107843 us-gaap:ForwardContractsMember us-gaap:NondesignatedMember 2019-12-31 0001107843 currency:GBP us-gaap:NondesignatedMember 2018-12-31 0001107843 qlys:ForeignCurrencyContractPoundMember us-gaap:CashFlowHedgingMember us-gaap:DesignatedAsHedgingInstrumentMember 2018-12-31 0001107843 us-gaap:ConvertibleDebtSecuritiesMember 2019-01-01 2019-12-31 0001107843 currency:EUR us-gaap:ForwardContractsMember us-gaap:NondesignatedMember 2018-12-31 0001107843 qlys:ForeignCurrencyContractEuroMember us-gaap:CashFlowHedgingMember us-gaap:DesignatedAsHedgingInstrumentMember 2018-12-31 0001107843 qlys:LongTermInvestmentsMember 2019-12-31 0001107843 qlys:NoncurrentAssetsMember us-gaap:AssetBackedSecuritiesMember 2019-12-31 0001107843 us-gaap:CashAndCashEquivalentsMember us-gaap:CashMember 2019-12-31 0001107843 qlys:CurrentAssetsMember us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2019-12-31 0001107843 us-gaap:ShortTermInvestmentsMember 2019-12-31 0001107843 qlys:CurrentAssetsMember us-gaap:CorporateBondSecuritiesMember 2019-12-31 0001107843 qlys:NoncurrentAssetsMember us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2019-12-31 0001107843 qlys:NoncurrentAssetsMember us-gaap:CorporateBondSecuritiesMember 2019-12-31 0001107843 us-gaap:CashAndCashEquivalentsMember us-gaap:CommercialPaperMember 2019-12-31 0001107843 qlys:CurrentAssetsMember us-gaap:AssetBackedSecuritiesMember 2019-12-31 0001107843 us-gaap:CashAndCashEquivalentsMember us-gaap:CommercialPaperMember us-gaap:CommercialPaperMember 2019-12-31 0001107843 us-gaap:CashAndCashEquivalentsMember us-gaap:CashAndCashEquivalentsMember 2019-12-31 0001107843 qlys:AvailableForSaleSecuritiesLineItemMember us-gaap:CommercialPaperMember 2019-12-31 0001107843 qlys:AvailableForSaleSecuritiesLineItemMember us-gaap:CommercialPaperMember 2019-09-30 0001107843 us-gaap:CashAndCashEquivalentsMember us-gaap:MoneyMarketFundsMember 2019-12-31 0001107843 us-gaap:FairValueInputsLevel2Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:CommercialPaperMember 2019-12-31 0001107843 us-gaap:FairValueInputsLevel1Member us-gaap:FairValueMeasurementsRecurringMember 2019-12-31 0001107843 us-gaap:FairValueInputsLevel1Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2019-12-31 0001107843 us-gaap:FairValueInputsLevel2Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:CorporateBondSecuritiesMember 2019-12-31 0001107843 us-gaap:EstimateOfFairValueFairValueDisclosureMember us-gaap:FairValueMeasurementsRecurringMember us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2019-12-31 0001107843 us-gaap:FairValueInputsLevel1Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:CommercialPaperMember 2019-12-31 0001107843 us-gaap:EstimateOfFairValueFairValueDisclosureMember us-gaap:FairValueMeasurementsRecurringMember us-gaap:CorporateBondSecuritiesMember 2019-12-31 0001107843 us-gaap:MoneyMarketFundsMember us-gaap:FairValueMeasurementsRecurringMember 2019-12-31 0001107843 us-gaap:FairValueInputsLevel2Member us-gaap:FairValueMeasurementsRecurringMember 2019-12-31 0001107843 us-gaap:EstimateOfFairValueFairValueDisclosureMember us-gaap:FairValueMeasurementsRecurringMember us-gaap:CommercialPaperMember 2019-12-31 0001107843 us-gaap:FairValueInputsLevel2Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2019-12-31 0001107843 us-gaap:EstimateOfFairValueFairValueDisclosureMember us-gaap:FairValueMeasurementsRecurringMember us-gaap:AssetBackedSecuritiesMember 2019-12-31 0001107843 us-gaap:FairValueInputsLevel1Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:CorporateBondSecuritiesMember 2019-12-31 0001107843 us-gaap:FairValueInputsLevel2Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:AssetBackedSecuritiesMember 2019-12-31 0001107843 us-gaap:FairValueInputsLevel1Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:AssetBackedSecuritiesMember 2019-12-31 0001107843 us-gaap:EstimateOfFairValueFairValueDisclosureMember us-gaap:FairValueMeasurementsRecurringMember 2019-12-31 0001107843 us-gaap:MoneyMarketFundsMember us-gaap:FairValueMeasurementsRecurringMember 2018-12-31 0001107843 us-gaap:FairValueInputsLevel1Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:AssetBackedSecuritiesMember 2018-12-31 0001107843 us-gaap:FairValueInputsLevel1Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:CorporateBondSecuritiesMember 2018-12-31 0001107843 us-gaap:FairValueInputsLevel1Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2018-12-31 0001107843 us-gaap:FairValueInputsLevel2Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:CorporateBondSecuritiesMember 2018-12-31 0001107843 us-gaap:FairValueInputsLevel1Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:CommercialPaperMember 2018-12-31 0001107843 us-gaap:FairValueInputsLevel1Member us-gaap:FairValueMeasurementsRecurringMember 2018-12-31 0001107843 us-gaap:EstimateOfFairValueFairValueDisclosureMember us-gaap:FairValueMeasurementsRecurringMember us-gaap:AssetBackedSecuritiesMember 2018-12-31 0001107843 us-gaap:FairValueInputsLevel2Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:CommercialPaperMember 2018-12-31 0001107843 us-gaap:EstimateOfFairValueFairValueDisclosureMember us-gaap:FairValueMeasurementsRecurringMember us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2018-12-31 0001107843 us-gaap:FairValueInputsLevel2Member us-gaap:FairValueMeasurementsRecurringMember 2018-12-31 0001107843 us-gaap:EstimateOfFairValueFairValueDisclosureMember us-gaap:FairValueMeasurementsRecurringMember us-gaap:CommercialPaperMember 2018-12-31 0001107843 us-gaap:FairValueInputsLevel2Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:AssetBackedSecuritiesMember 2018-12-31 0001107843 us-gaap:EstimateOfFairValueFairValueDisclosureMember us-gaap:FairValueMeasurementsRecurringMember us-gaap:CorporateBondSecuritiesMember 2018-12-31 0001107843 us-gaap:FairValueInputsLevel2Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2018-12-31 0001107843 us-gaap:EstimateOfFairValueFairValueDisclosureMember us-gaap:FairValueMeasurementsRecurringMember 2018-12-31 0001107843 qlys:CurrentAssetsMember us-gaap:AssetBackedSecuritiesMember 2018-12-31 0001107843 us-gaap:CashAndCashEquivalentsMember us-gaap:CashMember 2018-12-31 0001107843 qlys:AvailableForSaleSecuritiesLineItemMember 2018-12-31 0001107843 qlys:CurrentAssetsMember us-gaap:CommercialPaperMember 2018-12-31 0001107843 us-gaap:CashAndCashEquivalentsMember us-gaap:CashAndCashEquivalentsMember 2018-12-31 0001107843 qlys:NoncurrentAssetsMember us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2018-12-31 0001107843 qlys:LongTermInvestmentsMember 2018-12-31 0001107843 qlys:CurrentAssetsMember us-gaap:CorporateBondSecuritiesMember 2018-12-31 0001107843 qlys:CurrentAssetsMember us-gaap:USGovernmentAgenciesDebtSecuritiesMember 2018-12-31 0001107843 qlys:NoncurrentAssetsMember us-gaap:CorporateBondSecuritiesMember 2018-12-31 0001107843 qlys:NoncurrentAssetsMember us-gaap:AssetBackedSecuritiesMember 2018-12-31 0001107843 us-gaap:CashAndCashEquivalentsMember us-gaap:MoneyMarketFundsMember 2018-12-31 0001107843 us-gaap:OtherExpenseMember 2019-01-01 2019-12-31 0001107843 us-gaap:ForwardContractsMember 2017-01-01 2017-12-31 0001107843 us-gaap:OtherExpenseMember 2017-01-01 2017-12-31 0001107843 us-gaap:OtherExpenseMember 2018-01-01 2018-12-31 0001107843 us-gaap:ForwardContractsMember 2018-01-01 2018-12-31 0001107843 us-gaap:ForwardContractsMember 2019-01-01 2019-12-31 0001107843 us-gaap:ForwardContractsMember us-gaap:DesignatedAsHedgingInstrumentMember 2019-12-31 0001107843 us-gaap:ForwardContractsMember us-gaap:DesignatedAsHedgingInstrumentMember 2018-12-31 0001107843 us-gaap:LeaseholdImprovementsMember 2018-12-31 0001107843 qlys:ScannerAppliancesMember 2018-12-31 0001107843 us-gaap:LeaseholdImprovementsMember 2019-12-31 0001107843 us-gaap:ComputerEquipmentMember 2018-12-31 0001107843 qlys:ScannerAppliancesMember 2019-12-31 0001107843 qlys:EquipmentUnderCapitalLeaseMember 2018-12-31 0001107843 qlys:EquipmentUnderCapitalLeaseMember 2019-12-31 0001107843 us-gaap:FurnitureAndFixturesMember 2019-12-31 0001107843 us-gaap:ComputerSoftwareIntangibleAssetMember 2019-12-31 0001107843 us-gaap:ComputerSoftwareIntangibleAssetMember 2018-12-31 0001107843 us-gaap:ComputerEquipmentMember 2019-12-31 0001107843 us-gaap:FurnitureAndFixturesMember 2018-12-31 0001107843 qlys:ScannerAppliancesAndOtherComputerEquipmentSubjectToSubscriptionMember 2019-12-31 0001107843 qlys:ScannerAppliancesAndOtherComputerEquipmentNotPlacedInServiceMember 2019-12-31 0001107843 qlys:ScannerAppliancesAndOtherComputerEquipmentSubjectToSubscriptionMember 2018-12-31 0001107843 qlys:ScannerAppliancesAndOtherComputerEquipmentNotPlacedInServiceMember 2018-12-31 0001107843 us-gaap:SalesChannelDirectlyToConsumerMember us-gaap:AccountingStandardsUpdate201409Member 2019-01-01 2019-12-31 0001107843 us-gaap:SalesChannelDirectlyToConsumerMember 2017-10-01 2017-12-31 0001107843 us-gaap:SalesChannelThroughIntermediaryMember us-gaap:AccountingStandardsUpdate201602Member 2018-01-01 2018-12-31 0001107843 us-gaap:SalesChannelThroughIntermediaryMember 2017-01-01 2017-12-31 0001107843 us-gaap:AccountingStandardsUpdate201602Member 2018-01-01 2018-12-31 0001107843 us-gaap:SalesChannelDirectlyToConsumerMember us-gaap:AccountingStandardsUpdate201602Member 2018-01-01 2018-12-31 0001107843 us-gaap:SalesChannelThroughIntermediaryMember us-gaap:AccountingStandardsUpdate201409Member 2019-01-01 2019-12-31 0001107843 us-gaap:AccountingStandardsUpdate201409Member 2019-01-01 2019-12-31 0001107843 2024-01-01 2019-12-31 0001107843 2021-01-01 2019-12-31 0001107843 2020-01-01 2019-12-31 0001107843 2023-01-01 2019-12-31 0001107843 2022-01-01 2019-12-31 0001107843 2025-01-01 2019-12-31 0001107843 qlys:SubscriptionRevenueMember 2019-01-01 2019-12-31 0001107843 qlys:SubscriptionRevenueMember 2018-01-01 2018-12-31 0001107843 qlys:AdyaInc.Member 2019-01-10 0001107843 qlys:LayeredInsightsMember 2018-10-16 0001107843 qlys:DefensativeLLCNetWatcherMember 2017-11-28 0001107843 qlys:NevisNetworksPrivateLimitedMember 2017-08-29 0001107843 qlys:A1MobilityMember 2018-04-01 0001107843 qlys:DefensativeLLCNetWatcherMember 2017-11-28 2017-11-28 0001107843 qlys:NevisNetworksPrivateLimitedMember 2017-08-29 2017-08-29 0001107843 qlys:LayeredInsightsMember 2018-10-16 2018-10-16 0001107843 qlys:A1MobilityMember 2018-04-01 2018-04-01 0001107843 qlys:AdyaInc.Member 2019-01-10 2019-01-10 0001107843 qlys:A1MobilityMember 2019-01-01 2019-12-31 0001107843 qlys:DefensativeLLCNetWatcherMember 2017-01-01 2017-12-31 0001107843 qlys:DefensativeLLCNetWatcherMember 2019-01-01 2019-12-31 0001107843 qlys:LayeredInsightsMember 2019-01-01 2019-12-31 0001107843 us-gaap:DevelopedTechnologyRightsMember 2018-12-31 0001107843 us-gaap:DevelopedTechnologyRightsMember 2018-01-01 2018-12-31 0001107843 us-gaap:PatentsMember 2018-12-31 0001107843 us-gaap:PatentsMember 2018-01-01 2018-12-31 0001107843 us-gaap:PatentsMember 2019-01-01 2019-12-31 0001107843 us-gaap:PatentsMember 2019-12-31 0001107843 us-gaap:DevelopedTechnologyRightsMember 2019-12-31 0001107843 us-gaap:DevelopedTechnologyRightsMember 2019-01-01 2019-12-31 0001107843 us-gaap:OtherNoncurrentLiabilitiesMember 2019-12-31 0001107843 2019-10-01 2019-12-31 0001107843 2018-01-01 2018-01-31 0001107843 2018-01-01 0001107843 qlys:PuneIndiaDomain 2019-10-01 2019-10-01 0001107843 us-gaap:ResearchAndDevelopmentExpenseMember 2017-01-01 2017-12-31 0001107843 us-gaap:CostOfSalesMember 2017-01-01 2017-12-31 0001107843 us-gaap:SellingAndMarketingExpenseMember 2018-01-01 2018-12-31 0001107843 us-gaap:SellingAndMarketingExpenseMember 2019-01-01 2019-12-31 0001107843 us-gaap:ResearchAndDevelopmentExpenseMember 2019-01-01 2019-12-31 0001107843 us-gaap:CostOfSalesMember 2019-01-01 2019-12-31 0001107843 us-gaap:SellingAndMarketingExpenseMember 2017-01-01 2017-12-31 0001107843 us-gaap:GeneralAndAdministrativeExpenseMember 2019-01-01 2019-12-31 0001107843 us-gaap:CostOfSalesMember 2018-01-01 2018-12-31 0001107843 us-gaap:ResearchAndDevelopmentExpenseMember 2018-01-01 2018-12-31 0001107843 us-gaap:GeneralAndAdministrativeExpenseMember 2018-01-01 2018-12-31 0001107843 us-gaap:GeneralAndAdministrativeExpenseMember 2017-01-01 2017-12-31 0001107843 us-gaap:EmployeeStockOptionMember 2018-01-01 2018-12-31 0001107843 us-gaap:EmployeeStockOptionMember 2019-01-01 2019-12-31 0001107843 us-gaap:EmployeeStockOptionMember 2017-01-01 2017-12-31 0001107843 2016-01-01 2016-12-31 0001107843 qlys:A2012EquityIncentivePlanMember 2019-12-31 0001107843 qlys:A2000EquityIncentivePlanMember 2019-12-31 0001107843 us-gaap:RestrictedStockUnitsRSUMember 2019-12-31 0001107843 us-gaap:RestrictedStockUnitsRSUMember 2019-01-01 2019-12-31 0001107843 us-gaap:RestrictedStockUnitsRSUMember 2018-12-31 0001107843 us-gaap:RestrictedStockUnitsRSUMember 2016-12-31 0001107843 us-gaap:RestrictedStockUnitsRSUMember 2017-12-31 0001107843 us-gaap:RestrictedStockUnitsRSUMember 2018-01-01 2018-12-31 0001107843 us-gaap:RestrictedStockUnitsRSUMember 2017-01-01 2017-12-31 0001107843 us-gaap:ShareBasedCompensationAwardTrancheThreeMember us-gaap:RestrictedStockUnitsRSUMember us-gaap:ShareBasedCompensationAwardTrancheThreeMember 2018-12-21 0001107843 2019-10-24 0001107843 us-gaap:RestrictedStockUnitsRSUMember qlys:TimebasedsharedbasedcompensationMember 2019-11-02 0001107843 us-gaap:EmployeeStockOptionMember qlys:A2000EquityIncentivePlanMember 2019-12-31 0001107843 us-gaap:EmployeeStockOptionMember qlys:A2012EquityIncentivePlanMember 2012-09-25 2012-09-26 0001107843 us-gaap:EmployeeStockOptionMember qlys:A2000EquityIncentivePlanMember 2019-01-01 2019-12-31 0001107843 us-gaap:ShareBasedCompensationAwardTrancheOneMember us-gaap:RestrictedStockUnitsRSUMember qlys:TimebasedsharedbasedcompensationMember 2018-12-21 0001107843 us-gaap:PreferredStockMember 2012-10-03 0001107843 srt:MaximumMember qlys:A2012EquityIncentivePlanMember 2012-09-25 2012-09-26 0001107843 qlys:IncreaseOfPercentageOfSharesOutstandingOptionMember qlys:A2012EquityIncentivePlanMember 2012-09-26 0001107843 us-gaap:RestrictedStockUnitsRSUMember qlys:TimebasedsharedbasedcompensationMember 2018-12-21 2018-12-21 0001107843 us-gaap:EmployeeStockOptionMember 2019-12-31 0001107843 qlys:IncreaseOfNumberOfSharesOptionMember qlys:A2012EquityIncentivePlanMember 2012-09-26 0001107843 2018-02-05 0001107843 qlys:A2018PerformanceBasedStockOptionsMember 2019-01-01 2019-12-31 0001107843 us-gaap:OptionOnSecuritiesMember us-gaap:PerformanceSharesMember 2019-11-02 0001107843 srt:MinimumMember us-gaap:EmployeeStockOptionMember qlys:A2000EquityIncentivePlanMember 2019-12-31 0001107843 us-gaap:ShareBasedCompensationAwardTrancheTwoMember us-gaap:RestrictedStockUnitsRSUMember us-gaap:PerformanceSharesMember 2018-12-21 0001107843 qlys:A2019PerformanceBasedStockOptionsMember 2019-01-01 2019-12-31 0001107843 2018-10-30 0001107843 qlys:ExercisePriceRangeEightMember 2019-01-01 2019-12-31 0001107843 qlys:ExercisePriceRangeSixMember 2019-12-31 0001107843 qlys:ExercisePriceRangeThreeMember 2019-12-31 0001107843 qlys:ExercisePriceRangeTenMember 2019-12-31 0001107843 qlys:ExercisePriceRangeTwoMember 2019-12-31 0001107843 qlys:ExercisePriceRangeSevenMember 2019-12-31 0001107843 qlys:ExercisePriceRangeEightMember 2019-12-31 0001107843 qlys:ExercisePriceRangeFiveMember 2019-12-31 0001107843 qlys:ExercisePriceRangeOneMember 2019-12-31 0001107843 qlys:ExercisePriceRangeSixMember 2019-01-01 2019-12-31 0001107843 qlys:ExercisePriceRangeNineMember 2019-12-31 0001107843 qlys:ExercisePriceRangeTwoMember 2019-01-01 2019-12-31 0001107843 qlys:ExercisePriceRangeFourMember 2019-12-31 0001107843 qlys:ExercisePriceRangeNineMember 2019-01-01 2019-12-31 0001107843 qlys:ExercisePriceRangeFiveMember 2019-01-01 2019-12-31 0001107843 qlys:ExercisePriceRangeFourMember 2019-01-01 2019-12-31 0001107843 qlys:ExercisePriceRangeTenMember 2019-01-01 2019-12-31 0001107843 qlys:ExercisePriceRangeOneMember 2019-01-01 2019-12-31 0001107843 qlys:ExercisePriceRangeThreeMember 2019-01-01 2019-12-31 0001107843 qlys:ExercisePriceRangeSevenMember 2019-01-01 2019-12-31 0001107843 us-gaap:RestrictedStockUnitsRSUMember us-gaap:ShareBasedCompensationAwardTrancheTwoMember 2018-12-21 2018-12-21 0001107843 us-gaap:RestrictedStockUnitsRSUMember us-gaap:ShareBasedCompensationAwardTrancheTwoMember 2019-11-02 2019-11-02 0001107843 srt:MaximumMember us-gaap:EmployeeStockOptionMember 2017-01-01 2017-12-31 0001107843 srt:MaximumMember us-gaap:EmployeeStockOptionMember 2018-01-01 2018-12-31 0001107843 srt:MinimumMember us-gaap:EmployeeStockOptionMember 2017-01-01 2017-12-31 0001107843 srt:MinimumMember us-gaap:EmployeeStockOptionMember 2019-01-01 2019-12-31 0001107843 srt:MinimumMember us-gaap:EmployeeStockOptionMember 2018-01-01 2018-12-31 0001107843 srt:MaximumMember us-gaap:EmployeeStockOptionMember 2019-01-01 2019-12-31 0001107843 qlys:A401kPlanMember 2019-01-01 2019-12-31 0001107843 qlys:ProvidentFundPlanandGratuityPlanMember 2018-01-01 2018-12-31 0001107843 qlys:A401kPlanMember 2018-01-01 2018-12-31 0001107843 qlys:ProvidentFundPlanandGratuityPlanMember 2019-01-01 2019-12-31 0001107843 qlys:A401kPlanMember 2017-01-01 2017-12-31 0001107843 qlys:ProvidentFundPlanandGratuityPlanMember 2017-01-01 2017-12-31 0001107843 us-gaap:StateAndLocalJurisdictionMember 2019-12-31 0001107843 2017-10-01 2017-12-31 0001107843 us-gaap:ForeignCountryMember 2019-12-31 0001107843 us-gaap:DomesticCountryMember 2019-12-31 0001107843 us-gaap:StateAndLocalJurisdictionMember us-gaap:ResearchMember 2019-12-31 0001107843 us-gaap:DomesticCountryMember us-gaap:ResearchMember 2019-12-31 0001107843 2019-01-01 2019-03-31 0001107843 country:US 2017-01-01 2017-12-31 0001107843 country:US 2019-01-01 2019-12-31 0001107843 country:US 2018-01-01 2018-12-31 0001107843 qlys:OtherGeographicAreasMember 2018-01-01 2018-12-31 0001107843 qlys:OtherGeographicAreasMember 2019-01-01 2019-12-31 0001107843 qlys:OtherGeographicAreasMember 2017-01-01 2017-12-31 0001107843 country:IN 2018-12-31 0001107843 country:US 2019-12-31 0001107843 qlys:OtherGeographicAreasMember 2018-12-31 0001107843 country:IN 2019-12-31 0001107843 qlys:OtherGeographicAreasMember 2019-12-31 0001107843 country:US 2018-12-31 0001107843 us-gaap:RestrictedStockUnitsRSUMember 2018-01-01 2018-12-31 0001107843 us-gaap:EmployeeStockOptionMember 2017-01-01 2017-12-31 0001107843 us-gaap:RestrictedStockUnitsRSUMember 2017-01-01 2017-12-31 0001107843 us-gaap:EmployeeStockOptionMember 2019-01-01 2019-12-31 0001107843 us-gaap:RestrictedStockUnitsRSUMember 2019-01-01 2019-12-31 0001107843 us-gaap:EmployeeStockOptionMember 2018-01-01 2018-12-31 0001107843 2019-04-01 2019-06-30 0001107843 2019-07-01 2019-09-30 0001107843 2018-10-01 2018-12-31 0001107843 2018-07-01 2018-09-30 0001107843 2018-01-01 2018-03-31 0001107843 2018-04-01 2018-06-30 xbrli:pure qlys:customer qlys:contract iso4217:GBP iso4217:EUR iso4217:USD iso4217:USD xbrli:shares xbrli:shares qlys:segment utreg:sqft
Table of Contents



UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
__________________
FORM 10-K
__________________
Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the Annual Period Ended December 31, 2019
or
Transition Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the transition period from          to
Commission file number 001-35662
__________________
QUALYS, INC.
(Exact name of registrant as specified in its charter)
__________________
Delaware
 
77-0534145
(State or other jurisdiction of
 
(I.R.S. Employer
incorporation or organization)
 
Identification Number)
919 E. Hillsdale Boulevard, 4th Floor, Foster City, California 94404
(Address of principal executive offices, including zip code)
(650) 801-6100
(Registrant’s telephone number, including area code)
__________________
Securities registered pursuant to section 12(b) of the Act:
Title of each class
Trading Symbol(s)
Name of exchange on which registered
Common stock, $0.001 par value per share
QLYS
NASDAQ Stock Market

Securities registered pursuant to section 12(g) of the Act: None
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes x No o
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes o No x
Indicate by check mark whether the Registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the Registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes x No  o
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).    Yes  x    No o
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act. (Check one):
Large accelerated filer
x
 
Accelerated filer
o
 
Non-accelerated filer
o
 
Smaller reporting company
 
 
 
 
 
 
 
 
 
Emerging growth company
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. o
Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).    Yes      No  xA
As of June 30, 2019, the aggregate market value of voting shares of common stock held by non-affiliates of the registrant was $2,505 million based on the last reported sale price of the registrant's common stock on June 30, 2019. Shares of common stock held by each executive officer and director and by each person who owns 10% or more of the outstanding common stock have been excluded in that such persons may be deemed to be affiliates. This determination of affiliate status is not necessarily a conclusive determination for other purposes.
The number of shares of the Registrant's common stock outstanding as of February 13, 2020 was 39,092,443 shares.

DOCUMENTS INCORPORATED BY REFERENCE
Portions of the registrant's Proxy Statement for its 2020 Annual Meeting of Stockholders are incorporated by reference in Part III of this Annual Report on Form 10-K where indicated. Such proxy statement will be filed with the Securities and Exchange Commission within 120 days of the registrant's fiscal year ended December 31, 2019.




Table of Contents



Qualys, Inc.
TABLE OF CONTENTS
 
 
Page
PART I
Item 1.
4
Item 1A.
15
Item 1B.
36
Item 2.
36
Item 3.
36
Item 4.
36
PART II
Item 5.
37
Item 6.
40
Item 7.
41
Item 7A.
52
Item 8.
54
Item 9.
87
Item 9A.
87
Item 9B.
88
PART III
Item 10.
88
Item 11.
88
Item 12.
88
Item 13.
89
Item 14.
89
PART IV
Item 15.
90
91
 
 

2

Table of Contents



PART I
Forward-Looking Statements

In addition to historical information, this Annual Report on Form 10-K contains "forward-looking" statements within the meaning of Section 21E of the Securities Exchange Act of 1934, as amended, or the Exchange Act. Forward-looking statements generally relate to future events or our future financial or operating performance. In some cases, it is possible to identify forward-looking statements because they contain words such as "anticipates," "believes," "contemplates," "continue," "could," "estimates," "expects," "future," "intends," "likely," "may," "plans," "potential," "predicts," "projects," "seek," "should," "target," or "will," or the negative of these words or other similar terms or expressions that concern our expectations, strategy, plans or intentions. Forward-looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:

our financial performance, including our revenues, costs, expenditures, growth rates, operating expenses and ability to generate positive cash flow to fund our operations and sustain profitability;
anticipated technology trends, such as the use of cloud solutions;
our ability to adapt to changing market conditions;
economic and financial conditions, including volatility in foreign exchange rates;
our ability to diversify our sources of revenues, including selling additional solutions to our existing customers and our ability to pursue new customers;
the effects of increased competition in our market;
our ability to innovate, enhance our cloud solutions and platform and introduce new solutions;
our ability to effectively manage our growth;
our anticipated investments in sales and marketing, our infrastructure, new solutions, research and development, and acquisitions;
maintaining and expanding our relationships with channel partners;
our ability to maintain, protect and enhance our brand and intellectual property;
costs associated with defending intellectual property infringement and other claims;
our ability to attract and retain qualified employees and key personnel, including sales and marketing personnel;
our ability to successfully enter new markets and manage our international expansion;
our expectations, assumptions and conclusions related to our provision for income taxes, our deferred tax assets and our effective tax rate; and
other factors discussed in this Annual Report on Form 10-K in the sections titled "Risk Factors," "Management's Discussion and Analysis of Financial Condition and Results of Operations" and "Business."

We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition, results of operations and prospects. The results, events and circumstances reflected in these forward-looking statements are subject to risks, uncertainties, assumptions, and other factors including those described in Part I, Item 1A (Risk Factors) of this Annual Report and those discussed in other documents we file with the U.S. Securities and Exchange Commission (SEC). Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time, and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements used herein. We cannot provide assurance that the results, events, and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events or circumstances could differ materially from those described in the forward-looking statements.

You should not rely on forward-looking statements as predictions of future events. Except as required by law, neither we nor any other person assumes responsibility for the accuracy and completeness of the forward-looking statements, and we undertake no obligation to update any forward-looking statements to reflect events or circumstances after the date of such statements.

Qualys, the Qualys logo and other trademarks and service marks of Qualys appearing in this Annual Report on Form 10-K are the property of Qualys. This Annual Report on Form 10-K also contains trademarks and trade names of other businesses that are the property of their respective holders. We have omitted the ® and ™ designations, as applicable, for the trademarks used in this Annual Report on Form 10-K.

3

Table of Contents



Item 1.
Business
Overview
We are a pioneer and leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions. Our integrated suite of IT, security and compliance solutions delivered on our Qualys Cloud Platform enables our customers to: 1) identify and manage their IT assets across on-premises, endpoints, cloud, containers, and mobile environments; 2) collect and analyze large amounts of IT security data; 3) discover and prioritize vulnerabilities; 4) recommend and implement remediation actions; and 5) verify the implementation of such actions. This helps organizations protect their systems and applications from ever-evolving cyber-attacks and helps achieve compliance with internal policies and external regulations.
Our cloud solutions address the growing IT, security and compliance complexities and risks that are amplified by the dissolving boundaries between internal and external IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets. Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their IT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for information technology, information security, application security, endpoint, developer security and cloud teams.
IT infrastructures are more complex and globally-distributed today than ever before, as organizations of all sizes increasingly rely upon a myriad of interconnected information systems and related IT assets, such as servers, databases, web applications, routers, switches, desktops, laptops, other physical and virtual infrastructure, and numerous external networks and cloud services. In this environment, new and evolving digital technologies intended to improve organizations’ operations can also increase vulnerability to cyber-attacks, which can expose sensitive data, damage IT and physical infrastructures, and result in serious financial or reputational consequences. In addition, the rapidly increasing amount of data and devices in IT environments makes it more difficult to identify and remediate vulnerabilities in a timely manner. The predominant approach to IT security has been to implement multiple disparate security products that can be costly and difficult to deploy, integrate and manage and may not adequately protect organizations. As a result, we believe there is a large and growing opportunity for comprehensive cloud-based IT, security and compliance solutions delivered in a single platform.
We designed our Qualys Cloud Platform to transform the way organizations secure and protect their IT infrastructures and applications. Our cloud platform offers an integrated suite of solutions that automates the lifecycle of asset discovery and management, security assessments, and compliance management for an organization’s IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on their network perimeter, on endpoints or in the cloud. Since inception, our solutions have been designed to be delivered through the cloud and to be easily and rapidly deployed on a global scale, enabling faster implementation and lower total cost of ownership than traditional on-premises enterprise software products. Our customers, ranging from some of the largest global organizations to small businesses, are served from our globally-distributed cloud platform, enabling us to rapidly deliver new solutions, enhancements and security updates.
We believe that our cloud platform provides our customers with unique advantages, including:
No hardware to buy or manage. There is no infrastructure or software to buy and maintain thus reducing our customers’ operating costs; all services are accessible in the cloud via web interface. Qualys operates and maintains the platform.
Real-time visibility in one place, anytime and anywhere. Our customers can conveniently see their security and compliance posture across their global IT asset inventory in one browser window, without plugins or a virtual private network (VPN), whenever and wherever Internet access is available.
Easy global scanning. Our customers can easily perform scans on geographically distributed and segmented networks at the perimeter, behind the firewall, on dynamic cloud environments and on endpoints.
Seamless scaling. Our cloud platform is a scalable, comprehensive, and end-to-end solution for the IT, security and compliance needs of our customers. Our customers can seamlessly add new coverage, users and services after they have deployed our platform.
Up to date resources. Qualys has one of the largest knowledge bases of vulnerability signatures in the industry. All security updates are made in real-time.
Data stored securely. Data is securely stored and processed in a multi-tiered architecture of load-balanced servers. Our encrypted databases are physically and logically secured.

4




We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their IT infrastructure and applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000. As VM gained acceptance, we introduced additional solutions to help customers manage increasing IT, security and compliance requirements. Today, the suite of solutions that we offer on our cloud platform and refer to as the Qualys Cloud Apps helps our customers protect a range of assets across on-premises, endpoints, cloud, containers, and mobile environments. These Cloud Apps address and include:
IT Security: Vulnerability Management (VM), Threat Protection (TP), Continuous Monitoring (CM), Patch Management (PM), Indication of Compromise (IOC);
Compliance Monitoring: Policy Compliance (PC), PCI Compliance (PCI), File Integrity Monitoring (FIM), Security Configuration Assessment (SCA), Security Assessment Questionnaire (SAQ), Out of-Band Configuration Assessment (OCA);
Web Application Security: Web Application Scanning (WAS), Web Application Firewall (WAF);
Global IT Asset Management: Global IT Asset Inventory (AI), CMDB Sync (SYN), Certificate Inventory (CRI); and,
Cloud/Container Security: Cloud Inventory (CI), Cloud Security Assessment (CSA), Container Security
(CS).
We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions require customers to pay a fee in order to access each of our cloud solutions. We generally invoice our customers for the entire subscription amount at the start of the subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription. We continue to experience significant revenue growth from our existing customers as they renew and purchase additional subscriptions, as well as from the addition of new customers to our cloud platform.
Our Qualys Cloud Platform is currently used by over 15,700 customers, including active subscribers of our free services, in more than 133 countries, including a majority of each of the Forbes Global 100 and Fortune 100. Our revenues increased to $321.6 million in 2019 from $278.9 million in 2018 and $230.8 million in 2017. Our VM solutions (including VM, CM, TP, Cloud Agent for VM, CS, CRI, allocated scanner revenue and Qualys Private Cloud Platform) have provided a majority of our revenues to date, representing 73% of total revenue in 2019, and 74% of total revenues in each of 2018 and 2017.
 
Our Platform
Our cloud platform consists of a suite of IT security, compliance monitoring, web application security, global IT asset management and cloud and container security solutions, which we refer to as the Qualys Cloud Apps, that leverages our shared and extensible core services and our highly scalable multi-tenant cloud infrastructure. We also provide open application program interfaces, or APIs, and other developer tools that allow third parties to embed our technology into their solutions and build applications on our cloud platform.
Our cloud platform utilizes physical and virtual sensors, and cloud agents that provide our customers with continuous visibility enabling customers to respond to threats immediately. Customers can extend visibility to all known IT infrastructure using our Out-of-Band Configuration Assessment sensor for systems that are air-gapped or otherwise difficult to assess.
The Qualys Cloud Platform automatically gathers and analyzes security and compliance data in a scalable, state-of-the-art backend. The technology underlying our cloud infrastructure enables us to ingest, process, analyze and store a high volume of sensor data coming from our agents, scanners and passive analyzers, and correlate information at very high speeds in a distributed manner for millions of devices.


5




BUSINESS1.JPG
Our cloud platform is delivered to our customers via our shared platform offering from our global data centers, or via our private platform offering, Qualys Private Cloud Platform (PCP), for customers or partners that want the platform to reside within the customer's data center. The PCP is a standalone version of our multi-layer, multi-tenant services architecture and is a fully integrated turnkey solution, making it more scalable, cost effective and faster to deploy within a customer's data center. Solutions delivered through our PCP are typically on the same subscription basis as solutions delivered through our shared platform. Our PCP utilizes hardware and software owned by us and is physically located on the customer's premises. The customer is not permitted to take possession of the software or access the software code. We also offer our PCP as a subscription-based platform services to the customer using a virtual version of our software. This virtualized PCP allows us to extend our security and compliance solutions without the complexity and cost associated with deploying traditional enterprise software. We also offer Private Cloud Platform Appliance (PCPA), an on-premises IT, security and compliance solution packaged in a form-factor for medium-sized companies.

