UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
FORM 20-F
☐
REGISTRATION STATEMENT PURSUANT TO SECTION 12(b) OR (g) OF THE SECURITIES EXCHANGE ACT OF 1934
OR
☒
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended December 31, 2024
OR
☐
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
OR
☐
SHELL COMPANY REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
Commission file number 001-36625
CYBERARK SOFTWARE LTD.
(Exact name of Registrant as specified in its charter)
ISRAEL
(Jurisdiction of incorporation or organization)
9 Hapsagot St.
Park Ofer B, P.O. BOX 3143
Petach-Tikva 4951040, Israel
(Address of principal executive offices)
Donna Rahav
Chief Legal Officer
Telephone: +972 (3) 918-0000
CyberArk Software Ltd.
9 Hapsagot St.
Park Ofer B, P.O. BOX 3143
Petach-Tikva 4951040, Israel
(Name, telephone, e-mail and/or facsimile number and address of company contact person)
Securities registered or to be registered pursuant to Section 12(b) of the Act:
Title of each class
Trading Symbol(s)
Name of each exchange on which registered
Ordinary shares, par value NIS 0.01 per share
CYBR
The Nasdaq Stock Market LLC
Securities registered or to be registered pursuant to Section 12(g) of the Act: None.
Securities for which there is a reporting obligation pursuant to Section 15(d) of the Act: None.
Indicate the number of outstanding shares of each of the issuer’s classes of capital or common stock as of the close of the period covered by the annual report:
As of December 31, 2024, the registrant had outstanding 49,426,711 ordinary shares, par value NIS 0.01 per share.
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act.
Yes ☒ No ☐
If this report is an annual or transition report, indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the
Securities Exchange Act of 1934.
Yes ☐ No ☒
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during
the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for
the past 90 days.
Yes ☒ No ☐
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of
Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).
Yes ☒ No ☐
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, or an emerging growth company. See the
definitions of “large accelerated filer,” “accelerated filer,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
Large accelerated filer ☒
Accelerated filer ☐
Non-accelerated filer ☐
Emerging growth company ☐
If an emerging growth company that prepares its financial statements in accordance with U.S. GAAP, indicate by check mark if the registrant has elected not to
use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange
Act. ☐
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over
financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit
report. ☒
If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing
reflect the correction of an error to previously issued financial statements. ☐
Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by
any of the registrant’s executive officers during the relevant recovery period pursuant to § 240.10D-1(b). ☐
Indicate by check mark which basis of accounting the registrant has used to prepare the financial statements included in this filing:
U.S. GAAP ☒
International Financial Reporting Standards as issued
by the International Accounting Standards Board ☐
Other ☐
If “Other” has been checked in response to the previous question, indicate by check mark which financial statement item the registrant has elected to follow.
☐ Item 17 ☐ Item 18
If this is an annual report, indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).
Yes ☐ No ☒
CYBERARK SOFTWARE LTD.
FORM 20-F
ANNUAL REPORT FOR THE FISCAL YEAR ENDED DECEMBER 31, 2024
TABLE OF CONTENTS
Introduction
1
Special Note Regarding Forward-Looking Statements
1
PART I
Item 1.
Identity of Directors, Senior Management and Advisers
2
Item 2.
Offer Statistics and Expected Timetable
2
Item 3.
Key Information
2
Item 4.
Information on the Company
27
Item 4A.
Unresolved Staff Comments
44
Item 5.
Operating and Financial Review and Prospects
44
Item 6.
Directors, Senior Management and Employees
63
Item 7.
Major Shareholders and Related Party Transactions
83
Item 8.
Financial Information
85
Item 9.
The Offer and Listing
86
Item 10.
Additional Information
86
Item 11.
Quantitative and Qualitative Disclosures About Market Risk
96
Item 12.
Description of Securities Other than Equity Securities
97
PART II
Item 13.
Defaults, Dividend Arrearages and Delinquencies
98
Item 14.
Material Modifications to the Rights of Security Holders and Use of Proceeds
98
Item 15.
Controls and Procedures
98
Item 16A.
Audit Committee Financial Expert
99
Item 16B.
Code of Ethics
99
Item 16C.
Principal Accountant Fees and Services
99
Item 16D.
Exemptions from the Listing Standards for Audit Committees
100
Item 16E.
Purchases of Equity Securities by the Issuer and Affiliated Purchasers
100
Item 16F.
Change in Registrant’s Certifying Accountant
100
Item 16G.
Corporate Governance
100
Item 16H.
Mine Safety Disclosure
100
Item 16I.
Disclosure Regarding Foreign Jurisdictions that Prevent Inspections
100
Item 16J.
Insider Trading Policies
101
Item 16K.
Cybersecurity
101
PART III
Item 17.
Financial Statements
102
Item 18.
Financial Statements
102
Item 19.
Exhibits
102
INTRODUCTION
In this annual report, the terms “CyberArk,” “we,” “us,” “our” and “the Company” refer to CyberArk Software Ltd. and its subsidiaries.
This annual report includes statistical, market and industry data and forecasts that we obtained from publicly available information and independent industry
publications and reports that we believe to be reliable sources. These publicly available industry publications and reports generally state that they obtain their
information from sources that they believe to be reliable, but they do not guarantee the accuracy or completeness of the information. Although we believe that
these sources are reliable, we have not independently verified the information contained in such publications. Certain estimates and forecasts involve
uncertainties and risks and are subject to change based on various factors, including those discussed under the headings “Special Note Regarding Forward-
Looking Statements” and “Item 3.D. Risk Factors” in this annual report. Additionally, website and document references throughout this annual report are
provided for convenience only, and the content on the referenced websites or documents is not incorporated by reference into this annual report unless expressly
stated.
Throughout this annual report, we refer to various trademarks, service marks and trade names that we use in our business. The “CyberArk” design logo is the
property of CyberArk Software Ltd. CyberArk® is our registered trademark in the United States and numerous other countries. We have several other
trademarks, service marks and pending applications relating to our solutions or marketing slogans. In particular, although we have omitted the “®” and “™”
trademark designations in this annual report from each reference to our Privileged Access Security (PAS) solutions, including Privileged Access Manager,
Remote Access (Vendor Privileged Access Manager), Privileged Session Manager (PSM), Enterprise Password Vault (EPV), PrivateArk, Privilege Cloud,
CyberArk DNA (Discovery and Audit), Privileged Threat Analytics (PTA), Cloud Entitlements Manager (CEM), Dynamic Privileged Access (DPA) and Secure
Infrastructure Access (SIA); Endpoint Privilege Security solutions, including Endpoint Privilege Manager (EPM); Secret Management Solutions, including
Conjur Enterprise, Conjur Open Source, Conjur Cloud, Credential Providers, Secrets Hub, Secretless and Secretless Broker; Access Management Solutions,
including CyberArk Identity, Workforce Access, Customer Access and Secure Web Sessions (SWS); Identity Governance and Administrations solutions,
including Identity Compliance and Identity Flows; Machine Identity solutions, including Venafi, Jetstack, TLS Protect, TLS Protect for Kubernetes, CodeSign
Protect, Zero Touch PKI, Cloud Native Accelerator, Control Plane for Machine Identities and Firefly; C3 Alliance; Cora; MFA everywhere; Fearlessly Forward;
and The Identity Security Company, all rights to such names and trademarks are nevertheless reserved. Other trademarks and service marks appearing in this
annual report are the property of their respective holders.
SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS
In addition to historical facts, this annual report contains forward-looking statements within the meaning of Section 27A of the U.S. Securities Act of 1933, as
amended, (the Securities Act), Section 21E of the U.S. Securities Exchange Act of 1934, as amended, (the Exchange Act), and the safe harbor provisions of the
U.S. Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to risks and uncertainties and include information about
possible or assumed future results of our business, financial condition, results of operations, liquidity, plans and objectives. In some cases, you can identify
forward-looking statements by terminology such as “believe,” “may,” “estimate,” “continue,” “anticipate,” “intend,” “should,” “plan,” “expect,” “predict,”
“potential,” or the negative of these terms or other similar expressions. The forward-looking statements are based on our beliefs, assumptions and expectations
of future performance. There are important factors that could cause our actual results, levels of activity, performance or achievements to differ materially from
the results, levels of activity, performance or achievements expressed or implied by the forward-looking statements, including, but not limited to:
•
the rapidly evolving security market, increasingly changing cyber threat landscape and our ability to adapt our solutions to the information security
market changes and demands;
•
our ability to acquire new customers and maintain and expand our revenues from existing customers;
•
real or perceived security vulnerabilities and gaps in our solutions or services or the failure of our customers or third parties to correctly implement,
manage and maintain our solutions;
•
our IT network systems, or those of our third-party providers, may be compromised by cyberattacks or other security incidents, or by a critical system
disruption or failure;
•
intense competition within the information security market;
•
failure to fully execute, integrate, or realize the benefits expected from strategic alliances, partnerships, and acquisitions;
1
•
our ability to effectively execute our sales and marketing strategies, and expand, train and retain our sales personnel;
•
risks related to our compliance with privacy, data protection and artificial intelligence (AI) laws and regulations;
•
our ability to hire, upskill, retain and motivate qualified personnel;
•
risks related to AI technology;
•
our reliance on third-party cloud providers for our operations and software-as-a-service (SaaS) solutions;
•
our ability to main successful relationships with channel partners, or if our channel partners fail to perform;
•
fluctuation in our quarterly results of operations;
•
risks related to sales made to government entities;
•
economic uncertainties or downturns;
•
our history of incurring net losses, our ability to generate sufficient revenue to achieve and sustain profitability and our ability to generate cash flow
from operating activities;
•
regulatory and geopolitical risks associated with our global sales and operations;
•
risks related to intellectual property;
•
fluctuations in currency exchange rates;
•
the ability of our solutions to help customers achieve and maintain compliance with government regulations or industry standards;
•
our ability to protect our proprietary technology and intellectual property rights;
•
risks related to using third-party software, such as open-source software and other intellectual property;
•
risks related to share price volatility or activist shareholders;
•
any failure to retain our “foreign private issuer” status or the risk that we may be classified, for U.S. federal income tax purposes, as a “passive foreign
investment company”;
•
risks related to issuance of ordinary shares or securities convertible into ordinary shares and dilution, leading to a decline in the marketplace of our
ordinary shares;
•
changes in tax laws;
•
our expectation to not pay dividends on our ordinary shares for the foreseeable future; and
•
risks related to our incorporation and location in Israel, including the ongoing war between Israel and Hamas and conflict in the region.
In addition, you should consider the risks provided under “Item 3.D. Risk Factors” in this annual report.
You should not rely upon forward-looking statements as predictions of future events. Although we believe that the expectations reflected in the forward-looking
statements are reasonable, we cannot guarantee that future results, levels of activity, performance and events and circumstances reflected in the forward-looking
statements will be achieved or will occur. Additionally, we may provide information, forward-looking or otherwise, herein or in other locations, such as our
corporate website that is not necessarily “material” under the U.S. federal securities laws for Securities Exchange Commission (SEC) reporting purposes, but
that responds to a range of matters, such as certain environmental, social and governance (ESG) standards and frameworks (including standards for the
measurement of underlying data), and the interests of various stakeholders. Much of this information is subject to assumptions, estimates or third-party
information that is still evolving and subject to change. For example, our disclosures based on any standards may change due to revisions in framework
requirements, availability or quality of information, changes in our business or applicable government policies, or other factors, some of which may be beyond
our control. Except as required by law, we undertake no obligation to update publicly any forward-looking statements for any reason after the date of this annual
report, to conform these statements to actual results or to changes in our expectations.
PART I
ITEM 1.
IDENTITY OF DIRECTORS, SENIOR MANAGEMENT AND ADVISERS
Not applicable.
ITEM 2.
OFFER STATISTICS AND EXPECTED TIMETABLE
Not applicable.
ITEM 3. KEY INFORMATION
A.
[Reserved]
B.
Capitalization and Indebtedness
Not applicable.
2
C.
Reasons for the Offer and Use of Proceeds
Not applicable.
D.
Risk Factors
Risks Related to Our Business and Our Industry
The information security market is rapidly evolving within the increasingly challenging cyber threat landscape. If our solutions fail to adapt to market
changes and demands, sales may not continue to grow or may decline.
We offer identity security solutions, centered on intelligent privilege controls, to secure identities – both human and machine – in modern, hybrid
environments. If customers do not recognize the benefit of our solutions as a critical layer of an effective security strategy, our revenues may decline, which
could cause our share price to decrease in value. Security solutions such as ours, which aim to disrupt and prevent cyberattacks by insiders and external
perpetrators that have penetrated an organization’s information technology (IT) environment, represent a security layer designed to respond to advanced threats
and meet certain compliance standards and audit requirements. However, advanced cyber attackers continually adapt to new technologies and develop new
methods of accessing organizations’ sensitive data and technology assets, including through the use of non-human threat actors such as AI-driven malware and
automated bots. For example, generative AI’s ability to autonomously create content, mimic legitimate data, and adapt to changing environments raises the risks
of exploitation by malicious actors, enabling sophisticated phishing attacks or other deceptive methods that may compromise the organization’s IT security. We
expect that our customers, and thereby our solutions, will face new and increasingly sophisticated methods of attack, particularly given the growing complexity
of IT environments and the increase in nation-state attacks. We face significant challenges in ensuring our solutions effectively identify and respond to
sophisticated attacks without disrupting our customers’ operations. Further, the increasing number of identities having elevated privileged access associated with
both human and machine identities presents a growing security risk for our existing and prospective customers. As organizations expand their digital
ecosystems, the proliferation of such identities and the different varieties of identities across cloud, hybrid, and on-premises environments increases the
complexity of identity governance and administration. If our solutions fail to scale effectively or adapt to the evolving threat landscape, these customers may
experience security breaches, compliance failures, or operational disruptions. As a result, we must continually modify, enhance, and invest in our solutions to
remain aligned with market demands and technological advancements.
We cannot guarantee that we will be able to comply with new regulatory requirements, anticipate future market needs and opportunities or develop or
acquire applicable solutions or enhancements in a timely manner or at all. For example, emerging technologies, such as AI may expand our addressable market.
Our failure to timely and effectively capitalize on such opportunities could hinder our ability to innovate and meet customer demands. Furthermore, the
introduction of new technologies and solutions may render our solutions obsolete, lowering the demand for our solutions and reducing our sales. Even if we
anticipate, develop and launch new solutions and enhancements, there is no assurance that they will meet customer expectations, drive customer adoption,
achieve widespread market acceptance or provide measurable value to our customers. Implementing AI technology-based features in our solutions to stay
abreast of the latest technological advancements involve challenges, such as customer hesitation to adopt these features, leading to their limited acceptance. To
fully leverage these technologies, we may need to adjust our solutions and corresponding terms, potentially resulting in customer dissatisfaction. Our
investments in developing new solutions and new features, including investments in AI, may not yield expected design or performance improvements,
marketable offerings, cost savings, additional revenue or other benefits. Delays in developing or delivering new or enhanced solutions could cause our offerings
to be less competitive, impair customer acceptance of our solutions and result in delayed or reduced revenue and declines in the price of our ordinary shares.