Qualys Core Services
Our core services enable integrated workflows, management and real-time analysis and reporting across all of our IT, security and compliance solutions for our customers inside their organizations, on the perimeter, on endpoints or in the cloud.
Our core services constitute dynamic and customizable dashboards and centrally managed, self-updating integrated Cloud Apps, through what we call a “single-pane-of-glass” user interface. Our interactive, dynamic dashboards and cloud platform allow our customers to aggregate and correlate all of their IT, security and compliance data in one place, drill down into details, and generate reports customized for different audiences. Our cloud platform’s powerful Elasticsearch clusters enable customers to instantly find detailed data on any asset.

6




Our core services include:
Asset Tagging and Management. Enables customers to easily identify, categorize and manage large numbers of assets in highly dynamic IT environments and automates the process of inventory management and hierarchical organization of IT assets. Built on top of this core service is the Qualys AI framework, which is a global asset inventory service enabling our customers to search for information on any IT asset, scaling to millions of assets for customers of all sizes, helping IT and security personnel to search IT assets and maintain an up-to-date inventory on a continuous basis.
Reporting and Dashboards. A highly configurable reporting engine that provides customers with reports and dashboards based on their roles and access privileges.
Questionnaires and Collaboration. A configurable workflow engine that enables customers to easily build questionnaires and capture existing business processes and workflows to evaluate controls and gather evidence to validate and document compliance.
Remediation and Workflow. An integrated workflow engine that allows customers to automatically generate helpdesk tickets for remediation and to manage compliance exceptions based on customer-defined policies, enabling subsequent review, commentary, tracking and escalation. This engine automatically distributes remediation tasks to IT administrators upon scan completion, tracks remediation progress and closes open tickets once patches are applied and remediation is verified in subsequent scans.
Big Data Correlation and Analytics Engine. Provides Elasticsearch capabilities for indexing, searching and correlating large amounts of security and compliance data with other security incidents and third-party security intelligence data. Embedded workflows enable customers to quickly assess risk and access information for remediation, incident analysis and forensic investigations.
Alerts and Notifications. Creates email notifications to alert customers of new vulnerabilities, malware infections, scan completion, open trouble tickets and system updates.

Qualys Cloud Apps
Many organizations have an array of heterogeneous point tools that do not interoperate well and are difficult and costly to maintain and integrate, making it difficult for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to obtain a single, unified view of their organization’s security and compliance posture. The Qualys Cloud Platform and its Cloud Apps help organizations escape this tool-fragmentation dilemma by drastically simplifying their security stacks and regaining unimpeded visibility across their IT environment.
The Cloud Apps are self-updating, centrally managed and tightly integrated, and cover a broad range of functionality in areas such as IT, security, compliance monitoring, web application security, global IT asset management and cloud and container security solutions.
From inception through December 31, 2018, we have added the following Cloud Apps: VM, PC, PCI, WAS, WAF, CM, SYN, SAQ, TP, FIM, IOC, AI, SCA, CS, CI, CSA, and CRI. In 2019, we introduced Patch Management (PM) and a free version of Global IT Asset Discovery and Inventory.
We believe that our applications are easy to use and provide our customers with a high level of control because our applications are part of one platform, share a common user interface, utilize the same scanners and agents, access the same collected data, and leverage the same user permissions.
Our customers can subscribe to one or more of our IT, security and compliance Apps based on their initial needs and expand their subscriptions over time to new areas within their organization or to additional Qualys solutions. We offer four editions of our Qualys Cloud Apps: Enterprise for large enterprises, Express for medium-sized businesses, Express Lite for small-sized businesses, and Consulting Edition for consultants, consulting organizations and Managed Service Providers (MSPs).
Many of our customers use multiple Cloud Apps to develop a more complete understanding of their respective environment’s IT, security and compliance posture. The Qualys Cloud Platform currently provides the following Cloud Apps to our customers:

IT Security
Vulnerability Management (VM): VM is an industry leading and award-winning solution that automates network auditing and vulnerability management across an organization, including network discovery and mapping, asset management,

7




vulnerability reporting and remediation tracking. Driven by our comprehensive knowledge base of known vulnerabilities, VM enables cost-effective protection against vulnerabilities without substantial resource deployment.
Threat Protection (TP): Thousands of new vulnerabilities are disclosed annually. With TP, customers can pinpoint their most critical threats and identify what they need to remediate first. TP continuously correlates external threat information against a customer's vulnerabilities and IT asset inventory, so customers know which threats pose the greatest risk to their organization at any given time. As Qualys engineers continuously validate and rate new threats from internal and external sources, TP’s live feed displays the latest vulnerability disclosures and maps them to customers’ impacted IT assets. Customers can see the assets affected by each threat, and drill down into details.
Continuous Monitoring (CM): Built on top of VM, CM is a next-generation cloud service that can detect network threats and unexpected changes before they turn into breaches. Whenever CM spots an anomaly in a network, it immediately sends targeted, informative alerts to the right people for each situation and each machine. CM tracks what happens throughout public perimeters, internal networks, and cloud environments - anywhere in the world.
Patch Management (PM): PM provides automated patch deployment capabilities by correlating vulnerabilities and patches. It continuously gathers and uploads telemetry about installed software, open vulnerabilities and missing patches to the Qualys Cloud Platform. The resulting shared visibility of assets and their posture enables IT and security teams to collaborate using common vulnerability-centric terminology and provides a consistent data set to analyze, prioritize, deploy and verify patches more efficiently.
Indication of Compromise (IOC): IOC delivers threat hunting, detects suspicious activity, and confirms the presence of known and unknown malware for devices both on and off the network. From its single console, customers can monitor current and historical system activity for all on-premises servers, user endpoints, and cloud instances - even for assets that are currently offline or have been re-imaged by IT. IOC utilizes the Cloud Agent to capture endpoint activity on files, processes, mutant handles, registries, and network connections, and uploads the data to the Qualys Cloud Platform for storage, processing, and query. IOC 2.0, which was released in 2019, now provides enhanced attack detection, investigation, and response capabilities for security analysts, incident responders, and managed security service providers.

Compliance Monitoring
Policy Compliance (PC): PC performs automated security configuration assessments on IT systems throughout a network, helping to reduce risk and continuously ensure compliance with internal policies and external regulations. PC leverages out-of-the-box library content to fast-track compliance assessments using industry-recommended best practices. PC also provides a centralized, interactive console for specifying baseline standards for different hosts. By automating requirement evaluation against multiple standards for OSes, network devices, databases and server applications, PC enables the quick identification of security issues and works to prevent configuration drift. PC works to prioritize and track remediation and exceptions, while demonstrating a repeatable auditable process for compliance management.
PCI Compliance (PCI): PCI streamlines and automates compliance with PCI DSS (Payment Card Industry Data Security Standard) requirements for protecting the collection, storage, processing and transmission of cardholder data. As an Approved Scanning Vendor, Qualys has been authorized by the PCI Security Standards Council to conduct the required quarterly scans. PCI scans all Internet-facing networks and systems with Six Sigma (99.9996%) accuracy, generates reports and provides detailed patching instructions. An auto-submission feature completes the compliance process once remediation is completed.
File Integrity Monitoring (FIM): FIM logs and centrally tracks file change events on common enterprise operating systems in organizations of all sizes. FIM provides customers with a simple way to achieve centralized cloud-based visibility of activity resulting from normal patching and administrative tasks, change control exceptions or violations, or malicious activity - then reports on that system activity as part of compliance mandates. FIM collects the critical details needed to quickly identify changes and root out activity that violates policy or is potentially malicious. FIM helps customers to comply with change control policy enforcement and change monitoring requirements.
Security Configuration Assessment (SCA): SCA provides automatic assessment of IT assets’ configurations using the latest Center for Internet Security (CIS) Benchmarks for operating systems, databases, applications and network devices. SCA provides intuitive workflows for assessing, monitoring, reporting and remediating security-related configuration issues. SCA’s CIS assessments are provided via a web-based user interface and delivered from the Qualys Cloud Platform, enabling centralized management with minimal deployment overhead. SCA users can automatically create downloadable reports and view dashboards.
Security Assessment Questionnaire (SAQ): SAQ automates and streamlines third-party and internal risk assessment processes, obviating the need to perform such processes manually via email and spreadsheets. SAQ easily designs surveys

8




to assess procedural controls of IT and security policies and practices. SAQ automates the launch and monitoring of assessment campaigns, making the process agile, accurate, comprehensive, centralized, scalable and uniform across an organization. SAQ also provides tools for displaying, analyzing and acting on collected data, enabling the assessment of compliance with industry standards, regulations and internal policies of third parties, like vendors and partners, and of employees.
Out-of-Band Configuration Assessment (OCA): The OCA sensor and Cloud App allows customers to achieve complete visibility of all known IT infrastructure by pushing vulnerability and configuration data to the Qualys Cloud Platform from systems that are otherwise difficult to assess, such as highly locked-down systems, systems on disconnected or “air gap” networks, or in environments that are highly sensitive to scans. OCA’s expanded data collection approach significantly broadens the types of technologies supported by the Qualys Cloud Platform and provides deeper assessment of configuration so that customers have better visibility into potentially critical vulnerabilities and misconfigurations across their entire environment.

Web Application Security
Web Application Scanning (WAS): WAS continuously discovers and catalogs web applications – including new and unknown ones – and detects vulnerabilities and misconfigurations in web apps and APIs. Scaling to thousands of scans, it conducts incisive, thorough and precise testing of browser-based web apps, mobile app backends, and Internet of things (IoT) services. Its seamless integration with the Qualys Web Application Firewall (WAF) enables verification of attack protection and one click mitigation of vulnerabilities. WAS' powerful API enables integration with other systems and allows teams to detect issues within DevOps environments early in the application development process. Bundled malware detection capability with WAS uses reputational, behavioral, antivirus, and heuristic analyses to identify and alert on malware infecting a user's websites. By Integrating WAS with manual testing tools and bug bounty solutions, customers can build a comprehensive web application vulnerability testing program.
Web Application Firewall (WAF): WAF permits the reduction of application security cost and complexity with a unified platform to prevent any attempt to exploit vulnerabilities. Simple, scalable and adaptive, WAF enables the quick blocking of attacks, prevents disclosure of sensitive information, and controls when and where customer applications are accessed. WAF and WAS work together seamlessly. Customers scan web apps with WAS, deploy one-click virtual patches if needed in WAF, and manage it all from a centralized cloud-based portal. WAF can be deployed in minutes on prem or in the cloud, as a virtual machine or a container, supports load-balancing as well as Transport Layer Security (TLS) offloading, and does not require special hardware.

Global IT Asset Management
Global IT Asset Inventory (AI): AI constantly gathers information on all assets, including system and hardware details, running services, open ports, installed software and user accounts. Asset discovery and inventory collection is done through a combination of Qualys network scanners, Cloud Agents and passive scanners, which together collect comprehensive data from on-premises or cloud infrastructure as well as remote endpoints. In order to create consistent and uniform asset data, AI normalizes raw discovery data to standardize every manufacturer name, product name, model and software version using Qualys’ ever-evolving technology catalog as a reference. This catalog automatically extends IT asset inventory with non-discoverable metadata such as hardware and software release dates, end of life dates, and license categories. This new data layer allows teams to detect issues such as unauthorized software, outdated hardware or end-of-life software, which can help properly tag, support, and secure business-critical assets. Additionally, customers can sync their asset information with ServiceNow CMDB.
CMDB Sync (SYN): SYN is a certified application that synchronizes Qualys AI data with ServiceNow’s Configuration Management system. Device changes are immediately transmitted to the Qualys Cloud Platform and then synchronized with ServiceNow. For customers, this means an end to unidentified and misclassified assets, and to data update delays, all of which increase chances of breaches. SYN provides real-time, comprehensive visibility of IT asset inventories enabling immediate detection of security and compliance risks.
Certificate Inventory (CRI): CRI continuously scans global IT assets from a single console to discover internal and external certificates issued from any certificate authority across all enterprise IT assets, both on premise and in the cloud. As a result, certificates can be renewed before they expire, which stops certificate-related outages and improves availability. It collects all certificate, vulnerability and configuration data required for certificate inventory and analysis. CRI also reveals how many certificates are out of compliance or do not follow organizational policies for key length, for signature algorithms or for the use of trusted and approved Certificate Authorities through the use of highly customizable dashboards and provides users a comprehensive overview of Qualys SSL Labs-caliber certificate grades for internal and externally facing certificates.


9




Cloud / Container Security
Cloud Inventory (CI): CI delivers continuous visibility into public cloud accounts. In one single-pane view, it inventories virtual machines, storage buckets, databases, security groups, Access Control Lists (ACLs), Elastic Load Balancers (ELBs) and users – across all regions, multiple accounts and multiple cloud platforms. CI continuously tracks assets and enables users to quickly understand the topography of their cloud environment and uncover the root cause of incidents.
Cloud Security Assessment (CSA): CSA provides a continuous assessment of the security posture of an organization’s cloud resources against misconfigurations, malicious behavior, and nonstandard deployments. CSA evaluates resources against CIS benchmarks and best practices to identify misconfigured storage buckets, security groups, Relational Database Service, exposing data and the resource for public exploitation. CSA correlates host vulnerabilities and compliance data into intelligent insights which allow users to quickly detect risks throughout their complex cloud environments. With CSA, users gain real-time visibility into their up-to-date security and compliance posture of public clouds in one single-pane view.
Container Security (CS): CS delivers container-native visibility and protection throughout the entire lifecycle of containerized applications. It incorporates scanning of container images for software composition and enforcement of hardened container stack configurations for continuous policy compliance, whether the images are on the build machines, in the container registries or in the runtime cluster nodes. CS uses a unique 'layered-in' approach to provide deep visibility into all the application activities and automatically creates a behavior profile, which is enforced on each container for runtime protection. By integrating with CI/CD pipelines and toolchains, CS enables DevSecOps processes and transparent enforcement of security and compliance without compromising the speed and agility of containers and serverless deployment models. This leads to significant cost benefits for enterprises compared to certain legacy security solutions.

Free Services
We also offer organizations of all sizes free security and compliance services based on the Qualys Cloud Platform:
Qualys Global IT Asset Discovery and Inventory app automatically creates a continuous, real-time inventory of known and unknown assets throughout a user's global IT footprint across on-premises, endpoints, multi-cloud, mobile, containers, OT and IoT. The app also automatically normalizes and categorizes assets to ensure clean, reliable, and consistent data. In-depth asset details provide fine-grained visibility on the system, services, installed software, network, and users. It also detects any device that connects to a user's networks, via passive scanning technology. Upon an unknown device detection, users can install a light-weight Qualys self-updating agent (3MB) to turn the device into a managed device or launch a vulnerability scan.
Qualys Community Edition automatically gathers and analyzes security and compliance data from hybrid IT environments to provide a complete, continuously updated, and instant view of monitored IT assets on-premises or in the cloud, as well as web apps, from a single-pane-of-glass interface. The Community Edition is limited to one user with data retention for three months.
Qualys CloudView continuously discovers and tracks assets and resources across public cloud deployments to provide users both real-time and historical views of cloud inventory. It collects metadata about cloud assets and resources to help users understand the relationships between public cloud assets and resources across different dimensions and then discover their threat posture based on those attributes and relationships. CloudView is limited to three accounts per public cloud platform.
Qualys CertView inventories and assesses all Internet-facing certificates to generate SSL/TLS configuration grades, identifies the certificate issuer and tracks certificate expirations to help stop expired and expiring certificates from interrupting critical business functions.

Our Growth Strategy
We intend to strengthen our leadership position as a trusted provider of cloud-based IT, security and compliance solutions. The key elements of our growth strategy are:
Continue to innovate and enhance our cloud platform and suite of solutions. We intend to continue to make significant investments in research and development to extend our cloud platform’s functionality by developing new security solutions and capabilities and further enhancing our existing suite of solutions. From inception through December 31, 2018, we have added the following Cloud Apps: VM, PCI, PC, WAS, WAF, CM, SYN, SAQ, TP, FIM, IOC, AI, SCA, CS, CI, CSA, and CRI. In 2019, we introduced Patch Management (PM) and a free version of Global IT Asset Discovery and Inventory.

10




Expand the use of our suite of solutions by our large and diverse customer base. With more than 15,700 customers, including active subscribers of our free services, across many industries and geographies, we believe we have a significant opportunity to sell additional solutions to our customers and expand their use of our suite of solutions. Because our customers typically initially deploy one or two of our solutions in select parts of their IT infrastructures, our existing customers serve as a strong source of new sales as they expand their scope and increase their subscriptions or choose to adopt additional solutions from our integrated suite of IT, security and compliance offerings. In this regard, we continue to expand our sales execution and marketing functions to increase adoption of our newly developed solutions among our existing customers.
Drive new customer growth and broaden our global reach. We are pursuing new customers by targeting key accounts, releasing free IT, security and compliance services and expanding both our sales and marketing organization and network of channel partners. We will continue to seek to make significant investments to encourage organizations to replace their existing security products with our cloud solutions. We intend to expand our relationships with key security consulting organizations, managed security service providers and value-added resellers to accelerate the adoption of our cloud platform. We seek to strengthen existing relationships as well as establish new relationships to increase the distribution and market awareness of our cloud platform and target new geographic regions. We also plan to partner with such security providers that can host our private cloud offering within their data centers, helping us expand our reach in new markets and new geographies.
Selectively pursue technology acquisitions to bolster our capabilities and leadership position. We may explore acquisitions that are complementary to and can expand the functionality of our cloud platform. We may also seek to acquire development teams to supplement our own personnel and acquire technology to increase the breadth of our cloud-based IT, security and compliance solutions. In 2019, we acquired the software assets of Adya Inc. (Adya), enabling Qualys to provide companies of all sizes with the ability to consolidate administration of their Software as a Service (SaaS) applications into one console, manage license costs across SaaS applications, set and enforce security policies in one place and report and audit on all activity with a single tool. In 2018, we acquired the software assets of 1Mobility Private Limited (1Mobility), a Singapore based company, allowing Qualys to provide enterprises of all sizes with the ability to create and continuously update an inventory of mobile devices on all versions of Android, iOS and Windows Mobile in their environment; and to continuously assess their security and compliance posture, while quarantining devices that are compromised or out-of-compliance. In 2018, we also acquired Layered Insight (Layered Insight), a provider of container native application protection, delivering insight into container images, adaptive analysis of running containers, and automated enforcement of the container environments.

Our Customers
We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. As of December 31, 2019, we had over 15,700 customers, including active subscribers of our free services, in more than 133 countries, including a majority of each of the Forbes Global 100 and Fortune 100. In each of 2019, 2018 and 2017, no one customer accounted for more than 10% of our revenues. In 2019, 2018 and 2017, 64%, 67% and 70%, respectively, of our revenues were derived from customers in the United States based on our customers billing address. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force. We generate a significant portion of sales through our channel partners, including managed security service providers, value-added resellers and consulting firms in the United States and internationally.

Sales and Marketing

Sales
We market and sell our IT, security and compliance solutions to customers directly through our sales teams as well as indirectly through our network of channel partners.
Our global sales force is organized into a field sales team, which focuses on enterprises, generally including organizations with more than 5,000 employees, and an inside sales team, which focuses on small to medium-sized businesses, which generally include organizations with less than 5,000 employees. Both our field and inside sales teams are divided into three geographic regions, including the Americas; Europe, Middle East and Africa; and Asia-Pacific. We also further segment each of our sales teams into groups that focus on adding new customers or managing relationships with existing customers.

11




Our channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customers with services and third-party solutions to help meet those customers’ evolving security and compliance requirements. As such, these partners offer our IT, security and compliance solutions in conjunction with one or more of their own products or services and act as a conduit through which we can connect with these prospective customers to offer our solutions. Our channel partners include security consulting organizations, managed service providers and resellers, such as Accenture, BT Managed Security, Cognizant Technology Solutions, Deutsche Telekom, DXC Technology, Fujitsu, Hindustan Computers Limited (HCL) Technologies, International Business Machines (IBM), Infosys, Nippon Telegraph and Telephone Corporation (NTT), Optiv, SecureWorks, Tata Communications, Verizon and Wipro. Qualys has also established strategic partnerships with leading cloud providers like Amazon Web Services, Microsoft Azure and the Google Cloud Platform.
For sales involving a channel partner, the channel partner engages with the prospective customer directly and involves our sales team as needed to assist in developing and closing an order. When a channel partner secures a sale, we sell the associated subscription to the channel partner who in turn resells the subscription to the customer, with the channel partner earning a fee based on the total value of the order. Once the order is completed, we provide these customers with direct access to our solutions and other associated back-office applications, enabling us to establish a direct relationship as part of ensuring customer satisfaction with our solutions. At the end of the subscription term, the channel partner engages with the customer to execute a renewal order, with our sales team providing assistance as required. In 2019, 2018 and 2017, 42%, 41% and 39%, respectively, of our revenues were generated by channel partners.

Marketing
Our marketing programs include a variety of online marketing, advertising, conferences, events, public relations activities and web-based seminar campaigns targeted at key decision makers within our prospective customers.
We have a number of marketing initiatives to build awareness and encourage customer adoption of our solutions. We offer free trials and services to allow prospective customers to experience the quality of our solutions, to learn in detail about the features and functionality of our cloud platform, and to quantify the potential benefits of our solutions.
Customer Support
Qualys Support delivers 24x7x365 day customer technical support from global centers located in Foster City, California; Raleigh, North Carolina; and Pune, India. We recruit senior level technical personnel and trained subject matter experts who work closely with engineering and operations personnel to resolve issues quickly. Our IT, security and compliance solutions can be deployed easily and are designed to be implemented and operated without the need for significant professional services. We also offer various training programs as part of our subscriptions to all of our customers. In addition, we leverage the insights drawn from our customers to further improve the functionality of our IT, security and compliance solutions. Our mission is to ensure customer satisfaction and play a critical role in retaining and expanding our customer base.
Research and Development and Operations
We devote significant resources to maintain, enhance and add new functionality to our Qualys Cloud Platform and the integrated suite of solutions that we offer. Our development organization consists of agile engineering teams with substantial security expertise in specific areas of our solutions. In addition to our development teams, we also built a sophisticated research team focused on identifying threats and developing signatures for vulnerabilities and compliance checks so that we can provide our customers with daily updates and enable them to scan their assets for the latest threats. We conduct our research and development in the United States, France and India, which gives us access to some of the best research and engineering talent in the world. Our focus remains to attract engineering talent as we continue to add new solutions and improve existing ones.
Our development team works closely with our customers and partners to gain valuable insights into their environments and gather feedback for threat research, product development and innovations. We typically release updates to our solutions, including enhancements and new features multiple times a year, and we measure the quality of our scan results on a frequent basis in an effort to maintain the highest level of scan accuracy.
The modular architecture of our cloud platform enables our engineering teams to simultaneously work on different features, accelerating the delivery of new functionalities to customers. Our research and development team also works collaboratively with our technical support team to ensure customer satisfaction and with our sales team to accelerate the adoption of our solutions.

12




Manufacturing Agreement
Our physical appliances are provided by SYNNEX Corporation (SYNNEX), pursuant to a manufacturing services agreement dated March 1, 2011. Under this agreement, SYNNEX manufactures, assembles and tests our physical scanner appliances. This agreement is automatically renewed annually, unless terminated (i) at any time upon the mutual written agreement of us and SYNNEX, (ii) by either party upon 90 days or more written notice, (iii) upon written notice, subject to applicable cure periods, if the other party has materially breached its obligations under the agreement or (iv) by either party upon the other party seeking an order for relief under the bankruptcy laws of the United States or similar laws of any other jurisdiction, a composition with or assignment for the benefit of creditors, or dissolution or liquidation.
Data Center Agreements
Our data center operations are provided by large third-party data center vendors and are located in the United States, Canada, Switzerland, the Netherlands and India. Our data center agreements have varying terms through 2022.
Competition
The expanding capabilities of our IT, security and compliance solutions have enabled us to address a growing array of opportunities in the cloud IT, security and compliance market. We compete with a large and broad array of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a highly fragmented and competitive environment.
We compete with large and small public companies, such as Belden (Tripwire), Broadcom (Symantec Enterprise Security), CrowdStrike, F5 Networks, FireEye, Forescout Technologies, International Business Machines, Micro Focus International, Rapid7, Palo Alto Networks, and Tenable Holdings, as well as privately held security providers including Barracuda Networks, BeyondTrust Software, Flexera, Imperva, McAfee, Tanium, Trustwave Holdings, Venafi, and Veracode. We also seek to replace IT, security and compliance solutions that organizations have developed internally. As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as web application scanning and firewalls, we expect to face additional competition in these new markets. Our competitors may also attempt to further expand their presence in the IT, security and compliance market and compete more directly against one or more of our solutions.
We believe that the principal competitive factors affecting our markets include product functionality, breadth of product offerings, flexibility of delivery models, ease of deployment and use, total cost of ownership, scalability and performance, customer support and extensibility of platform. We believe that our suite of solutions generally competes favorably with respect to these factors. However, many of our primary competitors have greater name recognition, longer operating histories, more established customer relationships, larger marketing budgets and significantly greater resources than we do.
Intellectual Property
We rely on a combination of trade secrets, copyrights, patents and trademarks, as well as contractual protections, to establish and protect our intellectual property rights and protect our proprietary technology. As of December 31, 2019, we have eighteen issued patents, several pending U.S. patent applications and an exclusive license to four U.S. patents, which was obtained in connection with our acquisition of Nemean in 2010. The inbound license remains in effect until the licensed patents are no longer enforceable, unless the applicable license agreement is first terminated by us or terminated by the licensor for a breach of the agreement or if we undergo certain bankruptcy events. The licenses are currently exclusive and will remain exclusive so long as we make an appropriately-timed written election and pay an annual fixed royalty for ten years thereafter. These exclusive licenses are subject to the licensor’s reservation of certain rights in the patents and subject to the U.S. government’s reserved rights in the technology. We have a number of registered and unregistered trademarks. We require our employees, consultants and other third parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation and other proprietary information. We view our trade secrets and know-how as a significant component of our intellectual property assets, as we have spent years designing and developing the Qualys Cloud Platform, which we believe differentiates us from our competitors.
We expect that software and other solutions in our industry may be subject to third-party infringement claims as the number of competitors grows and the functionality of products in different industry segments overlaps. Any of these third parties might make a claim of infringement against us at any time.


13




Employees
As of December 31, 2019, we had 1,289 full-time employees, including 659 in research and development, 267 in sales and marketing, 236 in operations and customer support and 127 in general and administrative. As of December 31, 2019, we had 389 employees in the United States and 900 employees internationally. None of our U.S. employees are covered by collective bargaining agreements. Employees in certain European countries have collective bargaining arrangements at the national level. We believe our employee relations are good and we have not experienced any work stoppages. As of December 31, 2019, approximately 70% of our employees were located outside the United States, with 61% of our employees located in Pune, India.

Available Information
Our principal executive offices are located at 919 E. Hillsdale Blvd., 4th Floor, Foster City, California 94404. The telephone number of our principal executive offices is (650) 801-6100, and our main corporate website is www.qualys.com. Information contained on, or that can be accessed through, our website, does not constitute part of this Annual Report on Form 10-K and inclusion of our website address in this Annual Report on Form 10-K is an inactive textual reference only.
We make available our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to those reports filed or furnished pursuant to Section 13(a) or Section 15(d) of the Securities Exchange Act of 1934, as amended, free of charge on our website, www.qualys.com as soon as reasonably practicable after they are electronically filed with or furnished to the SEC. Additionally, copies of materials filed by us with the SEC may be accessed at the SEC's website, www.sec.gov.

14





Item 1A.
Risk Factors
An investment in our common stock involves a high degree of risk. You should carefully consider the risks and uncertainties described below, and all other information contained in this Annual Report on Form 10-K, including our consolidated financial statements and the related notes, before making a decision to invest in our common stock. Our business, operating results, financial condition, or prospects could be materially and adversely affected by any of these risks and uncertainties. In that case, the trading price of our common stock could decline, and you might lose all or part of your investment. In addition, the risks and uncertainties discussed below are not the only ones we face. Our business, operating results, financial performance or prospects could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material.

Subscriptions to our Vulnerability Management solutions generate most of our revenues, and if we are unable to continue to renew and grow subscriptions for these solutions, our operating results would suffer.
We derived approximately 73%, 74% and 74% of our revenues from subscriptions to our VM solutions for the years ended December 31, 2019, 2018 and 2017, respectively.
We expect to continue to derive a significant majority of our revenues from subscriptions to our VM solutions. As a result, the market demand for our VM solutions is critical to our continued success. Demand for these solutions is affected by a number of factors beyond our control, including continued market acceptance of our solution for existing and new use cases, the timing of development and release of new products or services by our competitors, technological change, and growth or contraction in our market. Our inability to renew or increase subscriptions for this solution or a decline in price of this solution would harm our business and operating results more seriously than if we derived significant revenues from a variety of solutions.

Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.

Our operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including:
the level of demand for our solutions;
publicity regarding security breaches generally and the level of perceived threats to IT security;
expenses associated with our existing and new products and services;
changes in customer renewals of our solutions;
the extent to which customers subscribe for additional solutions;
seasonal buying patterns of our customers;
security breaches, technical difficulties or interruptions with our service;
changes in the growth rate of the IT, security and compliance market;
the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors;
the introduction or adoption of new technologies that compete with our solutions;
decisions by potential customers to purchase IT, security and compliance products or services from other vendors;
the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business;
the timing of sales commissions relative to the recognition of revenues;
the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates;
failure of our products and services to operate as designed;
price competition;

15




the length of our sales cycle for our products and services;
insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solutions;
timely invoicing or changes in billing terms of customers;
timing of deals signed within the quarter;
pace and cost of hiring employees;
changes in foreign currency exchange rates;
general economic conditions, both domestically and in the foreign markets in which we sell our solutions;
future accounting pronouncements or changes in our accounting policies;
our ability to integrate any products or services that we may acquire in the future into our product suite or migrate existing customers of any companies that we may acquire in the future to our products and services;
our effective tax rate;
the amount and timing of income tax benefits that we recognize resulting from excess tax benefits related to stock-based compensation;
the timing of expenses related to the development or acquisition of technologies, services or businesses; and
potential goodwill and intangible asset impairment charges associated with acquired businesses.
Further, the interpretation and application of international laws and regulations in many cases is uncertain, and our legal and regulatory obligations in foreign jurisdictions are subject to frequent and unexpected changes, including the potential for various regulatory or other governmental bodies to enact new or additional laws or regulations or to issue rulings that invalidate prior laws or regulations.
For example, a Data Protection Act that substantially implements the European Union’s General Data Protection Regulation (GDPR) was implemented in the United Kingdom in May 2018, and "Brexit" could also lead to further legislative and regulatory changes. It is unclear, however, how United Kingdom data protection laws or regulations will develop in the medium to longer term, and how data transfers to and from the United Kingdom will be regulated.
Each factor above or discussed elsewhere in this Annual Report on Form 10-K or the cumulative effect of some of these factors may result in fluctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operating results, or those of securities analysts or investors, for a particular period. In addition, a significant percentage of our operating expenses are fixed in nature and based on forecasted trends in revenues. Accordingly, in the event of shortfalls in revenues, we are generally unable to mitigate the negative impact on margins in the short term by reducing our operating expenses. If we fail to meet or exceed expectations for our operating results for these or any other reasons, the trading price of our common stock could fall and we could face costly lawsuits, including securities class action suits.

If we do not successfully anticipate market needs and opportunities or are unable to enhance our solutions and develop new solutions that meet those needs and opportunities on a timely or cost-effective basis, we may not be able to compete effectively and our business and financial condition may be harmed.
The IT, security and compliance market is characterized by rapid technological advances, customer price sensitivity, short product and service life cycles, intense competition, changes in customer requirements, frequent new product introductions and enhancements and evolving industry standards and regulatory mandates. Any of these factors could create downward pressure on pricing and gross margins, and could adversely affect our renewal rates, as well as our ability to attract new customers. Our future success will depend on our ability to enhance existing solutions, introduce new solutions on a timely and cost-effective basis, meet changing customer needs, extend our core technology into new applications, and anticipate and respond to emerging standards and business models. We must also continually change and improve our solutions in response to changes in operating systems, application software, computer and communications hardware, networking software, data center architectures, programming tools and computer language technology.
We may not be able to anticipate future market needs and opportunities or develop enhancements or new solutions to meet such needs or opportunities in a timely manner or at all. The market for cloud solutions for IT, security and compliance continues to evolve, and it is uncertain whether our new solutions will gain market acceptance.
Our solution enhancements or new solutions could fail to attain sufficient market acceptance for many reasons, including:
failure to timely meet market demand for product functionality;

16




inability to identify and provide intelligence regarding the attacks or techniques used by cyber-attackers;
inability to inter-operate effectively with the database technologies, file systems or web applications of our prospective customers;
defects, errors or failures;
delays in releasing our enhancements or new solutions;
negative publicity about their performance or effectiveness;
introduction or anticipated introduction of products by our competitors;
poor business conditions, causing customers to delay IT, security and compliance purchases;
easing or changing of external regulations related to IT, security and compliance; and
reluctance of customers to purchase cloud solutions for IT, security and compliance.
Furthermore, diversifying our solutions and expanding into new IT, security and compliance markets will require significant investment and planning, require that our research and development and sales and marketing organizations develop expertise in these new markets, bring us more directly into competition with IT, security compliance providers that may be better established or have greater resources than we do, require additional investment of time and resources in the development and training of our channel partners and entail significant risk of failure.
If we fail to anticipate market requirements or fail to develop and introduce solution enhancements or new solutions to satisfy those requirements in a timely manner, such failure could substantially decrease or delay market acceptance and sales of our present and future solutions and cause us to lose existing customers or fail to gain new customers, which would significantly harm our business, financial condition and results of operations.

If we fail to continue to effectively scale and adapt our platform to meet the performance and other requirements of our customers, our operating results and our business would be harmed.
Our future growth depends upon our ability to continue to meet the expanding needs of our customers as their use of our cloud platform grows. As these customers gain more experience with our solutions, the number of users and the number of locations where our solutions are being accessed may expand rapidly in the future. In order to ensure that we meet the performance and other requirements of our customers, we intend to continue to make significant investments to develop and implement new proprietary and third-party technologies at all levels of our cloud platform. These technologies, which include databases, applications and server optimizations, and network and hosting strategies, are often complex, new and unproven. We may not be successful in developing or implementing these technologies. To the extent that we do not effectively scale our platform to maintain performance as our customers expand their use of our platform, our operating results and our business may be harmed.

If we are unable to sell subscriptions to additional solutions, our future revenue growth may be harmed and our business may suffer.
We will need to increase the revenues that we derive from our current and future solutions other than VM for our business and revenues to grow as we expect. Revenues from our other solutions such as Policy Compliance, PCI Compliance, Web Application Scanning, Web Application Firewall, CMDB Sync, Security Assessment Questionnaire, File Integrity Monitoring, Indication of Compromise, Global IT Asset Inventory, Security Configuration Assessment, Cloud Security Assessment and Patch Management have been relatively modest compared to revenues from our VM solutions. Our future success depends in part on our ability to sell subscriptions to these additional solutions to existing and new customers. This may require more costly sales and marketing efforts and may not result in additional sales. If our efforts to sell subscriptions to additional solutions to existing and new customers are not successful, our business may suffer.

If the market for cloud solutions for IT, security and compliance does not evolve as we anticipate, our revenues may not grow and our operating results would be harmed.
Our success depends to a significant extent on the willingness of organizations to increase their use of cloud solutions for their IT, security and compliance. To date, some organizations have been reluctant to use cloud solutions because they have concerns regarding the risks associated with the reliability or security of the technology delivery model associated with these solutions. If other cloud service providers experience security incidents, loss of customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole, including our solutions, may be negatively impacted. Moreover, many organizations have invested substantial personnel and financial resources to integrate on-premise software into their businesses, and as a result may be reluctant or unwilling to migrate to a cloud solution. Organizations that use on-

17




premise security products, such as network firewalls, security information and event management products or data loss prevention solutions, may also believe that these products sufficiently protect their IT infrastructure and deliver adequate security. Therefore, they may continue spending their IT security budgets on these products and may not adopt our IT, security and compliance solutions in addition to or as a replacement for such products.
If customers do not recognize the benefits of our cloud solutions over traditional on-premise enterprise software products, and as a result we are unable to increase sales of subscriptions to our solutions, then our revenues may not grow or may decline, and our operating results would be harmed.

Our current research and development efforts may not produce successful products or enhancements to our platform that result in significant revenue, cost savings or other benefits in the near future.
We must continue to dedicate significant financial and other resources to our research and development efforts if we are to maintain our competitive position. However, developing products and enhancements to our platform is expensive and time consuming, and there is no assurance that such activities will result in significant new marketable products or enhancements to our platform, design improvements, cost savings, revenue or other expected benefits. If we spend significant resources on research and development and are unable to generate an adequate return on our investment, our business and results of operations may be materially and adversely affected.

Our platform, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and adversely impact our reputation and future sales.
We and our service providers face threats from a variety of sources, including attacks on our networks and systems from numerous sources, including traditional “hackers,” sophisticated nation-state and nation-state supported actors, other sources of malicious code (such as viruses and worms), and phishing attempts. We and our service providers could be a target of cyber-attacks or other malfeasance designed to impede the performance of our solutions, penetrate our network security or the security of our cloud platform or our internal systems, misappropriate proprietary information and/or cause interruptions to our services. Our solutions, platforms, and system, and those of our service providers, may also suffer security incidents as a result of non-technical issues, including intentional or inadvertent acts or omissions by our employees or service providers. Because our operations involve providing IT security solutions to our customers, we may be targeted for cyber-attacks and other security incidents. A breach in our data security or an attack against our service availability, or that of our third-party service providers, could impact our networks or networks secured by our solutions, creating system disruptions or slowdowns and exploiting security vulnerabilities of our solutions, and the information stored on our networks or those of our third-party service providers could be accessed, publicly disclosed, altered, lost, or stolen, which could subject us to liability and cause us financial harm. If an actual or perceived disruption in the availability of our solutions or the breach of our security measures or those of our service providers occurs, it could adversely affect the market perception of our solutions, result in a loss of competitive advantage, have a negative impact on our reputation, or result in the loss of customers, channel partners and sales, and it may expose us to the loss or alteration of information, litigation, regulatory actions and investigations and possible liability. Any such actual or perceived security breach or disruption could also divert the efforts of our technical and management personnel. We also may incur significant costs and operational consequences of investigating, remediating, eliminating and putting in place additional tools and devices designed to prevent actual or perceived security incidents, as well as the costs to comply with any notification obligations resulting from any security incidents. In addition, any such actual or perceived security breach could impair our ability to operate our business and provide solutions to our customers. If this happens, our reputation could be harmed, our revenues could decline and our business could suffer.
Although we maintain insurance coverage that may be applicable to certain liabilities in the event of a security breach or other security incident, we cannot be certain that our insurance coverage will be adequate for liabilities that actually are incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material and adverse effect on our business, including our financial condition, operating results and reputation.

Our business depends substantially on retaining our current customers, and any reduction in our customer renewals or revenues from such customers could harm our future operating results.
We offer our Qualys Cloud Platform and integrated suite of solutions pursuant to a software-as-a-service model, and our customers purchase subscriptions from us that are generally one year in length. Our customers have no obligation to renew their subscriptions after their subscription period expires, and they may not renew their subscriptions at the same or higher levels or at all. As a result, our ability to grow depends in part on customers renewing their existing subscriptions and purchasing additional subscriptions and solutions. Our customers may choose not to renew their subscriptions to our solutions

18




or purchase additional solutions due to a number of factors, including their satisfaction or dissatisfaction with our solutions, the prices of our solutions, the prices of products or services offered by our competitors, reductions in our customers’ spending levels due to the macroeconomic environment or other factors. If our customers do not renew their subscriptions to our solutions, renew on less favorable terms, or do not purchase additional solutions or subscriptions, our revenues may grow more slowly than expected or decline and our results of operations may be harmed.

If we are unable to continue to attract new customers and grow our customer base, our growth could be slower than we expect and our business may be harmed.
We believe that our future growth depends in part upon increasing our customer base. Our ability to achieve significant growth in revenues in the future will depend, in large part, upon continually attracting new customers and obtaining subscription renewals to our solutions from those customers. If we fail to attract new customers our revenues may grow more slowly than expected and our business may be harmed.

Our sales cycle can be long and unpredictable, and our sales efforts require considerable time and expense. As a result, revenues may vary from period to period, which may cause our operating results to fluctuate and could harm our business.
The timing of sales of subscriptions for our solutions can be difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large transactions. We sell subscriptions to our IT, security and compliance solutions primarily to IT departments that are managing a growing set of user and compliance demands, which has increased the complexity of customer requirements to be met and confirmed during the sales cycle and prolonged our sales cycle. Further, the length of time that potential customers devote to their testing and evaluation, contract negotiation and budgeting processes varies significantly, which has also made our sales cycle long and unpredictable. The length of the sales cycle for our solutions typically ranges from six to twelve months but can be more than eighteen months. In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result we could lose other sales opportunities or incur expenses that are not offset by an increase in revenues, which could harm our business.

Adverse economic conditions or reduced IT spending may adversely impact our business.
Our business depends on the overall demand for IT and on the economic health of our current and prospective customers. Economic weakness, customer financial difficulties, and constrained spending on IT security may result in decreased revenue and earnings. Such factors could make it difficult to accurately forecast our sales and operating results and could negatively affect our ability to provide accurate forecasts to our contract manufacturers. In addition, continued governmental budgetary challenges in the United States and Europe and geopolitical turmoil in many parts of the world have and may continue to put pressure on global economic conditions and overall spending on IT security. General economic weakness may also lead to longer collection cycles for payments due from our customers, an increase in customer bad debt, restructuring initiatives and associated expenses, and impairment of investments. Furthermore, the continued weakness and uncertainty in worldwide credit markets, including the sovereign debt situation in certain countries in the European Union, may adversely impact our customers' available budgetary spending, which could lead to delays in planned purchases of our solutions.
Additionally, concerns regarding the effects of the "Brexit" decision, uncertainties related to changes in public policies such as domestic and international regulations, taxes or international trade agreements as well as geopolitical turmoil and other disruptions to global and regional economies and markets in many parts of the world, have and may continue to put pressure on global economic conditions and overall spending on IT security. We have operations, as well as current and potential customers, throughout most of Europe. If economic conditions in Europe and other key markets for our platform continue to remain uncertain or deteriorate further, many customers may delay or reduce their IT spending.
Uncertainty about future economic conditions also makes it difficult to forecast operating results and to make decisions about future investments. Future or continued economic weakness for us or our customers, failure of our customers and markets to recover from such weakness, customer financial difficulties, and reductions in spending on IT security could have a material adverse effect on demand for our platform and consequently on our business, financial condition and results of operations.


19




Our IT, security and compliance solutions are delivered from six data centers, and any disruption of service at these facilities would interrupt or delay our ability to deliver our solutions to our customers which could reduce our revenues and harm our operating results.
We currently host substantially all of our solutions from third-party data centers located in the United States, Canada, Switzerland, the Netherlands and India. These facilities are vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, cybersecurity attacks, terrorist attacks, employee negligence, power losses, telecommunications failures and similar events. The facilities also could be subject to break-ins, sabotage, intentional acts of vandalism and other misconduct. The occurrence of a natural disaster, an act of terrorism or misconduct, a decision to close the facilities without adequate notice or other unanticipated problems could result in interruptions in our services.
Some of our data centers are not currently redundant and we may not be able to rapidly move our customers from one data center to another, which may increase delays in the restoration of our service for our customers if an adverse event occurs. We have added data center facilities to provide additional capacity for our cloud platform and to enable disaster recovery. We continue to build out these facilities; however, these additional facilities may not be operational in the anticipated time-frame and we may incur unplanned expenses.
Additionally, our existing data center facilities providers have no obligations to renew their agreements with us on commercially reasonable terms, or at all. If we are unable to renew our agreements with the facilities providers on commercially reasonable terms or if in the future we add additional data center facility providers, we may experience costs or downtime in connection with the loss of an existing facility or the transfer to, or addition of, new data center facilities.
Any disruptions or other performance problems with our solutions could harm our reputation and business and may damage our customers’ businesses. Interruptions in our service delivery might reduce our revenues, cause us to issue credits to customers, subject us to potential liability and cause customers to terminate their subscriptions or not renew their subscriptions.

If we are unable to increase market awareness of our company and our new solutions, our revenues may not continue to grow, or may decline.
We have a limited operating history, particularly in certain markets and solution offerings, and we believe that we need to continue to develop market awareness in the IT, security and compliance market. Market awareness of our capabilities and solutions is essential to our continued growth and success in all of our markets, particularly for the large enterprise, service provider and government markets. If our marketing programs are not successful in creating market awareness of our company and our full suite of solutions, our business, financial condition and results of operations may be adversely affected, and we may not be able to achieve our expected growth.

We face competition in our markets, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
We compete with a large range of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a highly fragmented and competitive environment. We face significant competition for each of our solutions from companies with broad product suites and greater name recognition and resources than we have, as well as from small companies focused on specialized security solutions.
We compete with large and small public companies, such as Belden (Tripwire), Broadcom (Symantec Enterprise Security), CrowdStrike, F5 Networks, FireEye, Forescout Technologies, International Business Machines, Micro Focus International, Rapid7, Palo Alto Networks, and Tenable Holdings, as well as privately held security providers including Barracuda Networks, BeyondTrust Software, Flexera, Imperva, McAfee, Tanium, Trustwave Holdings, Venafi, and Veracode. We also seek to replace IT, security and compliance solutions that organizations have developed internally. As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as web application scanning and firewalls, we expect to face additional competition in these new markets. Our competitors may also attempt to further expand their presence in the IT, security and compliance market and compete more directly against one or more of our solutions.
We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery models, ease of deployment and use, total cost of ownership, scalability and performance, customer support and extensibility of platform. Many of our existing and potential competitors have competitive advantages, including:
greater brand name recognition;
larger sales and marketing budgets and resources;
broader distribution networks and more established relationships with distributors and customers;

20




access to larger customer bases;
greater customer support resources;
greater resources to make acquisitions;
greater resources to develop and introduce products that compete with our solutions;
greater resources to meet relevant regulatory requirements; and
substantially greater financial, technical and other resources.
As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or customer requirements. With the introduction of new technologies, the evolution of our service and new market entrants, we expect competition to intensify in the future.
In addition, some of our larger competitors have substantially broader product offerings and can bundle competing products and services with other software offerings. As a result, customers may choose a bundled product offering from our competitors, even if individual products have more limited functionality than our solutions. These competitors may also offer their products at a lower price as part of this larger sale, which could increase pricing pressure on our solutions and cause the average sales price for our solutions to decline. These larger competitors are also often in a better position to withstand any significant reduction in capital spending, and will therefore not be as susceptible to economic downturns.
Furthermore, our current and potential competitors may establish cooperative relationships among themselves or with third parties that may further enhance their resources and product and services offerings in the markets we address. In addition, current or potential competitors may be acquired by third parties with greater available resources. As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do. For all of these reasons, we may not be able to compete successfully against our current or future competitors.

If our solutions fail to help our customers achieve and maintain compliance with regulations and industry standards, our revenues and operating results could be harmed.
We generate a portion of our revenues from solutions that help organizations achieve and maintain compliance with regulations and industry standards. For example, many of our customers subscribe to our IT, security and compliance solutions to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council, or the PCI Council, which apply to companies that store cardholder data. Industry organizations like the PCI Council may significantly change their security standards with little or no notice, including changes that could make their standards more or less onerous for businesses. Governments may also adopt new laws or regulations, or make changes to existing laws or regulations, that could impact the demand for or value of our solutions.
If we are unable to adapt our solutions to changing regulatory standards in a timely manner, or if our solutions fail to assist with or expedite our customers’ compliance initiatives, our customers may lose confidence in our solutions and could switch to products offered by our competitors. In addition, if regulations and standards related to data security, vulnerability management and other IT, security and compliance requirements are relaxed or the penalties for non-compliance are changed in a manner that makes them less onerous, our customers may view government and industry regulatory compliance as less critical to their businesses, and our customers may be less willing to purchase our solutions. In any of these cases, our revenues and operating results could be harmed.

We may not maintain profitability in the future.
We may not be able to sustain or increase our growth or maintain profitability in the future. We plan to continue to invest in our infrastructure, new solutions, research and development and sales and marketing, and as a result, we cannot assure you that we will maintain profitability. We may incur losses in the future for a number of reasons, including without limitation, the other risks and uncertainties described in this Annual Report on Form 10-K. Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that may result in losses in future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmed and we may not again achieve or maintain profitability in the future.


21




The sales prices of our solutions are subject to competitive pressures and may decrease, which may reduce our gross profits and adversely impact our financial results.
The sales prices for our solutions may decline for a variety of reasons, including competitive pricing pressures, discounts, a change in our mix of solutions and subscriptions, anticipation of the introduction of new solutions or subscriptions, or promotional programs. Competition continues to increase in the market segments in which we participate, and we expect competition to further increase in the future, thereby leading to increased pricing pressures. Larger competitors with more diverse product and service offerings may reduce the price of products or subscriptions that compete with ours or may bundle them with other products and subscriptions. Additionally, although we price our products and subscriptions worldwide in U.S. Dollars, Euros, British Pounds, Canadian Dollars, Japanese Yen and Indian Rupee, currency fluctuations in certain countries and regions may negatively impact actual prices that partners and customers are willing to pay in those countries and regions, or the effective prices we realize in our reporting currency. We cannot assure you that we will be successful in developing and introducing new offerings with enhanced functionality on a timely basis, or that our new product and subscription offerings, if introduced, will enable us to maintain our prices and gross profits at levels that will allow us to maintain positive gross margins and profitability.

If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.
If our solutions fail to detect vulnerabilities in our customers’ IT infrastructures, or if our solutions fail to identify and respond to new and increasingly complex methods of attacks, our business and reputation may suffer. There is no guarantee that our solutions will detect all vulnerabilities. Additionally, our IT, security and compliance solutions may falsely detect vulnerabilities or threats that do not actually exist. For example, some of our solutions rely on information on attack sources aggregated from third-party data providers who monitor global malicious activity originating from a variety of sources, including anonymous proxies, specific IP addresses, botnets and phishing sites. If the information from these data providers is inaccurate, the potential for false indications of security vulnerabilities increases. These false positives, while typical in the industry, may impair the perceived reliability or usability of our solutions and may therefore adversely impact market acceptance of our solutions and could result in negative publicity, loss of customers and sales, increased costs to remedy any incorrect information or problem, or claims by aggrieved parties. Similar issues may be generated by the misuse of our tools to identify and exploit vulnerabilities.
Further, our solutions sometimes are tested against other security products, and may fail to perform as effectively, or to be perceived as performing as effectively, as competitive products for any number of reasons, including misconfiguration. To the extent current or potential customers, channel partners, or others believe there has been an occurrence of an actual or perceived failure of our solutions to detect a vulnerability or otherwise to function as effectively as competitive products in any particular test, or indicates our solutions do not provide significant value, our business, competitive position, and reputation could be harmed.
In addition, our solutions do not currently extend to cover mobile devices or personal devices that employees may bring into an organization. As such, our solutions would not identify or address vulnerabilities in mobile devices, such as mobile phones or tablets, or personal devices, and our customers’ IT infrastructures may be compromised by attacks that infiltrate their networks through such devices.
An actual or perceived security breach or theft of the sensitive data of one of our customers, regardless of whether the breach is attributable to the failure of our solutions, could adversely affect the market’s perception of our security solutions.

Incorrect or improper implementation or use of our solutions could result in customer dissatisfaction and harm our business and reputation.
If our customers are unable to implement our solutions successfully, customer perceptions of our platform and solutions may be impaired or our reputation and brand may suffer. Our customers have in the past inadvertently misused our solutions, which triggered downtime in their internal infrastructure until the problem was resolved. Additionally, any failure to implement and configure our solutions correctly may result in our solutions failing to detect vulnerabilities or compliance issues, or otherwise to perform effectively, and may result in disruptions to our customers’ IT environments and businesses. Any misuse of our solutions, including any failure to implement and configure them appropriately, could result in disruption to our customers’ businesses, customer dissatisfaction, negative impacts on the perceived reliability or effectiveness of our solutions, and claims and litigation, and may result in negative press coverage, negative effects on our reputation and competitive position, a loss of sales, customers, and channel partners, and harm our financial results.


22




Undetected software errors or flaws in our solutions could harm our reputation, decrease market acceptance of our solutions or result in liability.
Our solutions may contain undetected errors or defects when first introduced or as new versions are released. We have experienced these errors or defects in the past in connection with new solutions and solution upgrades and we expect that these errors or defects will be found from time to time in the future in new or enhanced solutions after commercial release of these solutions. Since our customers use our solutions for security and compliance reasons, any errors, defects, disruptions in service or other performance problems with our solutions, or any other failure of our solutions to detect vulnerabilities or compliance problems or otherwise to perform effectively, may result in disruptions or damage to the business of our customers, including security breaches or compliance failures. Additionally, any such issues, or the perception that they have occurred, whether or not relating to any actual or perceived error or defect in our solutions, could hurt our reputation and competitive position and we may incur significant costs, the attention of key personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew, we could face a loss of sales, customers, and channel partners, and other significant problems with our relationships with customers and channel partners may arise. We may also be subject to liability claims for damages related to actual or perceived errors or defects in our solutions. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our solutions may harm our business, competitive and financial position, and operating results.
Although we maintain insurance coverage that may be applicable to certain liabilities in connection with these matters, we cannot be certain that our insurance coverage will be adequate for liabilities that actually are incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material and adverse effect on our business, including our financial condition, operating results and reputation.

Our solutions could be used to collect and store personal information of our customers’ employees or customers, and therefore privacy and other data handling concerns could result in additional cost and liability to us or inhibit sales of our solutions.
We collect the names and email addresses of our customers in connection with subscriptions to our solutions. Additionally, the data that our solutions collect to help secure and protect the IT infrastructure of our customers may include additional personal or confidential information of our customers’ employees and their customers. Personal privacy has become a significant issue in the United States and in many other countries where we offer our solutions. The regulatory framework for privacy issues worldwide is currently evolving and is likely to remain uncertain for the foreseeable future. Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations regarding the collection, use, disclosure and retention of personal information. In the United States, these include, for example, rules and regulations promulgated under the authority of the Federal Trade Commission, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and state breach notification laws. Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply.
These privacy, data protection and information security laws and regulations may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions. Additionally, new laws and regulations relating to privacy and data protection continue to be proposed and enacted. For example, the European Union has adopted the GDPR. This regulation, which took effect in May of 2018, causes EU data protection requirements to be more stringent and provides for greater penalties. The GDPR may be subject to new or changing interpretations by courts, and our interpretation of the law and efforts to comply with the rules and regulations of the law may be ruled invalid. Noncompliance with the GDPR can trigger fines of up to €20 million or 4% of global annual revenues, whichever is higher. Similarly, California recently enacted the California Consumer Privacy Act (“CCPA”), which, among other things, requires covered companies to provide new disclosures to California consumers and afford such consumers new rights to opt-out of certain sales of personal information. The CCPA creates a private right of action for statutory damages for certain breaches of information. The CCPA has been amended on multiple occasions and is the subject of proposed regulations of the California Attorney General that were released on February 7, 2020. Aspects of the CCPA and its interpretation remain unclear. In addition, other states have enacted or proposed legislation that regulates the collection, use, and sale of personal information, and such regimes might not be compatible with either the GDPR or the CCPA or may require us to undertake additional practices. We cannot yet predict the impact of the CCPA or impending legislation on our business or operations, but it may require us to modify our data processing practices and policies and incur substantial costs and expenses in an effort to comply.
The privacy, data protection, and information security laws and regulations we must comply with also are subject to change. For example, the United Kingdom enacted a Data Protection Act in May 2018 that substantially implements the

23




GDPR, but the United Kingdom’s exit from the European Union, commonly referred to as “Brexit,” could lead to further legislative and regulatory changes, it remains unclear how United Kingdom data protection laws or regulations will develop in the medium to longer term and how data transfers to and from the United Kingdom will be regulated. Additionally, U.S. and EU authorities reached a political agreement in February 2016 regarding a means for legitimizing personal data transfers from the EEA to the U.S., the EU-U.S. Privacy Shield Framework, replacing a prior program that was invalidated. We have joined the EU-U.S. Privacy Shield Framework and a related program, the Swiss-U.S. Privacy Shield Framework. The EU-U.S. Privacy Shield Framework is subject to legal challenge, however, and it or the Swiss-U.S. Privacy Shield Framework may be modified or invalidated. We may be unsuccessful in maintaining legitimate means for our transfer and receipt of personal data from the EEA or Switzerland. We may experience reluctance or refusal by current or prospective European customers to use our products, and we may find it necessary or desirable to make further changes to our handling of personal data of European residents.
In addition to laws and regulations, privacy advocacy and industry groups or other private parties may propose new and different privacy standards that either legally or contractually apply to us. Because the interpretation and application of privacy and data protection laws, regulations, standards and contractual obligations are uncertain, it is possible that they may be interpreted and applied in a manner that is, or perceived to be, inconsistent with our data management practices or the features of our solutions. If so, in addition to the possibility of regulatory investigations and enforcement actions, fines, lawsuits and other claims, other forms of injunctive or operations-limiting relief, and damage to our reputations and loss of goodwill, we could be required to fundamentally change our business activities and practices or modify our solutions and may face limitations in our ability to develop new solutions and features, any of which could have an adverse effect on our business. Any inability to adequately address privacy concerns, even if unfounded, or any actual or perceived inability to comply with applicable privacy or data protection laws, regulations and privacy standards, could result in cost and liability to us, damage our reputation, inhibit sales of subscriptions and harm our business.
Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and privacy standards that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our solutions. Privacy concerns, whether valid or not valid, may inhibit market adoption of our solutions particularly in certain industries and foreign countries.

If we are unable to continue the expansion of our sales force, sales of our solutions and the growth of our business would be harmed.
We believe that our growth will depend, to a significant extent, on our success in recruiting and retaining a sufficient number of qualified sales personnel and their ability to obtain new customers, manage our existing customer base and expand the sales of our newer solutions. We plan to continue to expand our sales force and make a significant investment in our sales and marketing activities. Our recent hires and planned hires may not become as productive as quickly as we would like, and we may be unable to hire or retain sufficient numbers of qualified individuals in the future in the competitive markets where we do business. Competition for highly skilled personnel is frequently intense and we may not be able to compete for these employees. If we are unable to recruit and retain a sufficient number of productive sales personnel, sales of our solutions and the growth of our business may be harmed. Additionally, if our efforts do not result in increased revenues, our operating results could be negatively impacted due to the upfront operating expenses associated with expanding our sales force.

A significant portion of our customers, channel partners and employees are located outside of the United States, which subjects us to a number of risks associated with conducting international operations, and if we are unable to successfully manage these risks, our business and operating results could be harmed.
We market and sell subscriptions to our solutions throughout the world and have personnel in many parts of the world. In addition, we have sales offices and research and development facilities outside the United States and we conduct, and expect to continue to conduct, a significant amount of our business with organizations that are located outside the United States, particularly in Europe and Asia. Therefore, we are subject to risks associated with having international sales and worldwide operations, including:
foreign currency exchange fluctuations;
trade and foreign exchange restrictions;
economic or political instability in foreign markets;
greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;
changes in regulatory requirements;
tax laws (including U.S. taxes on foreign subsidiaries);

24




difficulties and costs of staffing and managing foreign operations;
the uncertainty and limitation of protection for intellectual property rights in some countries;
costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;
costs of complying with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our solutions in certain foreign markets, and the risks and costs of non-compliance;
heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;
the potential for political unrest, acts of terrorism, hostilities or war;
management communication and integration problems resulting from cultural differences and geographic dispersion; and
multiple and possibly overlapping tax structures.
Our business, including the sales of subscriptions of our solutions, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Failure to comply with these regulations could adversely affect our business. Further, in many foreign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Although we have implemented policies and procedures designed to ensure compliance with these laws and policies, there can be no assurance that all of our employees, contractors, channel partners and agents have complied or will comply with these laws and policies. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our solutions and could have a material adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of international operations, our business and operating results could be adversely affected.
In addition, as of December 31, 2019, approximately 70% of our employees were located outside of the United States, and 61% of our employees were located in Pune, India. Accordingly, we are exposed to changes in laws governing our employee relationships in various U.S. and foreign jurisdictions, including laws and regulations regarding wage and hour requirements, fair labor standards, employee data privacy, unemployment tax rates, workers’ compensation rates, citizenship requirements and payroll and other taxes which may have a direct impact on our operating costs. We may continue to expand our international operations and international sales and marketing activities. Expansion in international markets has required, and will continue to require, significant management attention and resources. We may be unable to scale our infrastructure effectively or as quickly as our competitors in these markets and our revenues may not increase to offset any increased costs and operating expenses, which would cause our results to suffer.

Disruptive technologies could gain wide adoption and supplant our cloud security and compliance solutions, thereby weakening our sales and harming our results of operations.
The introduction of products and services embodying new technologies could render our existing solutions obsolete or less attractive to customers. Our business could be harmed if new security and compliance technologies are widely adopted. We may not be able to successfully anticipate or adapt to changing technology or customer requirements on a timely basis, or at all. If we fail to keep up with technological changes or to convince our customers and potential customers of the value of our solutions even in light of new technologies, our business could be harmed and our revenues may decline.

Our business and operations have experienced significant growth, and if we do not appropriately manage any future growth, or are unable to improve our systems and processes, our operating results may be negatively affected.
We have experienced significant growth over the last several years. From 2017 to 2019, our revenues grew from $230.8 million to $321.6 million, and our headcount increased from 684 employees at the beginning of 2017 to 1,289 employees as of December 31, 2019. We rely on information technology systems to help manage critical functions such as order processing, revenue recognition and financial forecasts. To manage any future growth effectively we must continue to improve and expand our IT systems, financial infrastructure, and operating and administrative systems and controls, and continue to manage headcount, capital and processes in an efficient manner. We may not be able to successfully implement improvements to these systems and processes in a timely or efficient manner.

25




Our failure to improve our systems and processes, or their failure to operate in the intended manner, may result in our inability to manage the growth of our business and to accurately forecast our revenues, expenses and earnings, or to prevent certain losses. In addition, as we continue to grow, our productivity and the quality of our solutions may also be adversely affected if we do not integrate and train our new employees quickly and effectively. Any future growth would add complexity to our organization and require effective coordination across our organization. Failure to manage any future growth effectively could result in increased costs, harm our results of operations and lead to investors losing confidence in our internal systems and processes.

Forecasts of market growth may prove to be inaccurate, and even if the markets in which we compete achieve the forecasted growth, there can be no assurance that our business will grow at similar rates, or at all.
Growth forecasts relating to the expected growth in the market for IT, security and compliance and other markets are subject to significant uncertainty and are based on assumptions and estimates which may prove to be inaccurate. Even if these markets experience the forecasted growth, we may not grow our business at similar rates, or at all. Our growth is subject to many factors, including our success in implementing our business strategy, which is subject to many risks and uncertainties. Accordingly, forecasts of market growth should not be taken as indicative of our future growth.

We rely on third-party channel partners to generate a substantial amount of our revenues, and if we fail to expand and manage our distribution channels, our revenues could decline and our growth prospects could suffer.
Our success significantly depends upon establishing and maintaining relationships with a variety of channel partners and we anticipate that we will continue to depend on these partners in order to grow our business. For the years ended December 31, 2019, 2018 and 2017, we derived approximately 42%, 41% and 39%, respectively, of our revenues from sales of subscriptions for our solutions through channel partners, and the percentage of revenues derived from channel partners may increase in future periods. Our agreements with our channel partners are generally non-exclusive and do not prohibit them from working with our competitors or offering competing solutions, and many of our channel partners have more established relationships with our competitors. If our channel partners choose to place greater emphasis on products of their own or those offered by our competitors, do not effectively market and sell our solutions, or fail to meet the needs of our customers, then our ability to grow our business and sell our solutions may be adversely affected. In addition, the loss of one or more of our larger channel partners, who may cease marketing our solutions with limited or no notice, and our possible inability to replace them, could adversely affect our sales. Moreover, our ability to expand our distribution channels depends in part on our ability to educate our channel partners about our solutions, which can be complex. Our failure to recruit additional channel partners, or any reduction or delay in their sales of our solutions or conflicts between channel sales and our direct sales and marketing activities may harm our results of operations. Even if we are successful, these relationships may not result in greater customer usage of our solutions or increased revenues.
In addition, the financial health of our channel partners and our continuing relationships with them are important to our success. Some of these channel partners may be unable to withstand adverse changes in economic conditions, which could result in insolvency and/or the inability of such distributors to obtain credit to finance purchases of our products and services. In addition, weakness in the end-user market could negatively affect the cash flows of our channel partners who could, in turn, delay paying their obligations to us, which would increase our credit risk exposure. Our business could be harmed if the financial condition of some of these channel partners substantially weakened and we were unable to timely secure replacement channel partners.


26




Our solutions contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our solutions.
Our solutions contain software licensed to us by third-parties under so-called “open source” licenses, including the GNU General Public License, the GNU Lesser General Public License, the BSD License, the Apache License and others. From time to time, there have been claims against companies that distribute or use open source software in their products and services, asserting that such open source software infringes the claimants’ intellectual property rights. We could be subject to suits by parties claiming that what we believe to be licensed open source software infringes their intellectual property rights. Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code. In addition, certain open source licenses require that source code for software programs that are subject to the license be made available to the public and that any modifications or derivative works to such open source software continue to be licensed under the same terms. If we combine our proprietary software with open source software in certain ways, we could, in some circumstances, be required to release the source code of our proprietary software to the public. Disclosing the source code of our proprietary software could make it easier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our solutions, which could result in our solutions failing to provide our customers with the security they expect from our services. This could harm our business and reputation. Disclosing our proprietary source code also could allow our competitors to create similar products with lower development effort and time and ultimately could result in a loss of sales for us. Any of these events could have a material adverse effect on our business, operating results and financial condition.
Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our solutions to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our solutions. In this event, we could be required to seek licenses from third parties to continue offering our solutions, to make our proprietary code generally available in source code form, to re-engineer our solutions or to discontinue the sale of our solutions if re-engineering could not be accomplished on a timely basis, any of which could adversely affect our business, operating results and financial condition.

We rely on software-as-a-service vendors to operate certain functions of our business and any failure of such vendors to provide services to us could adversely impact our business and operations.
We rely on third-party software-as-a-service vendors to operate certain critical functions of our business, including financial management and human resource management. If these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business.

We use third-party software and data that may be difficult to replace or cause errors or failures of our solutions that could lead to lost customers or harm to our reputation and our operating results.
We license third-party software as well as security and compliance data from various third parties to deliver our solutions. In the future, this software or data may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of this software or data could result in delays in the provisioning of our solutions until equivalent technology or data is either developed by us, or, if available, is identified, obtained and integrated, which could harm our business. In addition, any errors or defects in or failures of this third-party software or data could result in errors or defects in our solutions or cause our solutions to fail, which could harm our business and be costly to correct. Many of these providers attempt to impose limitations on their liability for such errors, defects or failures, and if enforceable, we may have additional liability to our customers or third-party providers that could harm our reputation and increase our operating costs.
We will need to maintain our relationships with third-party software and data providers, and to obtain software and data from such providers that do not contain any errors or defects. Any failure to do so could adversely impact our ability to deliver effective solutions to our customers and could harm our operating results.

27




Delays or interruptions in the manufacturing and delivery of our physical scanner appliances by our sole source manufacturer may harm our business.
Upon customer request, we provide physical or virtual scanner appliances on a subscription basis as an additional capability to the customer’s subscription for use during their subscription term. Our physical scanner appliances are built by a single manufacturer. Our reliance on a sole manufacturer involves several risks, including a potential inability to obtain an adequate supply of physical scanner appliances and limited control over pricing, quality and timely deployment of such scanner appliances. In addition, replacing this manufacturer may be difficult and could result in an inability or delay in deploying our solutions to customers that request physical scanner appliances as part of their subscriptions.
Furthermore, our manufacturer’s ability to timely manufacture and ship our physical scanner appliances depends on a variety of factors, such as the availability of hardware components, supply shortages or contractual restrictions. In the event of an interruption from this manufacturer, we may not be able to develop alternate or secondary sources in a timely manner. If we are unable to purchase physical scanner appliances in quantities sufficient to meet our requirements on a timely basis, we may not be able to effectively deploy our solutions to new customers that request physical scanner appliances, which could harm our business.

We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.
Our reporting currency is the U.S. Dollar and we generate a majority of our revenues in U.S. dollars. However, for the year ended December 31, 2019, we incurred approximately 25% of our expenses outside of the United States in foreign currencies, primarily Euros, British Pounds, and Indian Rupee, principally with respect to salaries and related personnel expenses associated with our European and Indian operations. Additionally, for the year ended December 31, 2019, approximately 21% of our revenues were generated in foreign currencies. Accordingly, changes in exchange rates may have a material adverse effect on our business, operating results and financial condition. The exchange rate between the U.S. Dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future. We expect that a majority of our revenues will continue to be generated in U.S. Dollars for the foreseeable future and that a significant portion of our expenses, including personnel costs, as well as capital and operating expenditures, will continue to be denominated in the Euro, British Pound and Indian Rupee. The results of our operations may be adversely affected by foreign exchange fluctuations.
We use derivative financial instruments to reduce our foreign currency exchange risks. We use foreign currency forward contracts to mitigate the impact of foreign currency fluctuations of certain non-U.S. Dollar denominated asset positions, to date primarily cash and accounts receivable (non-designated), as well as to manage foreign currency fluctuation risk related to forecasted transactions (designated). However, we may not be able to purchase derivative instruments that are adequate to insulate ourselves from foreign currency exchange risks. Additionally, our hedging activities may contribute to increased losses as a result of volatility in foreign currency markets.

Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
The success of our business depends in part on our ability to protect and enforce our trade secrets, trademarks, copyrights, patents and other intellectual property rights. We attempt to protect our intellectual property under copyright, trade secret, patent and trademark laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection.
We primarily rely on our unpatented proprietary technology and trade secrets. Despite our efforts to protect our proprietary technology and trade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. The contractual provisions that we enter into with employees, consultants, partners, vendors and customers may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or intellectual property rights. Moreover, policing unauthorized use of our technologies, solutions and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or infringement of our solutions, technologies or intellectual property rights.
As of December 31, 2019, we had 18 issued patents and several pending U.S. patent applications, and we may file additional patent applications in the future. Additionally, we have an exclusive license to four third-party patents. The process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or

28




desirable patent applications at a reasonable cost or in a timely manner, if at all. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions.
Furthermore, it is possible that our patent applications may not result in granted patents, that the scope of our issued patents will be limited or not provide the coverage originally sought, that our issued patents will not provide us with any competitive advantages, or that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes or litigation. In addition, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. As a result, we may not be able to obtain adequate patent protection or to enforce our issued patents effectively.
From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Such litigation could result in substantial costs and diversion of resources and could negatively affect our business, operating results and financial condition. If we are unable to protect our intellectual property rights, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and effort required to create the innovative solutions that have enabled us to be successful to date.

Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs and harm our business and operating results.
Patent and other intellectual property disputes are common in our industry. Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us. They may also assert such claims against our customers or channel partners whom we typically indemnify against claims that our solutions infringe, misappropriate or otherwise violate the intellectual property rights of third parties. As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business.
The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.
An adverse outcome of a dispute may require us to:
pay substantial damages, including treble damages, if we are found to have willfully infringed a third party’s patents or copyrights;
cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others;
expend additional development resources to attempt to redesign our solutions or otherwise develop non-infringing technology, which may not be successful;
enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights; and
indemnify our partners and other third parties.

In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may require significant royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore our competitors may have access to the same technology licensed to us. Any of the foregoing events could seriously harm our business, financial condition and results of operations.


29




If we are required to collect sales and use or other taxes on the solutions we sell, we may be subject to liability for past sales and our future sales may decrease.
Taxing jurisdictions, including state and local entities, have differing rules and regulations governing sales and use or other taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales taxes to our subscription services in various jurisdictions is unclear. It is possible that we could face sales tax audits and that our liability for these taxes could exceed our estimates as tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. We could also be subject to audits with respect to state and international jurisdictions for which we may not accrued tax liabilities. A successful assertion that we should be collecting additional sales or other taxes on our services in jurisdictions where we have not historically done so and do not accrue for sales taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our solutions or otherwise harm our business and operating results.

We depend on the continued services and performance of our senior management and other key employees, the loss of any of whom could adversely affect our business, operating results and financial condition.
Our future performance depends on the continued services and continuing contributions of our senior management, particularly Philippe F. Courtot, our Chairman, President and Chief Executive Officer, and other key employees, to execute on our business plan and to identify and pursue new opportunities and product innovations. We do not maintain key-man insurance for Mr. Courtot or for any other member of our senior management team. From time to time, there may be changes in our senior management team resulting from the termination or departure of executives. Our senior management and key employees are generally employed on an at-will basis, which means that they could terminate their employment with us at any time. The loss of the services of our senior management, particularly Mr. Courtot, or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of operations.