If we are unable to acquire new customers or sell additional solutions to our existing customers, or if our existing customers do not renew their
subscriptions with us, our business, results of operations and financial condition could be negatively impacted, and we may not meet our investors’
expectations.
Our continued growth depends, in part, on acquiring a sufficient number of new customers while expanding our business from existing customers, by
selling incremental or new solutions to existing customers, as well as ensuring that subscriptions are renewed upon contract expiration, whether directly or
indirectly through our network of channel partners.
3
Our ability to expand our customer base may be negatively affected by a number of factors, for example, competition in the industry, which may also
lead us to provide more favorable commercial terms to attract or retain customers, our ability to execute our sales and marketing strategy, unfavorable
macroeconomic conditions that prolong sales cycles and make acquiring new customers more difficult, underperformance or misalignment with our channel
partners and changes in compliance standards or audit requirements that reduce the demand for our solutions. Additional factors include reductions in
government cybersecurity funding which could adversely impact sales to prospective and existing customers reliant on such funding, the size or prioritization of
customers’ IT budgets, the actual or perceived utility and efficacy of our existing and new offerings, changes in our pricing or licensing models that may impact
transaction sizes, and any downgrade of our recognized industry leadership position by industry analysts.
We may also face difficulties in expanding our customer base and revenue due to competitors that have entrenched offerings with prospective or
existing customers. These customers may have invested substantial personnel and financial resources to design and operate these solutions and may have
established strong relationships with existing security solutions providers. As a result, these organizations may prefer to purchase from their existing vendors
rather than add or switch to a new vendor or may not be willing to expand into CyberArk’s newer solutions areas. In addition, as our customers refresh the
security solutions bought in prior years, they may seek to consolidate vendors, which may result in current customers choosing to purchase solutions from our
competitors.
Furthermore, the introduction of new solutions and customer transition to SaaS may extend sales cycles or result in lost opportunities if our customers,
prospects, and partners are less receptive or require a longer period for comprehensive solution assessments, prolonged contract negotiations, and adherence to
stringent compliance and operational requirements. Additionally, we may face difficulty transitioning existing customers from perpetual licenses and
maintenance contracts, or from self-hosted solutions to our SaaS solutions. Over the long term, these customers present opportunities for expansion into new
solutions and use cases. Failure to successfully transition these customers to our cloud-based offerings may result in customer churn or shift to alternative
vendors.
As a recurring revenue company, we are dependent on customer renewals to achieve our performance targets and meet investors’ expectations,
including metrics such as revenue, operating income, net income and annual recurring revenue (ARR), as well as certain non-GAAP performance measures. Our
customers have no obligation to renew their subscriptions, and may decide not to do so with the same contract period, prices and terms, or number of users.
Additionally, our ability to retain our existing customers is also dependent on their satisfaction with our solutions and overall user experience in various areas,
such as solutions support, and ease of deployment and implementation. For instance, as part of the natural lifecycle of our solutions, certain solutions may reach
end of development or end of life, ceasing to receive updates and security patches. Failure to effectively introduce new solutions, offer easy customer transition,
or manage our solution lifecycles appropriately could lead to customer dissatisfaction and lower renewal rates.
Our quarterly financial performance relies significantly on acquiring new customers, expanding sales to existing customers, and securing subscription
renewals. We have faced and may continue to face delays or difficulties in closing such deals, including due to the seasonal nature of our sales, or prolonged
sales cycles, exacerbated by customer scrutiny around business continuity, disaster recovery, and cyber resiliency, which could lead to revenue volatility and
fluctuations in our financial results, including ARR. These factors could also adversely affect our ability to meet financial guidance or market expectations,
potentially reducing investor confidence and negatively impacting our share price, business, results of operations and financial condition.
Real or perceived security vulnerabilities and gaps in our solutions or services or the failure of our customers or third parties to correctly implement,
manage and maintain our solutions, may result in significant reputational, financial, and legal adverse impact.
Security solutions and services such as ours are complex in development, design and deployment and are subject to errors, bugs, gaps, design failures,
misconfigurations or security vulnerabilities, some of which are potentially incapable of being remediated or detected until after their deployment, if at all.
Additionally, our solutions have limitations in functionality and scope and cannot guarantee protection against any and all threats, specifically those outside the
solution’s boundary. Real or perceived errors, bugs, gaps, design failures, defects, vulnerabilities, limitations, misconfigurations in our solutions or their
accompanying documentation, or untimely or insufficient remediation thereof, could cause our solutions not to meet their specifications or security standards.
The affected solutions may not fulfill some of their security functions, falsely identify threats or create new security threats, and be vulnerable to security
attacks. There is no guarantee that we will identify all vulnerabilities and gaps in our solutions or that our solutions will be free of flaws or vulnerabilities, and
we may not correct all known vulnerabilities, gaps, or errors promptly, fully, or at all.
4
Further, our solutions serve as mission-critical applications in our customers’ operational environments, allowing them to manage access, privileges
and digital certificates in their systems and networks. Any breach, interruption or shutdown of our solutions could significantly disrupt or damage customers’
internal and external operations, and therefore we may suffer significant reputational, financial and legal adverse impact. Potential vulnerabilities or deficiencies
associated with a solution developed or obtained through an acquisition could also deteriorate our solutions’ security and expose our customers to additional
risk.
Many of our solutions are made available to our customers as SaaS and involve our use of third-party cloud and SaaS infrastructure and related
services. Providing SaaS solutions involves storage and transmission of customers’ proprietary information, including personal data, related to their assets,
employees and users. Security breaches, bugs, vulnerabilities, gaps, defects or improper configuration of our solutions, cloud accounts or production and
development environments (including those embedded in third-party technology, such as SaaS solutions, used in our solutions or by our customers) could result
in loss or alteration of, or unauthorized access to this data and compromise of our networks or our customers’ networks secured by our SaaS solutions. Any such
incident, whether or not caused by us, could result in significant liability or reputational harm.
Our solutions not only reinforce but also rely on the common security concept of placing multiple layers of security controls throughout an IT
environment. The failure of our customers, channel partners, managed service providers, subcontractors or similar entities to correctly implement our solutions
in accordance with security best practices, or effectively manage and maintain our solutions and the environments in which they are utilized, or to consistently
implement and utilize generally accepted and comprehensive, multi-layered security measures and processes, may lessen the efficacy of our solutions, in whole
or in part. These entities may also independently develop or change existing application programming interfaces (APIs) that we provide or other customizable
components in an incorrect or insecure manner. Such failures or actions may lead to security breaches and data loss, which could result in a perception that our
solutions or services failed and associated negative business implications. In addition, we are expected to provide timely notice and high levels of transparency
regarding security vulnerabilities in our solutions. In the event that we notify our customers of such vulnerabilities, our customers’ exposure to a security breach
may also be increased until such time that they properly implement the relevant fix. Further, our failure to provide our customers, channel partners and advisory
firms with adequate services or accurate solution documentation and training related to the use, implementation and maintenance of our solutions, could lead to
claims against us.
Similarly, a failure by a provider like us to effectively secure and detect threats within our own resources and networks, such as corporate, development
or customer-serving production environments, could lead to threat actors compromising our customers’ environments through a breach or exploitation of our
various networks and/or our solutions. A similar effect could arise from the use of compromised or vulnerable third-party software, including open-source
software, in or in relation to our solutions or use by our third-party vendors or through the use of AI technologies by our workforce, which could expose our
solutions, networks and environments – and thereby our customers – to additional vulnerabilities and security threats.
Additionally, the incorporation of machine learning, AI and generative AI capabilities into our solutions may create vulnerabilities or content that
appears correct, but is factually inaccurate, unfair, biased, insufficient, or otherwise flawed. Our solutions, customers or others may rely on or use this flawed
content to their detriment, which may undermine confidence in our use or deployment of AI, reduce consumer demand for our solutions, or expose us to brand
or reputational harm, competitive harm, and/or legal liability.
As we increase our developers’ workforce globally to meet our business goals, including by engaging external developers or through mergers and
acquisitions, or partnerships and collaborations, the risk of errors, misconfigurations, vulnerabilities or intentional misconduct, may be heightened due to
governance difficulties and limited centralized oversight. In addition, difficulties or delays in hiring and retaining personnel may impact the resources available
to us for continuous improvement of our solutions security posture and therefore, increase this risk.
An actual or perceived error, bug, misconfiguration, vulnerability, gap, cyberattack or other security breach, regardless of whether the vulnerability or
breach is attributable to the failure of our solutions or the related services we provide, could adversely affect the market’s perception of the efficacy of our
solutions and our industry standing. Such circumstances could cause current or potential customers to look to our competitors for alternatives to our solutions
and subject us to negative media attention, reputational harm, lawsuits (including class actions), regulatory investigations and other government inquiries,
indemnity claims and financial losses, as well as the expenditure of significant financial resources to, among other actions, analyze, correct or eliminate any
vulnerabilities. Provisions in our agreements and documentation that attempt to limit our liability towards our customers, channel partners, and relevant third
parties may not withstand legal challenges, and certain liabilities may not be limited or capped, or may be capped at a less favorable quantum. Additionally, any
insurance coverage we have may not adequately cover all claims asserted against us and may leave a significant portion of such claims to be directly covered by
us. In addition, such insurance may not be available to us in the future on economically reasonable terms, or at all.
5
If our IT network systems, or those of our third-party providers, are compromised by cyberattacks or other security incidents, or by a critical system
disruption or failure, then our reputation, financial condition and operating results could be materially adversely affected.
The confidentiality, integrity and availability of our IT network systems and of our third-party providers, and the perception thereof, is critical to our
ability to deliver solutions to customers as well as to run internal operations. While we operate certain of these network systems, we also rely on third-party
providers across an array of technologies and services that enable us to conduct, monitor and/or protect our business operations. For example, we rely on third
parties to host our SaaS solutions and support our customer relationship management and financial operation services (provided by our Enterprise Resource
Planning system). In addition, in the ordinary course of business, we and our third-party providers generate, collect, process and store sensitive information and
data, including proprietary and personal data belonging to us, to customers and to others.
We acknowledge that the threat landscape is broad and that threats are persistent. Being a prominent Israeli security company that provides identity
security solutions centered on privileged controls to leading global enterprises, we are and will remain an attractive target for cyber attackers and malicious
actors, including insiders, as well as cyber terrorists, sophisticated criminal groups or nation-state affiliated actors. We and certain of our service providers
regularly experience cyberattacks and security incidents, and we expect such attacks and incidents to continue in varying degrees. For example, we have
experienced attempts at phishing attacks targeting our employees. While, to date, no attacks or incidents have had a material impact on our operations or
financial results, we cannot guarantee that material incidents will not occur in the future. Further, as we deploy scanning tools in our infrastructure and systems,
conduct penetration testing and engage in other threat detection practices, we regularly identify and track security vulnerabilities and security gaps of varying
severities. Given the nature of complex systems, software, services and operations like ours and certain of our providers, we are unable to ensure that all
vulnerabilities and gaps are mitigated or fixed at all times or to guarantee that effective mitigating measures will be applied before the foregoing can be
exploited by a threat actor. Accordingly, we can provide no assurances that our or our providers’ cybersecurity risk management programs and processes,
including our applicable controls, policies and procedures, will be fully implemented, complied with or effective in protecting our or our customers’ IT network
systems, data, solutions or services.
The operation of our solutions relies at times on third-party software, including open-source and other software, services, networks, environments, and
AI tools, which could also serve as an attack vector. Cyberattacks and security incidents are expected to accelerate in both frequency and impact as the use of
cloud-based solutions expands and as the use of AI increases. In particular, the use of AI enables attackers to become increasingly sophisticated and provides
them with tools, advanced techniques and new attack-vectors to circumvent controls, avoid detection, and remove or obfuscate forensic evidence. The
techniques used to obtain unauthorized access to systems or sabotage systems or disable or degrade services are continuously evolving and can sometimes be
unrecognizable until launched against a target and therefore we may be unable to anticipate these techniques and implement preventative measures. Our security
measures, controls and processes might prove insufficient to protect us against any and all attacks. We might inadequately evaluate certain risks and threats,
leading to a lack of prioritization. Additionally, there could be a lack of oversight and employee awareness. This means that we may be unable to detect,
investigate, contain or recover from future attacks or incidents in a timely or effective manner. Disruptive attacks, such as through ransomware and other
extortion-based tactics, that can temporarily or permanently disable operations are increasingly prevalent. For example, we face the risk of malicious third
parties injecting malicious code into our solutions’ source code, disrupting our research and development pipelines and production environments and/or using
our solutions and network as a point-of-entry to infiltrate our customers’ IT systems. Malicious third parties or insiders may also attempt to fraudulently induce
employees or customers into disclosing sensitive information such as usernames, passwords or other information through phishing attempts, or otherwise
compromise the security of our or our customers’ networks or data. Individuals who are able to circumvent our security measures may misappropriate
proprietary, confidential or personal information held by or on behalf of us, disrupt our operations, damage our computers or otherwise damage our business.
Additionally, we face ongoing risks due to the increased frequency of sophisticated cyberattacks coordinated by foreign nation-states and other actors. For
example, the conflicts between Israel and Hamas, as well as other hostile countries, such as Iran, and Ukraine and Russia may result, and in certain cases have
resulted, in a heightened threat environment and create unknown cyber risks, including increased risk of actors against Israeli companies, institutions and
governmental bodies, or the proliferation of nation-state capabilities to non-state attack groups.
6
As many companies continue to provide workers with the ability to operate remotely or in a hybrid environment the attack surface possibilities for
cyberattacks against us, our customers, and third-party providers increases due to the challenges associated with managing remote computing assets and security
vulnerabilities inherent in many non-corporate and home networks. Material cyberattacks against our Company may also be caused by breaches of our
contractors, channel partners, supply chain network, vendors, and other third parties associated with us, which could result from, among other causes, the
sophistication of the attackers, human error, and insufficient employee training, or lack of security and compliance oversight and prioritization.
In addition, we have acquired and continue to acquire companies with cybersecurity vulnerabilities and/or unsophisticated security measures, which
exposes us and our customers to the risk of a cyberattack on our networks and environments, as well as our solutions.