If we are unable to hire, retain and motivate qualified personnel, our business may suffer.
Our future success depends, in part, on our ability to continue to attract and retain highly skilled personnel. The loss of the services of any of our key personnel, the inability to attract or retain qualified personnel or delays in hiring required personnel, particularly in engineering and sales, may seriously harm our business, financial condition and results of operations. Any of our employees may terminate their employment at any time. Competition for highly skilled personnel is frequently intense, especially in the San Francisco Bay Area and Pune, India, locations in which we have a substantial presence and need for highly skilled personnel and we may not be able to compete for these employees.
We are required under accounting principles generally accepted in the United States (U.S. GAAP) to recognize compensation expense in our operating results for employee stock-based compensation under our equity grant programs, which may negatively impact our operating results and may increase the pressure to limit stock-based compensation that we might otherwise offer to current or potential employees, thereby potentially harming our ability to attract or retain highly skilled personnel. In addition, to the extent we hire personnel from competitors, we may be subject to allegations that they have been improperly solicited or divulged proprietary or other confidential information, which could result in a diversion of management's time and our resources.

Changes in laws or regulations related to the Internet may diminish the demand for our solutions and could have a negative impact on our business.
We deliver our solutions through the Internet. Federal, state or foreign government bodies or agencies have in the past adopted, and may in the future adopt, laws or regulations affecting data privacy and the use of the Internet. In addition, government agencies or private organizations may begin to impose taxes, fees or other charges for accessing the Internet or on commerce conducted via the Internet. These laws or charges could limit the viability of Internet-based solutions such as ours and reduce the demand for our solutions.


30




A portion of our revenues are generated by sales to government entities, which are subject to a number of challenges and risks.
Government entities have historically been particularly concerned about adopting cloud-based solutions for their operations, including security solutions, and increasing sales of subscriptions for our solutions to government entities may be more challenging than selling to commercial organizations. Selling to government entities can be highly competitive, expensive and time-consuming, often requiring significant upfront time and expense without any assurance that we will win a sale. We have invested in the creation of a cloud offering certified under the Federal Information Security Management Act for government usage but we cannot be sure that we will continue to sustain or renew this certification, that the government will continue to mandate such certification or that other government agencies or entities will use this cloud offering. Government demand and payment for our solutions may be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our solutions. Government entities may have contractual or other legal rights to terminate contracts with our channel partners for convenience or due to a default, and any such termination may adversely impact our future results of operations. Governments routinely investigate and audit government contractors’ administrative processes, and any unfavorable audit could result in the government refusing to continue buying our solutions, a reduction of revenues or fines or civil or criminal liability if the audit uncovers improper or illegal activities. Any such penalties could adversely impact our results of operations in a material way.

Governmental export or import controls could subject us to liability if we violate them or limit our ability to compete in foreign markets.
Our solutions are subject to U.S. export controls, specifically, the Export Administration Regulations and economic sanctions enforced by the Office of Foreign Assets Control. We incorporate encryption technology into certain of our solutions. These encryption solutions and the underlying technology may be exported only with the required export authorizations, including by license, a license exception or other appropriate government authorizations. U.S. export controls may require submission of an encryption registration, product classification and/or annual or semi-annual reports. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export authorization for our solutions, when applicable, could harm our international sales and adversely affect our revenues. Compliance with applicable regulatory requirements regarding the export of our solutions, including with respect to new releases of our solutions, may create delays in the introduction of our solutions in international markets, prevent our customers with international operations from deploying our solutions throughout their globally-distributed systems or, in some cases, prevent the export of our solutions to some countries altogether. In addition, various countries regulate the import of our appliance-based solutions and have enacted laws that could limit our ability to distribute solutions or could limit our customers’ ability to implement our solutions in those countries. Any new export or import restrictions, new legislation or shifting approaches in the enforcement or scope of existing regulations, or in the countries, persons or technologies targeted by such regulations, could result in decreased use of our solutions by existing customers with international operations, declining adoption of our solutions by new customers with international operations and decreased revenues. If we fail to comply with export and import regulations, we may be fined or other penalties could be imposed, including denial of certain export privileges.

Our success in acquiring and integrating other businesses, products or technologies could impact our financial position.
In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products, services or technologies. For example, we acquired 1Mobility on April 1, 2018, Layered Insight on October 16, 2018 and Adya on January 10, 2019. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices may exceed what we would prefer to pay. Moreover, achieving the anticipated benefits of future acquisitions will depend in part upon whether we can integrate acquired operations, products and technology in a timely and cost-effective manner, and even if we achieve benefits from acquisitions, such acquisitions may still be viewed negatively by customers, financial markets or investors. The acquisition and integration process is complex, expensive and time-consuming, and may cause an interruption of, or loss of momentum in, product development and sales activities and operations of both companies, as well as divert the attention of management, and we may incur substantial cost and expense. We may issue equity securities which could dilute current stockholders’ ownership, incur debt, assume contingent or other liabilities and expend cash in acquisitions, which could negatively impact our financial position, stockholder equity and stock price. We may not find suitable acquisition candidates, and acquisitions we complete may be unsuccessful. If we consummate a transaction, we may be unable to integrate and manage acquired products and businesses effectively or retain key personnel. If we are unable to effectively execute acquisitions, our business, financial condition and operating results could be adversely affected.


31




Our financial results are based in part on our estimates or judgments relating to our critical accounting policies. These estimates or judgments may prove to be incorrect, which could harm our operating results and result in a decline in our stock price.
The preparation of financial statements in conformity with U.S. GAAP requires management to make estimates and assumptions that affect the amounts reported in the consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in the section titled “Part II, Item 7 - Management’s Discussion and Analysis of Financial Condition and Results of Operations,” the results of which form the basis for making judgments about the carrying values of assets, liabilities, equity, revenues and expenses that are not readily apparent from other sources. Our operating results may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our operating results to fall below the expectations of securities analysts and investors, resulting in a decline in our stock price. Significant assumptions and estimates used in preparing our consolidated financial statements include those related to revenue recognition, accounting for income taxes, stock-based compensation, and fair value measurement.

Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results of operations.
We prepare our financial statements in accordance with U.S. GAAP. These principles are subject to interpretation by the SEC and various bodies formed to interpret and create appropriate accounting principles. A change in these accounting standards or practices could harm our operating results and could have a significant effect on our reporting of transactions and reported results and may even retroactively affect previously reported transactions. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing rules or the questioning of current practices may harm our operating results or require that we make significant changes to our systems, processes and controls or the way we conduct our business.

We have historically expensed commissions associated with sales of our solutions immediately upon receipt of a subscription order from a customer and generally recognize the revenues associated with such sale over the term of the agreement. Accordingly, our historical operating income in any period may not be indicative of our financial health and future performance. With the adoption of Accounting Standards Codification (ASC) 606, Revenue from Contracts with Customers effective January 1, 2018, we commenced capitalizing our commissions but elected to use the practical expedient in ASC 606 and expense commissions related to contracts with a renewal contract term of one year or less. As a result of the adoption of ASC 606, our future operating results may vary from period to period as our commission expense will not be directly comparable to historical periods.
Through December 2017, we expensed commissions paid to our sales personnel in the quarter in which the related order was received. In contrast, we have generally recognized the revenues associated with a sale of our solutions ratably over the term of the subscription, which is typically one year. Accordingly, our historical results may have fluctuated based on timing of commission expenses as compared to revenue recognized. With the adoption of ASC 606, our operating results will also fluctuate and not be comparable to historical periods, and will continue to fluctuate as we will generally capitalize commissions for new and upsell contracts except for renewal sales that are one year or less. In addition, amortization of expense from previously capitalized contracts is expected to increase over time as our opening capitalized commission asset balance upon adoption of ASC 606 only included open contracts as of December 31, 2017. Accordingly, we expect our commission expense to grow in future periods as a result of the adoption of ASC 606. Without the adoption of ASC 606, commission expenses would have been $2.6 million and $2.5 million higher for the years ended December 31, 2019 and 2018, respectively.

We recognize revenues from subscriptions over the term of the relevant service period, and therefore any decreases or increases in bookings are not immediately reflected in our operating results.
We recognize revenues from subscriptions over the term of the relevant service period, which is typically one year. As a result, most of our reported revenues in each quarter are derived from the recognition of deferred revenues relating to subscriptions entered into during previous quarters. Consequently, a shortfall in demand for our solutions in any period may not significantly reduce our revenues for that period, but could negatively affect revenues in future periods. Accordingly, the effect of significant downturns in bookings may not be fully reflected in our results of operations until future periods. We may be unable to adjust our costs and expenses to compensate for such a potential shortfall in revenues. Our subscription model also makes it difficult for us to rapidly increase our revenues through additional bookings in any period, as revenues are recognized ratably over the subscription period.


32




Changes in our provision for income taxes or adverse outcomes resulting from examination of our income tax returns could adversely affect our operating results. We could be subject to additional taxes.
We are subject to income taxes in the United States and various foreign jurisdictions, and our domestic and international tax liabilities are subject to the allocation of expenses in differing jurisdictions. Our tax rate is affected by changes in the mix of earnings and losses in countries with differing statutory tax rates, certain non-deductible expenses arising from the requirement to expense stock options, excess tax benefits from stock-based compensation, and the valuation of deferred tax assets and liabilities, including our ability to utilize our federal and state net operating losses, which were $5.0 million and $2.1 million, respectively, as of December 31, 2019. Increases in our effective tax rate could harm our operating results.
Additionally, significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations, including those relating to income tax nexus, by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value-added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made.

Our business is subject to the risks of earthquakes, fire, power outages, floods and other catastrophic events, and to interruption by man-made problems such as terrorism.
A significant natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our business, operating results and financial condition. Our corporate headquarters and a significant portion of our operations are located in the San Francisco Bay Area, a region known for seismic activity. In addition, natural disasters could affect our business partners’ ability to perform services for us on a timely basis. In the event we or our business partners are hindered by any of the events discussed above, our ability to provide our solutions to customers could be delayed, resulting in our missing financial targets, such as revenues and net income, for a particular quarter. Further, if a natural disaster occurs in a region from which we derive a significant portion of our revenues, customers in that region may delay or forego subscriptions of our solutions, which may materially and adversely impact our results of operations for a particular period. In addition, acts of terrorism could cause disruptions in our business or the business of our business partners, customers or the economy as a whole. All of the aforementioned risks may be exacerbated if the disaster recovery plans for us and our suppliers prove to be inadequate. To the extent that any of the above results in delays of customer subscriptions or commercialization of our solutions, our business, financial condition and results of operations could be adversely affected.

If we fail to maintain an effective system of internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
As a public company, we are subject to the reporting requirements of the Securities Exchange Act of 1934, or the Exchange Act, the Sarbanes-Oxley Act of 2002, or the Sarbanes-Oxley Act, and the rules and regulations of the NASDAQ Stock Market. To continue to comply with the requirements of being a public company, we may need to undertake various actions, such as implementing additional internal controls and procedures and hiring additional accounting or internal audit staff.
Our internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with U.S. GAAP. Our current controls and any new controls that we develop may become inadequate because of changes in conditions in our business. Any failure to maintain effective controls, or any difficulties encountered in their improvement, could harm our operating results or cause us to fail to meet our reporting obligations. Any failure to maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations regarding the effectiveness of our internal control over financial reporting that we are required to include in our periodic reports we file with the SEC under Section 404 of the Sarbanes-Oxley Act. While we were able to assert in this Annual Report on Form 10-K that our internal control over financial reporting was effective as of December 31, 2019, we cannot predict the outcome of our testing in future periods. If we are unable to assert in any future reporting period that our internal control over financial reporting is effective (or if our independent registered public accounting firm is unable to express an opinion on the effectiveness of our internal controls), investors may lose confidence in our operating results and our stock price could decline. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the NASDAQ Stock Market.


33




Market volatility may affect our stock price and the value of an investment in our common stock and could subject us to litigation.
The trading price of our common stock has been, and may continue to be, subject to significant fluctuations in response to a number of factors, most of which we cannot predict or control, including:
announcements of new solutions, services or technologies, commercial relationships, acquisitions or other events by us or our competitors;
fluctuations in stock market prices and trading volumes of securities of similar companies;
general market conditions and overall fluctuations in U.S. equity markets;
variations in our operating results, or the operating results of our competitors;
changes in our financial guidance or securities analysts’ estimates of our financial performance;
changes in accounting principles;
sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders;
additions or departures of any of our key personnel;
announcements related to litigation;
changing legal or regulatory developments in the United States and other countries; and
discussion of us or our stock price by the financial press and in online investor communities.
In addition, the stock market in general, and the stocks of technology companies such as ours in particular, have experienced substantial price and volume volatility that is often seemingly unrelated to the operating performance of particular companies. These broad market fluctuations may cause the trading price of our common stock to decline. In the past, securities class action litigation has often been brought against a company after a period of volatility in the trading price of its common stock. We may become involved in this type of litigation in the future. Any securities litigation claims brought against us could result in substantial expenses and the diversion of our management’s attention from our business.

Our actual operating results may differ significantly from our guidance.
From time to time, we have released, and may continue to release, guidance in our quarterly earnings conference calls, quarterly earnings releases, or otherwise, regarding our future performance that represents our management's estimates as of the date of release. This guidance, which includes forward-looking statements, has been and will be based on projections prepared by our management. These projections are not prepared with a view toward compliance with published guidelines of the American Institute of Certified Public Accountants, and neither our registered public accountants nor any other independent expert or outside party compiles or examines the projections. Accordingly, no such person expresses any opinion or any other form of assurance with respect to the projections.
Projections are based upon a number of assumptions and estimates that, while presented with numerical specificity, are inherently subject to significant business, economic and competitive uncertainties and contingencies, many of which are beyond our control and are based upon specific assumptions with respect to future business decisions, some of which will change. We intend to state possible outcomes as high and low ranges which are intended to provide a sensitivity analysis as variables are changed but are not intended to imply that actual results could not fall outside of the suggested ranges. The principal reason that we release guidance is to provide a basis for our management to discuss our business outlook with analysts and investors. We do not accept any responsibility for any projections or reports published by any such third parties.
Guidance is necessarily speculative in nature, and it can be expected that some or all of the assumptions underlying the guidance furnished by us will not materialize or will vary significantly from actual results. Accordingly, our guidance is only an estimate of what management believes is realizable as of the date of release. Actual results may vary from our guidance and the variations may be material. In light of the foregoing, investors are urged not to rely upon our guidance in making an investment decision regarding our common stock.
Any failure to successfully implement our operating strategy or the occurrence of any of the events or circumstances set forth in this “Risk Factors” section in this Annual Report on Form 10-K could result in our actual operating results being different from our guidance, and the differences may be adverse and material.


34




Concentration of ownership among our existing executive officers, directors and holders of 10% or more of our outstanding common stock may prevent new investors from influencing significant corporate decisions.
As of December 31, 2019, our executive officers, directors and holders of 10% or more of our outstanding common stock beneficially owned, in the aggregate, approximately 30% of our outstanding common stock. As a result, such persons, acting together, have significant ability to control our management and affairs and substantially all matters submitted to our stockholders for approval, including the election and removal of directors and approval of any significant transaction. This concentration of ownership may have the effect of delaying, deferring or preventing a change in control, impeding a merger, consolidation, takeover or other business combination involving us, or discouraging a potential acquirer from making a tender offer or otherwise attempting to obtain control of our business, even if such a transaction would benefit other stockholders.

Future sales of shares by existing stockholders could cause our stock price to decline.
The market price of shares of our common stock could decline as a result of substantial sales of our common stock, particularly sales by our directors, executive officers, employees and significant stockholders, a large number of shares of our common stock becoming available for sale, or the perception in the market that holders of a large number of shares intend to sell their shares. As of December 31, 2019, we had approximately 39.1 million shares of our common stock outstanding.
In addition, as of December 31, 2019, there were approximately 1.2 million restricted stock units and options to purchase approximately 2.9 million shares of our common stock outstanding. If such options are exercised and restricted stock units are released, these additional shares will become available for sale. As of December 31, 2019, we had an aggregate of 5.2 million shares of our common stock reserved for future issuance under our 2012 Equity Incentive Plan, which can be freely sold in the public market upon issuance. If a large number of these shares are sold in the public market, the sales could reduce the trading price of our common stock.

We cannot guarantee that our stock repurchase program will be fully consummated or that it will enhance stockholder value, and any stock repurchases we make could affect the price of our common stock.
In February 2018, we announced a $100.0 million stock repurchase program. In October 2018 and 2019, we announced that our authorization under this program had increased by $100.0 million and $100.0 million, respectively. Although our board of directors authorized this stock repurchase program, we are not obligated to repurchase any specific dollar amount or to acquire any specific number of shares. The stock repurchase program could affect the price of our common stock, increase volatility and diminish our cash reserves. In addition, it may be suspended or terminated at any time, which may result in a decrease in the price of our common stock. In the year ended December 31, 2019, we repurchased 1,026,455 shares of our common stock for an aggregate purchase price of approximately $86.4 million. As of December 31, 2019, approximately $128.5 million remained available for share repurchases pursuant to our stock repurchase program.

We do not intend to pay dividends on our common stock and therefore any returns will be limited to the value of our stock.
We have never declared or paid any cash dividend on our common stock. We currently anticipate that we will retain future earnings for the development, operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to stockholders will therefore be limited to the value of their stock.

Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of us, which may be beneficial to our stockholders, more difficult and may prevent attempts by our stockholders to replace or remove our current management.
Our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that may delay or prevent an acquisition of us or a change in our management. These provisions include:
authorizing “blank check” preferred stock, which could be issued by the board without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and could thwart a takeover attempt;
a classified board of directors whose members can only be dismissed for cause;
the prohibition on actions by written consent of our stockholders;
the limitation on who may call a special meeting of stockholders;

35




the establishment of advance notice requirements for nominations for election to our Board of Directors or for proposing matters that can be acted upon at stockholder meetings; and
the requirement of at least two-thirds of the outstanding capital stock to amend any of the foregoing second through fifth provisions.
In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which limits the ability of stockholders owning in excess of 15% of our outstanding voting stock to merge or combine with us. Although we believe these provisions collectively provide for an opportunity to obtain greater value for stockholders by requiring potential acquirers to negotiate with our Board of Directors, they would apply even if an offer rejected by our board were considered beneficial by some stockholders. In addition, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our Board of Directors, which is responsible for appointing the members of our management.

Item 1B.
Unresolved Staff Comments
None.

Item 2.
Properties
Our principal executive offices are located in Foster City, California, where we occupy a 76,922 square-foot facility under a lease expiring on April 30, 2028. We have additional U.S. offices in Bellevue, Washington and Raleigh, North Carolina. We also lease offices in Courbevoie, France; Moscow, Russia; Munich, Germany; Frankfurt, Germany; Nuremberg, Germany; Pune, India; Dubai, United Arab Emirates; Reading, United Kingdom; and Tokyo, Japan. In addition, during the fiscal year ended December 31, 2019, we entered into a new agreement to lease 281,787 square feet of office space in Pune, India, which has a non-cancellable lease term through February 2025. We believe our facilities are adequate for our current needs and for the foreseeable future.
We operate principal data centers at third-party facilities in Santa Clara, California; Ashburn, Virginia; Ontario, Canada; Geneva, Switzerland; Pune, India; and Amsterdam, the Netherlands.

Item 3.
Legal Proceedings
From time to time we may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. We are not presently a party to any legal proceedings that, if determined adversely to us, would individually or taken together have a material adverse effect on our business, operating results, financial condition or cash flows. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.

Item 4.
Mine Safety Disclosures
Not Applicable.


36




PART II
Item 5.             Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities

Holders of Common Equity
As of February 13, 2020, there were approximately 68 holders of record of our common stock. Because many of our shares of common stock are held by brokers and other institutions on behalf of stockholders, we are unable to estimate the total number of stockholders represented by these record holders.

Dividend Policy
We have never declared or paid any cash dividends on our capital stock. We currently intend to retain any future earnings to fund business development and growth, and do not expect to pay any dividends in the foreseeable future. Any future determination to declare cash dividends will be made at the discretion of our Board of Directors, subject to applicable laws, and will depend on a number of factors, including our financial condition, results of operations, capital requirements, contractual restrictions, general business conditions and other factors that our Board of Directors may deem relevant.

Securities Authorized for Issuance under Equity Compensation Plans

The following table summarizes information about our equity compensation plans as of December 31, 2019. All outstanding awards relate to our common stock.
Plan Category
  
(a) Number of Securities to be
Issued Upon
Exercise of
Outstanding
Options, Warrants
and Rights
  
(b) Weighted-Average
Exercise Price of
Outstanding Options,
Warrants and Rights
  
(c) Number of Securities
Remaining Available for
Future Issuance Under
Equity Compensation
Plans (Excluding
Securities Reflected in
Column (a)(2)
Equity compensation plans approved by security holders(1)
  
2,866,675

  
$
40.5

  
5,243,730

Equity compensation plans not approved by security holders
 

 
$

 

(1) Equity compensation plans approved by stockholders include our 2000 Equity Incentive Plan (2000 Plan), and our 2012 Equity Incentive Plan (2012 Plan). Prior to our IPO, we issued securities under our 2000 Equity Incentive Plan. Following our IPO, we issued securities under our 2012 Plan.
(2) Represents shares reserved for issuance under our 2012 Plan, under which incentive stock options, non-statutory stock options, stock appreciation rights, restricted stock awards, restricted stock units, performance units and performance shares are authorized for grant to eligible participants.

37




Stock Price Performance Graph
The following graph shows a comparison from December 31, 2014 through December 31, 2019 of the cumulative total return for an investment of $100 (and the reinvestment of dividends) in our common stock, the NASDAQ Global Select Market Composite Index and the NASDAQ Computer Index and the S&P 500 Index. Such returns are based on historical results and are not intended to suggest future performance.

COMPARISON OF CUMULATIVE TOTAL RETURN*
Among Qualys, Inc., NASDAQ-Global Select Market Composite Index, and NASDAQ Computer Index and S&P 500 Index
* $100 invested on 12/31/14 in stock or index, including reinvestment of dividends. Fiscal year ending December 31.
STOCKPERFORMANCEGRAPHBASEYAE.JPG
 
Dec 31, 2014
 
Dec 31, 2015
 
Dec 31, 2016
 
Dec 31, 2017
 
Dec 31, 2018
 
Dec 31, 2019
Qualys, Inc.
$
100.00

 
$
143.18

 
$
136.95

 
$
256.82

 
$
323.41

 
$
360.75

NASDAQ Global Select Market
$
100.00

 
$
120.64

 
$
129.80

 
$
166.71

 
$
160.58

 
$
217.75

NASDAQ Computer
$
100.00

 
$
127.36

 
$
142.99

 
$
198.42

 
$
191.11

 
$
287.31

S&P 500
$
100.00

 
$
110.58

 
$
121.13

 
$
144.65

 
$
135.63

 
$
174.79

The information on the above Stock Price Performance Graph shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liabilities of that section or Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended, and shall not be incorporated by reference into any registration statement or other document filed by us with the SEC, whether made before or after the date of this Annual Report on Form 10-K, regardless of any general incorporation language in such filing, except as shall be expressly set forth by specific reference in such filing.

38





Purchases of Equity Securities by the Issuer and Affiliated Purchasers
On February 5, 2018, our Board of Directors authorized a $100.0 million two-year share repurchase program, which was announced on February 12, 2018. On October 25, 2018, our Board of Directors authorized an increase of $100.0 million to the original share repurchase program authorization, which was announced on October 30, 2018. Shares may be purchased from time to time on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934. On October 24, 2019, our Board of Directors authorized another increase of $100.0 million, which allows us to repurchase shares pursuant to a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act until October 30, 2020. All share repurchases were made using cash resources. As of December 31, 2019, approximately $128.5 million remained available for share repurchases pursuant to our share repurchase program.
A summary of our repurchases of common stock during the fourth quarter of 2019 is as follows:
Period
 
Total Number of Shares Purchased
 
Average Price Paid per Share
 
Total Number of Shares Purchased as Part of Publicly Announced Plan or Program
 
Approximate Dollar Value of Shares that May Yet Be Purchased under the Plan or Program
October 1, 2019 - October 31, 2019
 

 
$

 

 
$
141,079,878

November 1, 2019 - November 30, 2019
 
145,000

 
$
86.53

 
145,000

 
$
128,531,156

December 1, 2019 - December 31, 2019
 

 
$

 

 
$
128,531,156

Total
 
145,000

 
 
 
145,000

 
 


39




Item 6.
Selected Consolidated Financial Data

The following selected consolidated financial data should be read in conjunction with "Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements, related notes and other financial information included elsewhere in this Annual Report on Form 10-K. Our historical results are not necessarily indicative of the results that may be expected in the future, and the results for the year ended December 31, 2019 are not necessarily indicative of operating results to be expected for any other period. Results for reporting periods beginning after January 1, 2018 are presented under Topic 606, while prior period amounts have not been adjusted and continue to be reported in accordance with our historical accounting under Topic 605. 
 
 
 
As of December 31,
 
 
2019
 
2018
 
2017
 
2016
 
2015
 
 
(in thousands, except per share data)
Consolidated Statements of Operations Data:
 
 
 
 
 
 
 
 
 
 
Revenues
 
$
321,607

 
$
278,889

 
$
230,828

 
$
197,925

 
$
164,284

Income from operations
 
$
72,253

 
$
50,361

 
$
37,243

 
$
30,107

 
$
24,806

Net income
 
$
69,336

 
$
57,304

 
$
40,440

 
$
19,224

 
$
15,865

Net income per share
 
 
 

 
 
 
 
 
 
Basic
 
$
1.77

 
$
1.47

 
$
1.08

 
$
0.55

 
$
0.47

Diluted
 
$
1.68

 
$
1.37

 
$
1.01

 
$
0.50

 
$
0.42


 
 
 
As of December 31,
 
 
2019
 
2018
 
2017
 
2016
 
2015
 
 
(in thousands)
Consolidated Balance Sheet Data:
 
 
 
 
 
 
 
 
Cash, cash equivalents and short-term marketable securities
 
$
298,890

 
$
289,166

 
$
288,414

 
$
243,856

 
$
178,966

Long-term marketable securities
 
$
119,508

 
$
76,710

 
$
67,224

 
$
45,725

 
$
43,277

Total assets
 
$
675,608

 
$
585,680

 
$
537,525

 
$
407,004

 
$
323,514

Deferred revenues, current
 
$
192,172

 
$
164,624

 
$
143,186

 
$
114,964

 
$
98,025

Deferred revenues, noncurrent
 
$
20,935

 
$
20,423

 
$
17,136

 
$
15,528

 
$
14,564

Total stockholders’ equity
 
$
386,803

 
$
357,989

 
$
343,544

 
$
258,413

 
$
195,566

 


40




Item 7.
Management's Discussion and Analysis of Financial Condition and Results of Operations

You should read the following discussion in conjunction with the section titled "Selected Consolidated Financial Data" and our consolidated financial statements and the related notes included elsewhere in this Annual Report on Form 10-K. You should carefully review and consider the information regarding our financial condition and results of operations set forth under Part I-Item 7 (Management’s Discussion and Analysis of Financial Condition and Results of Operations) in our Annual Report on Form 10-K for the fiscal year ended December 31, 2018, filed with the SEC on February 27, 2019, for an understanding of our results of operations and liquidity discussions and analysis comparing fiscal year 2018 to fiscal year 2017. In addition to historical information, this discussion contains forward-looking statements that involve risks and uncertainties that could cause our actual results to differ materially from our expectations, as discussed in "Forward-Looking Statements" in Part I of this Annual Report on Form 10-K. Factors that could cause such differences include, but are not limited to, those described in the section titled "Risk Factors" and elsewhere in this Annual Report on Form 10-K.

Overview
We are a pioneer and leading provider of a cloud-based platform delivering IT, security and compliance solutions that enable organizations to identify security risks to their information technology (IT) infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations. Our cloud solutions address the growing security and compliance complexities and risks that are amplified by the dissolving boundaries between internal and external IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets. Our integrated suite of security and compliance solutions delivered on our Qualys Cloud Platform enables our customers to identify and manage their IT assets, collect and analyze large amounts of IT security data, discover and prioritize vulnerabilities, recommend remediation actions and verify the implementation of such actions. Organizations use our integrated suite of solutions delivered on our Qualys Cloud Platform to cost-effectively obtain a unified view of their IT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for information technology, information security, application security, endpoint, developer security and cloud teams.
We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their IT infrastructure and applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000. As VM gained acceptance, we introduced additional solutions to help customers manage increasing IT, security and compliance requirements. Today, the suite of solutions that we offer on our cloud platform and refer to as the Qualys Cloud Apps helps our customers protect a range of assets across on-premises, endpoints, cloud, containers, and mobile environments. These Cloud Apps address and include:
IT Security: Vulnerability Management (VM), Threat Protection (TP), Continuous Monitoring (CM), Patch Management (PM), Indication of Compromise (IOC);
Compliance Monitoring: Policy Compliance (PC), PCI Compliance (PCI), File Integrity Monitoring (FIM), Security Configuration Assessment (SCA), Security Assessment Questionnaire (SAQ), Out of-Band Configuration Assessment (OCA);
Web Application Security: Web Application Scanning (WAS), Web Application Firewall (WAF);
Global IT Asset Management: Global IT Asset Inventory (AI), CMDB Sync (SYN), Certificate Inventory (CRI); and,
Cloud/Container Security: Cloud Inventory (CI), Cloud Security Assessment (CSA), Container Security
(CS).
Our VM solutions (including VM, CM, TP, Cloud Agent for VM, allocated scanner revenue and Qualys Private Cloud Platform) have provided a majority of our revenues to date, representing 73% of total revenue in 2019 and 74% of total revenues in each of 2018 and 2017, respectively.

41




We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions require customers to pay a fee in order to access each of our cloud solutions. We generally invoice our customers for the entire subscription amount at the start of the subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription. We continue to experience significant revenue growth from our existing customers as they renew and purchase additional subscriptions.
We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. As of December 31, 2019, we had over 15,700 active customers in more than 133 countries, including a majority of each of the Forbes Global 100 and Fortune 100. In 2019, 2018 and 2017, approximately 64%, 67% and 70%, respectively, of our revenues were derived from customers in the United States based on our customers billing address. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force. We generate a significant portion of sales through our channel partners, including managed service providers, value-added resellers and consulting firms in the United States and internationally.
We have had continued revenue growth over the past three years. Our revenues reached $321.6 million in 2019 from $278.9 million in 2018 and $230.8 million in 2017, respectively, representing period-over-period increases of $42.7 million and $48.1 million in 2019 and 2018, or 15% and 21%, respectively. We generated net income of $69.3 million in 2019, $57.3 million in 2018 and $40.4 million in 2017.

Key Components of Results of Operations

Revenues
We derive revenues from the sale of subscriptions to our security and compliance solutions, which are delivered on our cloud platform. Subscriptions to our solutions allow customers to access our cloud-based security and compliance solutions through a unified, web-based interface. Customers generally enter into one-year renewable subscriptions. The subscription fee entitles the customer to an unlimited number of scans for a specified number of devices or web applications and, if requested by a customer as part of their subscription, a specified number of physical or virtual scanner appliances. Our physical and virtual scanner appliances are requested by certain customers as part of their subscriptions in order to scan IT infrastructures within their firewalls and do not function without, and are not sold separately from, subscriptions for our solutions. In some limited cases, we also provide certain computer equipment used to extend our Qualys Cloud Platform into our customers private cloud environment. Customers are required to return physical scanner appliances and computer equipment if they do not renew their subscriptions.
We typically invoice our customers for the entire subscription amount at the start of the subscription term. Invoiced amounts are reflected on our consolidated balance sheets as accounts receivable or as cash when collected, and as deferred revenues until earned and recognized ratably over the subscription period. Accordingly, deferred revenues represent the amount billed to customers that has not yet been earned or recognized as revenues, pursuant to subscriptions entered into in current and prior periods.

Cost of Revenues
Cost of revenues consists primarily of personnel expenses, comprised of salaries, benefits, amortization of internal-use software, performance-based compensation and stock-based compensation, for employees who operate our data centers and provide support services to our customers. Other expenses include depreciation of data center equipment and physical scanner appliances and computer hardware provided to certain customers as part of their subscriptions, expenses related to the use of third-party data centers, amortization of third-party technology licensing fees, amortization of intangibles related to acquisitions, maintenance support, fees paid to contractors who supplement or support our operations center personnel and overhead allocations. We expect to continue to make capital investments to expand and support our data center operations, which will increase the cost of revenues in absolute dollars.

Operating Expenses
Research and Development
Research and development expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation, for our research and development teams. Other expenses

42


include third-party contractor fees, software and license fees, amortization of intangibles related to acquisitions and overhead allocations.
We capitalize certain research and development costs related to new products' internal-use software development efforts. Capitalized costs include salaries, benefits, and stock-based compensation charges for employees that are directly involved in developing new products for our cloud security platform during the application development stage. Capitalized costs related to internally developed software under development are treated as construction in progress until the program, feature or functionality is ready for its intended use, at which time amortization commences. We expect to continue to devote substantial resources to research and development in an effort to continuously improve our existing solutions as well as develop new solutions and capabilities and expect that research and development expenses will increase in absolute dollars.

Sales and Marketing
Sales and marketing expenses consist primarily of personnel expenses, comprised of salaries, benefits, sales commissions, performance-based compensation and stock-based compensation for our worldwide sales and marketing teams. Other expenses include marketing and promotional events, lead-generation marketing programs, public relations, travel, software licenses and overhead allocations. Sales commissions related to new business and upsells are capitalized as an asset. We amortize the capitalized commission cost as a selling expense on a straight-line basis over a period of five years. We expense sales commissions related to contract renewals. Our new sales personnel are typically not immediately productive, and the resulting increase in sales and marketing expenses we incur when we add new personnel may not result in increased revenues if these new sales personnel fail to become productive. The timing of our hiring of sales personnel, or the participation in new marketing events or programs, and the rate at which these generate incremental revenues, may affect our future operating results. We expect to continue to significantly invest in additional sales personnel worldwide and also in more marketing programs to support new solutions on our platform, which will increase sales and marketing expenses in absolute dollars.

General and Administrative
General and administrative expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation, for our executive, finance and accounting, legal and human resources teams, as well as professional services, fees, software licenses and overhead allocations. We expect that general and administrative expenses will increase in absolute dollars, as we continue to add personnel and incur professional services to support our growth and compliance with legal requirements.

Other Income (Expense), Net
Our other income (expense), net consists primarily of interest and investment income from our short-term and long-term marketable securities; foreign exchange gains and losses, the majority of which result from fluctuations between the U.S. Dollar and the Euro, British Pound (GBP) and Indian Rupee; and losses on disposal of property and equipment.

Provision for Income Taxes
We are subject to federal, state and foreign income taxes for jurisdictions in which we operate, and we use estimates in determining our provision for these income taxes and deferred tax assets. Earnings from our non-U.S. activities are subject to income taxes in the local countries at rates which were generally similar to the U.S. statutory tax rate. Our effective rate differs from the U.S. statutory rate primarily due to excess tax benefits related to stock-based compensation, U.S. federal research and development tax credits, U.S. foreign tax credits, and non-deductible compensation to certain employees.
Income taxes are accounted for under the asset and liability method. Deferred tax assets and liabilities are recognized for the tax impact of timing differences between the financial statement carrying amounts of existing assets and liabilities and their respective tax bases and operating loss and tax credit carry-forwards. Deferred tax assets and liabilities are measured using statutory tax rates expected to apply to taxable income in the years in which those temporary differences are expected to be recovered or settled. The effect on deferred tax assets and liabilities of a change in tax rates is recognized in income in the period when the statutory rate change is enacted into law.
We assess the likelihood that deferred tax assets will be realized, and we recognize a valuation allowance if it is more likely than not that some portion of the deferred tax assets will not be recognized. This assessment requires judgment as to the likelihood and amounts of future taxable income.

43


Our income tax expense in 2019 increased due to an increase in our income before income taxes, as well as a reduction in excess stock-based compensation deductions.

Results of Operations
The following table sets forth selected consolidated statements of operations data for each of the periods presented as a percentage of revenues:
 
 
Year Ended December 31,
 
 
2019
 
2018
Revenues
 
100
%
 
100
 %
Cost of revenues
 
22

 
24

Gross profit
 
78

 
76

Operating expenses:
 
 
 
 
Research and development
 
21

 
19

Sales and marketing
 
22

 
25

General and administrative
 
13

 
14

Total operating expenses
 
56

 
58

Income from operations
 
22

 
18

Other income (expense), net
 
3

 
2

Income before income taxes
 
25

 
20

Provision for (benefit from) income taxes
 
3

 
(1
)
Net income
 
22
%
 
21
 %

Comparison of Years Ended December 31, 2019 and 2018
Revenues
 
 
Year Ended
 
 
 
 
 
 
December 31,
 
Change
 
 
2019
 
2018
 
$
 
%
 
 
(in thousands, except percentages)
Revenues
 
$
321,607

 
$
278,889

 
$
42,718

 
15
%
Revenues increased $42.7 million in 2019 compared to 2018 due to an increase in the subscriptions from existing customers and new customer subscriptions entered into in 2019. Revenues from customers existing at or prior to December 31, 2018 grew by $31.2 million to $310.1 million during 2019. Subscriptions from new customers added in 2019 contributed $11.5 million to the increase in revenues. Revenues from customers in the United States increased by $20.7 million, or 12%, from $185.9 million in 2018 to $206.6 million in 2019 and revenues from customers in foreign countries increased by $22.0 million, or 24%, from $93.0 million in 2018 to $115.1 million in 2019. We expect revenue growth from existing and new customers to continue. The growth in revenues reflects the continued demand for our solutions.

Cost of Revenues
 
 
Year Ended
 
 
 
 
 
 
December 31,
 
Change
 
 
2019
 
2018
 
$
 
%
 
 
(in thousands, except percentages)
Cost of revenues
 
$
69,517

 
$
66,185

 
$
3,332

 
5
%
Percentage of revenues
 
22
%
 
24
%
 
 
 
 
Gross profit percentage
 
78
%
 
76
%
 
 
 
 
Cost of revenues increased $3.3 million in 2019 compared to 2018, primarily due to an increase of $2.4 million in amortization expense related to acquired technologies resulting from our business acquisitions; increased costs related to our data centers of $1.9 million; and increased third-party software license costs of $1.2 million resulting from our continued

44


business growth. These increases were partially offset by a $1.8 million decrease in stock-based compensation and personnel expenses driven by a higher proportion of employees in lower-cost locations and a $0.5 million decrease in depreciation expenses.

Research and Development Expenses
 
 
Year Ended
 
 
 
 
 
 
December 31,
 
Change
 
 
2019
 
2018
 
$
 
%
 
 
(in thousands, except percentages)
Research and development
 
$
68,239

 
$
53,255

 
$
14,984

 
28
%
Percentage of revenues
 
21
%
 
19
%
 
 
 
 
Research and development expenses increased $15.0 million in 2019 compared to 2018, primarily due to an increase in personnel expenses of $7.4 million, driven by additional employees hired to support the growth of our business; an increase in stock-based compensation expense of $3.2 million; an increase in allocation of overhead costs to the research and development department of $3.2 million; and an increase in compensation costs associated with prior acquisitions of $2.7 million, offset by a $1.4 million reversal of acquisition-related obligations previously recorded.

Sales and Marketing Expenses
 
 
Year Ended
 
 
 
 
 
 
December 31,
 
Change
 
 
2019
 
2018
 
$
 
%
 
 
(in thousands, except percentages)
Sales and marketing
 
$
70,833

 
$
70,039

 
$
794

 
1
%
Percentage of revenues
 
22
%
 
25
%
 
 
 
 
Sales and marketing expenses increased $0.8 million in 2019 compared to 2018, primarily due to an increase in personnel expenses of $4.4 million, driven by additional employees hired to support the growth of our business, and an increase in trade shows and travel related costs of $1.0 million. These increases were offset by a decrease in compensation costs associated with prior acquisitions of $1.8 million; a decrease of $0.8 million in allocated overhead costs due to a lower proportion of sales and marketing employees in the employee base; a decrease of $0.8 million in consulting fees; a decrease of $0.7 million in customer acquisition costs; and a decrease of $0.4 million in recruiting and training costs.

General and Administrative Expenses
 
 
Year Ended
 
 
 
 
 
 
December 31,
 
Change
 
 
2019
 
2018
 
$
 
%
 
 
(in thousands, except percentages)
General and administrative
 
$
40,765

 
$
39,049

 
$
1,716

 
4
%
Percentage of revenues
 
13
%
 
14
%
 
 
 
 

General and administrative expenses increased $1.7 million in 2019 compared to 2018, primarily driven by an increase in stock-based compensation of $1.5 million, driven by additional employees hired to support growth of business, and an increase in personnel related expenses of $1.1 million, which were partially offset by a decrease of $1.1 million in consulting fees and temporary employee costs.


45


Total Other Income (Expense), Net
 
 
Year Ended
 
 
 
 
 
 
December 31,
 
Change
 
 
2019
 
2018
 
$
 
%
 
 
(in thousands, except percentages)
Total other income (expense), net
 
$
7,730

 
$
5,107

 
$
2,623

 
51
%
Percentage of revenues
 
3
%
 
2
%
 
 
 
 

Total other income (expense), net, increased $2.6 million in 2019 compared to 2018, primarily due to an increase in interest income from marketable securities due to higher yields and larger portfolio of investments.

Provision for (benefit from) Income Taxes
 
 
Year Ended
 
 
 
 
 
 
December 31,
 
Change
 
 
2019
 
2018
 
$
 
%
 
 
(in thousands, except percentages)
Provision for (benefit from) income taxes
 
$
10,647

 
$
(1,836
)
 
$
12,483

 
680
%
Percentage of revenues
 
3
%
 
(1
)%
 
 
 
 

We recorded an income tax expense of $10.6 million in 2019 as compared to an income tax benefit of $(1.8) million in 2018. Our income tax expense increased in 2019 by $12.5 million due to an increase in our income before income taxes, as well as a reduction in the income tax benefits from excess stock-based compensation deductions.

Key Non-GAAP Metric
In addition to measures of financial performance presented in our consolidated financial statements, we monitor the Non-GAAP key metric set forth below to help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operational efficiencies.

 
 
Year Ended December 31,
 
 
2019
 
2018
 
 
(in thousands)
Adjusted EBITDA
 
$
140,785

 
$
112,380


Adjusted EBITDA
We monitor Adjusted EBITDA, a non-GAAP financial measure, to analyze our financial results and believe that it is useful to investors, as a supplement to U.S. GAAP measures, in evaluating our ongoing operational performance and enhancing an overall understanding of our past financial performance. We believe that Adjusted EBITDA helps illustrate underlying trends in our business that could otherwise be masked by the effect of the income or expenses that we exclude in Adjusted EBITDA. Furthermore, we use this measure to establish budgets and operational goals for managing our business and evaluating our performance. We also believe that Adjusted EBITDA provides an additional tool for investors to use in comparing our recurring core business operating results over multiple periods with other companies in our industry.

Adjusted EBITDA should not be considered in isolation from, or as a substitute for, financial information prepared in accordance with U.S. GAAP. We calculate Adjusted EBITDA as net income before (1) other (income) expense, net, which includes interest income, interest expense and other income and expense, (2) provision for (benefit from) income taxes, (3) depreciation of property and equipment, (4) amortization of intangible assets, (5) stock-based compensation, (6) non-recurring expenses and (7) cash acquisition-related expense that do not reflect ongoing costs of operating the business.


46


The following unaudited table presents the reconciliation of net income to Adjusted EBITDA for each of the periods presented.
 
 
Year Ended December 31,
 
 
2019
 
2018
 
 
(in thousands)
Net income
 
$
69,336

 
$
57,304

Depreciation and amortization of property and equipment
 
25,121

 
25,179

Amortization of intangible assets
 
6,080

 
3,725

Provision for (benefit from) income taxes
 
10,647

 
(1,836
)
Stock-based compensation
 
34,892

 
30,090

Other income (expense), net
 
(7,730
)
 
(5,107
)
Acquisition-related expense(1)
 
2,439

 
3,025

Adjusted EBITDA
 
$
140,785

 
$
112,380

Percentage of revenues
 
44
%
 
40
%
(1) Relates to compensation expense from the acquisition of Adya, NetWatcher and Layered Insight.

Limitations of Adjusted EBITDA
Adjusted EBITDA, a non-GAAP financial measure, has limitations as an analytical tool, and should not be considered in isolation from or as a substitute for the measures presented in accordance with U.S. GAAP. Some of these limitations are:
Adjusted EBITDA does not reflect certain cash and non-cash charges that are recurring;
Adjusted EBITDA does not reflect income tax payments that reduce cash available to us;
Adjusted EBITDA excludes depreciation of property and equipment and amortization of intangible assets, although these are non-cash charges, the assets being depreciated and amortized may have to be replaced in the future; and
Other companies, including companies in our industry, may calculate Adjusted EBITDA differently or not at all, which reduces its usefulness as a comparative measure.
Because of these limitations, Adjusted EBITDA should be considered alongside other financial performance measures, including revenues, net income, cash flows from operating activities and our financial results presented in accordance with U.S. GAAP.

Liquidity and Capital Resources

At December 31, 2019, our principal source of liquidity was cash, cash equivalents and short-term and long-term investments of $418.4 million, including $24.6 million of cash held outside of the United States by our foreign subsidiaries. We do not anticipate that we will need funds generated from foreign operations to fund our domestic operations. However, if we repatriate these funds, we could be subject to foreign withholding taxes.

We have experienced positive cash flows from operations during the years ended December 31, 2019 and 2018. We believe our existing cash, cash equivalents, short-term and long-term marketable securities, and cash from operations will be sufficient to fund our operations for at least the next twelve months. In 2020, we expect capital expenditures to be in a range of $30.0 million to $35.0 million, which includes approximately $5.0 million of capital expenditures at our new offices in Pune, India.

Our future capital requirements will depend on many factors, including our rate of revenue growth, the expansion of our sales and marketing activities, the timing, type and extent of our spending on research and development efforts, international expansion and investment in data centers. We may also seek to invest in or acquire complementary businesses or technologies.


47


Cash Flows

The following summary of cash flows for the periods indicated has been derived from our consolidated financial statements included elsewhere in this report:
 
 
Year Ended December 31,
 
 
2019
 
2018
 
 
(in thousands)
Cash provided by operating activities
 
$
160,607

 
$
125,464

Cash used in investing activities
 
(35,029
)
 
(93,546
)
Cash used in financing activities
 
(79,045
)
 
(77,483
)
Net increase (decrease) in cash, cash equivalents and restricted cash
 
$
46,533

 
$
(45,565
)

Cash Flows from Operating Activities
In 2019, cash provided by operating activities of $160.6 million was primarily due to $69.3 million of net income, as adjusted by increases in non-cash items including stock-based compensation expense of $34.9 million, depreciation and amortization expense of $31.2 million, an increase in deferred income taxes of $7.1 million; and an increase in deferred revenues of $28.1 million due to our continued growth in sales. These increases were partially offset by $6.0 million of increased prepayments primarily for computer hardware maintenance fees; a $2.5 million decrease in accounts receivable due to higher billings; and a $1.1 million decrease in accounts payable mainly due to timing of payments.
In 2018, cash provided by operating activities of $125.5 million was primarily due to $57.3 million of net income, as adjusted by increases in non-cash items including stock-based compensation expense of $30.1 million and depreciation and amortization expense of $28.9 million. There was also an increase in deferred revenues of $24.7 million which was attributable to our continued growth in sales and a $4.9 million increase in accounts payable and accrued liabilities due to more expenditures to support growing our business and higher accruals related to acquisitions in 2018. These increases were partially offset by a $11.5 million decrease in accounts receivable due to timing of customer payments and a $5.0 million decrease related to prepaid assets due to timing.

Cash Flows from Investing Activities
In 2019, cash used in investing activities of $35.0 million was primarily attributable to $27.6 million of cash used for capital expenditures, $4.1 million in aggregate payments made in connection with our acquisitions of Adya and holdback payments for our acquisitions in the prior years, net purchases of investments of $2.8 million, and $0.6 million for our purchase of an investment in a privately-held company. The $27.6 million increase in capital expenditures included leasehold improvements for a new office in India and computer hardware purchases to support our growth.
In 2018, cash used in investing activities of $93.5 million was primarily attributable to net purchases of investments of $54.6 million and $22.8 million of cash used for capital expenditures, including computer hardware and software for our data centers to support our growth, and $13.6 million used in connection with our acquisition of Layered Insight and the assets of 1Mobility in addition to $2.5 million for our purchase of an investment in a privately-held company.

Cash Flows from Financing Activities
In 2019, cash used in financing activities of $79.0 million was primarily attributable to $86.4 million of common stock repurchases and $15.7 million of payments related to net share settlement of equity awards, offset by $24.8 million of proceeds from the exercise of stock options.
In 2018, cash used in financing activities of $77.5 million was primarily attributable to $85.0 million of common stock repurchases and $14.9 million of payments related to net share settlement of equity awards, offset by $24.1 million of proceeds from the exercise of stock options.


48


Contractual Obligations
Our principal commitments consist of obligations under our outstanding leases for office space, third-party data centers and office equipment. The following table summarizes our contractual cash obligations at December 31, 2019 and the effect such obligations are expected to have on our liquidity and cash flows in future periods: 
 
 
 
 
Payment Due by Period
Contractual Obligations:
 
Total
 
Less Than
1 Year
 
1-3
Years
 
3-5
Years
 
More than 5 Years
 
 
(in thousands)
 
 
Operating lease obligations
 
$
62,102

 
$
10,603

 
$
18,398

 
$
17,518

 
$
15,583

Purchase order obligations
 
25,338
 
23,060
 
2,278

 
 
Total
 
$
87,440

 
$
33,663

 
$
20,676

 
$
17,518

 
$
15,583

Operating lease obligations represent our obligations to make payments under the lease agreements for our facilities, data centers, and office equipment leases. During the year ended December 31, 2019, total payments for our operating lease obligations was $9.4 million.

Off-Balance Sheet Arrangements
During the periods presented, we did not have, nor do we currently have, any relationships with unconsolidated entities or financial partnerships, such as entities often referred to as structured finance or special purpose entities.

Recent Accounting Pronouncements

See Note 1 to the consolidated financial statements in Part II, Item 8 of this Annual Report on Form10-K for a discussion of recent accounting pronouncements.

Critical Accounting Policies and Estimates

Our consolidated financial statements are prepared in accordance with U.S. GAAP. The preparation of these financial statements requires us to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenues, expenses and related disclosures. On an ongoing basis, we evaluate our estimates and assumptions. Our actual results may differ from these estimates under different assumptions or conditions.

We believe that of our significant accounting policies, which are described in the notes to our consolidated financial statements, the following accounting policies involve the greatest degree of judgment and complexity and have the greatest potential impact on our consolidated financial statements. A critical accounting policy is one that is material to the presentation of our consolidated financial statements and requires us to make difficult, subjective or complex judgments for uncertain matters that could have a material effect on our financial condition and results of operations. Accordingly, these are the policies we believe are the most critical to aid in fully understanding and evaluating our financial condition and results of operations. For further information on all of our significant accounting policies, see Note 1 - The Company and Summary of Significant Accounting Policies in the accompanying notes to the consolidated financial statements included in Part II, Item 8, "Financial Statements and Supplementary Data" of this Annual Report on Form 10-K.

Revenue Recognition

We derive revenues from the sale of subscriptions to our security and compliance solutions, which are delivered on our cloud platform. Subscriptions to our solutions allow customers to access our cloud-based security and compliance solutions through a unified, web-based interface. Customers generally enter into one-year renewable subscriptions though some customers do enter into subscriptions with longer terms. The subscription fee entitles the customer to an unlimited number of scans for a specified number of devices or web applications and, if requested by a customer as part of their subscription, a specified number of physical or virtual scanner appliances. Our physical and virtual scanner appliances are requested by certain customers as part of their subscriptions in order to scan IT infrastructures within their firewalls and do not function without, and are not sold separately from, subscriptions for our solutions. In some limited cases, we also provide certain computer equipment used to extend our Qualys Cloud Platform into our customers’ private cloud environment. Customers are required to return physical scanner appliances and computer equipment if they do not renew their subscriptions.


49


We recognize revenues on a usage basis for certain other limited scan arrangements, where expiration dates can be extended. Physical equipment (scanners and private cloud platforms) are accounted for as operating leases under ASC 842. The company used the practical expedient to combine lease and nonlease components as a combined component under ASC 606 due to the software subscription nonlease components being the predominant component of the combined component. Therefore, the Company recognizes revenue for the physical equipment ratably over the related subscription period. Costs of shipping and handling charges associated with physical scanner appliances and other computer equipment are included in cost of revenues.

Deferred revenues consist of customer contracts billed or cash received that will be recognized in the future under subscriptions existing at the balance sheet date.

We adopted ASC 606, "Revenue from Contracts with Customers" with a date of initial application of January 1, 2018. We adopted ASC 606 using the modified retrospective method and recognized the cumulative effect as an adjustment to the opening balance of equity at January 1, 2018. We previously expensed sales commission as incurred. Under ASC 606, sales commissions cost related to new business and upsells are recorded as an asset. We amortize the capitalized commission cost as a selling expense on a straight-line basis over a period of five years. Five years represents the estimated life of the customer relationship taking into account factors such as peer estimates of technology lives and customer lives as well as our own historical data. Applying the practical expedient in ASC 340-40-25-4, we expense commissions related to renewals with a contract term of one year or less. The current and noncurrent portions of deferred commissions are included in prepaid expenses and other current assets, and other noncurrent assets, respectively, in our consolidated balance sheets.
Income Taxes
We are subject to income taxes in the United States as well as other tax jurisdictions in which we conduct business. Earnings from our non-U.S. activities are subject to local income tax and may also be subject to U.S. income tax.
Income tax expense or benefit is recognized for the amount of taxes payable or refundable for the current year, and for deferred tax assets and liabilities for the tax consequences of events that have been recognized in an entity’s financial statements or tax returns. We must make significant assumptions, judgments and estimates to determine our current provision for (benefit from) income taxes, our deferred tax assets and liabilities, and any valuation allowance to be recorded against our deferred tax assets. Our judgments, assumptions and estimates relating to the current provision for (benefit from) income taxes include the geographic mix and amount of income (loss), our interpretation of current tax laws, and possible outcomes of current and future audits conducted by foreign and domestic tax authorities. Our judgments also include anticipating the tax positions we will record in the financial statements before actually preparing and filing the tax returns. Our estimates and assumptions may differ from the actual results as reflected in our income tax returns and we record the required adjustments when they are identified or resolved. Changes in our business, tax laws or our interpretation of tax laws, and developments in current and future tax audits, could significantly impact the amounts provided for income taxes in our results of operations, financial position, or cash flows.
Deferred tax assets and liabilities are recognized for the estimated future tax consequences attributable to tax benefit carry-forwards and to differences between the financial statement amounts of assets and liabilities and their respective tax basis. We regularly review our deferred tax assets for recoverability and establish a valuation allowance if it is more likely than not that some portion or all of the deferred tax assets will not be realized. To make this assessment, we take into account predictions of the amount and category of taxable income from available positive and negative evidence about these possible sources of taxable income. The weight given to the potential effect of negative and positive evidence is commensurate with the extent to which the strength of the evidence can be objectively verified.
Based on the analysis of positive and negative factors noted above, we do not have a valuation allowance against U.S. federal and certain state deferred tax assets. We believe it is more likely than not that our California deferred tax assets will not be realized because the income attributed to California is not expected to be sufficient to recognize these deferred tax assets. Accordingly, we continue to record a valuation allowance as of December 31, 2019 for our California deferred tax assets. If, in the future, we determine that these deferred tax assets are more likely than not to be realized, a release of all or part, of the related valuation allowance could result in an income tax benefit in the period such determination is made.
We recognize an income tax expense or benefit with respect to uncertain tax positions in our financial statements that we judge is more likely than not to be sustained solely on its technical merits in a tax audit, including resolution of any related appeals or litigation processes. To make this judgment, we must interpret complex and sometimes ambiguous tax laws, regulations and administrative practices. If an income tax position meets the more likely than not recognition threshold, then we must measure the amount of the tax benefit to be recognized by determining the largest amount of tax benefit that has a greater than a 50% likelihood of being realized upon effective settlement with a taxing authority that has full knowledge of

50


all of the relevant facts. It is inherently difficult and subjective to estimate such amounts, as this requires us to determine the probability of various possible settlement outcomes. To determine if a tax position is effectively settled after a tax examination has been completed, we must also estimate the likelihood that another taxing authority could review the respective tax position. We must also determine when it is reasonably possible that the amount of unrecognized tax benefits will significantly increase or decrease in the 12 months after each fiscal year-end. These judgments are difficult because a taxing authority may change its behavior as a result of our disclosures in our financial statements. We must reevaluate our income tax positions on a quarterly basis to consider factors such as changes in facts or circumstances, effectively settled issues under audit, the potential for interest and penalties, and new audit activity. Such a change in recognition or measurement would result in recognition of a tax benefit or an additional charge to the tax provision.
On December 22, 2017, the Tax Cuts and Jobs Act (the “2017 Tax Act”) was enacted into law. The new legislation contains several key tax provisions that impacted us, including the reduction of the corporate income tax rate from 35% to 21% effective January 1, 2018. The new legislation also includes a variety of other changes, such as a one-time repatriation tax on accumulated foreign earnings (transition tax), acceleration of business asset expensing, and a reduction in the amount of executive pay that could qualify as a tax deduction, among others. We recognized a provisional income tax expense of $10.4 million in the fourth quarter of 2017, from the re-measurement of certain deferred tax assets and liabilities as a result of the reduction of the federal tax rate, which was included as a component of the income tax provision on our consolidated statement of income. We completed our analysis of the impacts of the 2017 Tax Act in the fourth quarter of 2018 with no material change to our provisional estimate.
Stock-Based Compensation
We recognize the fair value of our employee stock options and restricted stock units over the requisite service period for those awards ultimately expected to vest. The fair value of each option is estimated on date of grant using the Black-Scholes-Merton option pricing model and the fair value of each restricted stock unit is based on the fair value of our stock on the date of grant. Forfeitures are estimated on the date of grant and revised if actual or expected forfeiture activity differs materially from original estimates.
Determining the appropriate fair value model and calculating the fair value of employee stock options requires the use of highly subjective assumptions, including the expected life of the stock option and stock price volatility. The assumptions used in calculating the fair value of employee stock options represent management’s best estimates, but the estimates involve inherent uncertainties and the application of management’s judgment. As a result, if factors change and we use different assumptions, our stock-based compensation expense could be materially different in the future.
For performance-based non-qualified stock options and restricted stock units, we recognize compensation costs when it is probable that the performance conditions will be met. We assess these conditions on a quarterly basis.
Fair Value Measurement
Fair value is defined as the price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market participants at the measurement date. For certain of our financial instruments, including cash and certain cash equivalents, accounts receivable, accounts payable, and other current liabilities, the carrying amounts approximate their fair value due to the relatively short maturity of these balances.

We measure and report certain cash equivalents, investments and derivative foreign currency forward contracts at fair value in accordance with the provisions of the authoritative accounting guidance that addresses fair value measurements. This guidance establishes a hierarchy for inputs used in measuring fair value that maximizes the use of observable inputs and minimizes the use of unobservable inputs by requiring that the most observable inputs be used when available. The hierarchy is broken down into three levels based on the reliability of inputs as follows:

Level 1—Valuations based on quoted prices in active markets for identical assets or liabilities.

Level 2—Valuations based on other than quoted prices in active markets for identical assets and liabilities, quoted prices for identical or similar assets or liabilities in inactive markets, or other inputs that are observable or can be corroborated by observable market data for substantially the full term of the assets or liabilities.

Level 3—Valuations based on inputs that are generally unobservable and typically reflect management’s estimates of assumptions that market participants would use in pricing the asset or liability.


51


Our financial instruments consist of assets measured using Level 1 and 2 inputs. Level 1 assets include a highly liquid money market fund, which is valued using unadjusted quoted prices that are available in an active market for an identical asset. Level 2 assets include fixed-income U.S. government agency securities, commercial paper, corporate bonds, asset-backed securities and derivative financial instruments consisting of foreign currency forward contracts. The securities, bonds and commercial paper are valued using prices from independent pricing services based on quoted prices in active markets for similar instruments or on industry models using data inputs such as interest rates and prices that can be directly observed or corroborated in active markets. The foreign currency forward contracts are valued using observable inputs. The carrying amounts of other financial instruments including accounts receivable, the investments in a privately-held company, account payables, accrued liabilities in our consolidated balance sheets approximates fair value as of December 31, 2019 and 2018.
For further details, see Part II, Item 8 of this Annual Report on Form10-K Note 2, Fair Value of Financial Instruments.
Derivative Financial Instruments

Derivative financial instruments are utilized by us to reduce foreign currency exchange risks. We use foreign currency forward contracts to mitigate the impact of foreign currency fluctuations of certain non-U.S. dollar denominated asset positions, to date primarily cash and accounts receivable (non-designated), as well as to manage foreign currency fluctuation risk related to forecasted transactions (designated). We account for these instruments as either non-designated or cash flow hedges, respectively. Open contracts are recorded within prepaid expenses and other current assets, other noncurrent assets, accrued liabilities or other noncurrent liabilities in the consolidated balance sheets. Gains and losses resulting from currency exchange rate movements on non-designated forward contracts are recognized in other income (expense). Any gains or losses from derivatives designated as cash flow hedges are first accumulated in accumulated other comprehensive income (AOCI) and then reclassified to revenue when the hedged item impacts the consolidated financial statements.

Item 7A.
Quantitative and Qualitative Disclosures about Market Risk

We have domestic and international operations and we are exposed to market risks in the ordinary course of our business. These risks primarily include interest rate, foreign exchange and inflation risks, as well as risks relating to changes in the general economic conditions in the countries where we conduct business. To reduce certain of these risks, we monitor the financial condition of our large customers and limit credit exposure by collecting subscription fees in advance.

Foreign Currency Risk

Our results of operations and cash flows have been and will continue to be subject to fluctuations because of changes in foreign currency exchange rates, particularly changes in exchange rates between the U.S. dollar and the Euro, GBP and Indian Rupee, the currencies of countries where we currently have our most significant international operations. A portion of our invoicing is denominated in the Euro, GBP, Japanese Yen and Indian Rupee. Our expenses in international locations are generally denominated in the currencies of the countries in which our operations are located.

The cash flow effects of our derivative contracts for the year ended December 31, 2019 and 2018 were included within net cash provided by operating activities on our consolidated statements of cash flows. At December 31, 2019, we had 26 open designated cash flow hedge forward contracts with notional amounts of €24.2 million and £9.7 million. During the fiscal year ended December 31, 2019, we recorded $0.4 million of unrealized foreign exchange gains (net of realized gains and losses and tax) related to the designated cash flow hedge contracts in AOCI. At December 31, 2018, we had 12 open cash flow hedge contracts with notional amount of €12.9 million and £4.1 million. The unrealized foreign exchange losses on these contracts recorded in AOCI were insignificant.

For further details, see Part II, Item 8 of this Annual Report on Form10-K Note 2, Fair Value of Financial Instruments.

Interest Rate Sensitivity

We have $418.4 million in cash, cash equivalents and short-term and long-term marketable securities at December 31, 2019. Cash and cash equivalents include cash held in banks, highly liquid money market funds and commercial paper. Marketable securities consist of fixed-income U.S. government agency securities, corporate bonds, asset-backed securities and commercial paper. We determine the appropriate balance sheet classification of our investments at the time of purchase and reevaluate such designation at each balance sheet date. We classify our marketable securities as either short-term or long-term based on each instrument's underlying contractual maturity date.

52





The primary objectives of our investment activities are the preservation of principal and support of our liquidity requirements. We do not enter into investments for trading or speculative purposes. Our marketable securities are subject to market risk due to changes in interest rates, which may affect the interest income we earn and the fair market value. We do not believe that a 10% increase or decrease in interest rates would have a material impact on our operating results or cash flows.


53




Item 8.
Financial Statements and Supplementary Data

Qualys, Inc.
INDEX TO CONSOLIDATED FINANCIAL STATEMENTS

Table of Contents

 
Page
Reports of Independent Registered Public Accounting Firm
55
Consolidated Balance Sheets
58
Consolidated Statements of Operations
59
Consolidated Statements of Comprehensive Income
60
Consolidated Statements of Cash Flows
61
Consolidated Statements of Stockholders' Equity
62
Notes to Consolidated Financial Statements
63



54





REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM

Board of Directors and Stockholders
Qualys, Inc.
Opinion on the financial statements
We have audited the accompanying consolidated balance sheets of Qualys, Inc. (a Delaware corporation) and subsidiaries (the “Company”) as of December 31, 2019 and 2018, the related consolidated statements of operations, comprehensive income, changes in stockholders’ equity, and cash flows for each of the three years in the period ended December 31, 2019, and the related notes and financial statement schedule included under Item 15(a)(2) (collectively referred to as the “financial statements”). In our opinion, the financial statements present fairly, in all material respects, the financial position of the Company as of December 31, 2019 and 2018, and the results of its operations and its cash flows for each of the three years in the period ended December 31, 2019, in conformity with accounting principles generally accepted in the United States of America.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (“PCAOB”), the Company’s internal control over financial reporting as of December 31, 2019, based on criteria established in the 2013 Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”), and our report dated February 21, 2020 expressed an unqualified opinion.
Adoption of New Accounting Standard
As discussed in Note 1 to the financial statements, the Company has changed its method of accounting for leases in 2019 due to the adoption of the guidance in ASC Topic 842, Leases, using the current period adjustment method.
Basis for opinion
These financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on the Company’s financial statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing procedures to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the financial statements. We believe that our audits provide a reasonable basis for our opinion.
Critical audit matters
The critical audit matters communicated below are matters arising from the current period audit of the financial statements that were communicated or required to be communicated to the audit committee and that: (1) relate to accounts or disclosures that are material to the financial statements and (2) involved our especially challenging, subjective, or complex judgments. The communication of critical audit matters does not alter in any way our opinion on the financial statements, taken as a whole, and we are not, by communicating the critical audit matters below, providing separate opinions on the critical audit matters or on the accounts or disclosures to which they relate.
Income Taxes
As described further in Note 10 to the financial statements, the company records income taxes using the asset and liability method, under which deferred tax assets and liabilities are determined based on the difference between the financial statement and tax bases of assets and liabilities using enacted tax rates in effect for the year in which the differences are expected to affect taxable income. We identified the tax effects of temporary and permanent differences related to stock-based compensation as a critical audit matter.

The principal considerations for our determination that the tax effects of temporary and permanent differences as a critical audit matter are that auditing the application of executive compensation rules requires significant technical expertise, the

55


Company is generating excess tax deductions as a result of stock-based compensation and the stock-based compensation calculation is complex due to the required recordkeeping. Our audit procedures related to the tax effects of temporary and permanent differences related to stock-based compensation included the following, among others.
Involved an employee compensation specialist to assess the application of executive compensation rules.
Obtained management’s permanent and temporary provision calculation and tied out inputs to supporting equity documentation.
Tested the completeness and accuracy of the calculation of permanent and temporary differences.
Determined that the ending gross temporary difference agreed to the supporting equity documentation.


/s/ GRANT THORNTON LLP


We have served as the Company’s auditor since 2005.
San Jose, California
February 21, 2020

56


Report of Independent Registered Public Accounting Firm


Board of Directors and Stockholders
Qualys, Inc.
Opinion on internal control over financial reporting
We have audited the internal control over financial reporting of Qualys, Inc. (a Delaware corporation) and subsidiaries (the “Company”) as of December 31, 2019, based on criteria established in the 2013 Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”). In our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2019, based on criteria established in the 2013 Internal Control-Integrated Framework issued by COSO.

We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (“PCAOB”), the consolidated financial statements of the Company as of and for the year ended December 31, 2019, and our report dated February 21, 2020 expressed an unqualified opinion on those financial statements.

Basis for opinion
The Company’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying Management’s Annual Report on Internal Control over Financial Reporting (“Management’s Report”). Our responsibility is to express an opinion on the Company’s internal control over financial reporting based on our audit. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.

We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

Definition and limitations of internal control over financial reporting
A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
/s/ GRANT THORNTON LLP
San Jose, California
February 21, 2020

57


Qualys, Inc.
CONSOLIDATED BALANCE SHEETS
(in thousands, except share and per share data)

 
 
December 31,
 
 
2019
 
2018
Assets
 
 
 
 
Current assets:
 
 
 
 
Cash and cash equivalents
 
$
87,559

 
$
41,026

Short-term marketable securities
 
211,331

 
248,140

Accounts receivable, net of allowance of $585 and $683 at December 31, 2019 and 2018, respectively
 
78,034

 
75,825

Prepaid expenses and other current assets
 
18,692

 
13,974

Total current assets
 
395,616

 
378,965

Long-term marketable securities
 
119,508

 
76,710

Property and equipment, net
 
60,579

 
61,442

Operating leases - right of use asset
 
40,551

 

Deferred tax assets, net
 
18,830

 
26,387

Intangible assets, net
 
16,795

 
21,976

Goodwill
 
7,447

 
7,225

Restricted cash
 
1,200

 
1,200

Other noncurrent assets
 
15,082

 
11,775

Total assets
 
$
675,608

 
$
585,680

Liabilities and Stockholders’ Equity
 
 
 
 
Current liabilities:
 
 
 
 
Accounts payable
 
$
848

 
$
5,588

Accrued liabilities
 
22,784

 
26,695

Deferred revenues, current
 
192,172

 
164,624

Operating lease liabilities, current
 
7,663

 

Total current liabilities
 
223,467

 
196,907

Deferred revenues, noncurrent
 
20,935

 
20,423

Operating lease liabilities, noncurrent
 
44,015

 

Other noncurrent liabilities
 
388

 
10,361

Total liabilities
 
288,805

 
227,691

Commitments and contingencies (Note 7)
 


 


Stockholders’ equity:
 
 
 
 
Preferred stock: $0.001 par value; 20,000,000 shares authorized, no shares issued and outstanding at December 31, 2019 and 2018
 

 

Common stock, $0.001 par value; 1,000,000,000 shares authorized, 39,146,272 and 39,015,034 shares issued and outstanding at December 31, 2019 and 2018, respectively
 
39

 
39

Additional paid-in capital
 
362,408

 
330,572

Accumulated other comprehensive income (loss)
 
1,162

 
(586
)
Retained earnings
 
23,194

 
27,964

Total stockholders’ equity
 
386,803

 
357,989

Total liabilities and stockholders’ equity
 
$
675,608

 
$
585,680


The accompanying notes are an integral part of these Consolidated Financial Statements.

58




Qualys, Inc.
CONSOLIDATED STATEMENTS OF OPERATIONS
(in thousands, except per share data)

 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
Revenues
 
$
321,607

 
$
278,889

 
$
230,828

Cost of revenues
 
69,517

 
66,185

 
51,580

Gross profit
 
252,090

 
212,704

 
179,248

Operating expenses:
 
 
 
 
 
 
Research and development
 
68,239

 
53,255

 
42,816

Sales and marketing
 
70,833

 
70,039

 
63,855

General and administrative
 
40,765

 
39,049

 
35,334

Total operating expenses
 
179,837

 
162,343

 
142,005

Income from operations
 
72,253

 
50,361

 
37,243

Other income (expense), net:
 
 
 
 
 
 
Interest expense
 
(106
)
 
(172
)
 
(3
)
Interest income
 
8,443

 
6,080

 
2,674

Other income (expense), net
 
(607
)

(801
)

(536
)
Total other income (expense), net
 
7,730

 
5,107

 
2,135

Income before income taxes
 
79,983

 
55,468

 
39,378

Provision for (benefit from) income taxes
 
10,647

 
(1,836
)
 
(1,062
)
Net income
 
$
69,336

 
$
57,304

 
$
40,440

Net income per share:
 
 
 
 
 
 
Basic
 
$
1.77

 
$
1.47

 
$
1.08

Diluted
 
$
1.68

 
$
1.37

 
$
1.01

Weighted average shares used in computing net income per share:
 
 
 
 
 
 
Basic
 
39,075

 
38,876

 
37,443

Diluted
 
41,345

 
41,897

 
40,071


The accompanying notes are an integral part of these Consolidated Financial Statements.