We and our third-party providers are also vulnerable to information technology system failures, service outages or network disruptions caused by a
variety of factors, including pandemics, natural disasters and other catastrophic events (such as increased frequency and severity of storms, earthquakes,
flooding, fires, heatwaves or drought), accidents, power disruptions, telecommunications failures, acts of terrorism, wars (including the conflicts between Israel
and Hamas and Ukraine and Russia), computer viruses and malware (such as ransomware), outages caused by technical failures or errors in system maintenance
or upgrades, or other events or disruptions. System redundancy, data back-ups and other continuity measures may be ineffective or inadequate, and our business
continuity and disaster recovery planning may not be sufficient for all eventualities. Cyberattacks, security breaches, service outages and other incidents could
result in significant damage to our market position and lead to costly remediation requirements, indemnity claims, legal claims (including class action
litigation), regulatory investigations and fines or penalties, as well as the loss of proprietary and confidential data, trade secrets and customers. An actual or
perceived failure, disruption, or breach of our network, our operations or privileged account security in our systems could adversely affect the market perception
of our solutions, or of our expertise in this field. Moreover, if critical business functions or services from third-party providers are breached and become
unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms, our ability to manage our
operations could be interrupted, our contractual service level commitments could be breached, and our ability to provide timely and adequate maintenance and
support services to our customers could be impacted. Any of the foregoing events could have a material and adverse effect on our operations, reputation,
financial condition and operating results and expenses.
With the increase in the likelihood and severity of security breaches and the increase in cybersecurity insurance premiums for our customers,
negotiations with customers may require us to assume more risk, including higher liabilities with regards to security and data breaches. In addition, we are
unable to ensure that any limitations of liability provisions in our customer contracts with respect to our information security operations or our liability would be
enforceable, adequate, or would otherwise protect us from any liabilities or damages with respect to any particular claim (including in cases where existing
customers purchase new solutions based on previously agreed contractual terms). We also may not be able to adequately recover damages from third parties
associated with us, who were involved in a security incident. Additionally, any insurance coverage we may have may not adequately cover any of these claims
asserted against us or any related damage and may leave a significant portion of such claims to be directly covered by us. If any of the foregoing were to occur,
our business may suffer materially adverse results due to extensive costs, reduced sales, negative share price impacts and/or a host of other consequences
affecting our business.
We face intense competition from a wide variety of information security vendors operating in different market segments and across diverse IT environments.
This may challenge our ability to maintain or improve our competitive position or to meet planned growth rates.
The information security market in which we operate is characterized by intense competition, constant innovation, evolving customer requirements,
advancement in existing solutions, rapid adoption of different technologies and services, and an evolving security landscape.
We compete with both established and emerging companies that offer a broad array of cybersecurity solutions and employ different approaches,
delivery models, and technologies. Specifically, our Identity Security Platform and other solutions compete across a variety of markets for solutions or
functionalities offered within certain market segments, including, but not limited to:
•
Privileged Access Management (PAM), including Endpoint Privilege Management, such as Delinea and BeyondTrust;
•
Access Management, such as Okta and Microsoft;
7
•
Secrets Management, such as Hashi Corporation;
•
Machine Identity, such as KeyFactor; and
•
Identity Governance and Administration, such as SailPoint and Saviynt.
The maturity and expansion of the information security market may attract new players, such as large or emerging cybersecurity vendors or those in
related domains, to enter markets where we specialize. For example, CrowdStrike, Okta and SailPoint have announced that they are introducing solutions or
intend to introduce solutions that provide features and functionality related to the PAM market. As cybersecurity vendors pivot their messaging toward more
identity-related use cases, it may create confusion with customers who are evaluating the various alternatives. Given the importance of identity in the attack
chain, which is increasing demand for identity security solutions such as ours, larger vendors, including the cloud hyperscalers and large cybersecurity platform
vendors, may meaningfully enter the identity security market. These organizations have extensive resources, and competition could impact our business.
Additionally, consolidation among cybersecurity vendors may create an opportunity for our competitors and other cybersecurity vendors to provide a
greater breadth of offerings, including more integrations and bundled solutions. If customers trend towards consolidating with a vendor or vendors providing
multiple cybersecurity capabilities and we fail to successfully execute our development and sales strategy of delivering our solutions on a framework that can
compete effectively against such cybersecurity vendors, this may place us at a competitive disadvantage. Furthermore, organizations continuously evaluate their
security priorities and investments and may allocate their information security budgets to other solutions and strategies, including solutions offered by our
competitors, and may not adopt or expand the use of our solutions. Accordingly, we may also compete for budget priority, to a certain extent, with other
cybersecurity solutions offered by Microsoft, Palo Alto Networks, and CrowdStrike.
In particular, our competitors may enjoy advantages, including greater resources or brand recognition, more experience and longer operating histories,
better access to partners, customers or technologies, lower expenses, broader offerings, better customer support or greater cross-selling opportunities. Further,
their advanced technology, operational flexibility, or ability to bundle or discount solutions could commoditize our offerings, reducing demand and pricing for
our solutions. With the introduction of new technologies and market entrants, we expect competition to intensify in the future. For example, disruptive
technologies such as generative AI may fundamentally alter the market for our solutions in unpredictable ways, including impacting customer demand and costs
of doing business. Additionally, while we intend to continue incorporating AI and generative AI capabilities into our solutions, if we fail to differentiate
ourselves from, or otherwise successfully compete against, other information security vendors that have incorporated AI technology into their solutions, or if we
fail to continue to release AI capabilities that our customers find useful, our business, operating results, and financial condition may be harmed. Further, the
increasing number of start-up companies that operate in the AI field may provide competitors with a competitive advantage by granting them early access to
emerging AI technologies, talent, and intellectual property, including through acquisitions or partnerships. If we are unable to identify, partner with, or acquire
such start-ups at the same pace as our competitors, or if our competitors leverage these acquisitions to develop superior solutions or enhance operational
efficiencies, our competitive position in the market could be adversely affected.
From time to time, industry analysts may review our solutions either independently or against other cybersecurity solutions offered by our competitors.
If we receive unfavorable reviews or a downgrade in our existing accreditation for any reason, this may adversely impact our standing within the industry,
market confidence, customer trust, and our ability to attract and retain clients, and could result in diminished market share, impaired customer perception, and a
negative impact on our financial performance. Additionally, as the pioneer in the "Identity Security" space, we face a unique risk associated with being at the
forefront of a market that lacks a universally accepted definition. The term "Identity Security" is not yet standardized and may be subject to varying
interpretations by industry stakeholders, including analysts, customers, and competitors. This ambiguity could lead to the mischaracterization of our solutions,
or market positioning by such industry stakeholders, resulting in unfavorable evaluations, reviews, or accreditations, which could negatively affect our
reputation, competitive standing, and ability to attract and retain customers.
Our current and potential competitors may also establish collaborations or alliances among themselves or with third parties that may further enhance
their resources and capabilities. Our collaborative efforts with our technology partners could also change if they develop and market competitive solutions, thus
intensifying the competitive landscape, while adversely affecting our partnership efforts and their resale and marketing of our solutions. If we are not able to
compete effectively under these circumstances, this may result in price reductions, fewer orders, reduced renewals, reduced revenue and gross margins, and loss
of market share. Any failure to adequately address these factors could seriously harm our business and operating results and may impact our share price.
8
We may fail to fully execute, integrate, or realize the benefits expected from strategic alliances, partnerships, and acquisitions, which may require
significant management attention, disrupt our business, dilute shareholder value, and adversely affect our financial condition and results of operations.
As part of our business strategy and to remain competitive, we continue to evaluate acquiring or making investments in complementary companies,
solutions, or technologies. We may not be able to find suitable acquisition candidates or complete such acquisitions on favorable terms. We may incur
significant expenses, divert employee and management time and attention from other business-related tasks and our organic strategy, and incur other
unanticipated complications while engaging with potential target companies where no transaction is eventually completed.
If we do complete acquisitions, such as the acquisition of Venafi Holdings, Inc. (Venafi) on October 1, 2024 and the acquisition of Zilla Security Inc.
(Zilla) on February 12, 2025 (collectively, Acquisitions), we may not ultimately derive benefits commensurate with the purchase price paid for such
acquisitions, strengthen our competitive position or achieve our goals or expected growth, profitability or cash flow generation, and any acquisitions we
complete could be viewed negatively by our customers, analysts, and investors, or create unexpected competition from market participants. Additionally, the
success of cross-selling newly acquired solutions to our existing customer base is not guaranteed and may depend on our ability to effectively integrate and align
these offerings with our customers’ needs. Any integration process may require significant time and resources. We may not be able to manage the integration
process successfully, including successfully implementing, scaling, or managing improvements to our systems, processes, and controls in an efficient or timely
manner such that we prevent or detect all errors, omissions, or fraud, and may experience a decline in our profitability as we incur expenses prior to fully
realizing the benefits of the acquisitions. We could expend significant cash and incur acquisition-related costs and other unanticipated liabilities associated with
the acquisitions, the product, or the technology, such as contractual obligations, potential security vulnerabilities of the acquired company and its solutions, and
potential intellectual property infringement, and there can be no assurances that indemnification rights we may obtain will be enforceable, collectible or
sufficient in an amount, scope or duration to fully offset the possible liabilities associated with the acquired business. Any acquisition may involve expansion
into businesses that are outside our core competencies and into market segments where we do not have existing expertise, and as a result, we may be unable to
achieve the expected benefits. In addition, any acquired technology or product may not comply with legal or regulatory requirements and may expose us to
regulatory risk and require us to make additional investments to make them compliant. Further, we may not be able to provide the same support service levels to
the acquired technology or product that we generally offer with our other solutions.
Additionally, we have and intend to continue to enter into partnerships and strategic alliances. These and other similar arrangements involve significant
investments of both time and resources, and there can be no assurances that they will be successful or provide the intended benefits or return on investment, or
advance our business strategy. Partnerships and strategic alliances are subject to a number of risks, including risks related to unanticipated costs and increased
long-term expenditures, issues conforming to standards, procedures and contractual requirements, ability to renew or replace existing relationships, issues
related to intellectual property rights, misaligned goals, disagreements with partners, and diversion of management’s attention from our existing business. Such
risks could harm our reputation, disrupt our business operations, and adversely affect our financial performance. Additionally, if we fail to structure and manage
these relationships effectively, our alliance partners may gain access to critical insights, technologies, or market opportunities that enable them to develop
competing solutions. This could lead to the erosion of our competitive advantage and market share. Furthermore, if and when we acquire companies that offer
solutions overlapping with those we currently market through our strategic partnerships, it could create conflicts with our partners, potentially straining or
disrupting these relationships.
Any of these issues could have a material adverse impact on our business, financial condition and results of operations and may result in a decline in
our share price.
If we do not effectively execute our sales and marketing strategies, and expand, train and retain our sales personnel, our business may suffer.
We depend significantly on our sales force and go-to-market organization to execute our sales and marketing strategies, attract new customers, provide
positive customer experience, deliver a high level of customer service and support and expand sales to existing customers. Factors such as increased
competition, shifts in market dynamics, or unforeseen challenges in customer engagement could impede the successful execution of these strategies.
9
We are dependent on our ability to train and enable our sales force to adapt to changes to our go-to-market strategy and evolving market trends,
effectively position our solutions, differentiate ourselves from competitors or meet our customers’ expectations in terms of performance, ease of use, customer
support, and overall user experience. Failure to do so may result in decreased market share, reduced revenue, and hindered business growth. In 2024, we began
transitioning our go-to-market strategy from a traditional, siloed, product-specific licensing approach to a solutions-based framework to provide our customers
with a unified user experience. Failure to adequately train our sales personnel on the new go-to-market approach may negatively impact our ability to execute or
effectively communicate and implement this shift while adapting to evolving market dynamics and customer preferences. Additionally, our failure to
successfully operationalize the new solutions-based selling framework, for example in assigning appropriate pricing models for these solutions, may negatively
affect our ability to execute our strategic initiatives to grow our business.
Our ability to grow our revenues also depends, in part, on our success in recruiting, training, and retaining enough sales personnel to support our
growth. The number of our sales personnel increased from 272 as of December 31, 2023, to 345 as of December 31, 2024. We expect to continue to expand our
sales personnel and to do so, we may face a number of challenges in achieving our hiring, retention, and integration goals.
Additionally, the training and integration of a large number of sales personnel in a short time requires the allocation of significant internal resources.
Based on our experience, it takes an average of approximately six to nine months before a new sales force member operates at target performance levels. We
may not be able to recruit at our anticipated rate or achieve or maintain our target performance levels with large numbers of new sales personnel as quickly as
we have done in the past, which may materially and adversely impact our business and results of operations. In addition, significant turnover in our sales,
customer success, or marketing organizations, may impact our ability to retain and expand our customers, obtain new customers, or deliver on our revenue,
profitability, or cash flow generation goals.
The dynamic regulatory environment around privacy, data protection, and AI may limit our offerings or require modification of our solutions, which could
limit our ability to attract new customers and support our current customers and increase our operational expenses. We could also be subject to
investigations, litigation, or enforcement actions alleging that we fail to comply with regulatory requirements, which could harm our operating results and
adversely affect our business.
Federal, state and international bodies continue to adopt, enact, and enforce new laws and regulations, as well as industry standards and guidelines,
addressing cybersecurity, privacy, data protection and the collection, processing, storage, cross-border transfer and use of personal information.
We are subject to diverse laws and regulations relating to data privacy, either directly or indirectly from our customers’ own compliance obligations,
including but not limited to the EU General Data Protection Regulation 2016/679 (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance
Portability and Accountability Act as amended by the Health Information Technology for Economic and Clinical Health Act (HIPAA), the U.K. Data Protection
Act 2018 (UK DPA), the UK General Data Protection Regulation (together with the UK DPA, the UK GDPR), and, national privacy laws of EU Member States
and other laws relating to privacy, data protection, and cloud computing. These laws impose comprehensive data privacy compliance obligations on us in
relation to our collection, processing, sharing, disclosure, transfer and other use of data relating to an identifiable living individual. These laws are also evolving
rapidly, as exemplified by the recent adoption by the European Commission of a new set of Standard Contractual Clauses, the U.K.’s adoption of its own
international data transfer agreement, and the implementation of the California Privacy Rights Act, which expands upon the CCPA, as well as privacy legislation
in several other U.S. states, the Cyber Resilience Act, which came into force on December 10, 2024, and the Digital Operational Resilience Act Regulation (EU)
2022/2554 (DORA) which entered into force on January 16, 2023. Compliance with these laws, as well as the efforts required to understand and interpret new
legal requirements, require us to expend significant capital and other resources. Our compliance efforts are further complicated by the fact that such laws,
regulations and standards around the world may be subject to uncertain or inconsistent interpretations and enforcement, and may conflict among various
jurisdictions. We could be found to not be in compliance with obligations or suffer from adverse interpretations of such legal requirements either as directly
relating to our business or in the context of legal developments impacting our customers or other businesses, which could impact our ability to offer our
solutions, impact operating results, or reduce demand for our solutions.