59




Qualys, Inc.
CONSOLIDATED STATEMENTS OF COMPREHENSIVE INCOME
(in thousands)

 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
Net income
 
$
69,336

 
$
57,304

 
$
40,440

Other comprehensive income (loss):
 
 
 
 
 
 
 Available-for-sale marketable securities:
 
 
 
 
 
 
Change in net unrealized gain (loss), net of tax effect of ($243), $0 and $0 in fiscal years 2019, 2018 and 2017, respectively
 
1,367

 
(261
)
 
(462
)
Reclassification adjustment for net loss realized and included in net income, net of tax effect of $0 in fiscal years 2019, 2018 and 2017
 

 
289

 
44

Total change in unrealized gain (loss) on marketable securities, net of tax
 
1,367

 
28

 
(418
)
Cash flow hedges:
 
 
 
 
 
 
Change in net unrealized gain (loss), net of tax effect of ($136), $0 and $0 in fiscal years 2019, 2018 and 2017, respectively
 
515

 
(40
)
 

Reclassification adjustment for net gain realized and included in net income, net of tax effect of $35, $0 and $0 in fiscal years 2019, 2018 and 2017, respectively
 
(134
)
 

 

Total change in unrealized gain (loss) on cash flow hedges, net of tax
 
381

 
(40
)
 

Other comprehensive income (loss), net of tax
 
1,748

 
(12
)
 
(418
)
Comprehensive income
 
$
71,084

 
$
57,292

 
$
40,022


The accompanying notes are an integral part of these Consolidated Financial Statements.


60




Qualys, Inc.
CONSOLIDATED STATEMENTS OF CASH FLOWS
(in thousands)
 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
 
 
 
Cash flows from operating activities:
 
 
 
 
 
 
Net income
 
$
69,336

 
$
57,304

 
$
40,440

Adjustments to reconcile net income to net cash provided by operating activities:
 
 
 
 
 
 
Depreciation and amortization expense
 
31,201

 
28,904

 
20,636

Bad debt expense
 
247

 
86

 
657

Loss on disposal of property and equipment
 
202

 
9

 
161

Stock-based compensation
 
34,892

 
30,090

 
26,961

Amortization of premiums and (accretion) of discounts on marketable securities
 
(1,597
)
 
(1,136
)
 
1,324

Deferred income taxes
 
7,095

 
(2,521
)
 
(2,718
)
Changes in operating assets and liabilities:
 
 
 
 
 
 
Accounts receivable
 
(2,456
)
 
(11,467
)
 
(17,966
)
Prepaid expenses and other assets
 
(6,012
)
 
(4,970
)
 
(53
)
Accounts payable
 
(1,076
)
 
3,515

 
(454
)
Accrued liabilities
 
715

 
1,426

 
1,485

Deferred revenues
 
28,060

 
24,725

 
29,830

Other noncurrent liabilities
 

 
(501
)
 
7,343

Net cash provided by operating activities
 
160,607

 
125,464

 
107,646

Cash flows from investing activities:
 
 
 
 
 
 
Purchases of marketable securities
 
(331,131
)
 
(339,862
)
 
(299,891
)
Sales and maturities of marketable securities
 
328,350

 
285,224

 
231,996

Purchases of property and equipment
 
(27,573
)
 
(22,775
)
 
(37,818
)
Business combinations
 
(4,050
)
 
(13,633
)
 
(12,482
)
Purchase of privately-held investment
 
(625
)
 
(2,500
)
 

Net cash used in investing activities
 
(35,029
)
 
(93,546
)
 
(118,195
)
Cash flows from financing activities:
 
 
 
 
 
 
Repurchase of common stock
 
(86,424
)
 
(85,040
)
 

Proceeds from exercise of stock options
 
24,831

 
24,053

 
31,327

Payments for taxes related to net share settlement of equity awards
 
(15,743
)
 
(14,879
)
 
(20,924
)
Principal payments under finance lease obligations
 
(1,709
)
 
(1,617
)
 

Net cash (used in) provided by financing activities
 
(79,045
)
 
(77,483
)
 
10,403

Net increase (decrease) in cash and cash equivalents
 
46,533

 
(45,565
)
 
(146
)
Cash, cash equivalents and restricted cash at beginning of period
 
42,226

 
87,791

 
$
87,937

Cash, cash equivalents and restricted cash at end of period
 
$
88,759

 
$
42,226

 
$
87,791

Supplemental disclosures of cash flow information
 
 
 
 
 
 
Cash paid for interest expense
 
$
107

 
$
168

 
$
3

Cash paid for income taxes, net of refunds
 
3,031

 
2,693

 
1,584

Non-cash investing and financing activities
 
 
 
 
 
 
Business acquisitions recorded in accrued liabilities and deferred tax liability
 
1,650

 
4,676

 
1,000

Purchases of property and equipment recorded in accounts payable and accrued liabilities
 
235

 
4,190

 
2,765


The accompanying notes are an integral part of these Consolidated Financial Statements.


61




Qualys, Inc.
CONSOLIDATED STATEMENTS OF STOCKHOLDERS’ EQUITY 
(in thousands, except share data)
 
 
Common Stock
 
Additional
Paid-In
Capital
 
Accumulated
Other
Comprehensive
Income (Loss)
 
Retained Earnings (deficit)
 
Total
Stockholders’
Equity
 
 
Shares
 
Amount
 
Balances at December 31, 2016
 
35,841,001

 
$
36

 
$
266,794

 
$
(156
)
 
$
(8,261
)
 
$
258,413

Cumulative effect of a change in accounting principle related to stock-based compensation
 

 

 

 

 
7,745

 
7,745

Net income
 

 

 

 

 
40,440

 
40,440

Other comprehensive loss, net of tax
 

 

 

 
(418
)
 

 
(418
)
Issuance of common stock upon exercise of stock options
 
2,997,095

 
3

 
31,324

 

 

 
31,327

Issuance of common stock upon vesting of restricted stock units
 
368,367

 

 

 

 

 

Taxes related to net share settlement of equity awards and options
 
(608,346
)
 

 
(20,924
)
 

 

 
(20,924
)
Stock-based compensation
 

 

 
26,961

 

 

 
26,961

Balances at December 31, 2017
 
38,598,117

 
39

 
304,155

 
(574
)
 
39,924

 
343,544

Adjustment to opening retained earnings on adoption of ASC 606
 

 

 

 

 
2,711

 
2,711

Net income
 

 

 

 

 
57,304

 
57,304

Other comprehensive loss, net of tax
 

 

 

 
(12
)
 

 
(12
)
Issuance of common stock upon exercise of stock options
 
1,183,235

 
1

 
24,052

 

 

 
24,053

Repurchase of common stock
 
(1,088,899
)
 
(1
)
 
(13,064
)
 

 
(71,975
)
 
(85,040
)
Issuance of common stock upon vesting of restricted stock units
 
525,375

 

 

 

 

 

Taxes related to net share settlement of equity awards
 
(202,794
)
 

 
(14,879
)
 

 

 
(14,879
)
Stock-based compensation
 

 

 
30,308

 

 

 
30,308

Balances at December 31, 2018
 
39,015,034

 
39

 
330,572

 
(586
)
 
27,964

 
357,989

Net income
 

 

 

 

 
69,336

 
69,336

Other comprehensive income, net of tax
 

 

 

 
1,748

 

 
1,748

Issuance of common stock upon exercise of stock options
 
901,290

 
1

 
24,830

 

 

 
24,831

Repurchase of common stock
 
(1,026,455
)
 
(1
)
 
(12,317
)
 

 
(74,106
)
 
(86,424
)
Issuance of common stock upon vesting of restricted stock units
 
438,892

 

 

 

 

 

Taxes related to net share settlement of equity awards
 
(182,489
)
 

 
(15,743
)
 

 

 
(15,743
)
Stock-based compensation
 

 

 
35,066

 

 

 
35,066

Balances at December 31, 2019
 
39,146,272

 
$
39

 
$
362,408

 
$
1,162

 
$
23,194

 
$
386,803

 
 
 
 
 
 
 
 
 
 
 
 
 

The accompanying notes are an integral part of these Consolidated Financial Statements.


62


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS



NOTE 1.
The Company and Summary of Significant Accounting Policies

Description of Business
Qualys, Inc. (the “Company”, "we", "us", "our") was incorporated in the state of Delaware on December 30, 1999. The Company is headquartered in Foster City, California and has wholly-owned subsidiaries throughout the world. The Company is a pioneer and leading provider of cloud-based IT, security and compliance solutions that enable organizations to identify security risks to their IT infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations. The Company’s cloud solutions address the growing security and compliance complexities and risks that are amplified by the dissolving boundaries between internal and external IT infrastructures and web environments, the rapid adoption of cloud computing and the proliferation of geographically dispersed IT assets. Organizations can use the Company’s integrated suite of solutions delivered on its Qualys Cloud Platform to cost-effectively obtain a unified view of their security and compliance posture across globally-distributed IT infrastructures.

Basis of Presentation
The accompanying consolidated financial statements and footnotes have been prepared in accordance with U.S. GAAP as well as the instructions to Form 10-K and the rules and regulations of SEC. In the opinion of management, the accompanying consolidated financial statements reflect all adjustments, which include only normal recurring adjustments, necessary for the fair presentation of the Company’s consolidated financial position, results of operations and cash flows for the periods presented. The accompanying consolidated financial statements include the accounts of the Company and its wholly-owned subsidiaries. All intercompany transactions and balances have been eliminated upon consolidation.

Use of Estimates
The preparation of the consolidated financial statements in conformity with U.S. GAAP requires management to make certain estimates and assumptions that affect the reported amounts of assets and liabilities and disclosure of assets and liabilities at the date of the consolidated financial statements and the reported results of operations during the reporting period. The Company’s management regularly assesses these estimates, which primarily affect revenue recognition, the valuation of accounts receivable, goodwill and intangible assets, capitalization of internally developed software, stock-based compensation and the provision for income taxes. Actual results could differ from those estimates and such differences may be material to the accompanying consolidated financial statements.

Concentration of Credit Risk
The Company invests its cash and cash equivalents with major financial institutions. Cash balances with any one institution at times may be in excess of federally insured limits. Cash equivalents are invested in high-quality investment grade financial instruments and are diversified. The Company has not experienced any losses in such accounts and believes it is not exposed to any significant credit risk.
Credit risk with respect to accounts receivable is dispersed due to the large number of customers. Collateral is not required for accounts receivable. As of December 31, 2019 and 2018, no customer or channel partner accounted for more than 10% of the Company's revenues and accounts receivable balance.

Cash, Cash Equivalents, Short-Term and Long-Term Marketable Securities
Cash and cash equivalents include cash held in banks, highly liquid money market funds and commercial paper, all with original maturities of three months or less when acquired. The Company’s short-term and long-term marketable securities consist of fixed-income U.S. government agency securities, corporate bonds, asset-backed securities and commercial paper. Management determines the appropriate classification of the Company's investments at the time of purchase and reevaluates such designation at each balance sheet date. The Company classifies its marketable securities as either short-term or long-term based on each instrument's underlying contractual maturity date.
Cash equivalents are stated at cost, which approximates fair market value. Short-term and long-term marketable securities are classified as available-for-sale debt securities and are carried at fair value. Unrealized gains and losses in fair value of the available-for-sale debt securities are reported in other comprehensive income (loss). When the available-for-

63


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



sale debt securities are sold, cost is based on the specific identification method, and the realized gains and losses are included in other income (expense), net in the consolidated statements of operations. Available-for-sale debt securities are reviewed quarterly for impairment that is deemed to be other-than-temporary. An investment is considered other-than-temporarily impaired when its fair value is below its amortized cost and (1) there is an intent to sell the security, (2) it is “more likely than not” that the security will be sold before recovery of its amortized cost basis or (3) the present value of expected cash flows from the investment is not expected to recover the entire amortized cost basis. Declines in value that are considered to be other-than-temporary are recorded in other income (expense), net. Adjustments to amortized cost for the amortization of premiums, the accretion of discounts and Interest and dividends are recorded in interest income as earned.

Accounts Receivable
Accounts receivable are recorded at the invoiced amount and do not bear interest. The allowance for doubtful accounts represents the Company’s best estimate of the amount of probable credit losses and is determined based on a review of existing accounts receivable by aging category to identify significant customers or invoices with collectability issues. For those invoices not specifically reviewed, the reserve is calculated based on the age of the receivable and historical write-offs.
Any change in the assumptions used in analyzing a specific account receivable may result in an additional provision for doubtful accounts being recognized in the period in which the change occurs. When the Company ultimately concludes that a receivable is uncollectible, the balance is written off against the allowance for doubtful accounts. Payments subsequently received on such receivables are credited back to the allowance for doubtful accounts.

Non-marketable securities
During the fiscal year ended December 31, 2018, the Company invested $2.5 million in preferred stock of a privately-held company. The fair value of the investment is not readily available, and there are no quoted market prices for the investment. The investment is included in other noncurrent assets on the consolidated balance sheets and measured at cost less impairment, adjusted for observable price changes. The investment is assessed for impairment annually or whenever events or changes in circumstances indicate that the carrying amount may not be recoverable. The Company has not received any dividends or other-than-temporary impairment charges related to the investment. During the second quarter ended June 30, 2019, the Company made an advance payment of $0.6 million to the investee for certain development work, which is recorded in other noncurrent assets on the consolidated balance sheet. During the third quarter ended September 30, 2019, the Company made an additional investment of $0.6 million in a convertible security issued by this investee and recorded it in other current assets on the consolidated balance sheet. 

Property and Equipment, net
Property and equipment are stated at cost less accumulated depreciation and amortization. Depreciation is computed using the straight-line method over the estimated useful lives of the assets, which range from three to five years. Leasehold improvements are amortized on a straight-line basis over the lesser of the estimated useful life of the asset or the remaining lease term.
The Company purchases physical scanner appliances and other computer equipment that are provided to customers on a subscription basis. This equipment is recorded within property and equipment and the depreciation is recorded in cost of revenues over an estimated useful life of three years.

Upon retirement or disposal, the cost of assets and the related accumulated depreciation are removed from the accounts and any resulting gain or loss is reflected in the consolidated statements of operations. Repairs and maintenance that do not extend the life of an asset are expensed as incurred and major improvements are capitalized as property and equipment.

Impairment of Long-Lived Assets

The Company evaluates its long-lived assets, which consist of property and equipment, and intangible assets subject to amortization, for indicators of possible impairment when events or changes in circumstances indicate the carrying amount of an asset may not be recoverable. Impairment exists if the carrying amounts of such assets exceed the estimates of future undiscounted cash flows expected to be generated by such assets. Should an impairment exist, the impairment loss would be measured based on the excess carrying value of the asset over the asset’s estimated fair value. In each of 2019, 2018 and 2017, the Company had no impairment of long-lived assets.


64


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



Goodwill and Intangible Assets
Goodwill represents the excess of the purchase price over the fair value of the net tangible and identifiable intangible assets acquired in a business combination and is not subject to amortization. Goodwill and other intangible assets with indefinite lives are not amortized, but tested for impairment at least annually or more frequently if certain circumstances indicate a possible impairment may exist. These tests are performed at the reporting unit level. The Company’s operations are organized as one reporting unit.
In testing for a potential impairment of goodwill, the Company first performs a qualitative assessment of its reporting unit to determine if it is more likely than not (a more than 50% likelihood) that the fair value of the reporting unit is less than its carrying amount. If the fair value is not considered to be less than the carrying amount, no further evaluation is necessary. The Company performed the annual assessment on December 1, 2019 and 2018 and concluded there was no potential impairment of goodwill.
In testing for a potential impairment of intangible assets with indefinite lives that are not subject to amortization, the Company first performs a qualitative assessment to determine if it is more likely than not (a more than 50% likelihood) that the fair value of the indefinite-lived intangible assets is less than the carrying amount. If the fair value is not considered to be less than the carrying amount, no further evaluation is necessary. The Company performs the annual qualitative assessment in the fourth quarter each fiscal year. There were no such impairment losses during 2019, 2018 and 2017.
If the qualitative assessment indicates there is more than a 50% likelihood that the fair value is less than the carrying amount of the reporting unit or the intangible asset, the Company would perform a quantitative test. Goodwill impairment is measured as the amount by which a reporting unit’s carrying value exceeds its fair value. For indefinite-lived intangible assets, the Company would perform the quantitative impairment test by comparing the fair value of the indefinite-lived intangible asset with its carrying value.

Internally Developed Software
Costs incurred in the development phase are capitalized and amortized over the product’s estimated useful life, which is three years. Capitalized costs include salaries, benefits and stock-based compensation charges for employees that are directly involved in developing its cloud security platform during the post planning and implementation phases. Capitalized costs related to internally developed software under development are treated as construction in progress until the program, feature or functionality is ready for its intended use, at which time amortization commences. These capitalized costs are included in other noncurrent assets on the consolidated balance sheets. For the fiscal years 2019, 2018 and 2017, the Company capitalized $1.0 million, $1.3 million and $0.4 million of costs related to internally developed software (of which $0.2 million, $0.2 million and zero, respectively, were stock-based compensation), respectively. As of December 31, 2019 and 2018, unamortized internally developed software costs totaled $2.0 million and $1.2 million, respectively. Amortization of internally developed software is recorded in cost of revenues. Costs associated with minor enhancements and maintenance are expensed as incurred. Management evaluates the useful lives of these assets on an annual basis and tests for impairment whenever events or changes in circumstances occur that could impact the recoverability of these assets. 

Business Combinations
The Company applies the provisions of ASC 805, Business Combinations, in accounting for its acquisitions. It requires the Company to recognize separately from goodwill the assets acquired and the liabilities assumed at their acquisition date fair values. Goodwill as of the acquisition date is measured as the excess of consideration transferred over the net of the acquisition date fair values of the assets acquired and the liabilities assumed. While the Company uses its best estimates and assumptions to accurately value assets acquired and liabilities assumed at the acquisition date as well as any contingent consideration, where applicable, its estimates are inherently uncertain and subject to refinement. As a result, during the measurement period, which may be up to one year from the acquisition date, the Company records adjustments to the assets acquired and liabilities assumed with the corresponding offset to goodwill. Upon the conclusion of the measurement period or final determination of the values of assets acquired or liabilities assumed, whichever comes first, any subsequent adjustments are recorded to its consolidated statements of operations.


65


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



Derivative Financial Instruments

Derivative financial instruments are utilized by the Company to reduce foreign currency exchange risks. The Company uses foreign currency forward contracts to mitigate the impact of foreign currency fluctuations of certain non-U.S. dollar denominated asset positions, to date primarily cash and accounts receivable (non-designated forward contracts), as well as to manage foreign currency fluctuation risk related to forecasted transactions (designated cash flow hedges). Open contracts are recorded within prepaid expenses and other current assets, other noncurrent assets, accrued liabilities, or other noncurrent liabilities in the consolidated balance sheets. Gains and losses resulting from currency exchange rate movements on non-designated forward contracts are recognized in other income (expense), net. Any gains or losses from derivatives designated as cash flow hedges are first accumulated in AOCI and then reclassified to revenue when the hedged item impacts the consolidated statements of operations.

Stock-Based Compensation
The Company recognizes the fair value of its employee stock options and restricted stock units (RSUs) over the requisite service periods for those awards ultimately expected to vest. The fair value of each option is estimated on date of grant using the Black-Scholes-Merton option pricing model and the fair value of each RSU is based on the fair value of the Company's stock on the date of grant. Forfeitures are estimated on the date of grant and revised if actual or expected forfeiture activity differs materially from original estimates.
The Company recognizes compensation costs for performance-based non-qualified stock options and restricted stock units when it is probable that the performance conditions will be met. The Company assesses these conditions on a quarterly basis.

Revenue Recognition
The Company derives revenues from subscriptions that require customers to pay a fee in order to access the Company’s cloud solutions. Customers generally enter into one-year renewable subscriptions though some customers do enter into subscriptions with longer terms. The subscription fee entitles the customer to an unlimited number of scans for a specified number of networked devices or web applications and, if requested by a customer as part of their subscription, a specified number of physical or virtual scanner appliances. Revenue is recognized when control of these subscription services is transferred to its customers, in an amount that reflects the consideration the Company expects to be entitled to in exchange for those services.
The Company’s physical and virtual scanner appliances are requested by certain customers as part of their subscriptions in order to scan IT infrastructures within their firewalls and do not function without, and are not sold separately from, subscriptions for the Company’s solutions. In some limited cases, the Company also provides certain computer equipment used to extend its Qualys Cloud Platform into its customers’ private cloud environment. Customers are required to return physical scanner appliances and computer equipment if they do not renew their subscriptions. Physical equipment (scanners and private cloud platforms) are accounted for as operating leases under ASC 842. The company used the practical expedient to combine lease and nonlease components as a combined component under ASC 606 due to the software subscription nonlease components being the predominant component of the combined component. Therefore, the Company recognizes revenue for the physical equipment ratably over the related subscription period.
The Company determines revenue recognition through the following steps:
Identification of the contract, or contracts, with a customer;
Identification of the performance obligations in the contract;
Determination of the transaction price
Allocation of the transaction price to the performance obligations in the contract; and
Recognition of revenue when, or as, the Company satisfies a performance obligation.
At the inception of a customer contract, the Company makes an assessment as to that customer's ability to pay for the services provided. The Company assesses collectability based on a number of factors, including credit worthiness of the customer along with past transaction history. In addition, the Company performs periodic evaluations of its customers’ financial condition. 
Deferred revenues consist of customer contracts billed or cash received that will be recognized in the future under subscriptions existing at the balance sheet date. The current portion of deferred revenues represents amounts that are expected to be recognized within one year of the balance sheet date.

66


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



Costs of shipping and handling charges incurred by the Company associated with physical scanner appliances and other computer equipment are included in cost of revenues.
Sales taxes and other taxes collected from customers to be remitted to government authorities are excluded from revenues.

Advertising Expenses
Advertising costs are expensed as incurred and include costs of advertising and promotional materials. The Company incurred advertising costs of $74 thousand, $87 thousand and $482 thousand for 2019, 2018 and 2017, respectively.

Income Taxes
The Company provides for the effect of income taxes in its consolidated financial statements using the asset and liability method which requires the recognition of deferred tax assets and liabilities for the expected future tax consequences of events that have been included in the consolidated financial statements. Under this method, deferred tax assets and liabilities are recognized for the future tax consequences attributable to differences between the financial statement carrying amounts of existing assets and liabilities and their respective tax bases, net operating loss carryovers, and tax credit carry forwards. Deferred tax assets and liabilities are measured using enacted tax rates expected to apply to taxable income in the years in which those temporary differences are expected to be recovered or settled. The effect on deferred tax assets and liabilities of a change in tax rates is recognized in the period that includes the enactment date.
Income tax expense or benefit is recognized for the amount of taxes payable or refundable for the current year and for deferred tax assets and liabilities for the tax consequences of events that have been recognized in an entity’s financial statements or tax returns. The Company must make significant assumptions, judgments and estimates to determine its current provision for (benefit from) income taxes, its deferred tax assets and liabilities, and any valuation allowance to be recorded against its deferred tax assets. The Company's judgments, assumptions and estimates relating to the current provision for (benefit from) income taxes include the geographic mix and amount of income (loss), its interpretation of current tax laws, and possible outcomes of current and future audits conducted by foreign and domestic tax authorities. The Company's judgments also include anticipating the tax positions the Company will record in the consolidated financial statements before actually preparing and filing the tax returns. The Company's estimates and assumptions may differ from the actual results as reflected on its income tax returns and will record the required adjustments when they are identified or resolved. Changes in the Company's business, tax laws or interpretation of tax laws, and developments in current and future tax audits, could significantly impact the amounts provided for income taxes in the Company's results of operations, financial position, or cash flows.
Deferred tax assets and liabilities are recognized for the estimated future tax consequences attributable to tax benefit carry-forwards and to differences between the financial statement amounts of assets and liabilities and their respective tax basis. The Company regularly reviews its deferred tax assets for recoverability and establishes a valuation allowance if it is more likely than not that some portion or all of the deferred tax assets will not be realized. To make this assessment, the Company takes into account predictions of the amount and category of taxable income from various sources and all available positive and negative evidence about these possible sources of taxable income. The weight given to the potential effect of negative and positive evidence is commensurate with the extent to which the strength of the evidence can be objectively verified.
The Company applies a two-step approach to determining the financial statement recognition and measurement of uncertain tax positions. The Company only recognizes an income tax expense or benefit with respect to uncertain tax positions in its financial statements that the Company judges is more likely than not to be sustained solely on its technical merits in a tax audit, including resolution of any related appeals or litigation processes. To make this judgment, the Company must interpret complex and sometimes ambiguous tax laws, regulations and administrative practices. If an income tax position meets the more likely than not recognition threshold, then the Company must measure the amount of the tax benefit to be recognized by determining the largest amount of tax benefit that has a greater than a 50% likelihood of being realized upon effective settlement with a taxing authority that has full knowledge of all of the relevant facts. It is inherently difficult and subjective to estimate such amounts, as this requires the Company to determine the probability of various possible settlement outcomes. To determine if a tax position is effectively settled after a tax examination has been completed, the Company must also estimate the likelihood that another taxing authority could review the respective tax position. The Company must also determine when it is reasonably possible that the amount of unrecognized tax benefits will significantly increase or decrease in the 12 months after each fiscal year-end. These judgments are difficult because a taxing authority may change its behavior as a result of the Company's disclosures in its financial statements. The Company must reevaluate its income tax positions on a quarterly basis to consider factors such as changes in facts or circumstances, changes in tax law, effectively settled issues under audit, and new audit activity. Such a change in recognition or measurement would result in recognition of a tax

67


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



benefit or an additional charge to the tax provision. The Company's policy is to recognize interest and penalties related to unrecognized tax benefits as a component of the provision for income taxes.

Comprehensive Income (Loss)
Other comprehensive income (loss) consists of unrealized gains (losses) on marketable securities, net of tax, and derivative financial instruments designated as cash flow hedges which are not included in the Company’s net income. Total comprehensive income includes net income and other comprehensive income (loss) and is included in the consolidated statements of comprehensive income.

Foreign Currency Transactions
The Company’s operations are conducted in various countries around the world and the financial statements of its foreign subsidiaries are reported in the U.S. dollar as their respective functional currency. Monetary assets and liabilities denominated in foreign currencies have been re-measured into U.S. dollars using the exchange rates in effect at the balance sheet date, and income and expenses are re-measured at average exchange rates during the period. Foreign currency re-measurement gains and losses and foreign currency transaction gains and losses are recognized in other income (expense), net. The Company recorded total foreign currency transaction losses of $0.4 million, $0.6 million and $0.4 million during 2019, 2018 and 2017, respectively.

Net Income Per Share
Basic net income per share is computed by dividing net income by the weighted-average number of common shares outstanding during the period. All participating securities are excluded from basic weighted average common shares outstanding. Diluted net income per share is computed by dividing net income by the weighted-average number of shares of common stock outstanding during the period, adjusted for the effects of potentially dilutive common shares, which are comprised of outstanding stock options and RSUs. The dilutive potential common shares are computed using the treasury stock method or the as-if converted method, as applicable. The outstanding stock options and RSUs which would be anti-dilutive are excluded from the computation of diluted net income per common share.

Reclassification
Reclassification has been made to the shares issued for RSUs and taxes related to net share settlement of equity awards and options in the consolidated statement of stockholders' equity for the fiscal year 2017. The reclassification had no effect on the total number of shares outstanding at the end of each period presented in the consolidated statements of stockholders' equity.

Recently Adopted Accounting Pronouncements
In August 2018, the Financial Accounting Standards Board (FASB) issued Accounting Standards Updates (ASU) 2018-13, Disclosure Framework - Changes to the Disclosure requirements for Fair Value Measurement, which adds, modifies and removes certain fair value measurement disclosure requirements. The ASU is effective for the Company for fiscal years beginning after December 15, 2019, including interim periods therein. The Company early adopted the guidance in the fiscal year 2019. The adoption of this ASU did not have a material impact on the Company's consolidated financial statements.
In June 2018, the FASB issued ASU 2018-07, Compensation - Stock Compensation (Topic 718): Improvements to Nonemployee Share-Based Payment Accounting. This ASU expands the scope of Topic 718 to include share-based payment transactions for acquiring goods and services from nonemployees. The Company adopted this guidance as of January 1, 2019. The adoption of this ASU did not have a material impact on the Company's consolidated financial statements.
In January 2017, the FASB issued ASU 2017-04, Simplifying the Test for Goodwill Impairment (Topic 350). This standard eliminates Step 2 from the goodwill impairment test, instead requiring an entity to recognize a goodwill impairment charge for the amount by which the goodwill carrying amount exceeds the reporting unit’s fair value. This ASU is effective for interim and annual goodwill impairment tests in fiscal years beginning after December 15, 2019 with early adoption permitted. The Company adopted this ASU on a prospective basis during the first quarter of fiscal 2019 and the adoption did not have a material impact on the Company's consolidated financial statements.
In February 2016, the FASB issued ASU 2016-02, Leases (Topic 842), which requires lessees to recognize all leases, including operating leases, on the balance sheet as a lease asset and lease liability, unless the lease is a short-term lease. ASU 2016-02 also requires additional disclosures regarding leasing arrangements. ASU 2016-02 is effective for the Company beginning in the first quarter of fiscal 2019 and early adoption is permitted. In July 2018, the FASB issued ASU 2018-11,

68


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



Targeted Improvements - Leases (Topic 842). This update provides an optional transition method that allows entities to elect to apply the standard prospectively at its effective date, versus recasting the prior periods presented. If elected, an entity would recognize a cumulative-effect adjustment to the opening balance of retained earnings in the period of adoption. Pursuant to the leasing criteria, most of the Company's leased space and equipment leases will be required to be accounted for as right-of-use assets (ROU) on the balance sheet with offsetting financing obligations. In the statement of operations, what was formerly rent expense for operating leases will be lease expense; and finance leases will be bifurcated into amortization of right-of-use assets and interest on lease liabilities. The Company adopted the ASU utilizing the current period adjustment method on January 1, 2019, and recognized a ROU asset of $30.8 million and a lease liability of $41.6 million on its consolidated financial statements. As of January 1, 2019, $3.9 million of deferred rent and $6.9 million related to tenant improvement allowance was removed upon adoption. As part of this adoption, the Company elected the package of transitional practical expedients to not reassess (1) whether any contracts that existed prior to adoption have or contain leases, (2) the classification of existing leases or (3) initial direct costs for existing leases. The Company also elected to make the accounting policy election for short-term leases, permitting the Company to not apply the recognition requirements of this standard to short-term leases with terms of 12 months or less.

Recently Issued Accounting Pronouncements Not Yet Adopted
In December 2019, the FASB issued ASU No. 2019-12, Simplifying the Accounting for Income Taxes (ASU 2019-12), which simplifies the accounting for income taxes, eliminates certain exceptions within ASC 740, Income Taxes, and clarifies certain aspects of the current guidance to promote consistency among reporting entities. ASU 2019-12 is effective for the Company for fiscal years beginning after December 15, 2020. Most amendments within the standard are required to be applied on a prospective basis, while certain amendments must be applied on a retrospective or modified retrospective basis. The Company is currently evaluating the impacts of the provisions of ASU 2019-12 on its consolidated financial statements.
In August 2018, the FASB issued ASU 2018-15, Intangibles - Goodwill and Other - Internal-Use Software (Subtopic 350-40): Customer's Accounting for Implementation Costs Incurred in a Cloud Computing Arrangement That Is a Service Contract. This ASU aligns the requirements for capitalizing implementation costs incurred in a hosting arrangement that is a service contract with the requirements for capitalizing implementation costs related to internal-use software. ASU 2018-15 is effective for the Company beginning in the first quarter of fiscal 2020 and early adoption is permitted. The Company is currently evaluating the impact of this ASU on its consolidated financial statements.
In June 2016, the FASB issued ASU No. 2016-13, Financial Instruments-Credit Losses (Topic 326) as modified by subsequently issued ASU No. 2018-19, 2019-04 and 2019-05, which introduces a new accounting model, Current Expected Credit Losses (CECL). CECL requires earlier recognition of credit losses, while also providing additional transparency about credit risk. CECL utilizes a lifetime expected credit loss measurement objective for the recognition of credit losses at the time the financial asset is originated or acquired. The expected credit losses are adjusted each period for changes in expected lifetime credit losses. The ASUs are effective for the Company beginning in the first quarter of fiscal 2020. The adoption of the ASUs is not expected to have a material impact on the Company's consolidated financial statements.

NOTE 2.
Fair Value of Financial Instruments
Fair value is defined as the price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market participants at the measurement date. For certain of the Company’s financial instruments, including certain cash equivalents, accounts receivable, accounts payable, and other current liabilities, the carrying amounts approximate their fair values due to the relatively short maturity of these balances.
The Company measures and reports certain cash equivalents, marketable securities, derivative foreign currency forward contracts and commitments associated with prior business combinations at fair value in accordance with the provisions of the authoritative accounting guidance that addresses fair value measurements. This guidance establishes a hierarchy for inputs used in measuring fair value that maximizes the use of observable inputs and minimizes the use of unobservable inputs by requiring that the most observable inputs be used when available. The hierarchy is broken down into three levels based on the reliability of inputs as follows:
Level 1-Valuations based on quoted prices in active markets for identical assets or liabilities.
Level 2-Valuations based on other than quoted prices in active markets for identical assets and liabilities, quoted prices for identical or similar assets or liabilities in inactive markets, or other inputs that are observable or can be corroborated by observable market data for substantially the full term of the assets or liabilities.
Level 3-Valuations based on inputs that are generally unobservable and typically reflect management’s estimates of assumptions that market participants would use in pricing the asset or liability.

69


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



The Company's financial instruments consist of assets and liabilities measured using Level 1 and 2 inputs. Level 1 assets include a highly liquid money market fund, which is valued using unadjusted quoted prices that are available in an active market for an identical asset. Level 2 assets include fixed-income U.S. government agency securities, commercial paper, corporate bonds, asset-backed securities and derivative financial instruments consisting of foreign currency forward contracts. The securities, bonds and commercial paper are valued using prices from independent pricing services based on quoted prices in active markets for similar instruments or on industry models using data inputs such as interest rates and prices that can be directly observed or corroborated in active markets. The foreign currency forward contracts are valued using observable inputs, such as quotations on forward foreign exchange points and foreign interest rates. The fair value of commitments from prior acquisitions was determined based on management’s estimate of fair value using a Monte Carlo simulation model, which uses Level 3 inputs for fair value measurements. As of December 31, 2019, management estimated the fair value of such commitments to be zero. During the fiscal year ended December 31, 2019 and 2018, the Company made investments of $0.6 million and $2.5 million in a convertible security and preferred stock issued by a privately-held company. The estimated fair value of the investments was determined based on Level 3 inputs. As of December 31, 2019, management estimated that the fair value of the investments equaled its carrying value.
The Company's cash and cash equivalents, short-term marketable securities, and long-term marketable securities consist of the following:
 
 
December 31, 2019
  
 
Amortized Cost
 
Unrealized Gains
 
Unrealized Losses
 
Fair Value
 
 
(in thousands)
Cash and cash equivalents:
 
 
 
 
 
 
 
 
Cash
 
$
84,102

 
$

 
$

 
$
84,102

Money market funds
 
58

 

 

 
58

Commercial paper
 
3,399

 

 

 
3,399

Total
 
87,559

 

 

 
87,559

Short-term marketable securities:
 
 
 
 
 
 
 
 
Commercial paper
 
2,239

 

 

 
2,239

Corporate bonds
 
33,048

 
51

 
(1
)
 
33,098

Asset-backed securities
 
2,438

 
11

 

 
2,449

U.S. government agencies
 
173,364

 
184

 
(3
)
 
173,545

Total
 
211,089

 
246

 
(4
)
 
211,331

 
 
 
 
 
 
 
 
 
Long-term marketable securities:
 
 
 
 
 
 
 
 
Asset-backed securities
 
40,001

 
193

 
(1
)
 
40,193

U.S. government agencies
 
46,447

 
370

 

 
46,817

Corporate bonds
 
32,236

 
262

 

 
32,498

Total
 
118,684

 
825

 
(1
)
 
119,508

Total
 
$
417,332

 
$
1,071

 
$
(5
)
 
$
418,398



70


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



 
 
December 31, 2018
  
 
Amortized Cost
 
Unrealized Gains
 
Unrealized Losses
 
Fair Value
 
 
(in thousands)
Cash and cash equivalents:
 
 
 
 
 
 
 
 
Cash
 
$
40,913

 
$

 
$

 
$
40,913

Money market funds
 
113

 

 

 
113

Total
 
41,026

 

 

 
41,026

Short-term marketable securities:
 
 
 
 
 
 
 
 
Commercial paper
 
3,237

 

 

 
3,237

Corporate bonds
 
30,906

 

 
(84
)
 
30,822

Asset-backed securities
 
10,447

 

 
(15
)
 
10,432

U.S. government agencies
 
203,734

 
9

 
(94
)
 
203,649

Total
 
248,324

 
9

 
(193
)
 
248,140

Long-term marketable securities:
 
 
 
 
 
 
 
 
Asset-backed securities
 
22,945

 
10

 
(28
)
 
22,927

U.S. government agencies
 
18,804

 

 
(53
)
 
18,751

Corporate bonds
 
35,322

 
3

 
(293
)
 
35,032

Total
 
77,071

 
13

 
(374
)
 
76,710

Total
 
$
366,421

 
$
22

 
$
(567
)
 
$
365,876


As of December 31, 2019 and 2018, the Company had no investments utilizing level 3 inputs, other than the aforementioned investments in the privately-held company.
The following table sets forth by level within the fair value hierarchy the fair value of the Company's cash equivalents and marketable securities measured on a recurring basis:
 
 
December 31, 2019
 
 
Level 1
 
Level 2
 
Fair Value
 
 
(in thousands)
Money market funds
 
$
58

 
$

 
$
58

Commercial paper
 

 
5,638

 
5,638

U.S. government agencies
 

 
220,362

 
220,362

Corporate bonds
 

 
65,596

 
65,596

Asset-backed securities
 

 
42,642

 
42,642

Total
 
$
58

 
$
334,238

 
$
334,296



 
 
December 31, 2018
 
 
Level 1
 
Level 2
 
Fair Value
 
 
(in thousands)
Money market funds
 
$
113

 
$

 
$
113

Commercial paper
 

 
3,237

 
3,237

U.S. government agencies
 

 
222,400

 
222,400

Corporate bonds
 

 
65,854

 
65,854

Asset-backed securities
 

 
33,359

 
33,359

Total
 
$
113

 
$
324,850

 
$
324,963




71


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



The following summarizes the fair value of marketable securities classified as available-for-sale debt securities by contractual maturity:
 
 
December 31, 2019
 
 
Mature within One Year
 
After One Year through Two Years
 
Over Two Years
 
Fair Value
 
 
(in thousands)
Commercial paper
 
$
5,638

 
$

 
$

 
$
5,638

U.S. government agencies
 
173,546

 
46,816

 


 
220,362

Corporate bonds
 
33,098

 
23,251

 
9,247

 
65,596

Asset-backed securities
 
2,449

 
15,550

 
24,643

 
42,642

Total
 
$
214,731

 
$
85,617

 
$
33,890

 
$
334,238



Derivative Financial Instruments
The Company uses a hedging strategy to reduce its exposure to foreign currency exchange rate fluctuations for forecasted subscription renewals and new orders in both GBP and Euro. The Company uses forward currency contracts accounted for as cash flow hedges against a designated portion of forecasted subscription renewals and new orders. Upon executing a hedging contract and periodically thereafter, the Company assesses hedge effectiveness using regression analysis. The Company includes time value in its effectiveness testing and the changes in the value of hedge contracts is recorded as unrealized gains or losses in AOCI within stockholders’ equity on the Company's consolidated balance sheet as of December 31, 2019. The unrealized gains or losses in AOCI will be reclassified into revenue when the respective hedged transactions affect earnings. As of December 31, 2019, the net amount of unrealized gains and losses related to the hedged forecasted transactions reported in AOCI that is expected to be reclassified into revenue within the next 12 months was $0.7 million gains, net of losses (before taxes).
At December 31, 2019, the Company had 26 open designated cash flow hedge forward contracts with notional amounts of €24.2 million and £9.7 million. During the fiscal year ended December 31, 2019, the Company recorded $0.7 million of unrealized foreign exchange gains, net of losses (before taxes) related to the designated cash flow hedge contracts in AOCI. During the fiscal year ended December 31, 2019, $0.2 million of gains, net of losses (before tax) were realized and reclassified into revenue.
At December 31, 2018, the Company had 12 open cash flow hedge contracts with notional amount of €12.9 million and £4.1 million. The unrealized foreign exchange losses on these contracts recorded in AOCI were insignificant.
At December 31, 2019, the Company had 15 outstanding non-designated forward contracts with notional amounts of €20.0 million, £5.6 million and ₨756.0 million which will mature at various dates through January 2021. At December 31, 2018, the Company had two non-designated outstanding forward contracts with notional amounts of €16.0 million and £6.3 million.
The following summarizes derivative financial instruments as of December 31, 2019 and 2018:
 
 
December 31,
 
 
 
2019
 
2018
 
Assets:
 
(in thousands)
Foreign currency forward contracts designated as cash flow hedge
 
$
427

 
$
32

 
Foreign currency forward contracts not designated as hedging instruments
 
515

 

 
     Total
 
$
942

 
$
32

 
Liabilities:
 
 
 
 
 
Foreign currency forward contracts designated as cash flow hedge
 
$
(524
)
 
$
(72
)
 
Foreign currency forward contracts not designated as hedging instruments
 
(550
)
 
(44
)
 
     Total
 
$
(1,074
)
 
$
(116
)
 

All foreign currency forward contracts were valued at fair value using level 2 inputs.

72


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



The following summarizes the gains (losses) recognized in other income (expense), net, on the consolidated statements of operations, from forward contracts and other foreign currency transactions (in thousands):
 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
Net gains (losses) from forward contracts
 
$
438

 
$
543

 
$
(1,665
)
Other foreign currency transaction (losses) gains
 
(792
)
 
(1,120
)
 
1,310

     Total foreign exchange loss, net
 
(354
)
 
(577
)
 
(355
)
Other expenses
 
(253
)
 
(224
)
 
(181
)
    Other income (expense), net
 
$
(607
)

$
(801
)

$
(536
)


NOTE 3.
Property and Equipment, Net

Property and equipment, net, which includes assets under finance lease, consists of the following:
 
 
December 31,
 
 
2019
 
2018
 
 
(in thousands)
Computer equipment
 
$
112,599

 
$
93,530

Computer software
 
26,137

 
26,030

Scanner appliances
 
15,864

 
15,356

Furniture, fixtures and equipment
 
6,973

 
5,814

Equipment under capital lease
 
3,503

 
3,503

Leasehold improvements
 
18,817

 
16,439

Total property and equipment
 
183,893

 
160,672

Less: accumulated depreciation and amortization
 
(123,314
)
 
(99,230
)
Property and equipment, net
 
$
60,579

 
$
61,442


Physical scanner appliances and other computer equipment that are or will be subject to leases by customers have a net carrying value of $4.9 million and $7.9 million, respectively, including assets that have not been placed in service of $0.9 million and $1.8 million, respectively, as of December 31, 2019 and 2018. Depreciation and amortization expenses relating to property and equipment were $24.9 million, $25.1 million and $19.9 million for 2019, 2018 and 2017, respectively.

NOTE 4.
Revenue from Contracts with Customers
The Company's subscription contracts are typically satisfied ratably over the subscription term as its cloud-based offerings are delivered to customers electronically and over time. In addition, the Company recognizes revenues for certain limited scan arrangements on an as-used basis. The Company recognizes revenue related to professional services based on time and materials or completion of milestones stated in the contracts.
As the vast majority of the Company’s offerings are subscription based, the Company rarely needs to allocate the transaction price to separate performance obligations. In the rare case that allocation of the transaction price is needed, the Company recognizes revenue in proportion to the standalone selling prices (SSP) of the underlying services at contract inception. If an SSP is not directly observable, the Company determines the SSP using information that may include market conditions and other observable inputs. The Company's transaction prices typically do not include variable consideration and are a fixed amount for a specific period of time, and the majority of contracts are twelve months with certain customers signing longer term deals. In general, the Company does not offer rights of return, performance bonuses, customer loyalty programs, payments via non-cash methods, refunds, volume rebates, incentive payments, penalties, price concessions or payments or discounts contingent on future events and the Company does not grant its customers any material rights. For contracts that include leased scanners and PCPs, the Company applies the lease and non-lease component practical expedient under ASC 842 to account for non-lease components and lease components as combined components under the revenue recognition guidance in ASU 2014-09, "Revenue from Contracts with Customers" (Topic 606) as the subscriptions are the predominant components in the arrangements.
Costs of shipping and handling charges associated with physical scanner appliances and other computer equipment are included in cost of revenues. Sales taxes and other taxes collected from customers to be remitted to government authorities are excluded from revenues.
Incremental direct costs of obtaining a contract, which consist of sales commissions primarily for new business and upsells, are deferred and amortized over the estimated life of the customer relationship if renewals are expected and the renewal commission is not commensurate with the initial commission. The Company elected the practical expedient to expense commissions on renewals where the specific anticipated contract term amortization period is one year or less. The Company amortizes the capitalized commission cost as a selling expense on a straight-line basis over a period of five years. The Company classifies deferred commissions as current or noncurrent based on the timing of when it expects to recognize the expense. The current and noncurrent portions of deferred commissions are included in prepaid expenses and other current assets and other noncurrent assets, respectively, in its consolidated balance sheets. 
Capitalized costs to obtain contracts, current and noncurrent are as follows (in thousands):
 
December 31, 2019
 
December 31, 2018
Commission asset, current
$
2,568

 
$
1,480

Commission asset, noncurrent
$
6,454

 
$
4,692


For the year ended December 31, 2019 and 2018, the Company recognized $2.0 million and $1.2 million of commission expense from amortization of its commission assets. During the same periods, there was no impairment loss related to the capitalized costs.
The Company records deferred revenue when cash payments are received or due in advance of its performance offset by revenue recognized in the period. Revenues of $160.8 million and $141.3 million were recognized during the years ended December 31, 2019 and December 31, 2018, respectively, which amounts were included in the deferred revenue balances as of December 31, 2018 and December 31, 2017, respectively.
The Company's payment terms vary by the type and location of its customer and the products or services offered. The term between invoicing and when payment is due is not significant. For certain products or services and customer types, the Company requires payment before the products or services are delivered to the customer.
The following table sets forth the expected revenue from all remaining performance obligations as of December 31, 2019 (in thousands):
 
Total Expected Revenue
 
2020
$
67,055

 
2021
35,437

 
2022
13,027

 
2023
1,454

 
2024
343

 
2025 and thereafter
138

 
Total
$
117,454

 

Revenues allocated to remaining performance obligations represents contracted revenues that have not yet been recognized, which include deferred revenue and the amounts that will be invoiced and recognized as revenues in future periods from open contracts. Remaining performance obligations represent the transaction price of noncancelable orders for which service has not been performed and excludes unexercised renewals. The Company applied the short-term contract exemption to exclude the remaining performance obligations that are part of a contract that has an original expected duration of one year or less.
From time to time, the Company enters into contracts with customers that extend beyond one year, with certain of its customers electing to pay for more than one year of services upon contract execution. For any discounts associated with these multiple year contracts, the Company concluded its contracts did not contain a financing component.
Revenues by sales channel are as follows (in thousands):

73


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017(1)
Direct
 
$
186,130

 
$
164,084

 
$
139,908

Partner
 
135,477

 
114,805

 
90,920

Total
 
$
321,607

 
$
278,889

 
$
230,828


(1) Revenue has not been adjusted under the modified retrospective method.
The Company utilizes partners to enable and accelerate the adoption of its cloud platform by increasing its distribution capabilities and market awareness of its cloud platform as well as by targeting geographic regions outside the reach of its direct sales force. The Company's channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customers with services and third-party solutions to help meet those customers’ evolving security and compliance requirements. As such, these partners may offer the Company's IT security and compliance solutions in conjunction with one or more of their own products or services and act as a conduit through which the Company can connect with these prospective customers to offer its solutions. For sales involving a channel partner, the channel partner engages with the prospective customer directly and involves the Company's sales team as needed to assist in developing and closing an order. When a channel partner secures a sale, the Company sells the associated subscription to the channel partner who in turn resells the subscription to the customer. Sales to channel partners are made at a discount and revenues are recorded at this discounted price over the subscription terms. The Company does not have any influence or specific knowledge of its partners' selling terms with their customers. See Note 11, "Segment Information and Information about Geographic Area" for disaggregation of revenue by geographic area.

NOTE 5.
Business Combinations
The following table summarizes the purchase price allocation of the business acquisitions during the fiscal years 2019, 2018 and 2017 based on estimated fair values of the acquired assets as of the acquisition date (in thousands);
Acquiree
 
Acquisition Date
 
Purchase Consideration
 
Net Tangible
 Assets Acquired/
(liabilities assumed)
 
Purchased Intangible Assets
 
Goodwill
 
Deferred Tax Liability
Adya
 
January 10,2019
 
$
1,000

 
$

 
$
900

 
$
100

 
$

Layered Insight
 
October 16, 2018
 
$
13,434

 
$
80

 
$
9,600

 
$
5,498

 
$
1,500

1Mobility
 
April 1, 2018
 
$
4,000

 
$

 
$
3,700

 
$
300

 
$

NetWatcher
 
November 28, 2017
 
$
7,729

 
$
80

 
$
7,000

 
$
649

 
$

Nevis
 
August 29, 2017
 
$
5,753

 
$
14

 
$
5,156

 
$
583

 
$


On January 10, 2019, the Company acquired the assets of Adya, an India-based company. The acquisition included a cloud application management platform, which enables security and compliance audits of SaaS applications. Total purchase consideration included $0.2 million of deferred consideration due 18 months from the closing date of the acquisition, subject to potential adjustment from possible indemnity claims. The acquired intangible assets relating to Adya's developed technology are being amortized over the estimated useful lives of approximately four years. Goodwill arising from the Adya acquisition is deductible for tax purposes over 15 years
On October 16, 2018, the Company completed the acquisition of Layered Insight, a pioneer and global leader in container native application protection, providing accurate insight into container images, adaptive analysis of running containers, and automated enforcement of the container environment. Of the total consideration, $1.6 million was paid during the fiscal year ended December 31, 2019 based on the terms and conditions of the purchase agreement. All consideration was paid in cash. The Company also paid additional $4.0 million as the acquired business had achieved certain integration milestones for the annual period ending December 31, 2019. In addition, the Company initially recorded $1.5 million of the contingent consideration related to revenue milestone payments in accrued liabilities of the consolidated balance sheet as of December 31, 2018. The entire amount was reversed during the fiscal year 2019 as the revenue milestone was not met. The acquired intangible asset relating to Layered Insight's developed technology is amortized over the estimated useful life of approximately four years. Goodwill arising from the Layered Insight acquisition is not deductible for tax purposes.
On April 1, 2018, the Company acquired the assets of 1Mobility, a Singapore-based company. The acquisition allowed the Company to provide enterprises of all sizes with the ability to create and continuously update an inventory of mobile devices on all versions of Android, iOS and Windows Mobile in their environment; and to continuously assess their security and

74


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



compliance posture, while quarantining devices that were compromised or out-of-compliance. Of the total purchase consideration, $0.6 million was paid during the fiscal year ended December 31, 2019 based on the terms and conditions of the purchase agreement. The acquired intangible assets relating to 1Mobility's developed technology is being amortized over the estimated useful lives of approximately four years. Goodwill arising from the 1Mobility acquisition is deductible for tax purposes over 15 years. 
In 2017, the Company purchased certain assets of Nevis Networks (India) Private Limited (Nevis) and Defensative, LLC (NetWatcher). The Nevis acquisition accelerated the Company's development of network security solutions for detection and awareness of external intrusions to computer networks. The NetWatcher acquisition expanded the Company's threat protection and management capabilities and added new offerings to managed security service providers. Of the total consideration, $1.0 million was paid during the fiscal year ended December 31, 2019 based on the terms and conditions of the purchase agreement. Purchased intangible assets represented the fair value of purchased technology from the Company's acquisitions of Nevis and NetWatcher. Goodwill generated from these acquisitions was primarily related to the acquired workforce, expected improvements in technology performance and additional product functionality. The intangible assets have a useful life of 5 years. Goodwill is deductible for tax purposes over 15 years.
Pro forma financial information for these acquisitions in the fiscal years 2019, 2018 and 2017 was not presented because the acquisitions were not material to the Company's consolidated financial statements, either individually or in aggregate.

NOTE 6.
Goodwill and Intangible Assets, Net
Intangible assets consist primarily of developed technology and patent licenses in business combinations. Acquired intangibles are amortized on a straight-line basis over the respective estimated useful lives of the assets.
The carrying values of intangible assets as of December 31, 2019 are as follows (in thousands, except for years):
 
 
 
 
 
 
 
December 31,
 
 
 
 
 
 
 
2019
 
Weighted Average Lives (Years)
 
Weighted Remaining Average Lives (Years)
 
Cost
 
Accumulated Amortization
 
Net Book Value
Developed technology
4.6
 
2.7
 
$
26,356

 
$
(10,066
)
 
$
16,290

Patent licenses
14.0
 
4.7
 
1,387

 
(922
)
 
465

Total intangibles subject to amortization
 
 
 
 
$
27,743

 
$
(10,988
)
 
16,755

Intangible assets not subject to amortization
 
 
 
 
 
 
 
 
40

Total intangible assets, net
 
 
 
 
 
 
 
 
$
16,795

 
 
 
 
 
 
 
December 31,
 
 
 
 
 
 
 
2018
 
Weighted Average Lives (Years)
 
Weighted Remaining Average Lives (Years)
 
Cost
 
Accumulated Amortization
 
Net Book Value
Developed technology
5.0
 
3.8
 
$
25,456

 
$
(4,085
)
 
$
21,371

Patent licenses
14.0
 
5.9
 
1,388

 
(822
)
 
565

Total intangibles subject to amortization
 
 
 
 
$
26,844

 
$
(4,907
)
 
21,936

Intangible assets not subject to amortization
 
 
 
 
 
 
 
 
40

Total intangible assets, net
 
 
 
 
 
 
 
 
$
21,976


Intangible assets amortization expenses were $6.1 million, $3.7 million and $0.7 million for 2019, 2018 and 2017 respectively, which were recorded in cost of revenues in the consolidated statements of operations.

75


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



As of December 31, 2019, the Company expects amortization expense in future periods to be as follows (in thousands):
2020
$
6,081

2021
6,081

2022
4,427

2023
100

2024
66

2025 and thereafter

Total expected future amortization expense
$
16,755


Goodwill, which is not subject to amortization, totaled $7.4 million and $7.2 million as of December 31, 2019, and 2018, respectively.
Changes in the carrying amount of goodwill for the years ended December 31, 2019, 2018 and 2017 were as follows (in thousands):
 
Amount
Balance as of December 31, 2017
$
1,549

Goodwill acquired
5,676

Balance as of December 31, 2018
7,225

Goodwill acquired
100

Adjustment
122

Balance as of December 31, 2019
$
7,447



NOTE 7.
Commitments and Contingencies

Leases
On January 1, 2019, the Company adopted ASU No. 2016-02, “Leases (Topic 842),” which requires leases with durations greater than twelve months to be recognized on the balance sheet. The Company adopted the standard using the current period adjustment method with an effective date of January 1, 2019. Prior year financial statements were not restated under the new standard and, therefore, those amounts are not presented below. For both operating and finance leases, the Company recognizes a right-of-use asset, which represents its right to use the underlying asset for the lease term, and a lease liability, which represents the present value of its obligation to make payments arising over the lease term. The present value of the lease payments is calculated using the incremental borrowing rate for operating and finance leases. The incremental borrowing rate is determined using a portfolio approach based on the rate of interest that the Company would have to pay to borrow an amount equal to the lease payments on a collateralized basis over a similar term.
Where the Company is the lessee, the Company elected to account for non-lease components associated with its leases (e.g., common area maintenance costs) and lease components separately for substantially all of the asset classes. In arrangements where the Company is the lessor, the Company applies the lease and non-lease component practical expedient and the Company accounts for lease components (e.g., customer premise equipment) and non-lease components (e.g., service revenue) as combined components and account for the combined components under the revenue recognition guidance in Topic 606 as the service revenues are the predominant components in the arrangements.
The Company leases property and equipment under finance and operating leases. For leases with terms greater than 12 months, the Company records the related asset and obligation at the present value of lease payments over the term. Many of its leases include rental escalation clauses, renewal options and/or termination options that are factored into the determination of lease payments when appropriate.
When available, the Company uses the rate implicit in the lease to discount lease payments to present value; however, most of the leases do not provide a readily determinable implicit rate. Therefore, the Company must estimate an incremental borrowing rate to discount the lease payments based on information available at lease commencement.

76


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



The table below presents the lease-related assets and liabilities recorded on the balance sheet.
 
 
December 31
(in thousands)
Classification on the Balance Sheet
2019
Assets
 
 
Operating lease assets
Operating lease - right of use asset
$
40,551

Finance lease assets
Property and equipment, net
1,299

Total lease assets
 
$
41,850

 
 
 
Liabilities
 
 
Current
 
 
Operating
Operating lease liabilities, current
$
7,663

Finance
Accrued liabilities
124

Noncurrent
 
 
Operating
Operating lease liabilities, noncurrent
44,015

Finance
Other noncurrent liabilities
54

Total lease liabilities
 
$
51,856


The Company leases certain offices, computer equipment and its data center facilities under non-cancelable operating leases for varying periods through 2028. In January 2018, the Company entered into a $3.5 million financing arrangement for data center storage equipment, accounted for as a finance lease, with an implied interest rate of 5%.
During the fourth quarter ended December 31, 2019, the Company entered into a new lease agreement (included in the table above) for a total of approximately 282,000 square feet of office space in Pune, India. On the lease inception date of October 1, 2019, the Company recognized $14.7 million of lease liability and ROU assets, which will be amortized over the non-cancellable lease term through February 2025.
The following are the minimum annual lease payments due under operating leases at December 31, 2019 (in thousands):
 
 
Operating
Leases
 
Finance
Leases
 
 
(in thousands)
2020
 
$
10,603

 
$
130

2021
 
9,859

 
54

2022
 
8,539

 

2023
 
8,652

 

2024
 
8,866

 

2025 and thereafter
 
15,583

 

Total minimum lease payments
 
62,102

 
184

Less: amount representing interest
 
(10,424
)
 
(6
)
Present value of minimum payments
 
51,678

 
178

Less: lease obligations, current
 
(7,663
)
 
(124
)
Lease obligations, noncurrent
 
$
44,015

 
$
54


Rent expense was $13.9 million, $9.9 million and $9.6 million for 2019, 2018 and 2017, respectively.

77


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



The weighted average remaining lease term and the weighted average discount rate of the Company's leases were as follows:
 
December 31, 2019
Weighted average remaining lease term (years)
 
Operating leases
6.5

Finance leases
1.25

Weighted average discount rates
 
Operating leases
5.0
%
Finance leases
5.0
%


Purchase Obligation
The Company has entered into agreements to purchase goods and services in the ordinary course of business, primarily through the next 12 months. As of December 31, 2019, these remaining commitments were $25.3 million.

Indemnifications
The Company from time to time enters into certain types of contracts that contingently require it to indemnify various parties against claims from third parties. These contracts primarily relate to (i) the Company's by-laws, under which it must indemnify directors and executive officers, and may indemnify other officers and employees, for liabilities arising out of their relationship, (ii) contracts under which the Company must indemnify directors and certain officers for liabilities arising out of their relationship, and (iii) contracts under which the Company may be required to indemnify customers or resellers from certain liabilities arising from potential infringement of intellectual property rights, as well as potential damages caused by limited product defects. To date, the Company has not incurred and has not recorded any liability in connection with such indemnifications.
The Company maintains director and officer insurance, which may cover certain liabilities arising from its obligation to indemnify its directors.

NOTE 8.
Stockholders' Equity and Stock-based Compensation

Common Stock
The Company had reserved shares of common stock for future issuance as of December 31, 2019 as follows:
Options and RSUs outstanding under equity incentive plans
 
 
2000 Equity Incentive Plan
 
157,385

2012 Equity Incentive Plan
 
3,924,108

Shares available for future grants under an equity incentive plan
 
 
2012 Equity Incentive Plan
 
5,243,730

Total shares reserved for future issuance
 
9,325,223



Preferred Stock
Effective October 3, 2012, the Company is authorized to issue 20,000,000 shares of undesignated preferred stock with a par value of $0.001 per share. Each series of preferred stock will have such rights and preferences including dividend rights, dividend rate, conversion rights, voting rights, rights and terms of redemption (including sinking fund provisions), redemption price, and liquidation preferences as determined by the Board. As of December 31, 2019, and 2018, there were no issued or outstanding shares of preferred stock.

Stock Options

2012 Equity Incentive Plan
The 2012 Equity Incentive Plan was adopted and approved in September 2012 and became effective on September 26, 2012. Under the 2012 Plan, the Company is authorized to grant to eligible participant's incentive stock options (ISOs), non-statutory stock options (NSOs), stock appreciation rights (SARs), restricted stock awards (RSAs), RSUs, performance

78


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



units and performance shares equivalent to up to 13,741,931 shares of common stock as of December 31, 2019. The number of shares of common stock available for issuance under the 2012 Plan includes an annual increase on January 1 of each year by an amount equal to the least of 3,050,000 shares; 5% of the outstanding shares of stock as of the last day of the immediately preceding fiscal year; or an amount determined by the Board of Directors. Options may be granted with an exercise price that is at least equal to the fair market value of the Company's stock at the date of grant and are exercisable when vested. Options granted generally vest over a period of up to four years, with a maximum term of ten years. ISOs may only be granted to employees and any subsidiary corporations' employees. All other awards may be granted to employees, directors and consultants and subsidiary corporations' employees and consultants. Options, SARs, RSUs, performance units and performance awards may be granted with vesting terms as determined by the Board of Directors and expire no more than ten years after the date of grant or earlier if employment or service is terminated.

2000 Equity Incentive Plan
Under the 2000 Equity Incentive Plan (2000 Plan), the Company was authorized to grant to eligible participants either ISOs or NSOs. The ISOs were granted at a price per share not less than the fair market value at the date of grant. The NSOs were granted at a price per share not less than 85% of the fair market value at the date of grant. Options granted generally vest over a period of up to four years, with a maximum term of ten years. The 2000 Plan was terminated in connection with the closing of the Company's initial public offering, and accordingly, no shares are currently available for grant under the 2000 Plan. The 2000 Plan continues to govern outstanding awards granted thereunder.
Options granted under the 2000 Plan were immediately exercisable, and unvested shares are subject to repurchase by the Company. Upon termination of employment of an option holder, the Company has the right to repurchase at the original purchase price any issued but unvested common shares. The amounts paid for shares purchased under an early exercise of stock options and subject to repurchase by the Company are not reported as a component of stockholders’ equity (deficit) until those shares vest. The amounts received in exchange for these shares are recorded as an accrued liability in the accompanying consolidated balance sheets and will be reclassified to common stock and additional paid-in capital as the shares vest.

Stock-based Compensation
The following table shows a summary of the stock-based compensation expense included in the condensed consolidated statements of operations for the fiscal years ended December 31, 2019, 2018 and 2017:
 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
 
 
(in thousands)
Cost of revenues
 
$
2,262

 
$
2,489

 
$
2,159

Research and development
 
11,151

 
7,961

 
5,944

Sales and marketing
 
4,984

 
4,650

 
4,755

General and administrative
 
16,495

 
14,990

 
14,103

Total stock-based employee compensation
 
$
34,892

 
$
30,090

 
$
26,961



Stock-based compensation cost is recognized over the service period. Forfeitures are estimated at the time of grant and revised, if necessary, in subsequent periods if actual forfeitures materially differ from those estimates.

As of December 31, 2019, the Company had $17.5 million of total unrecognized employee compensation cost related to unvested options that it expects to recognize over a weighted-average period of 2.5 years.
The fair value of each option granted to employees is estimated on the date of grant using the Black-Scholes-Merton option-pricing model based on the following assumptions:
 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
Expected term (in years)
 
4.4 to 6.6
 
4.5 to 5.0
 
5.1 to 5.5
Volatility
 
40% to 46%
 
45% to 47%
 
47% to 49%
Risk-free interest rate
 
1.5% to 2.4%
 
2.5% to 3.0%
 
1.8% to 2.0%
Dividend yield
 
 
 


79


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



The expected term of the options is based on evaluations of historical and expected future employee exercise behavior. The risk-free interest rate is based on the U.S. Treasury rates at the date of grant with maturity dates approximately equal to the expected term at the grant date. Prior to the third quarter of 2017, volatility was based on a combination of the historical volatility of the Company and of several public entities that are similar to the Company. The Company based volatility on this combination because it did not have sufficient historical transactions in its own shares on which to solely base expected volatility. Beginning in the third quarter of 2017, the volatility was estimated using the historical volatility derived from the Company's common stock. The Company has not historically declared any dividends and does not expect to in the future.

Stock Option Plan Activity
A summary of the Company’s stock option activity is as follows:
 
 
Outstanding
Shares
 
Weighted
Average
Exercise
Price
 
Weighted
Average
Remaining
Contractual
Life (Years)
 
Aggregate
Intrinsic
Value
 
 
 
 
 
 
 
 
(in thousands)
Balance as of December 31, 2016
 
7,527,680

 
$
19.25

 
6.0
 
$
101,717

Granted
 
408,225

 
$
40.82

 
 
 
 
Exercised
 
(2,997,095
)
 
$
11.05

 
 
 
 
Canceled
 
(442,919
)
 
$
33.29

 
 
 
 
Balance as of December 31, 2017
 
4,495,891

 
$
25.29

 
6.6
 
$
153,129

Granted
 
366,786

 
$
79.79

 
 
 
 
Exercised
 
(1,183,235
)
 
$
20.33

 
 
 
 
Canceled
 
(250,133
)
 
$
39.61

 
 
 
 
Balance as of December 31, 2018
 
3,429,309

 
$
31.79

 
6.4
 
$
149,935

Granted
 
496,145

 
$
87.10

 
 
 
 
Exercised
 
(901,290
)
 
$
27.55

 
 
 
 
Canceled
 
(157,489
)
 
$
71.04

 
 
 
 
Balance as of December 31, 2019
 
2,866,675

 
$
40.54

 
6.0
 
$
125,647

Vested and expected to vest—December 31, 2019
 
2,655,987

 
$
37.27

 
5.9
 
$
124,592

Exercisable—December 31, 2019
 
2,099,200

 
$
28.39

 
5.4
 
$
115,916


The following table summarizes the outstanding and vested stock options at December 31, 2019:
 
 
Outstanding
 
Exercisable
Exercise Price
 
Number of
Shares

 
Weighted
Average
Exercise
Price Per
Share
 
Weighted
Average
Remaining
Contractual
Life (Years)
 
Number of
Shares
 
Weighted
Average
Exercise
Price Per
Share
$4.10 - $13.50
 
297,913

 
$
9.75

 
2.5
 
297,913

 
$
9.75

$13.60 - $25.17
 
351,255

 
$
22.22

 
4.6
 
347,391

 
$
22.19

$25.56 - $25.56
 
836,635

 
$
25.56

 
6.3
 
764,382

 
$
25.56

$26.86 - $34.97
 
297,207

 
$
30.98

 
5.0
 
287,277

 
$
30.96

$36.25 - $40.68
 
301,532

 
$
38.19

 
6.3
 
244,236

 
$
38.17

$40.89 - $79.51
 
363,278

 
$
70.50

 
8.5
 
113,388

 
$
61.81

$86.35 - $87.26
 
196,706

 
$
86.69

 
5.5
 
2,770

 
$
87.26

$89.55 - $89.55
 
63,300

 
$
89.55

 
9.6
 
499

 
$
89.55

$94.45 - $94.45
 
77,425

 
$
94.45

 
9.0
 
10,458

 
$
94.45

$95.10 - $95.10
 
81,424

 
$
95.10

 
8.5
 
30,886

 
$
95.10

 
 
2,866,675

 
$
40.54

 
6.0
 
2,099,200

 
$
28.39


The weighted-average grant date fair value of the Company’s stock options granted during 2019, 2018 and 2017 was $34.02, $33.05 and $18.03, respectively. The aggregate grant date fair value of the Company’s stock options granted during 2019, 2018 and 2017 was $12.2 million, $12.1 million and $7.4 million, respectively.

80


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



The intrinsic value of options exercised was $52.1 million, $71.7 million and $92.1 million during 2019, 2018 and 2017, respectively. Intrinsic value of an option is the difference between the fair value of the Company’s common stock at the time of exercise and the exercise price paid.

Restricted Stock
The terms and conditions of RSUs include vesting criteria and timing are set by the Board of Directors. The cost of RSUs is determined using the fair value of the Company’s common stock on the date of the grant. Compensation cost is recognized on a straight-line basis over the requisite service period of each grant adjusted for estimated forfeitures.
A summary of the Company’s RSU activity is as follows:
 
 
Number of Shares
 
Weighted-Average Grant Date Fair Value Per Share
Balance as of December 31, 2016
 
587,333

 
$
28.85

Granted
 
1,326,849

 
$
42.69

Vested
 
(368,367
)
 
$
33.52

Cancelled
 
(135,227
)
 
$
32.04

Balance as of December 31, 2017
 
1,410,588

 
$
40.34

Granted
 
548,245

 
$
75.44

Vested
 
(525,375
)
 
$
39.87

Cancelled
 
(206,575
)
 
$
43.43

Balance as of December 31, 2018
 
1,226,883

 
$
55.71

Granted
 
595,985

 
$
81.59

Vested
 
(438,892
)
 
$
53.17

Cancelled
 
(169,158
)
 
$
65.51

Balance as of December 31, 2019
 
1,214,818

 
$
67.99

Expected to vest as of December 31, 2019
 
902,794

 
$
66.37


As of December 31, 2019, the Company had $66.0 million of unrecognized compensation cost related to unvested awards that it expects to recognize over a weighted-average period of 2.6 years.

Performance-Based Stock Options and Restricted Stock Units
On November 2, 2019, the Board of Directors granted an award of time-based RSUs and performance-based NSOs to the Company’s Chairman and Chief Executive Officer, Philippe Courtot. The Compensation Committee of the Board, in consultation with its independent compensation consultant, designed these awards so that greater than 50% of this compensation was based on the achievement of performance goals linked to metrics designed to drive the creation of shareholder value.
The first portion of the award consists of 48,683 time-based RSUs that will vest in quarterly installments beginning on December 1, 2019, assuming continued service through each applicable vesting date. The second portion of the award consists of 123,856 NSOs that will vest at the end of the performance period based on achievement of goals related to revenue growth and free cash flow per share growth during the three-year period from January 2020 through December 2022, generally conditioned on Mr. Courtot’s continued status as a service provider through the date that performance is certified. If Mr. Courtot’s employment (a) is terminated by reason of death or disability or (b) is terminated by the Company for reasons other than cause within 12 months following a change in control (a “double trigger” termination), then 100% of any unvested portions of the award will vest, with any vesting in connection with change in control terminations conditioned upon the effectiveness of a release of claims in favor of the Company (2019 performance-based NSOs).
On December 21, 2018, the Board of Directors granted an award of time-based and performance-based restricted stock units to Mr. Courtot. The compensation committee of the Board, in consultation with its independent compensation consultant, designed these awards so that greater than 50% of this compensation was based on the achievement of performance goals linked to metrics designed to drive the creation of shareholder value.

81


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



The first portion of the award consists of 56,250 time-based RSUs that will vest in 16 quarterly increments beginning on January 1, 2019, assuming continued service through each applicable vesting date. The second portion of the award consists of 33,089 performance-based RSUs that will vest based on achievement of goals related to revenue growth for a three-year period from January 2019 through December 2021 and adjusted EBITDA margin for the 2021 fiscal year, generally conditioned on Mr. Courtot’s continued status as a service provider through the date that performance is certified. The third portion of the award consists of 33,088 performance-based RSUs that will vest in three increments based on the achievement of goals related to revenue growth and adjusted EBITDA margin for each of the 2019, 2020 and 2021 fiscal years, generally conditioned on Mr. Courtot’s continued status as a service provider through the date that performance is certified for the relevant increment. If Mr. Courtot’s employment (a) is terminated by reason of death or disability or (b) is terminated by the Company for reasons other than cause or good reason within 12 months following a change in control (a “double trigger” termination), then 100% of any unvested portions of the award will vest, with any vesting in connection with change in control terminations conditioned upon the effectiveness of a release of claims in favor of the Company (2018 performance-based RSUs).
The Company accounts for these awards as share-based compensation with multiple performance conditions and recognizes compensation costs when it is probable that the performance conditions are met. The Company assesses these conditions on a quarterly basis. During the year ended December 31, 2019, stock-based compensation costs of $0.3 million and $0.9 million were recognized for the 2019 performance-based NSOs and the 2018 performance-based RSUs, respectively.