Additionally, any violation of data or security laws, or of our relevant measures and safeguards, by our third-party processors could have a material
adverse effect on our business, result in applicable fines and penalties, damage our reputation, and/ or result in civil claims. Due to concerns about data security
and integrity, a growing number of legislative and regulatory bodies have adopted breach notification and other requirements in the event that information
subject to such laws is accessed by unauthorized persons and additional regulations regarding security of such data are possible. We may need to notify
governmental authorities and affected individuals with respect to such incidents. For example, laws in the EU and UK and all 50 U.S. states may require
businesses to provide notice to individuals whose personal information has been disclosed as a result of a data security breach. Complying with such numerous
and complex regulations in the event of a data security breach would be expensive and difficult, and failure to comply with these regulations could subject us to
regulatory scrutiny and additional liability. We may also be contractually required to notify customers or other counterparties of a security incident, including a
data security breach.
10
Compliance with privacy and data protection laws and contractual obligations may require changes in services, business practices, or internal systems
resulting in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing with firms that are not subject to these laws and regulations.
For example, GDPR and the UK GDPR’s compliance regimes impose several stringent requirements for controllers and processors of personal data and increase
our obligations such as, requiring robust disclosures to individuals, establishing an individual data rights regime (including the right to be “forgotten”), setting
timelines for data breach notifications, imposing conditions for international data transfers, requiring detailed internal policies and procedures to demonstrate
compliance through the principle of accountability and limiting retention periods. Ongoing compliance with these and other legal and contractual requirements
may necessitate changes in services and business practices, which may lead to the diversion of engineering resources from other projects.
As a company that focuses on identity security with a foundation in Privilege Access Management, our customers may rely on our solutions as part of
their own efforts to comply with security control obligations under GDPR, CCPA, HIPAA, DORA and other laws and contractual commitments. If our solutions
are found insufficient to meet these standards in the context of an investigation into us or our customers, or we are unable to engineer solutions that meet these
standards, we could experience reduced demand for our solutions. There is also increased international scrutiny of cross-border transfers of data, including by
the EU for personal data transfers to countries such as the United States, following recent case law and regulatory guidance. This increased scrutiny, as well as
evolving legal and other regulatory requirements around the privacy or cross-border transfer of personal data, including potential challenges to the new EU-US
Data Privacy Framework, the UK extension to the EU-US Data Privacy Framework, or other cross border data transfer mechanism or data localization
requirements implemented in different jurisdictions in which we operate, could increase our costs, result in complaints and/or regulatory investigations or fines,
cause us to stop using certain tools or vendors, restrict our ability to store and process data as part of our solutions, or, in some cases, impact our ability to offer
our solutions or services in certain jurisdictions, which may adversely affect our business, financial condition and results of operations.
We are also subject to federal privacy and security standards regarding the protection of individually identifiable health information under HIPAA and
these carry significant enforcement penalties for non-compliance. Failure to comply with HIPAA can result in an injunction, regulatory action, civil monetary
penalties, or in certain circumstances, criminal penalties with fines and/or imprisonment. We operate as a HIPAA business associate for certain of our customers
and, therefore, must comply with applicable administrative, technical, and physical safeguards required by HIPAA. If we are unable to comply with our
obligations as a HIPAA business associate, in addition to potential regulatory enforcement actions, we also could face contractual liability under applicable
business associate agreements.
Since the CCPA and related legislation went into effect, comprehensive privacy statutes that share similarities with the CCPA are now in effect and
enforceable in Virginia, Colorado, Connecticut, and Utah, and similar laws will soon be enforceable in other states.
Additionally, laws, regulations, and standards covering marketing, advertising, and other activities conducted by telephone, email, mobile devices, and
the internet may be applicable to our business. Numerous class-action suits under federal and state laws have been filed in recent years against companies who
conduct telemarketing and/or SMS texting programs, with many resulting in significant liability. We send marketing messages via email and are subject to the
CAN-SPAM Act and implementing legislation under Directive 2002/58 on Privacy and Electronic Communications which impose certain obligations regarding
the content of emails and providing opt-outs (with the corresponding requirement to honor such opt-outs promptly).
Enactment of further privacy laws in the United States, at the state or federal level, or introduction of new solutions that are subject to additional
regulations, including services based on machine learning or AI technologies, as well as ensuring compliance of solutions that we obtained through acquisitions,
may require us to expend considerable resources to fulfill regulatory obligations, and could carry the potential for significant financial or reputational exposure
to our business, delay introduction to the market and affect adoption rates.
11
The legal landscape pertaining to machine learning and AI technologies, including generative AI, is rapidly evolving as many federal, state and foreign
government bodies and agencies have introduced or are currently considering additional laws and regulations. Additionally, existing laws and regulations may
be interpreted in ways that would affect our use of AI technologies. For example, recent case law from the Court of Justice of the European Union (CJEU) has
taken an expansive view of the scope of the GDPR’s requirements around automated decision-making and introduced uncertainty in the interpretation of these
rules. As a result, implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the
impact of future laws, regulations, standards or market perception of such requirements on our business, and we may not always be able to anticipate how to
respond to these laws or regulations.
Incorporating third-party AI technologies, including the output of generative AI, into our solutions may expose us to claims of copyright infringement
or other intellectual property-related actions. The potential for robust regulation around AI systems may necessitate substantial resources for the design,
development, testing, and maintenance of our platform and solutions, including appropriate protections and safeguards for handling the use of customer data
with such technologies. AI-related initiatives may attract heightened governmental and regulatory scrutiny, leading to various complications such as litigation,
ethical concerns, and privacy and security risks. In Europe, on August 1, 2024, the EU Artificial Intelligence Act (EU AI Act) entered into force, establishing a
comprehensive, risk-based governance framework for AI in the EU market, with the majority of the substantive requirements becoming applicable on August 2,
2026. The EU AI Act applies to companies that develop, use and/or provide AI in the EU and includes requirements around transparency, conformity
assessments and monitoring, risk assessments, human oversight, security, accuracy, general purpose AI and foundation models, and fines for breach of up to 7%
of worldwide annual turnover. Once fully applicable, the EU AI Act will have a material impact on the way AI is regulated in the EU. The prospect of new laws
and regulations may adversely affect our business, reputation, financial results, and our ability to develop and offer AI-driven solutions, while also increasing
compliance costs and operational complexities. Further, the uncertain landscape around AI and existing laws and regulations such as the EU AI Act may require
additional investment in the development and maintenance of proprietary datasets and machine learning models, development of new approaches and processes
to provide attribution or remuneration to creators of training data, development of appropriate protections and safeguards for handling the use of customer data
with such technologies, and additional compliance measures and changes to our operations and processes generally, which may be costly and could impact our
expenses. If our solutions are found to have incorporated AI-derived features that behaved or performed unethically, or subjected natural persons to bias, or if
we are subject to claims that we or our service providers have failed to comply with new AI laws, even if we are not found liable, we may incur substantial
expenses in connection with defending such claims, and our reputation and business could be adversely affected.
If there are claims against us that we or our service providers have breached our contractual obligations or failed to comply with applicable privacy,
and data protection laws, such claims, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity
that could harm our business. As a data processor, we are required to process customer data only on the documented instructions of our customers. If we acted
outside of these instructions, we could face regulatory consequences. In addition to litigation, we could face regulatory investigations, including assessment
notices (for compulsory audit), negative market perception, orders to cease/change our data processing activities, potential loss of business, litigation expenses,
enforcement notices and/or fines (which, for example, under GDPR / UK GDPR can be up to 4% of global turnover for the preceding financial year or €20
million / £17.5 million, whichever is higher). As we are subject to the supervision of the relevant data protection authorities under multiple legal regimes
(including both the GDPR and UK GDPR), we could be fined under those regimes independently in respect of the same breach.
The highly competitive cybersecurity labor market has made it a challenge to attract and retain qualified personnel. As the industry rapidly evolves, if we are
unable to hire, retain, motivate and upskill qualified personnel, our business will suffer.
Our success depends, in part, on our ability to effectively attract and retain highly skilled personnel in a timely manner. The intense competition in the
cybersecurity labor market has led to greater difficulty and rising costs in securing top tier talent. For example, shifts in industry demand for AI or other
technological advancements may heighten competition for specialized expertise, making it challenging for us to secure top-tier talent; additionally, attracting,
hiring and retaining talent to maintain both emerging and our legacy solutions may present challenges. We have experienced, and may continue to experience,
hiring difficulties, high employee turnover, increased costs and longer recruitment cycles, all of which may impact our productivity, ability to meet customer
expectations and overall profitability. Many corporations and startup companies may have greater resources and more flexible compensation structures for talent
acquisition, which may not be available to us. Our compensation includes various equity-based incentives, such as RSUs (defined below) and our ESPP (defined
below). Market volatility, including fluctuations in the share prices of technology companies, or poor stock performance may affect employee retention and our
ability to attract new talent. Our inability to attract or retain qualified personnel or delays in doing so could significantly harm our business, operational
performance, and financial condition. Furthermore, hiring employees who previously worked for our competitors may expose us to claims of improper
solicitation or misappropriation of proprietary information, which could lead to legal disputes and potential liability.
12
To address these challenges and support our business goals, we have expanded our workforce, including by engaging external service providers, some
of which are involved in our core solution development. If we are unable to retain these personnel at a sufficient rate, or if our relationship with such service
providers deteriorates or ends prematurely, our ability to achieve our goals and meet customer expectations may be materially adversely affected.
Additionally, we believe that our corporate culture has been, and will continue to be, a key advantage in our success and our ability to retain highly
skilled personnel. As we grow and adapt to the evolving industry landscape, maintaining our corporate culture may become increasingly difficult. Failure to do
so, or adverse perceptions of any efforts we have in place to maintain our corporate culture or otherwise manage human capital matters, could negatively affect
our brand and reputation, as well as our ability to attract and retain both customers and employees.
Adapting our workforce to ongoing changes in the business environment is also critical to sustaining our competitive position. Changes within our
executive team may be disruptive to our business operations and impact its ability to attract and retain top talent and execute sales and marketing strategies. If
we are unable to successfully manage leadership transitions and integrate key personnel and new executives into our team, our business, financial condition and
operational results may be adversely affected.
Risks related to AI technology may present both legal and business challenges that could adversely affect our business and operating results.
We have integrated, and plan to continue integrating, AI technology into our operations and solutions, including leveraging AI-driven assistance in our
Identity Security Platform for streamlined identity management, threat detection, and response automation. This presents various risks and challenges that could
negatively impact our business and create unforeseen liabilities.
Market acceptance of AI technologies remains uncertain, and our investments may not prove commercially viable or yield adequate returns.
Disruptions, latency or failure in our AI systems or infrastructure could result in delays or errors in our offerings. Development, testing, deployment and
maintenance of AI technologies may require significant resources and increase operating costs, with no guarantee of success. Our competitors may use AI
technologies more effectively, and we may encounter difficulties in successfully implementing or marketing our AI technologies. Furthermore, failure to
leverage AI advancements in a timely manner may disadvantage us compared to industry peers, potentially impacting our financial performance and market
position. We also face risks related to regulatory scrutiny, contractual obligations, ethical, technical or compliance concerns that could erode public confidence,
damage our reputation, slow adoption or demand for our AI-enhanced solutions, and adversely affect our business and operations.
As AI technologies evolve, maintaining operational efficiency and competitiveness increasingly depends on our workforce’s timely adoption and
effective use of AI tools and processes. Failure to do so may prevent us from realizing the anticipated benefits, leading to higher operational costs, reduced
productivity, and missed opportunities for efficiency gains. Additionally, the use of AI technologies by our workforce introduces potential security risks,
including cybersecurity breaches, unauthorized exposure of confidential information, misuse of third-party intellectual property and other intellectual property
ownership disputes. AI inaccuracies could also lead to errors in our decision-making and operations, which could negatively impact our business, operating
results and financial condition.
Further, the intellectual property ownership and licensing rights surrounding AI technologies, as well as data protection laws related to the use and
development of AI, are currently not fully addressed by courts or regulators. The use or adoption of AI technologies in our solutions or by our workforce may
expose us to claims of copyright infringement or other intellectual property misappropriation, by third parties, which may require us to pay compensation or
licensing fees. The evolving legal, regulatory, and compliance framework for AI technologies may also impact our ability to protect our own data and
intellectual property from unauthorized use. Moreover, some open-source software that we use incorporate or rely on generative AI or other AI technologies,
which could expose us to risks related to intellectual property infringement claims by other third parties.
The rapid advancement of, and evolving legal and business landscapes surrounding, AI technologies, introduce many uncertainties regarding its long-
term implications. Our failure to effectively manage these risks could materially impact our operations, financial performance, reputation, and growth strategy.
13
We increasingly rely on third-party providers of cloud infrastructure services to deliver our SaaS solutions to customers, and any disruption of or
interference with our use of these services, including any outage or security incidents, could adversely affect our business.
Our SaaS solutions are hosted by and dependent upon third-party providers of cloud infrastructure services (Cloud Service Providers), primarily
Amazon Web Services (AWS). We do not have control over the operations or the facilities of the Cloud Service Providers that we use. If any of the services
provided by the Cloud Service Providers fail, become unavailable, or experience service degradation due to earthquakes, flooding, fires, heatwaves, power loss,
telecommunication failures, natural disasters and other catastrophic events, extended outages, cyberattacks, or other interruptions or similar events, our ability to
operate our platform and deliver our SaaS solutions to customers could be materially negatively impacted, and the quality or perception of the quality of our
solutions could be diminished, which may result in a decrease in revenues, damage to our reputation, contractual liability, including for failure to meet service
level agreements, regulatory actions and interruption of our ability to manage our finances and our processes for managing sales of our offerings. If we are
unable to rapidly and cost-effectively substitute one Cloud Service Provider with another in circumstances of a failure or unavailability, or maintain or renew
our agreements with our Cloud Service Providers on commercially reasonable terms, or we need to add new Cloud Service Providers to increase capacity and
uptime, we could experience interruptions, downtime, delays, and additional expenses related to transferring to and providing support for these new platforms.
Any of the above circumstances or events may harm our reputation and brand, expose us to liability, reduce the availability or usage of our platform or services,
and impair our ability to attract new users, any of which could adversely affect our business, financial condition and results of operations.
Delivery of our SaaS solutions to our customers and operation of our platform depends on the ability of data centers and cloud infrastructure to allow
for our customers’ configuration, architecture, features and interconnection requirements and other specifications. Any limitation on the availability and/or
capability of these data centers or cloud infrastructure to meet or maintain such specification requirements could impede our ability to onboard new customers
or expand the usage of our existing customers, host our platform and services, or serve our customers, any of which could adversely affect our business,
financial condition and results of operations.
If we fail to maintain successful relationships with our channel partners, or if our channel partners fail to perform, our ability to market, sell, and distribute
our solutions will be limited, and our business, financial condition, and results of operations will be harmed.
We rely on our channel partners to market, sell, support, and implement our solutions. We expect that indirect sales through our channel partners will
continue to account for a significant percentage of our revenue for the foreseeable future. Further, we cooperate with advisory firms in marketing our solutions
and providing implementation services to our customers, in both direct and indirect sales. Our agreements with channel partners are non-exclusive, meaning our
partners may offer customers information security solutions from other companies, including solutions that compete with our solutions.
If our channel partners do not effectively market, sell (including the cross-selling of newly acquired solutions, for example, as a result of the
Acquisitions) and implement our solutions or choose to use greater efforts to market, sell and implement their own solutions or the solutions of our competitors
or adjacent security solutions, our ability to grow our business will be adversely affected. Further, new channel partners require training and may take several
months or more to achieve productivity. The loss of key channel partners, the inability to replace them, or the failure to recruit additional channel partners could
materially and adversely affect our results of operations. Our reliance on channel partners could also subject us to lawsuits or reputational harm if, for example,
a channel partner misrepresents the functionality of our solutions to customers, fails to appropriately implement our solutions, or violates applicable laws, and,
in addition, this may result in termination of such partner’s agreement and potentially curb future revenues associated with this channel partner and their
customer base. Under some circumstances, the illegal or unethical actions of channel partners could be imputed to us, creating a risk of civil and criminal
liability, along with the substantial costs of investigating and defending such a case. If we are unable to maintain our relationships with channel partners or
otherwise develop and expand our indirect sales channel, or if we are unable to train our channel partners to independently sell, install and support our solutions,
or if our channel partners fail to perform, our business, financial condition and results of operations could be adversely affected.
14
Our quarterly results of operations could fluctuate due to a number of factors, including sales execution from quarter to quarter, seasonality, or other
factors. These factors could impact our revenues, ARR, operating results, and cash flows, and we may fail to meet publicly announced financial guidance or
other expectations about our business, which could adversely affect our share price.
We offer our customers multiple software and delivery models, including SaaS, self-hosted subscriptions, and perpetual licenses, whose revenues are
recognized differently based on the composition of the selected offering. In 2024, the majority of our annualized software bookings were subscriptions or
recurring revenue, and only a declining, single-digit, percentage of our annualized bookings were from perpetual licenses. The mix of our SaaS and self-hosted
subscriptions, the mix of subscription and perpetual bookings and the duration of self-hosted subscriptions in any given quarter may be difficult to predict and
may cause trends in revenue recognition to lag those in bookings, potentially causing us to fall short of investor expectations for revenue and profitability
metrics, even while meeting or exceeding periodic booking targets. In addition, due to our ongoing introduction of new solutions and features to meet market
demands, our teams may have difficulty selling, supporting, developing and maintaining multiple license models, environments and code bases which may
negatively impact our operations, such as in sales execution, customer experience, or efficiencies of scale.
A meaningful portion of our quarterly bookings is typically generated through transactions of significant size. In addition, purchases and renewals of
our solutions and services often occur at the end of each quarter. This sales pattern exposes us to risk, as any delays, slippage of deals, or unforeseen
circumstances affecting the timely issuance of such purchase orders by our customers could have a disproportionately adverse impact on our financial
performance.
In addition, we experience quarterly and annual seasonality in our sales, demonstrated by increased sales in the third month of each quarter relative to
the first two months, and increased sales in the fourth quarter of each year. The timing in which SaaS deals close may further exacerbate the seasonality impact
on reported revenues due to the impact of ratable revenue recognition. In addition, our sales process can be intensely competitive, and our sales cycle can last
several quarters from proof of concept to the actual sale and could potentially be impacted by numerous factors including increased visibility and scrutiny by
our customers around business continuity planning, disaster recovery and cyber resiliency as a result of high profile cybersecurity and disaster recovery
incidents within the broader software market and with cybersecurity competitors in particular. At times, sales have occurred in an earlier or later quarter than
anticipated, and some sales opportunities that were expected to close did not close at all. A failure to close a large transaction in a particular quarter may
adversely impact our revenues in that quarter and in subsequent quarters. Closing an exceptionally large transaction in a certain quarter may disproportionately
increase our revenues in that quarter, which may make it more difficult for us to meet growth rate expectations in subsequent quarters. Even if we close a sale
during a given quarter, we may be unable to recognize the revenues derived from such sale during the same period due to revenue recognition accounting
standards. Likewise, due to payment terms, net cash provided by operating activities is impacted by the timing of sales within a quarter, and may not be
collected in that quarter, which could impact the net cash provided by operating activities for that period. Furthermore, our ARR may fluctuate depending on our
ability to close transactions and the size of transactions, among other factors. As a result of the foregoing, the timing of closing sales cycles and the associated
revenue from such sales can be difficult to predict and may cause us to miss our guidance or fall short of market expectations. This may result in a decline in the
price of our ordinary shares.
In addition, our financial condition and results of operations may vary and continue to fluctuate as a result of a number of other factors, many of which
may be outside of our control or difficult to predict, including the amount and timing of our operating costs and cash collection, which may change also as a
result of fluctuations in foreign currency exchange rates or changes in taxes or other applicable regulations, the ability of our support and customer success
operations to keep pace with sales to new and existing customers and the expansion of our solution portfolio, our ability to successfully expand our business
globally, our ability to successfully integrate any newly acquired business or company, the introduction of new accounting pronouncements or changes in our
accounting policies or practices, and geopolitical, economic, or regional instability, including the ongoing war between Israel and Hamas. Any of these factors
may result in significant fluctuations in our financial condition and operating results, which could result in our failure to meet our operating plan or the
expectations of investors or analysts for any given period, causing the market price of our ordinary shares to be negatively impacted.
15
A portion of our revenues is generated by sales to government entities, which are subject to a number of challenges and risks, such as increased competitive
pressures, administrative delays and additional approval requirements.
A portion of our revenues is generated by sales to U.S. and foreign federal, state, and local governmental agency customers, and we may increase sales
to government entities in the future. Selling to government entities can be highly competitive, expensive and time consuming, often requiring significant upfront
time and expense without any assurance that we will complete a sale, or imposing terms of sale which are less favorable than the prevailing market terms.
Government demand and payment for our solutions may be impacted by public sector budgetary cycles and funding authorizations, funding reductions,
government shutdowns or delays, or shift in government policies and priorities, adversely affecting public sector demand for our solutions. The foregoing may
be intensified due to macroeconomic impacts. Additionally, for purchases by the U.S. government, the government may require certain solutions to be
developed or maintained in the United States and other high-cost locations, and we may not develop or maintain all solutions in locations that meet the
requirements of the U.S. government. Finally, some government entities require solutions such as ours to comply with certain technical or security requirements
or standards or be certified by industry-approved security agencies as a pre-condition of purchasing them, for example authorization from the Federal Risk and
Authorization Management Program (FedRAMP) or compliance with Cybersecurity Maturity Model Certification 2.0. We cannot guarantee we will be
successful in meeting or attaining such requirements, standards or certifications. Even if achieved, the process (including maintenance thereof) may be
expensive and time-consuming. While we have obtained FedRAMP authorization for certain of our SaaS solutions, the grant and maintenance of such
certifications depend on the then-current requirements of the certifying agency and our ability to meet them. We cannot be certain that any certificate will be
granted, remain in effect or renewed, or that we will be able to satisfy the technological and other requirements to maintain certifications. The loss or suspension
of any of our current certificates, or the failure to obtain new ones, could result in the imposition of various penalties, reputational harm, loss of existing
customers, or could deter new and existing customers from purchasing our solutions, any of which could adversely affect our business, operating results or
financial condition.
Economic uncertainties or downturns, globally or in certain regions or industries, could materially adversely affect our business.
Our business depends on our current and prospective customers’ ability and willingness to invest money in information security, which in turn is
dependent upon their overall economic health and the strength of the broader macroeconomic environment. Uncertain economic conditions in the global
economy or certain regions, including conditions resulting from financial and credit market fluctuations (including rising interest rates), exchange rate
fluctuations, tariffs or other trade restrictions or inflation, and the potential for regional or global recessions, could cause a decrease in corporate spending on
cybersecurity software. Other matters that influence customer confidence and spending, such as political unrest, changes in laws, regulations or policies in the
new U.S. administration, public health crises, terrorist attacks, armed conflicts, rising energy costs, natural disasters and other catastrophic events, could also
negatively affect our customers’ spending on our solutions. For example, we are currently operating in a period of economic uncertainty. While interest rates
have begun to decline and inflation is significantly lower than in past quarters, the U.S. has recently experienced increased costs of labor, capital, employee
compensation, consumer debt, and other similar effects, as well as great uncertainty surrounding the implementation of new tariffs by the U.S. and retaliatory
tariffs by targeted countries. If conditions in the national and global economy do not continue to improve or instead worsen, our current and potential customers’
operating costs will likely increase, which could result in reduced operating and information technology budgets or delayed purchase decisions. Since a
significant portion of our operations are based in Israel, hostilities within the region, including due to the war between Israel and Hamas, as well as any political
uncertainty or reform, or a significant downturn in the economic or financial condition of Israel, could materially adversely affect our operations. In addition,
economic instability within areas experiencing armed conflicts can and has resulted in sanctions that restrict the selling or importing of goods, services, or
technology in or from certain regions. Political instability could further exacerbate macroeconomic uncertainty on a global scale, including within specific
revenue-generating industry verticals. Furthermore, due to political uncertainty, geopolitical unrest, and international military actions, we and the third parties
upon which we rely may be vulnerable to a heightened risk of security breaches, cyberattacks, and other disruptions that could materially impact our systems,
operations, and supply chain. Our international operations also involve risks that could increase our expenses, adversely affect our operating results, and require
increased time and attention from our management. A significant portion of our business operations are concentrated in core geographic areas, and economic
downturns in these areas could severely affect our business operations. In addition, some of our business operations depend on emerging markets that are less
resilient to fluctuations in the global economy.
Negative economic conditions may cause key customers, or specific revenue-generating verticals, to reduce their IT spending. Customers may delay or
cancel IT projects, choose to focus on in-house development efforts or seek to lower their costs by renegotiating subscription renewals or maintenance and
support agreements, thus making it difficult to adequately forecast and plan future business activities accurately, or prolonging our sales cycles. Further,
customers or channel partners may be more likely to make late payments in worsening economic conditions, which could lead to increased collection efforts and
require us to incur additional associated costs to collect expected revenues. If the economic conditions of the general economy or industries in which we operate
deteriorate from present levels, our business, results of operation and financial condition could be adversely affected.
16
We have incurred net losses and may not be able to generate sufficient revenue to achieve and sustain profitability, which may also impact our ability to
expand our cash flow generated by operating activities.
We have incurred net losses of $66.5 million and $93.5 million in the years ended December 31, 2023 and 2024, respectively, and anticipate our cash
flow from operating activities could fluctuate. Our ability to generate cash flow from operating activities as a subscription company will depend on the
combination of our success in retaining high renewal rates with our customers, expanding sales with our existing customers, generating sales from new
customers and executing and collecting annual or multi-year contracts which are paid for up front. We cannot be certain we will achieve the required renewal
rates, increase sales from existing and new customers nor generate or collect based on the contract terms for the sales, which will improve our cash flow from
operating activities or deliver sustainable profitability. In addition, due to our continued investment in the growth of our business, we expect our operating
expenses to increase over the next several years as we hire additional personnel, retain existing personnel in a competitive market and continue to enhance our
solutions and identity security platform and deliver new services to the market. Any failure to increase our revenue could prevent us from achieving profitability
or maintaining or increasing cash flow from operating activities on a consistent basis. In addition, we may have difficulty achieving profitability under U.S.
GAAP due to share-based compensation expense and other non-cash charges. If we are unable to navigate these challenges as we encounter them, our business,
financial condition, and operating results may suffer.
We are subject to a number of regulatory and geopolitical risks associated with global sales and operations, which could materially affect our business.
We are a global company subject to varied and complex laws, regulations, and customs. The application of these laws and regulations to our business is
often unclear, subject to interpretation and may, at times, conflict. Compliance with these laws and regulations may involve significant costs or require changes
in our business practices or solutions, resulting in reduced revenue and profitability. Furthermore, business practices in the global markets that we serve may
differ from those in the United States and may require us to include non-standard terms in customer contracts, such as extended payment or warranty terms.
Further, there may be higher costs of doing business globally, including costs incurred by maintaining office space, securing adequate staffing, and localizing
our contracts.
Additionally, our global sales and operations are subject to a number of risks, including the following:
•
failure to fully comply with various global data privacy and data protection laws;
•
fluctuations in exchange rates between the U.S. dollar and foreign currencies in markets where we do business;
•
social, economic and political instability, war, civil disturbance or acts of terrorism, conflicts (including the conflicts in the Middle East, for example
between Israel and Hamas), security concerns, and any pandemics or epidemics;
•
noncompliance with the U.S. Federal requirements which mandate management and auditor reports on the effectiveness of our internal control over
financial reporting (such as the Sarbanes-Oxley Act);
•
greater difficulty in enforcing contracts and managing collections, as well as longer collection periods;
•
noncompliance with certain anti-bribery laws or unfair or corrupt business practices in certain geographies;
•
certain of our activities and solutions are subject to U.S., European Union, Israeli, and possibly other export and trade control and economic sanctions
laws and regulations, which have and may additionally prohibit or restrict our ability to engage in business with certain countries and customers or
distribute or implement our solutions in certain countries. If the applicable requirements related to export and trade controls change or expand,
including as a result of future relationships between the U.S. and various other countries, if we change the encryption functionality in our solutions, or
if we develop other solutions, or export solutions from/to certain jurisdictions, we may fail to comply with such regulations or may need to satisfy
additional requirements or obtain specific licenses to continue to export our solutions in the same global scope;
•
changes in tax regulations and uncertain tax obligations and effective tax rates may impact our financial results or result in changes in the valuation of
our deferred tax assets and liabilities;
•
new and developing laws and regulations, and compliance with, and uncertainty regarding, laws and regulations that apply or may in the future apply
to our business;
•
reduced or uncertain protection of intellectual property rights in some countries; and
17
•
management communication and integration problems resulting from cultural and geographic dispersion.
These and other factors could harm our ability to generate future global revenues and, consequently, materially impact our business, results of
operations and financial condition. Non-compliance could also result in government investigations, fines, damages, or criminal sanctions against us, our officers
or our employees, prohibitions on the conduct of our business, and damage to our reputation.
Intellectual property claims may increase our costs or require us to cease selling certain solutions, which could adversely affect our financial condition and
results of operations.