Share Repurchase Program
On February 5, 2018, the Company's board of directors authorized a $100.0 million two-year share repurchase program, which was announced on February 12, 2018. On October 30, 2018, the Company announced that the board of directors had authorized an increase of $100.0 million to the original share repurchase program authorization. Shares may be repurchased from time to time on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934. On October 24, 2019, the Company's board of directors authorized another increase of $100.0 million, which allows the Company to repurchase shares pursuant to a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act until October 30, 2020.
Repurchased shares are retired and reclassified as authorized and unissued shares of common stock. On retirement of the repurchased shares, common stock is reduced by an amount equal to the number of shares being retired multiplied by the par value. The excess amount that is retired over its par value is first allocated as a reduction to additional paid-in capital based on the initial public offering price of the stock, with the remaining excess to retained earnings.
During the year ended December 31, 2019, the Company repurchased 1,026,455 shares of its common stock for approximately $86.4 million. All share repurchases were made using cash resources. As of December 31, 2019, approximately $128.5 million remained available for share repurchases pursuant to the Company's share repurchase program.

NOTE 9.
Employee Benefits Plan


401(k) Plan
The Company’s 401(k) Plan was established in 2000 to provide retirement and incidental benefits for its employees. As allowed under section 401(k) of the Internal Revenue Code, the 401(k) Plan provides tax-deferred salary deductions for eligible employees. Contributions to the 401(k) Plan are limited to a maximum amount as set periodically by the Internal Revenue Service. During the fiscal years ended December 31, 2019, 2018 and 2017, the Company made contributions to the 401(k) Plan of $1.3 million, $1.2 million and $1.1 million, respectively.
The Company contributes to a Provident Fund Plan for its employees in India, which is defined contribution plan set up in accordance with local labor and tax laws. Gratuity is also paid by the Company to eligible employees in India in accordance with Payment of Gratuity Act, 1972. During the fiscal years ended December 31, 2019, 2018 and 2017, the Company contributed $1.1 million, $0.7 million and $0.4 million, respectively, to those plans.

NOTE 10.
Income Taxes

82


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



The Company’s geographical breakdown of income before income taxes is as follows:
 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
 
 
(in thousands)
Domestic
 
$
72,124

 
$
50,010

 
$
34,914

Foreign
 
7,859

 
5,458

 
4,464

Income before income taxes
 
$
79,983

 
$
55,468

 
$
39,378


The provision for (benefit from) income taxes consists of the following:
 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
 
 
(in thousands)
Current
 
 
 
 
 
 
Federal
 
$
(90
)
 
$
(90
)
 
$
22

State
 
646

 
62

 
23

Foreign
 
3,000

 
1,988

 
1,471

Total current provision
 
3,556

 
1,960

 
1,516

Deferred
 
 
 
 
 
 
Federal
 
7,085

 
(3,449
)
 
(1,650
)
State
 
447

 
21

 
(996
)
Foreign
 
(441
)
 
(368
)
 
68

Total deferred (benefit) provision
 
7,091

 
(3,796
)
 
(2,578
)
                    Total provision for (benefit from) provision for income taxes
 
$
10,647

 
$
(1,836
)
 
$
(1,062
)

The reconciliation of the statutory federal income tax rate to the Company’s effective tax rate is as follows:
 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
Federal statutory rate
 
21.0
  %
 
21.0
  %
 
35.0
  %
State taxes
 
1.5

 
(1.9
)
 
(2.1
)
Stock-based compensation
 
(7.2
)
 
(20.4
)
 
(58.1
)
Foreign source income
 
0.1

 
(0.2
)
 
(0.2
)
Change in valuation allowance
 
1.1

 
4.4

 
2.8

Federal rate adjustment (due to 2017 Tax Act)
 

 

 
26.4

Federal and state research and development credit
 
(3.7
)
 
(6.7
)
 
(5.3
)
Other
 
0.4

 
0.5

 
(1.2
)
Provision for (benefit from) income taxes
 
13.2
 %
 
(3.3
)%
 
(2.7
)%

On December 22, 2017, the Tax Cuts and Jobs Act (the “2017 Tax Act”) was enacted into law. The new legislation contains several key tax provisions that impact the Company, including the reduction of the corporate income tax rate from 35% to 21% effective January 1, 2018. The new legislation also includes a variety of other changes, such as a one-time repatriation tax on accumulated foreign earnings (transition tax), acceleration of business asset expensing, and reduction in the amount of executive pay that could qualify as a tax deduction, among others. The Company recognized a provisional income tax expense of $10.4 million in the fourth quarter of 2017, from the re-measurement of certain deferred tax assets and liabilities as a result of the reduction of the federal tax rate, which was included as a component of the income tax provision on its consolidated statement of income. The Company completed its analysis of the impacts of the 2017 Tax Act in the fourth quarter of 2018 with no material change to its provisional estimate.


83


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



Deferred Income Taxes
Deferred income taxes reflect the tax effects of temporary differences between the carrying amounts of assets and liabilities for financial reporting purposes and the amounts used for income tax purposes. The components of the Company’s deferred tax assets and liabilities are as follows:
 
 
December 31,
 
 
2019
 
2018
 
 
(in thousands)
Deferred tax assets
 
 
 
 
Net operating loss carryforwards
 
$
1,325

 
$
11,250

Research and development credit carryforwards
 
20,182

 
16,901

Foreign tax credit carryforwards
 
2,586

 
2,209

Accrued liabilities
 
1,109

 
4,180

Deferred revenues
 
4,843

 
4,200

Lease Liability
 
13,187

 

Intangible assets
 
327

 

Stock-based compensation
 
5,942

 
6,975

Other
 
158

 
174

Gross deferred tax assets
 
49,659

 
45,889

Valuation allowance
 
(10,094
)
 
(9,100
)
Net deferred tax assets
 
39,565

 
36,789

Deferred tax liabilities
 
 
 
 
Fixed assets
 
(8,097
)
 
(8,160
)
ROU Asset
 
(10,496
)
 

Deferred commissions
 
(2,142
)
 
(1,458
)
Intangible assets
 

 
(784
)
Total deferred tax liabilities
 
(20,735
)
 
(10,402
)
Net deferred tax assets
 
$
18,830

 
$
26,387


The realization of deferred tax assets is dependent upon the generation of sufficient taxable income of the appropriate character in future periods. The Company regularly assesses the ability to realize its deferred tax assets and establishes a valuation allowance if it is more-likely than-not that some portion, or all, of the deferred tax assets will not be realized. The Company weighs all available positive and negative evidence, including its earnings history and results of recent operations, scheduled reversals of deferred tax liabilities, projected future taxable income, and tax planning strategies. Due to the weight of objectively verifiable negative evidence, it is more-likely-than-not that its California deferred tax assets will not be realized as of December 31, 2019. Additionally, due to a lack of sufficient future income of the appropriate character, certain U.S. federal and state deferred tax assets are not more-likely-than-not to be realized. Accordingly, the Company has recorded a valuation allowance of $10.1 million against such deferred tax assets. The valuation allowance increased by $1.0 million and $3.3 million during the years ended December 31, 2019 and 2018, respectively.
At December 31, 2019, the Company had federal and state net operating loss carryforwards of approximately $5.0 million and $2.1 million, respectively, available to reduce federal and state taxable income. Federal net operating losses do not expire but the net operating loss deduction is limited to 80% of taxable income. The state net operating losses begin to expire in 2030. Utilization of the Company’s net operating loss carryforwards may be subject to an annual limitation due to the ownership change limitations provided by the Internal Revenue Code and similar state provisions. Such an annual limitation could result in the expiration of the net operating loss carryforwards before utilization. As of December 31, 2019, the Company had $14.6 million of federal and $13.2 million of state research and development credit carryforwards, respectively. Federal research and development credits begin to expire in 2022. State research and development credits do not expire. As of December 31, 2019, the Company had foreign tax credit carryforwards of $2.6 million which begin to expire in 2024.


84


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



The following table summarizes the activity related to the Company’s unrecognized tax benefits (in thousands):
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
 
 
Unrecognized tax benefits beginning balance
 
$
6,406

 
$
5,112

 
$
4,071

Gross increase for tax positions of prior years
 

 
279

 
66

Gross decrease for tax positions of prior years
 
(12
)
 
(227
)
 

Gross increase for tax positions of current year
 
1,384

 
1,399

 
1,101

Lapse of statute of limitations
 

 
(157
)
 
(126
)
Total unrecognized tax benefits
 
$
7,778

 
$
6,406

 
$
5,112



The unrecognized tax benefits, if recognized, would impact the income tax provision by $4.2 million, $3.5 million and $2.8 million as of December 31, 2019, 2018 and 2017, respectively. The remaining amount would be offset by the reversal of related deferred tax assets which are subject to a full valuation allowance. As of December 31, 2019, the Company does not believe that its estimates, as otherwise provided for, on such tax positions will significantly increase or decrease within the next twelve months. The Company has elected to include interest and penalties as a component of income tax expense. The amounts were not material for 2019, 2018 and 2017.

The Company files income tax returns in the United States, including various state jurisdictions. The Company’s subsidiaries file tax returns in various foreign jurisdictions. The tax years 2001 through 2018 remain open to examination by the major taxing jurisdictions in which the Company is subject to tax. The Company is also currently subject to tax audits in various jurisdictions. The Company believes that an adequate provision has been made for any adjustments that may result from tax examinations. However, the outcome of tax audits cannot be predicted with certainty. If any issues addressed in the Company's tax audits are resolved in a manner inconsistent with its expectations, the Company could be required to adjust its provision for income taxes in the period such resolution occurs. Although timing of resolution and/or closure of audits is not certain, the Company believes it is reasonably possible that its gross unrecognized tax benefits could increase or decrease in the next 12 months.

U.S. income tax has not been recognized on the excess of the amount for financial reporting over the tax basis of investments in foreign subsidiaries that is indefinitely reinvested outside the United States. A determination of the unrecognized deferred tax liability related to this basis difference is not practicable because of the complexities of the calculation.

NOTE 11.
Segment Information and Information about Geographic Area
The Company operates in one segment. The Company determines its reportable operating segments in accordance with the provisions in the FASB guidance on segment reporting, which establishes standards for, and requires disclosure of, certain financial information related to reportable operating segments and geographic regions. The Company’s chief operating decision maker is the Chairman, President and Chief Executive Officer, who makes operating decisions, assesses performance and allocates resources on a consolidated basis. All of the Company’s principal operations and decision-making functions are located in the United States.
Revenue by geographic area, based on the customers billing address, is as follows:
 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
 
 
(in thousands)
United States
 
$
206,555

 
$
185,887

 
$
162,681

Foreign
 
115,052

 
93,002

 
68,147

Total revenues
 
$
321,607

 
$
278,889

 
$
230,828




85


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



Property and equipment, net, by geographic area, is as follows:
 
 
December 31,
 
 
2019
 
2018
 
 
(in thousands)
United States
 
$
46,100

 
$
51,587

India
 
9,221

 
5,774

Rest of world
 
5,258

 
4,081

Total property and equipment, net
 
$
60,579

 
$
61,442



NOTE 12.
Net Income Per Share
The computations for basic and diluted net income per share are as follows:
 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
 
 
(in thousands, except per share data)
Numerator:
 
 
 
 
 
 
Net income
 
$
69,336

 
$
57,304

 
$
40,440

 
 
 
 
 
 
 
Denominator:
 
 
 
 
 
 
Weighted-average shares used in computing net income per share - basic
 
39,075

 
38,876

 
37,443

Effect of potentially dilutive securities:
 
 
 
 
 
 
Common stock options
 
1,807

 
2,401

 
2,262

Restricted stock units
 
463

 
620

 
366

Weighted-average shares used in computing net income per share - diluted
 
$
41,345

 
$
41,897

 
$
40,071

Net income per share:
 
 
 
 
 
 
Basic
 
$
1.77

 
$
1.47

 
$
1.08

Diluted
 
$
1.68

 
$
1.37

 
$
1.01



Potentially dilutive securities not included in the calculation of diluted net income per share because doing so would be anti-dilutive are as follows:
 
 
Year Ended December 31,
 
 
2019
 
2018
 
2017
 
 
(in thousands)
Common stock options
 
461

 
177

 
742

Restricted stock units
 
26

 
22

 
71

   Total anti-dilutive shares
 
487

 
199

 
813




86


Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)



NOTE 13.
Selected Quarterly Financial Information (Unaudited)

The following table shows a summary of the Company's quarterly financial information for each of the quarters in the two-year period ended December 31, 2019:
 
Three Months Ended
 
Dec. 31,
2019
 
Sep. 30,
 2019
 
Jun. 30,
2019
 
Mar. 31,
2019
 
Dec. 31,
2018
 
Sep. 30,
 2018
 
Jun. 30,
2018
 
Mar. 31,
2018
 
(unaudited)
 
(in thousands, except per share data)
Revenues
$
84,664

 
$
82,671

 
$
78,929

 
$
75,343

 
$
74,200

 
$
71,658

 
$
68,153

 
$
64,878

Income from operations
19,545

 
22,549

 
16,108

 
14,051

 
12,943

 
18,117

 
10,895

 
8,406

Other income (expense), net
1,757

 
1,786

 
2,401

 
1,786

 
1,862

 
1,116

 
884

 
1,245

Income before income taxes
21,302

 
24,335

 
18,509

 
15,837

 
14,805

 
19,233

 
11,779

 
9,651

Net income
$
20,664

 
$
19,174

 
$
16,232

 
$
13,266

 
$
14,400

 
$
23,469

 
$
10,293

 
$
9,142

Net income per share:
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Basic
$
0.53

 
$
0.49

 
$
0.41

 
$
0.34

 
$
0.37

 
$
0.60

 
$
0.26

 
$
0.24

Diluted
$
0.50

 
$
0.47

 
$
0.39

 
$
0.32

 
$
0.35

 
$
0.56

 
$
0.24

 
$
0.22



Item 9.
Changes In and Disagreements with Accountants on Accounting and Financial Disclosure

None.

Item 9A.
Controls and Procedures

Evaluation of Disclosure Controls and Procedures
Our management, with the participation of our Chief Executive Officer, Chief Financial Officer and our Principal Accounting Officer, evaluated the effectiveness of our disclosure controls and procedures as of December 31, 2019. The term “disclosure controls and procedures,” as defined in Rules 13a-15(e) and 15d-15(e) under the Exchange Act, means controls and other procedures of a company that are designed to ensure that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Securities and Exchange Commission’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is accumulated and communicated to the company’s management, including its principal executive and principal financial officers, as appropriate to allow timely decisions regarding required disclosure. Management recognizes that any controls and procedures, no matter how well designed and operated, can provide only reasonable assurance of achieving their objectives and management necessarily applies its judgment in evaluating the cost-benefit relationship of possible controls and procedures. Based on the evaluation of our disclosure controls and procedures as of December 31, 2019, our Chief Executive Officer and Chief Financial Officer concluded that, as of such date, our disclosure controls and procedures were effective at the reasonable assurance level.

Management's Annual Report on Internal Control over Financial Reporting
Our management is responsible for establishing and maintaining adequate internal control over financial reporting, as such term is defined in Rules 13a-15(f) and 15d-15(f) of the Exchange Act. Our internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with U.S. GAAP. Our internal control over financial reporting includes those policies and procedures that: (i) pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of our assets, (ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with U.S. GAAP, and that our receipts and expenditures are being made only in accordance with authorizations of our management and directors, and (iii) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of our assets that could have a material effect on our financial statements.

87




Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
Under the supervision and with the participation of our management, including our Chief Executive Officer, Chief Financial Officer and our Principal Accounting Officer, we conducted an evaluation of the effectiveness of our internal control over financial reporting as of December 31, 2019 based on the criteria established in the 2013 Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. Based on our evaluation under the criteria set forth in the 2013 Internal Control - Integrated Framework issued by the COSO, our management concluded our internal control over financial reporting was effective as of December 31, 2019.
The effectiveness of the Company's internal control over financial reporting as of December 31, 2019 has been audited by Grant Thornton LLP, an independent registered public accounting firm, as stated in its report, which is included in Item 8 of this Annual Report on Form 10-K.

Changes in Internal Control over Financial Reporting
There was no change in our internal control over financial reporting identified in connection with the evaluation required by Rule 13a-15(d) and 15d-15(d) of the Exchange Act that occurred during the fourth quarter ended December 31, 2019 that has materially affected, or is reasonably likely to materially affect, our internal control over financial reporting.

Item 9B.
Other Information

None.

PART III
Item 10.
Directors, Executive Officers and Corporate Governance

Executive Officers and Directors
Except as set forth below, the information required by this item is incorporated by reference to our Proxy Statement for our 2020 Annual Meeting of Stockholders to be filed with the SEC within 120 days after the end of the fiscal year ended December 31, 2019.

Codes of Business Conduct and Ethics
Our Board of Directors has adopted a code of business conduct and ethics that applies to all of our employees, officers and directors, including our Chief Executive Officer, Chief Financial Officer and other executive and senior financial officers. The code of business conduct and ethics is available on our website. We expect that, to the extent required by law, any amendments to the code, or any waivers of its requirements, will be disclosed on our website. We intend to disclose any waiver to the provisions of the code of business conduct and ethics that applies specifically to directors or executive officers by filing such information on a Current Report on Form 8-K with the SEC, to the extent such filing is required by the NASDAQ Stock Market's listing requirements; otherwise, we will disclose such waiver by posting such information on our website.

Item 11.
Executive Compensation

The information required by this item is incorporated by reference to our Proxy Statement for our 2020 Annual Meeting of Stockholders to be filed with the SEC within 120 days after the end of the fiscal year ended December 31, 2019.

Item 12.
Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters

The information required by this item with respect to Item 403 of Regulation S-K regarding security ownership of certain beneficial owners and management is incorporated by reference to our Proxy Statement for our 2020 Annual Meeting of Stockholders to be filed with the SEC within 120 days after the end of the fiscal year ended December 31, 2019. For the

88




information required by this item with respect to Item 201(d) of Regulation S-K regarding securities authorized for issuance under equity compensation plans, see “Item 5: Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities—Securities Authorized for Issuance under Equity Compensation Plans.”

Item 13.
Certain Relationships and Related Transactions, and Director Independence

The information required by this item is incorporated by reference to our Proxy Statement for our 2020 Annual Meeting of Stockholders to be filed with the SEC within 120 days after the end of the fiscal year ended December 31, 2019.

Item 14.
Principal Accounting Fees and Services

The information required by this item is incorporated by reference to our Proxy Statement for our 2020 Annual Meeting of Stockholders to be filed with the SEC within 120 days after the end of the fiscal year ended December 31, 2019.


89




PART IV
Item 15.
Exhibits and Financial Statement Schedules
(a)(1) Financial Statements - The financial statements filed as part of this Annual Report on Form 10-K are listed on the Index to Consolidated Financial Statements in Item 8.
(a)(2) Financial Statement Schedules

SCHEDULE II
SUPPLEMENTARY CONSOLIDATED FINANCIAL STATEMENT SCHEDULE
VALUATION AND QUALIFYING ACCOUNTS
(in thousands)

 
 
 
 
Additions
 
 
 
 
 
 
Balance at Beginning of Year
 
Charged to Costs and Expenses
 
Deductions and Other (1)
 
Balance at End of Year
Allowance for Doubtful Accounts
 
 
 
 
 
 
 
 
Year Ended December 31, 2019
 
$
683

 
$
247

 
$
(345
)

$
585

Year Ended December 31, 2018
 
$
816

 
$
86

 
$
(219
)

$
683

Year Ended December 31, 2017
 
$
702

 
$
657

 
$
(543
)

$
816

(1) Primarily represents write-offs of uncollectible accounts, net of recoveries.
All other schedules have been omitted because they are not required, not applicable, or the required information is otherwise included.
(b) Exhibits

 
 
 
Incorporated by Reference
Exhibit
 
Description
Filed Herewith
Form
File No.
Exhibit No.
Filing Date
Number
 
 
 
 
 
 
 
 
 
3.1
  
 
S-1/A
333-182027
3.3
September 12, 2012
 
 
 
 
 
 
 
 
3.2
  
 
S-1/A
333-182027
3.5
September 12, 2012
 
 
 
 
 
 
 
 
4.1
  
 
S-1/A
333-182027
4.1
September 12, 2012
 
 
 
 
 
 
 
 
4.2
 
X
 
 
 
 
 
 
 
 
 
 
 
 
10.1*
  
 
S-1
333-182027
10.1
June 8, 2012
 
 
 
 
 
 
 
 
10.2*
  
 
S-1/A
333-182027
10.2
September 12, 2012
 
 
 
 
 
 
 
 
10.3*
  
 
S-1
333-182027
10.3
June 8, 2012
 
 
 
 
 
 
 
 
10.4*
  
 
S-1
333-182027
10.5
June 8, 2012
 
 
 
 
 
 
 
 
10.5*
  
 
8-K
001-35662
10.1
May 2, 2016
 
 
 
 
 
 
 
 
10.6*
  
 
S-1
333-182027
10.9
June 8, 2012
 
 
 
 
 
 
 
 
10.7*

 
 
S-1/A

333-182027

10.10
August 10, 2012

 
 
 
 
 
 
 
 
10.8
 
 
8-K
001-35662
10.1
October 19, 2016
 
 
 
 
 
 
 
 
10.9*
 
 
Schedule 14A, Appendix A
001-35662
N/A
April 25, 2016
 
 
 
 
 
 
 
 
10.10*†
 
 
10-Q
001-35662
10.3
August 4, 2016
 
 
 
 
 
 
 
 
10.11
  
 
S-1/A
333-182027
10.14
September 12, 2012
 
 
 
 
 
 
 
 
10.12†
  
 
S-1/A
333-182027
10.15
September 12, 2012
 
 
 
 
 
 
 
 
10.13†
  
 
S-1/A
333-182027
10.16
September 12, 2012
 
 
 
 
 
 
 
 
21.1
  
X
 
 
 
 
 
 
 
 
 
 
 
 
23.1
  
X
 
 
 
 
 
 
 
 
 
 
 
 
31.1
 
X
 
 
 
 
 
 
 
 
 
 
 
 
31.2
 
X
 
 
 
 
 
 
 
 
 
 
 
 
32.1
 
X
 
 
 
 
 
 
 
 
 
 
 
 
32.2
 
X
 
 
 
 
 
 
 
 
 
 
 
 
101.INS
 
Inline XBRL Instance Document - the instance document does not appear in the Interactive Data File because its XBRL tags are embedded within the Inline XBRL document.
X
 
 
 
 
 
 
 
 
 
 
 
 
101.SCH
 
Inline XBRL Taxonomy Extension Schema Document
X
 
 
 
 
 
 
 
 
 
 
 
 
101.CAL
 
Inline XBRL Taxonomy Extension Calculation Linkbase Document
X
 
 
 
 
 
 
 
 
 
 
 
 
101.DEF
 
Inline XBRL Taxonomy Extension Definition Linkbase
X
 
 
 
 
 
 
 
 
 
 
 
 
101.LAB
 
Inline XBRL Taxonomy Extension Labels Linkbase Document
X
 
 
 
 
 
 
 
 
 
 
 
 
101.PRE
 
Inline XBRL Taxonomy Extension Presentation Linkbase Document
X
 
 
 
 
 
 
 
 
 
 
 
 
104
 
Cover Page Interactive Data File - formatted in Inline XBRL and included as Exhibit 101
X
 
 
 
 
 
 
 
 
 
 
 
 
 
*
Indicates a management contract or compensatory plan or arrangement.
 
 
 
 
 
 
Portions of this exhibit have been omitted due to a determination by the Securities and Exchange Commission that these portions should be granted confidential treatment.
 
 
 
 
 






90




SIGNATURES

Pursuant to the requirements of Section 13 or 15(d) of the Securities Exchange Act of 1934, the registrant has duly caused this Annual Report on Form 10-K to be signed on its behalf by the undersigned, thereunto duly authorized, in the City of Foster City, State of California on February 21, 2020.

                          

QUALYS, INC.
 
 
By:
/s/ PHILIPPE F. COURTOT
 
Philippe F. Courtot
 
Chairman and Chief Executive Officer
 
(principal executive officer)


91

Table of Contents



Pursuant to the requirements of the Securities Exchange Act of 1934, this report has been signed below by the following persons on behalf of the Registrant and in the capacities indicated:

Signature
 
Title
Date
 
 
 
 
/s/ PHILIPPE F. COURTOT
 
Chairman and Chief Executive Officer (principal executive officer)
February 21, 2020
Philippe F. Courtot
 
 
 
 
 
 
 
/s/ MELISSA B. FISHER
 
Chief Financial Officer (principal financial officer)
February 21, 2020
Melissa B. Fisher
 
 
 
 
 
 
 
/s/ SANDRA E. BERGERON
 
Director
February 21, 2020
Sandra Bergeron
 
 
 
 
 
 
 
/s/ JEFFREY P. HANK
 
Director
February 21, 2020
Jeffrey P. Hank
 
 
 
 
 
 
 
/s/ GENERAL PETER PACE
 
Director
February 21, 2020
General Peter Pace
 
 
 
 
 
 
 
/s/ KRISTI M. ROGERS
 
Director
February 21, 2020
Kristi M. Rogers
 
 
 
 
 
 
 
/s/ WENDY M. PFEIFFER
 
Director
February 21, 2020
Wendy M. Pfeiffer
 
 
 


92


Exhibit 4.2

DESCRIPTION OF REGISTRANT’S SECURITIES
REGISTERED PURSUANT TO SECTION 12 OF THE
SECURITIES EXCHANGE ACT OF 1934

The following description of the common stock, par value $0.001 per share (“Common Stock”) of Qualys, Inc. (the “Company”) is based upon the Company’s amended and restated certificate of incorporation (the “Certificate of Incorporation”), the Company’s amended and restated bylaws (the “Bylaws”), and applicable provisions of law. The following description summarizes the most important terms of the Company’s Common Stock. For a complete description of the matters set forth in this exhibit, please refer to the Company’s Certificate of Incorporation and Bylaws, each of which is filed as an exhibit to the Annual Report on Form 10‑K of which this exhibit is a part, and to the applicable provisions of Delaware law.

Authorized Capital Stock

Under the Certificate of Incorporation, the Company’s authorized capital stock consists of 1,000,000,000 shares of Common Stock and 20,000,000 shares of undesignated preferred stock, $0.001 par value per share.
 
Common Stock

Common Stock Outstanding. The outstanding shares of Common Stock are duly authorized, validly issued, fully paid and nonassessable.

Voting Rights. Each holder of Common Stock is entitled to one vote for each share held of record on the applicable record date on all matters submitted to a vote of stockholders, including the election of directors. Holders of Common Stock do not have cumulative voting rights in the election of directors.

Dividend Rights. Subject to preferences that may be applicable to any then outstanding preferred stock, holders of Common Stock are entitled to receive dividends, if any, as may be declared from time to time by the Company’s board of directors out of legally available funds.

Rights upon Liquidation. In the event of a liquidation, dissolution or winding up of the Company, holders of Common Stock will be entitled to share ratably in the net assets legally available for distribution to stockholders after the payment of all of the Company’s debts and other liabilities and the satisfaction of any liquidation preference granted to the holders of any then outstanding shares of preferred stock.

Other Rights. Holders of Common Stock have no preemptive, conversion, subscription or other rights, and there are no redemption or sinking fund provisions applicable to Common Stock. The rights, preferences and privileges of the holders of Common Stock are subject to and may be adversely affected by, the rights of the holders of shares of any series of preferred stock that the Company may designate and issue in the future.

Preferred Stock

Under the Certificate of Incorporation, without further stockholder action, the Company’s board of directors is authorized to issue up to 20,000,000 shares of preferred stock in one or more series and to fix the rights, preferences, privileges and restrictions thereof. These rights, preferences and privileges could include dividend rights, conversion rights, voting rights, terms of redemption, liquidation preferences, sinking fund terms and the number of shares constituting any series or the designation of such series, any or all of which may be greater than the rights of Common Stock. The issuance of preferred stock by the Company could adversely affect the voting power of holders of Common Stock and the likelihood that such holders will receive dividend payments and payments upon liquidation. In addition, the issuance of preferred stock could have the effect of delaying, deferring or preventing a change of control of the Company or other corporate action.

Certain Anti-Takeover Provisions

Certain provisions of Delaware law, the Certificate of Incorporation and the Bylaws may have the effect of delaying, deferring or discouraging another person from acquiring control of the Company. These provisions, which are summarized below, may have the effect of discouraging takeover bids. They are also designed, in part, to encourage persons seeking to acquire control of the Company to negotiate first with the Company’s board of directors.

Delaware Law. The Company is governed by the provisions of Section 203 of the Delaware General Corporation Law, or Section 203. In general, Section 203 prohibits a public Delaware corporation from engaging in a “business combination” with an “interested stockholder” for a period of three years after the date of the transaction in which the person became an interested stockholder, unless the business combination is approved in a prescribed manner. A “business combination” includes mergers, asset sales or other transactions resulting in a financial benefit to the stockholder. An “interested stockholder” is a person who, together with affiliates and associates, owns, or within three years did own, 15% or more of the corporation’s outstanding voting stock. These provisions may have the effect of delaying, deferring or preventing a change in control.

Board of Directors Vacancies. The Certificate of Incorporation and Bylaws authorize only the Company’s board of directors to fill vacant directorships, including newly created seats. In addition, the number of directors constituting the Company’s board of directors is permitted to be set only by a resolution adopted by a majority vote of the entire board of directors. These provisions would prevent a stockholder from increasing the size of the Company’s board of directors and then gaining control of the board of directors by filling the resulting vacancies with its own nominees. This makes it more difficult to change the composition of the Company’s board of directors but promotes continuity of management.

Classified Board. The Certificate of Incorporation and Bylaws provide that the board is classified into three classes of directors. A third party may be discouraged from making a tender offer or otherwise attempting to obtain control of the Company as it is more difficult and time consuming for stockholders to replace a majority of the directors on a classified board of directors.

Stockholder Action and Special Meeting of Stockholders. The Certificate of Incorporation provides that stockholders may not take action by written consent, but may only take action at annual or special meetings of stockholders. As a result, a holder controlling a majority of the Company’s capital stock would not be able to amend the Bylaws or remove directors without holding a meeting of stockholders called in accordance with the Bylaws. The Bylaws further provide that special meetings of stockholders may be called only by a majority of the Company’s board of directors, the Chairman of the board of directors, the Company’s Chief Executive Officer or the Company’s President, thus prohibiting a stockholder from calling a special meeting. These provisions might delay the ability of stockholders to force consideration of a proposal or for stockholders controlling a majority of the Company’s capital stock to take any action, including the removal of directors.

Advance Notice Requirements for Stockholder Proposals and Director Nominations. The Bylaws provide advance notice procedures for stockholders seeking to bring business before an annual meeting of stockholders or to nominate candidates for election as directors at an annual meeting of stockholders. The Bylaws also specify certain requirements regarding the form and content of a stockholder’s notice. These provisions might preclude stockholders from bringing matters before an annual meeting of stockholders or from making nominations for directors at an annual meeting of stockholders if the proper procedures are not followed. These provisions may also discourage or deter a potential acquirer from conducting a solicitation of proxies to elect the acquirer’s own slate of directors or otherwise attempting to obtain control of the Company.

Directors Removed Only for Cause. The Certificate of Incorporation provides that stockholders may remove directors only for cause.

Amendment of Charter Provisions. Any amendment of the above provisions in the Certificate of Incorporation would require approval by holders of at least two-thirds of the Company’s then outstanding Common Stock.








Exhibit 21.1


List of subsidiaries of Qualys, Inc.


Name of Subsidiary
 
Jurisdiction of Incorporation
Qualys International, Inc.
 
United States
Blue Jay Acquisition Sub, Inc.
 
United States
Qualys Brazil Desenvolvimento de Produtos e Consultoria de Tecnologias de Seguranca LTDA.
 
Brazil
Qualys Canada, Ltd.
 
Canada
Qualys Technologies, S.A.
 
France
Qualys GmbH
 
Germany
Qualys Hong Kong Limited
 
Hong Kong
Qualys Security TechServices Private Ltd.
 
India
Qualys Japan K.K.
 
Japan
Qualys Singapore Pte. Ltd.
 
Singapore
Qualys Middle East FZE
 
United Arab Emirates
Qualys Ltd.
 
United Kingdom
Qualys Australia Pty Ltd.
 
Australia
Qualys Switzerland Sarl
 
Switzerland
Qualys Colombia S.A.S.
 
Colombia
Qualys South Africa Proprietary Limited
 
South Africa
Qualys Netherlands B.V.
 
The Netherlands




    
Exhibit 23.1

CONSENT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM

We have issued our reports dated February 21, 2020, with respect to the consolidated financial statements, schedule and internal control over financial reporting included in the Annual Report of Qualys, Inc. on Form 10-K for the year ended December 31, 2019. We consent to the incorporation by reference of said reports in the Registration Statements of Qualys, Inc. on Forms S-8 (File Nos. 333-184394, 333-193576, 333-202587, 333- 209735, 333-216232, 333-223192, and 333-229908).


/s/ GRANT THORNTON LLP

San Jose, California
February 21, 2020



Exhibit 31.1


CERTIFICATION OF CHIEF EXECUTIVE OFFICER
PURSUANT TO RULE 13a-14(a) OR RULE 15d-14(a)
OF THE SECURITIES EXCHANGE ACT OF 1934

I, Philippe F. Courtot, certify that:

1.
I have reviewed this annual report on Form 10-K of Qualys, Inc.;
2.
Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
3.
Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;
4.
The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:
(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
(c) Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
(d) Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and
5.
The registrant's other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and
(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting.






Date:
February 21, 2020
 
By:
/s/ PHILIPPE F. COURTOT
 
Philippe F. Courtot
Chairman and Chief Executive Officer
(Principal Executive Officer)
Qualys, Inc.





Exhibit 31.2

CERTIFICATION OF CHIEF FINANCIAL OFFICER
PURSUANT TO RULE 13a-14(a) OR RULE 15d-14(a)
OF THE SECURITIES EXCHANGE ACT OF 1934

I, Melissa B. Fisher, certify that:

1.
I have reviewed this annual report on Form 10-K of Qualys, Inc.;
2.
Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
3.
Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;
4.
The registrant's other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:
(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
(c) Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
(d) Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and
5.
The registrant's other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and
(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting.






Date:
February 21, 2020
 
By:
/s/ MELISSA B. FISHER
 
Melissa B. Fisher
Chief Financial Officer
(Principal Financial Officer)
Qualys, Inc.





Exhibit 32.1

CERTIFICATION OF CHIEF EXECUTIVE OFFICER
PURSUANT TO RULE 13a-14(b) OR RULE 15d-14(b)
OF THE SECURITIES EXCHANGE ACT OF 1934 AND 18 U.S.C. SECTION 1350

In connection with the Annual Report of Qualys, Inc. (the “Company”) on Form 10-K for the year ended December 31, 2019, as filed with the Securities and Exchange Commission on the date hereof (the “Report”), I, Philippe F. Courtot, Chairman, President and Chief Executive Officer of the Company, certify, pursuant to 18 U.S.C. § 1350, as adopted pursuant to § 906 of the Sarbanes-Oxley Act of 2002, that, to the best of my knowledge:
          (1) The Report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and
          (2) The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of the Company.

Date:
February 21, 2020
 
By:
/s/ PHILIPPE F. COURTOT
 
Philippe F. Courtot
Chairman and Chief Executive Officer
(Principal Executive Officer)
Qualys, Inc.





Exhibit 32.2

CERTIFICATION OF CHIEF FINANCIAL OFFICER
PURSUANT TO RULE 13a-14(b) OR RULE 15d-14(b)
OF THE SECURITIES EXCHANGE ACT OF 1934 AND 18 U.S.C. SECTION 1350

In connection with the Annual Report of Qualys, Inc. (the “Company”) on Form 10-K for the year ended December 31, 2019, as filed with the Securities and Exchange Commission on the date hereof (the “Report”), I, Melissa B. Fisher, Chief Financial Officer of the Company, certify, pursuant to 18 U.S.C. § 1350, as adopted pursuant to § 906 of the Sarbanes-Oxley Act of 2002, that, to the best of my knowledge:
          (1) The Report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and
          (2) The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of the Company.

Date:
February 21, 2020
 
By:
/s/ MELISSA B. FISHER
 
Melissa B. Fisher
Chief Financial Officer
(Principal Financial Officer)
Qualys, Inc.