The information security industry is characterized by the existence of a large number of relevant patents and frequent claims and litigations regarding
patents and other intellectual property rights. Leading companies in the information security industry have extensive patent portfolios. In addition, the scope of
copyright protection and other legal protections for intellectual property generated by certain new technologies, such as generative AI, is uncertain. From time to
time, third parties have asserted, and in the future may assert, their patent, copyright, trademark, and other intellectual property rights against us, our channel
partners, or our customers. Furthermore, we may be subject to indemnification obligations with respect to third-party intellectual property rights pursuant to our
agreements with our customers and channel partners. Such indemnification provisions are customary in our industry. We cannot ensure that we will have the
resources to defend against such claims. Successful claims of infringement or misappropriation by a third party against us or a third party that we indemnify,
could prevent us from distributing certain solutions or performing certain services or could require us to pay substantial damages (including, for example, treble
damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or
other fees. Such claims also could require us to cease making, licensing, or using solutions that are alleged to infringe or misappropriate the intellectual property
of others, to expend additional development resources to attempt to redesign our solutions or otherwise to develop non-infringing technology, to enter into
potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights, and to indemnify
our customers and channel partners (and parties associated with them). The failure to obtain a license or the costs associated with any license could cause our
business, results of operations, or financial condition to be materially and adversely affected. Defending against claims of infringement, regardless of their
validity, or being deemed to be infringing the intellectual property rights of others could be very expensive and time-consuming to defend, harm our reputation,
and impair our ability to innovate, develop, distribute, and sell our current and planned solutions.
We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.
Our functional and reporting currency is the U.S. dollar. In 2024, most of our revenues were denominated in U.S. dollars and the remainder was
primarily in Euros and British pounds. In 2024, most of our cost of revenues and operating expenses were denominated in U.S. dollars and New Israeli Shekels
(NIS) and the remainder primarily in Euros and British pounds. Our foreign currency-denominated expenses consist primarily of personnel, facilities and travel
costs. The exchange rates between the U.S. dollar and foreign currencies have fluctuated substantially in recent years and may continue to fluctuate substantially
in the future. Since the portion of our expenses denominated in NIS and British pounds is greater than our revenues in NIS and British pounds, respectively, any
appreciation of the NIS or the British pound relative to the U.S. dollar could adversely impact our operating results. In addition, since the portion of our
revenues denominated in Euros is greater than our expenses in Euros, any depreciation of the Euro relative to the U.S. dollar could adversely impact our
operating results. Furthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our software and renewals to customers outside the
United States, which could adversely affect our business, results of operations, financial condition and cash flows. We periodically evaluate the various
currencies to which we are exposed and, as appropriate, enter into hedging transactions designed to reduce or eliminate certain currency exchange rate impacts.
We cannot guarantee that our hedging activities will effectively protect us from adverse impacts from currency exchange rate fluctuations. Hedging may expose
us to liquidity constraints that may limit our ability to adjust or exit positions, and potential losses if market conditions change unexpectedly or if hedging
instruments do not perform as anticipated. Furthermore, the costs associated with hedging, regulatory requirements, and accounting complexities may
negatively impact our financial results and operational flexibility. In addition, we have monetary assets and liabilities that are denominated in non-U.S. dollar
currencies. For example, we have a significant NIS-linked liability related to our operating leases in Israel. As a result, significant exchange rate fluctuations
could have a negative effect on our net income.
18
If our solutions fail to help our customers achieve and maintain compliance with certain government regulations and industry standards, our business and
results of operations could be materially and adversely affected.
We generate a substantial portion of our revenues from our solutions that enable our customers to achieve and maintain compliance with certain
government regulations and industry standards, and we expect that to continue for the foreseeable future. Governments and other customers may require our
solutions to comply with certain privacy, security or other certifications and standards with respect to those solutions utilized by them as a control demonstrating
compliance with government regulations and industry standards. We have maintained SOC 2 and SOC 3 accreditation for multiple solutions since 2019 and
2022, respectively. Additionally, we have maintained the ISO 27001 annual certification since April 2017 and attained ISO 27018 certification in 2023. The
main modules of our Privilege Access Management self-hosted solution (Vault, PSM, PSMP, CPM and PVWA) are Common Criteria certified for the Dutch
Scheme (NSCIB) and the American Scheme (NIAP), supporting federal agencies. We are also in the process of seeking authorization from FedRAMP, for
certain SaaS solutions. However, we are unable to guarantee that we will achieve such authorizations in a timely manner, or at all, or maintain compliance with
them once they have been achieved. If our solutions are late in achieving or failing to achieve or maintain compliance with these certifications and standards, or
our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our solutions to such customers, or may
otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and financial condition.
Additionally, industry standards may change with little or no notice, including changes that could make them more or less onerous for businesses,
including in connection with AI. If we are unable to adapt our solutions to changing government regulations and industry standards in a timely manner, or if our
solutions fail to expedite our customers’ compliance initiatives, our customers may lose confidence in our solutions and could switch to solutions offered by our
competitors. In addition, if government regulations and industry standards related to information security are changed in a manner that makes them less onerous,
our customers may view compliance as less critical to their businesses and may be less willing to purchase our solutions. In either case, our sales and financial
results would suffer.
If we are unable to adequately protect our proprietary technology and intellectual property rights, our business could suffer substantial harm.
The success of our business depends on our ability to protect our proprietary technology, brands and other intellectual property and to enforce our
rights in that intellectual property. We attempt to protect our intellectual property under patent, copyright, trademark and trade secret laws, and through a
combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection.
As of December 31, 2024, we had 189 issued patents in the United States and 46 pending U.S. patent applications. We also had 92 issued patents and
13 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional
patent applications in the future.
The process of obtaining patent protection is expensive and time-consuming, and we may not be able to complete all necessary or desirable patent
applications at a reasonable cost or in a timely manner all the way to the successful issuance of a patent. We may choose not to seek patent protection for certain
innovations and may choose not to pursue patent protection in certain jurisdictions. Furthermore, it is possible that our patent applications may not be approved,
that the scope of our issued patents will be insufficient or not have the coverage originally sought, that our issued patents will not provide us with any
competitive advantages, and that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes
or litigation. Finally, issuance of a patent does not guarantee that we have an absolute right to practice the patented invention. Our policy is to require our
employees (and our consultants and service providers that develop intellectual property included in our solutions) to execute written agreements in which they
assign to us their rights, if such exist, in potential inventions and other intellectual property created within the scope of their employment (or, with respect to
consultants and service providers, their engagement to develop such intellectual property. We cannot be certain that we have adequately protected our rights in
every such agreement or that we have executed an agreement with every such party. Finally, in order to benefit from the protection of patents and other
intellectual property rights, we must monitor and detect infringement and pursue infringement claims under certain circumstances in relevant jurisdictions.
Litigating claims related to the enforcement of intellectual property rights is very expensive and can be burdensome in terms of management time and resources.
Any litigation related to intellectual property rights or claims against us could result in loss or compromise of our intellectual property rights or could subject us
to significant liabilities. As a result, we may not be able to obtain adequate protection or to effectively enforce our issued patents or other intellectual property
rights.
19
In addition to patents, we rely on trade secret rights, copyrights and other rights to protect our unpatented proprietary intellectual property and
technology. Unauthorized parties, including our employees, consultants, service providers or customers, may attempt to copy aspects of our solutions or obtain
and use our trade secrets or other confidential information. We generally enter into confidentiality agreements with our employees, consultants, service
providers, vendors, channel partners, subcontractors and customers, and generally limit access to and distribution of our proprietary information and proprietary
technology through certain procedural safeguards. These agreements may not effectively prevent unauthorized use or disclosure of our intellectual property or
technology and may not provide an adequate remedy in the event of unauthorized use or disclosure of our intellectual property or technology. We cannot be
certain that the steps taken by us will prevent misappropriation of our intellectual property or technology or infringement of our intellectual property rights. In
addition, the laws of some foreign countries where we sell our solutions do not protect intellectual property rights and technology to the same extent as the laws
of the United States, and these countries may not enforce these laws as diligently as government agencies and private parties in the United States. If we are
unable to protect our intellectual property, we may find ourselves at a competitive disadvantage to others who do not incur the additional expense, time and
effort to create the innovative solutions nevertheless benefiting from such innovation due to misappropriation.
Our use of open-source software, third-party software, and other intellectual property may negatively affect our ability to offer our solutions and expose us
to litigation or other risks.
We integrate certain open-source software components from third parties into our software, and we expect to continue to use open-source software in
the future. Some open-source software licenses require, among other things, that users who distribute or make available as a service, open-source software with
their own software solutions, add appropriate copyright notices and disclaimers, publicly disclose all or part of the source code of the users’ developed software
or make available any derivative works of the open-source code under open-source license terms or at no cost. Our efforts to use the open-source software in a
manner consistent with the relevant license terms that would not require us to disclose our proprietary code or license our proprietary software at no cost may
not be successful. We may face claims by third parties seeking to enforce the license terms applicable to such open-source software, including by demanding the
release of our proprietary source code, or we may face termination of such licenses if the owner of the open-source software asserts that we are in breach of its
license terms. In addition, if the license terms for the open-source code change or the license is terminated, we may be forced to re-engineer our software or
incur additional costs. In addition, open-source software typically comes without warranties or indemnities from the owner, whereas we are expected to offer
our customers both. Accordingly, if there were technical problems with open-source software that we used in our solutions, or if such open-source software
infringed third-party intellectual property rights, we could have a warranty obligation or infringement indemnity obligation to our customer without a
corresponding warranty or indemnification obligation from the owner of the open-source software. In addition, regardless of the validity of claims against us,
our business, financial condition, and results of operations could be harmed by litigation and defense costs, payment of damages, the disclosure of our source
code, additional expenditure to enter into royalty or licensing agreements, and additional expenses and research and development time to render existing
solutions non-infringing.
We have no assurance that any open-source software that we use in our solutions and any patch will be free from vulnerabilities or malicious code.
While customary in the industry, our use of open-source software and third-party software in our solutions may expose us, and our customers using our
solutions, to additional vulnerabilities and security breaches, which may result in significant adverse impacts on us and our customers, especially if such open-
source software or third-party software is not maintained by its authors.
Further, some of our solutions include other software or intellectual property licensed from third parties, and we also use software and other intellectual
property licensed from third parties for our own business operations. This exposes us to risks over which we may have little or no control. For example, a
licensor may have difficulties keeping up with technological changes or may stop supporting the software or other intellectual property that it licenses to us.
There can be no assurance that the licenses we use will be available on acceptable terms, if at all. In addition, a third party may assert that we or our customers
are in breach of the terms of a license, which could, among other things, give such third party the right to terminate a license or seek damages from us, or both.
Our inability to obtain or maintain certain licenses or other rights or to obtain or maintain such licenses or rights on favorable terms, or the need to engage in
litigation regarding these matters, could result in delays in releases of new solutions, and could otherwise disrupt our business, until equivalent technology can
be identified, licensed, or developed.
20
Risks Related to Our Ordinary Shares
Our share price may be volatile, and our shareholders may lose all or part of their investment.
From January 2022 through January 2025, our ordinary shares have traded on the Nasdaq Global Select Market (Nasdaq) at a price per share between a
range of $107.33 and $375.5. In addition, the market price of our ordinary shares could be highly volatile and may fluctuate substantially as a result of many
factors, some of which are beyond our control, including, but not limited to:
•
actual or anticipated fluctuations in our results of operations and the results of other similar companies;
•
variance in our financial performance from the expectations of market analysts;
•
announcements by us or our competitors of significant business developments, changes in service provider relationships, acquisitions or
expansion plans;
•
changes in the prices of our solutions or in our pricing models;
•
our involvement in litigation;
•
our sale of ordinary shares or other securities in the future;
•
market conditions in our industry;
•
speculation in the press or the investment community;
•
the trading volume of our ordinary shares;
•
changes in the estimation of the future size and growth rate of our markets;
•
any merger and acquisition activities; and
•
general economic and market conditions.
In addition, the stock markets have experienced price and volume fluctuations. Broad market and industry factors may materially harm the market price
of our ordinary shares, regardless of our operating performance, and may affect our ability to access new capital, which may materially harm our liquidity, and
limit our ability to grow our business. In the past, following periods of volatility in the market price of a company’s securities, securities class action litigation
has often been instituted against that company. If we are involved in any similar litigation, we could incur substantial costs and our management’s attention and
resources could be diverted, which could materially and adversely affect our business.
Our business could be negatively affected as a result of the actions of activist shareholders, and such activism could impact the trading value of our
securities.
In recent years, U.S. and non-U.S. companies listed on securities exchanges in the United States have been faced with governance-related demands
from activist shareholders, unsolicited tender offers and proxy contests. Although as a foreign private issuer we are not subject to U.S. proxy rules, responding
to any action of this type by activist shareholders could be costly and time-consuming, disrupting our operations and diverting the attention of management and
our employees. Such activities could interfere with our ability to execute our strategic plans. In addition, a proxy contest for the election of directors at our
annual meeting would require us to incur significant legal fees and proxy solicitation expenses and require significant time and attention by management and
our Board of directors. The perceived uncertainties due to such actions of activist shareholders could also affect the market price of our securities.
As a foreign private issuer whose ordinary shares are listed on Nasdaq, we may follow certain home country corporate governance practices instead of
otherwise applicable SEC and Nasdaq requirements and are exempt from a number of requirements under U.S. securities laws. This may result in less
protection for, or limit the information available to, our shareholders.
As a foreign private issuer whose ordinary shares are listed on Nasdaq, we are permitted to follow certain home country corporate governance practices
instead of certain rules of Nasdaq. See “Item 16G. Corporate Governance” for a summary of the significant ways in which our corporate governance practices
differ from those followed by U.S. companies listed on Nasdaq, which may result in less protection for, or limit the information available to, our shareholders.
In addition, as a foreign private issuer, we are exempt from a number of requirements under U.S. securities laws that apply to public companies that are
not foreign private issuers. In particular, we are exempt from the rules and regulations under the Exchange Act related to the furnishing and content of proxy
statements, and our officers, directors and principal shareholders are exempt from the reporting and short-swing profit recovery provisions contained in Section
16 of the Exchange Act. In addition, we are not required under the Exchange Act to file annual, quarterly, and current reports and financial statements with the
SEC, as frequently or as promptly as domestic companies whose securities are registered under the Exchange Act. We are also exempt from the provisions of
Regulation FD, which prohibits issuers from making selective disclosure of material non-public information. Even though we intend to comply voluntarily with
Regulation FD, these exemptions and leniencies will reduce the frequency and scope of information and protections to which our shareholders are entitled as
investors. For so long as we qualify as a foreign private issuer, we are not required to comply with the proxy rules applicable to U.S. domestic companies.
Because of these exemptions for foreign private issuers, our shareholders do not have the same information generally available to investors holding shares in
public companies that are not foreign private issuers.
21
We may raise additional capital through equity or debt financing, which could dilute existing shareholders, or change our financial risk profile, and
potentially reduce the market price of our ordinary shares.
To support our operations, growth, and liquidity needs, we may issue additional ordinary shares, convertible securities, or debt instruments, including
drawing on or expanding our revolving credit facility. Our revolving credit facility imposes certain financial and operational restrictions, including limitations
on incurring additional debt, and compliance with financial covenants such as liquidity requirements. If we fail to meet these obligations, we could face higher
borrowing costs, reduced access to credit, or even a default requiring immediate repayment. These restrictions may also limit our flexibility in pursuing strategic
initiatives, acquisitions, or other business opportunities. Furthermore, elevated interest rates or adverse credit market conditions could increase our borrowing
costs, making debt financing more expensive. Additionally, future issuances of ordinary shares or convertible securities could dilute shareholders and impact our
share price. In addition, issuing additional ordinary shares or raising money through a convertible bond or other equity-linked instrument may cause the market
price for our shares to decline.
We may lose our foreign private issuer status, which would then require us to comply with the rules and regulations applicable to U.S. domestic issuers and
cause us to incur significant legal, accounting and other expenses.
Since a majority of our voting securities are either directly or indirectly owned by residents of the United States, we would lose our foreign private
issuer status if any of the following were to occur: (i) the majority of our executive officers or directors were U.S. citizens or residents, (ii) more than 50 percent
of our assets were located in the United States, or (iii) our business was administered principally in the United States. Similarly, if we were to acquire a U.S.
company in the future, it could put us at heighted risk of losing our foreign private issuer status. Although we have elected to comply with certain U.S.
regulatory provisions, our loss of foreign private issuer status would make such provisions mandatory. In addition, we would lose our ability to rely on Nasdaq
exemptions from certain corporate governance requirements that are available to foreign private issuers. If we were to lose our foreign private issuer status, the
regulatory and compliance costs to us under U.S. securities laws as a U.S. domestic issuer may be significantly higher.
Our U.S. shareholders may suffer adverse tax consequences if we are classified as a “passive foreign investment company.”
Generally, if for any taxable year, after the application of certain look-through rules, 75% or more of our gross income is passive income, or at least
50% of the average quarterly value of our assets (which may be measured in part by the market value of our ordinary shares, which is subject to change) are
held for the production of, or produce, passive income (as defined in the relevant provisions of the Internal Revenue Code of 1986, as amended (Code), we
would be characterized as a “passive foreign investment company” (PFIC), for U.S. federal income tax purposes under the Code. Based on our market
capitalization and the nature of our income, assets and business, we believe that we should not be classified as a PFIC for the taxable year that ended December
31, 2024. However, PFIC status is determined annually and requires a factual determination that depends on, among other things, the composition of our
income, assets and activities in each taxable year, and can only be made after the close of each taxable year. Furthermore, because the value of our gross assets
is likely to be determined in part by reference to our market capitalization, a decline in the value of our ordinary shares may result in our becoming a PFIC.
Accordingly, there can be no assurance that we will not be considered a PFIC for any taxable year. If we are a PFIC for any taxable year during which a U.S.
Holder (as defined in “Item 10.E. Taxation — Certain United States Federal Income Tax Consequences”) holds our ordinary shares, certain adverse U.S. federal
income tax consequences could apply to such U.S. Holder. Prospective U.S. Holders should consult their tax advisors regarding the potential application of the
PFIC rules to them.
22
If a U.S. person is treated as owning at least 10% of our ordinary shares, such holder may be subject to adverse U.S. federal income tax consequences.
If a U.S. person is treated as owning (directly, indirectly or constructively) at least 10% of the value or voting power of our ordinary shares, such
person may be treated as a “U.S. shareholder” with respect to each controlled foreign corporation (CFC), in our group (if any). If our group includes one or
more U.S. subsidiaries (as has been the case for 2024), certain of our non-U.S. subsidiaries will be treated as CFCs regardless of whether we are treated as a
CFC. A U.S. shareholder of a CFC may be required to report annually and include in its U.S. taxable income its pro rata share of such CFC’s “Subpart F
income,” “global intangible low taxed income” and investments in U.S. property by CFCs, regardless of whether we make any distributions. An individual who
is a U.S. shareholder with respect to a CFC generally would not be allowed certain tax deductions or foreign tax credits that would be allowed to a U.S.
shareholder that is a U.S. corporation. Failure to comply with these reporting obligations may subject a U.S. shareholder to significant monetary penalties and
may prevent the statute of limitations with respect to such U.S. shareholder’s U.S. federal income tax return for the year for which reporting was due from
starting. We cannot provide any assurances that we will be able to assist holders of ordinary shares in determining whether any of our non-U.S. subsidiaries is
treated as a CFC or whether any holder of ordinary shares should be treated as a U.S. shareholder with respect to any such CFC or furnish to any U.S.
shareholders information that may be necessary to comply with the aforementioned reporting and tax paying obligations. The United States Internal Revenue
Service provided limited guidance on situations in which investors may rely on publicly available alternative information to comply with their reporting and tax
paying obligations with respect to foreign controlled CFCs. U.S. investors are strongly advised to consult their own tax advisors regarding the potential
application of these rules to their investment in our ordinary shares.
Changes in tax law relating to multinational corporations could adversely affect our tax position.
There can be no assurance that our effective tax rate will not increase over time as a result of changes in corporate income tax rates or other changes in
the tax laws in the jurisdictions in which we operate. Any changes in tax laws could have an adverse impact on our financial results. Corporate tax reform, base-
erosion efforts and tax transparency continue to be high priorities in many tax jurisdictions where we have business operations. As a result, policies regarding
corporate income and other taxes in numerous jurisdictions are under heightened scrutiny, and tax reform legislation is being proposed or enacted in a number of
jurisdictions.
For example, the recent Inflation Reduction Act enacted in the United States introduced, among other changes, a 15% corporate minimum tax on certain
United States corporations and a 1% excise tax on certain stock redemptions by United States corporations (which the U.S. Treasury indicated may also apply to
certain stock redemptions by a foreign corporation funded (or deemed funded) by certain United States affiliates). In addition, there is growing pressure in many
jurisdictions and from multinational organizations such as the Organization for Economic Cooperation and Development (OECD) and the EU to amend existing
international taxation rules in order to align the tax regimes with current global business practices. Specifically, in October 2015, the OECD published its final
package of measures for reform of the international tax rules as a product of its Base Erosion and Profit Shifting (BEPS) initiative, which was endorsed by the
G20 finance ministers. Many of the initiatives in the BEPS package required and resulted in specific amendments to the domestic tax legislation of various
jurisdictions and to existing tax treaties. We continuously monitor these developments. Although many of the BEPS measures have already been implemented or
are currently being implemented globally (including, in certain cases, through adoption of the OECD’s “multilateral convention” (to which Israel is also a party)
to effect changes to tax treaties which entered into force on July 1, 2018 and through the European Union’s “Anti-Tax Avoidance” Directives), it is still difficult
in some cases to assess to what extent these changes will have on our tax liabilities in the jurisdictions in which we conduct our business or to what extent they
may impact the way in which we conduct our business or our effective tax rate due to the unpredictability and interdependency of these potential changes. In
January 2019, the OECD announced further work in continuation of the BEPS project, focusing on two “pillars.” In October 2021, 137 countries approved a
statement known as the OECD BEPS Inclusive Framework, which builds upon the OECD’s continuation of the BEPS project. The first pillar is focused on the
allocation of taxing rights between countries for in-scope large multinational enterprises (with revenue in excess of €20 billion and profitability of at least 10%)
that sell goods and services into countries with little or no local physical presence. We do not expect to be within the scope of the first Pillar. The second pillar is
focused on developing a global minimum tax rate of at least 15% applicable to in-scope multinational enterprises (with global revenue of at least €750 million in
at least two years out of the four previous years). Taxpayers in scope should calculate their effective tax rate according to the relevant rules in each jurisdiction,
which are essentially based on the OECD model rules, for Pillar Two. According to the model rules provisions for relevant jurisdictions they should pay top-up
tax on the difference between their effective tax rate per jurisdiction and a 15% minimum tax rate. In addition, such taxpayers will be subject to compliance
requirements in the relevant jurisdictions.
A temporary relief from the scope of Pillar Two effective tax rate calculations is provided for jurisdictions in which the multinational enterprise operates,
if it can be demonstrated that the specific jurisdiction satisfies one of three “safe harbor” tests during a “transitional period” (2024-2026).
23
The agreement reached by 137 of the 140 members of the OECD BEPS Inclusive Framework targeted law enactment to take effect in 2023 with
applicability from fiscal years beginning on or after December 31, 2023. On December 20, 2021, the OECD published model rules to implement the Pillar Two
rules with commentary to those rules released in March 2022 and administrative guidance published in February 2023 and July 2023. The model rules
commentary and guidance allow the OECD BEPS Inclusive Framework members to begin implementing the Pillar Two rules in accordance with the agreement
reached in October 2021. Israel is one of the 137 jurisdictions that has agreed in principle to the adoption of the global minimum tax rate and has recently
announced it would implement some parts of Pillar Two commencing January 1, 2026, specifically the Qualified Domestic Top Up Tax, which would require in
scope Israeli companies to supplement Israeli corporate tax if their effective tax rate as computed under the rules of Pillar Two is below 15%. As the two-pillar
solution is subject to implementation by each member country, the timing and ultimate impact of any such changes on our tax obligations, including the impact
on Preferred Technological Enterprises currently eligible for reduced corporate tax rate of 12%, is uncertain. Further, given these developments, it is generally
expected that tax authorities in various jurisdictions in which we operate may increase their audit activity and may seek to challenge some of the tax positions
we have adopted. It is difficult to assess if and to what extent such challenges, if raised, might impact and potentially increase our future effective tax rate.
In addition, our U.S. subsidiaries may be subject to the base erosion and anti-abuse tax (BEAT) from 2025 onward. The BEAT operates as a minimum
tax and generally is calculated as a percentage (10% for certain taxable years before 2026 and 12.5% thereafter) of the “modified taxable income” of an
“applicable taxpayer.” Modified taxable income is calculated by adding back to a taxpayer’s regular taxable income the amount of certain “base erosion tax
benefits” with respect to certain intercompany payments made to non-U.S. affiliates, as well as the “base erosion percentage” of any net operating loss
deductions. The BEAT applies only to the extent it exceeds a taxpayer’s regular corporate income tax liability (determined without regard to certain tax credits)
and only in years in which the “base erosion percentage” exceeds a specified percentage. If applicable in any given year, the BEAT may significantly increase
the tax liability of our U.S. subsidiaries for such year.
We do not intend to pay dividends on our ordinary shares for the foreseeable future, so any returns will be limited to changes in the value of our ordinary
shares.
We have never declared or paid any cash dividends on our ordinary shares. We currently anticipate that we will retain future earnings for the
development, operation, and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to
shareholders will, therefore, be limited to the increase, if any, of our share price, which may or may not occur.
Risks Relating to Our Incorporation and Location in Israel
Conditions in Israel, including conflicts with Hamas and other conflicts in the region, as well as political and economic instability in Israel, may adversely
affect our operations and limit our ability to market our solutions, potentially leading to a decrease in revenues.
Our headquarters, certain members of our Board of directors and management, most of our research and development activities, and other significant
operations are located in Israel. We may be negatively impacted by regional instability, political, economic and security conditions, or conflicts in Israel and the
surrounding region. Any political instability, terrorism, armed conflicts, reserve mobilization, cyberattacks, boycotts, direct or indirect sanctions and restrictions,
or other hostilities involving Israel, or any other disruption or reduction in trade between Israel and its partners, could adversely affect our operations.
Following the October 7, 2023 attacks by Hamas, Israel declared war against Hamas and has since been involved in military conflicts with Hamas,
Hezbollah, Iran, and their proxies, including the Houthi movement in Yemen and armed groups in Iraq. Additionally, following the fall of the Assad regime in
Syria, Israel has conducted targeted military operations against Syrian, Iranian and Hezbollah-linked assets. While certain ceasefire agreements have been
reached with Hamas and Lebanon (with respect to Hezbollah), there is no assurance that these agreements will be upheld. Hostilities persist at varying levels,
and the situation remains volatile, with a risk of escalation into broader regional conflict involving additional terrorist organizations and countries.
While our facilities have not been damaged during the current conflicts, the hostilities have caused and may continue to cause damage to private and
public facilities, infrastructure, utilities, and telecommunication networks, which could disrupt our operations and supply chains. Our commercial insurance
excludes war and terrorism-related losses, and while the Israeli government currently provides compensation for certain direct damages, there is no assurance
that this support will continue or be sufficient. Additionally, as an Israeli company, we face an increased risk of cyberattacks on our IT networks and those of our
supply chain partners, particularly during wartime. This could lead to increased costs, threats to employee safety, operational challenges, and financial losses.
24
The continuation of these hostilities, along with broader macroeconomic challenges, has contributed to a decline in certain indicators of Israel’s
economic standing, including, a downgrade in Israel’s credit rating by rating agencies. These developments may negatively impact Israel’s economy or financial
conditions and may also impair our ability to effectively conduct our operations.
The global perception of Israel and Israeli companies, influenced by the actions of international judicial bodies, may lead to increased sanctions,
boycotts, business restrictions or other negative measures against Israel, and Israeli companies. If these efforts become widespread, along with any current or
future rulings from international tribunals against Israel, this could materially and negatively impact our business operations.
Prior to the October 2023 war, the Israeli government pursued judicial reforms and has recently renewed these efforts. In response, individuals,
organizations, and institutions, both in and outside of Israel have voiced concerns about potential negative impacts on the business environment in Israel. These
reforms could also lead to political instability or civil unrest. If implemented, they may have an adverse effect on our business, results of operations, and our
ability to raise funds.
The tax benefits that are available to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could
increase our costs and taxes.
We were granted an Approved Enterprise status under the Israeli Law for the Encouragement of Capital Investments, 5719-1959 (Investment Law). In
the past, we elected the alternative benefits program, pursuant to which income derived from the Approved Enterprise program was tax-exempt for two years
and enjoyed a reduced tax rate of 10.0% to 25.0% for up to a total of eight years, depending on the percentage of foreign investors’ ownership. We were also
eligible for certain tax benefits provided to Benefited Enterprises under the Investment Law. In March 2013, we notified the Israel Tax Authority that we applied
the new tax Preferred Enterprise regime under the Investment Law instead of our Approved Enterprise and Benefited Enterprise. Accordingly, we were eligible
for certain tax benefits provided to Preferred Enterprises under the Investment Law. If we do not meet the conditions stipulated in the Investment Law and the
regulations promulgated thereunder, as amended, for the Preferred Enterprise, any of the associated tax benefits may be cancelled, and we would be required to
repay the amount of such benefits, in whole or in part, including interest and CPI linkage (or other monetary penalties). Starting from 2017, we were recognized
as eligible for the Technological Preferred Enterprise regime, a sub-category of the Preferred Enterprise regime, which grants enhanced tax benefits to
enterprises with significant research and development activities. In the future these tax benefits may be reduced or discontinued. If these tax benefits are
reduced, cancelled or discontinued, our Israeli taxable income could be subject to regular Israeli corporate tax rates, which could negatively affect our financial
condition and results of operation. Additionally, if we increase our activities outside of Israel through acquisitions, for example, our expanded activities may not
be eligible for inclusion under future Israeli tax benefit regimes.
We may become subject to claims for remuneration or royalties for assigned service invention rights by our employees.
We enter into assignment-of-invention agreements with our employees pursuant to which such individuals agree to assign to us all rights to any
inventions created in the scope of their employment or engagement with us. A significant portion of our intellectual property has been developed by our
employees during the course of their employment by us. Under the Israeli Patent Law, 5727-1967, inventions conceived by an employee during the scope of his
or her employment with a company are regarded as “service inventions” which belong to the employer, absent a specific agreement between the employee and
employer giving the employee service invention rights. Although our employees have agreed to assign to us service invention rights, as a result of uncertainty
under Israeli law with respect to service invention rights and the efficacy of related waivers, including with respect to remuneration and its extent, we may face
claims demanding remuneration in consideration for assigned inventions. As a consequence of such claims, we could be required to pay additional remuneration
or royalties to our current and/or former employees, or be forced to litigate such claims, which could negatively affect our business.
As a public company incorporated in Israel, we may become subject to further compliance obligations and market trends or restrictions, which may strain
our resources and divert management’s attention.
Being an Israeli publicly traded company in the United States and being subject to both U.S. and Israeli rules and regulations may make it more
expensive for us to obtain and maintain directors and officers liability insurance. These factors could also make it more difficult for us to attract and retain
qualified members of our Board of directors, particularly to serve on our audit committee, and qualified executive officers. In accordance with the provisions of
the Companies Law, approval of our directors’ and officers’ insurance is limited to the terms of our duly approved compensation policy, unless otherwise
approved by our shareholders.
25
Provisions of Israeli law and our articles of association may delay, prevent, or otherwise impede a merger with or an acquisition of us, even when the terms
of such a transaction are favorable to us and our shareholders.
Our articles of association contain certain provisions that may delay or prevent a change of control. These provisions include that our directors (other
than external directors, if applicable) are elected on a staggered basis, and therefore a potential acquirer cannot readily replace our entire Board of directors at a
single annual general shareholder meeting. In addition, Israeli corporate law regulates acquisitions of shares through tender offers and mergers, requires special
approvals for transactions involving directors, officers or significant shareholders and regulates other matters that may be relevant to such types of transactions.
Furthermore, Israeli tax considerations may make potential transactions unappealing to us or to our shareholders whose country of residence does not
have a tax treaty with Israel exempting such shareholders from Israeli tax. For example, Israeli tax law does not recognize tax-free share exchanges to the same
extent as U.S. tax law. With respect to mergers involving an exchange of shares, Israeli tax law allows for tax deferral in certain circumstances but makes the
deferral contingent on the fulfillment of a number of conditions, including, in some cases, a holding period of two years from the date of the transaction during
which sales and dispositions of shares of the participating companies are subject to certain restrictions. Moreover, with respect to certain share swap
transactions, the tax deferral is limited in time, and when such time expires, the tax becomes payable even if no disposition of the shares has occurred. These
provisions of Israeli law and our articles of association could have the effect of delaying or preventing a change in control in us and may make it more difficult
for a third party to acquire us, even if doing so would be beneficial to our shareholders, and may limit the price that investors may be willing to pay in the future
for our ordinary shares.
It may be difficult to enforce a judgment of a U.S. court against us, our officers and directors or the Israeli auditors named in this annual report in Israel or
the United States, to assert U.S. securities laws claims in Israel or to serve process on our officers and directors and these auditors.
We are incorporated in Israel and our Israeli auditors named in this annual report reside outside of the United States. Further, a majority of our directors
and executive officers, and most of our assets and most of the assets of these persons are located outside of the United States. Therefore, a judgment obtained
against us, or any of these persons, including a judgment based on the civil liability provisions of the U.S. federal securities laws, may not be collectible in the
United States and may not be enforced by an Israeli court. It also may be difficult for our shareholders to effect service of process on these persons in the United
States or to assert U.S. securities law claims in original actions instituted in Israel. Israeli courts may refuse to hear a claim based on an alleged violation of U.S.
securities laws reasoning that Israel is not the most appropriate forum in which to bring such a claim. In addition, even if an Israeli court agrees to hear a claim,
it may determine that Israeli law and not U.S. law is applicable to the claim. If U.S. law is found to be applicable, the content of applicable U.S. law must be
proven as a fact by expert witnesses, which can be a time consuming and costly process. Certain matters of the procedure will also be governed by Israeli law.
There is little binding case law in Israel that addresses the matters described above. As a result of the difficulty associated with enforcing a judgment against us
in Israel, our shareholders may not be able to collect any damages awarded by either a U.S. or foreign court.
The rights and responsibilities of our shareholders are, and will continue to be, governed by Israeli law which differs in some material respects from the
rights and responsibilities of shareholders of U.S. corporations.
The rights and responsibilities of the holders of our ordinary shares are governed by our articles of association and by Israeli law. These rights and
responsibilities differ in some material respects from the rights and responsibilities of shareholders in U.S. corporations. In particular, a shareholder of an Israeli
company has a duty to act in good faith and in a customary manner in exercising its rights and performing its obligations towards the company and other
shareholders, and to refrain from abusing its power in the company, including, among other things, in voting at a general meeting of shareholders on matters
such as amendments to a company’s articles of association, increases in a company’s authorized share capital, mergers and acquisitions and related party
transactions requiring shareholder approval. In addition, shareholders have a general duty to refrain from discriminating against other shareholders and a
shareholder who is aware that it possesses the power to determine the outcome of a shareholder vote or to appoint or prevent the appointment of a director or
chief executive officer in the company has a duty of fairness toward the company with regard to such vote or appointment. There is limited case law available to
assist us in understanding the nature of this duty or the implications of these provisions. These provisions may be interpreted to impose additional obligations
and liabilities on holders of our ordinary shares that are not typically imposed on shareholders of U.S. corporations.
26
ITEM 4.
INFORMATION ON THE COMPANY
A.
History and Development of the Company
Our History
CyberArk Software Ltd. was founded in 1999 with the vision of protecting high-value business data and pioneering our Digital Vault technology. That same
year, we released our first product, the Sensitive Information Management Solution (previously called the Sensitive Document Vault), which provided a secure
platform that enabled our customers’ employees to share sensitive files. From there, we evolved our offering into a comprehensive solution to secure identities
anchored on PAM. In 2005, we introduced our PAM Solution, upon which we built our leadership position in the PAM market, providing critical security
controls that protect high-level and high-value access across an organization. On September 23, 2014, we listed our ordinary shares on the Nasdaq Stock Market
LLC (Nasdaq). In addition to investing in organic research and development, in 2015 we began to execute a merger and acquisition strategy and acquired
Viewfinity, Inc., a provider of Windows least privilege management and application control software, as well as Cybertinel Ltd., a cybersecurity company
specializing in cyber threat detection technology. In May 2017, we acquired Conjur Inc., a provider of DevOps security software. In May 2020, we acquired
IDaptive Holdings, Inc., an Identity as a Service (IDaaS) provider. In March 2022, we acquired Aapi.io, a provider of no-code application integration and
workflow automation solutions, and in July 2022, we acquired C3M, LLC, a provider of multi-cloud security and compliance solutions. In October 2024, we
acquired Venafi Holdings, Inc., a provider of machine identity management solutions, and in February 2025, we acquired Zilla Security Inc, a provider of
identity governance and administration solutions. Our organic investment in research and development to drive new solutions and innovation, combined with
the incremental acquisitions of selected technologies and the execution of our go-to-market (GTM) strategy, today positions CyberArk as the global leader in
Identity Security, with the most comprehensive platform for securing both human and machine identities. By securing every identity with the right level of
privilege controls, we enable secure access for all human and machine identities to help organizations secure critical business assets and applications, protect
their distributed workforce and customers, minimize risk and increase resiliency, and accelerate business across cloud, hybrid and self-hosted environments. Our
solutions enable zero trust by enforcing least privilege with continuous identity threat detection and protection. In early 2024, CyberArk refined its approach to
persona-based solution selling and marketing to better align with customer needs and highlight our differentiated approach to securing all identities. By shifting
to a solution-based framework, we present a holistic approach from our platform to securing every identity—workforce, IT, developers, and machine identities
—helping to ensure organizations apply the right level of privilege controls across all identities. This solutions-based selling approach has resonated well with
customers and partners as it addresses an individual customer’s unique challenges, focusing on the value it brings to their organization. This marketing approach
has made it easier for us to communicate our value and for customers to buy the capabilities they need. We believe that our deep security expertise combined
with a solutions-based approach further differentiates us in the market.
We are a company limited by shares organized under the laws of the State of Israel. We are registered with the Israeli Registrar of Companies. Our registration
number is 51-229164-2. Our principal executive offices are located at 9 Hapsagot St., Park Ofer B, POB 3143, Petach-Tikva, 4951040, Israel, and our telephone
number is +972 (3) 918-0000. Our website address is www.cyberark.com. Information contained on, or that can be accessed through, our website is not part of
this annual report and is not incorporated by reference herein. We have included our website address in this annual report solely for informational purposes. Our
SEC filings are available to you on the SEC’s website at http://www.sec.gov. This site contains reports, proxy and information statements, and other information
regarding issuers that file electronically with the SEC. Our agent for service of process in the United States is CyberArk Software, Inc., located at 60 Wells
Avenue, Newton, MA 02459, and our telephone number is (617) 965-1544.
Principal Capital Expenditures
Our cash capital expenditures for fiscal years 2022, 2023 and 2024 amounted to $12.5 million, $4.9 million, and $11.1 million, respectively. Capital
expenditures consist primarily of investments in computers and related equipment, leasehold improvements for our office space, purchases of furniture, and
internal use software capitalization. We anticipate our capital expenditures in fiscal year 2025 to be approximately 1.5% of revenues. We anticipate our capital
expenditures in 2025 will be financed with cash on hand and cash provided by operating activities.
27
B.
Business Overview
CyberArk is the global leader in Identity Security, trusted by organizations around the world to secure human and machine identities in the modern enterprise.
CyberArk’s AI-powered Identity Security Platform applies intelligent privilege controls to every identity with continuous threat prevention, detection and
response across the identity lifecycle. With CyberArk, organizations can minimize operational and security risks by enabling zero trust and least privilege with
complete visibility, empowering all users and identities, including workforce, IT, developers and machines, to securely access any resource, located anywhere,
from everywhere. As the category-defining leader in PAM, we are uniquely positioned to deliver on Identity Security because our core competency is securing
the “keys to the kingdom.” These “keys to the kingdom” enable our customers to control access to sensitive infrastructure and applications; keeping them out of
the hands of malicious or careless insiders or external attackers and preventing disruption to the business.
With the rapid rise in mobile workers, hybrid and multi-cloud adoption, and digitalization of the enterprise, physical and network security barriers are less
relevant for securing data and assets than ever before. Compromised identities and their associated privileges now represent the fastest attack path to an
organization’s most valuable assets. As a result, identity controls are now becoming the new security perimeter and are a critical foundation for implementing
zero trust strategies. Our approach is unique as CyberArk recognizes that every identity can become privileged under certain conditions, and we offer the
broadest range of security controls to reduce that risk while delivering a high-quality experience to the end user. This includes securing our customers’
workforce, information technology (IT), developers, and machine identities by replacing complex, patchworked and siloed legacy access and PAM solutions to
improve security and operational efficiencies.
With the increase in identity-related incidents over the past year, it is imperative for organizations to secure every identity with the right level of privilege
controls. In the Identity and Access Management (IAM) market, the silos of Access Management (AM), PAM and Identity Governance and Administration
(IGA) overlap and thus there may be inefficiencies if they are provided by separate vendors, or from vendors who bundle discreet solutions without the benefit
of a unified platform. Standalone, legacy Access Management is focused on managing identities, not securing them. Legacy PAM vendors focus on a narrow
scope around IT administrators and ignore other personas, and legacy IGA solutions are sprawling and complex. We believe that a siloed approach is inefficient
and does not provide adequate security.
We believe an Identity Security Platform must do far more than manage one group of identities; it must provide solutions to secure and govern all identities,
across all environments. Our goal is to reinvent and modernize capabilities across the established silos while inventing new ways to secure modern identities. By
further expanding the CyberArk Identity Security Platform to include a modern IGA offering based on the innovative and transformative capabilities from our
acquisition of Zilla Security Inc., we will offer the most complete identity security platform for securing all identities, including human and machine. We believe
the CyberArk Identity Security Platform - powered by CORA AI – will provide the most comprehensive capabilities to discover and onboard identities with
context and risk mapping, apply the right level of privilege controls – across entitlement management, session management, credential management and
authentication management - while providing automated lifecycle management, policy, governance and compliance.
When we look at all identities that need to be secured across a typical organization, we see that there is a spectrum in four key groups: workforce, IT, developers
and machines. Each of these secured identity groups have a different level of risk and complexity associated with their access based on their target resources and
typical activities. All of these identities can become privileged or high risk, and they all need to be secured differently than they have been in the past.
By reinventing the standalone IAM markets into a comprehensive Identity Security Platform, which provides solutions to secure all identities with the right
level of privilege controls and appropriate type of access, we help organizations to stay a step ahead of attackers.
Since 2024, CyberArk has taken steps to focus its GTM strategy on a solution-based framework that will enable CyberArk to evolve from product-focused sales
to solution selling, which is expected to better align with our customers’ problems. We expect that this change will move us from a more fragmented market
positioning to messaging our core differentiators holistically to stand out in the market and continue to drive our Identity Security leadership. Our new secured
identity framework and solutions are expected to help our GTM teams to take full advantage of the market opportunity while delivering value-based solutions
for customers.
In order to facilitate this new framework, we have identified and designed solutions taken from our platform capabilities. These solutions, derived from across
our existing platform, focus on the capabilities that are needed to secure each identity. The solutions will be presented through a simplified packaging and
pricing model, which is expected to facilitate a more efficient buying process and enhance our ability to secure a broader range of identities within our
customers’ employee base. These solutions are expected to make it easier for our customers to buy the capabilities they need to secure every identity across their
organization.
28
CyberArk has reimagined what it means to secure workforce users by recognizing that privileged access is not limited to IT users but that the workforce must be
able to do their job without security getting in their way. We have modernized and extended our PAM capabilities beyond traditional IT users to cloud
operations and third parties who need flexible access controls to all their target resources. We have invented new, secure technologies based on our foundation of
privilege controls to enable developers to securely work at the speed of their developments.
During 2024, we continued to add new customers and cross-sell to existing customers directly and through channels. As of December 31, 2024, we had more
than 9,700 customers. Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance,
healthcare, energy and utilities, transportation, retail, technology, and telecommunications, as well as federal and local government agencies in multiple
countries. We sell our solutions through a high-touch hybrid model that includes direct sales, channel sales, managed security service providers, and advisory
firm partners.
As we continue to sell more subscription licenses and services, we expect perpetual licenses to continue to decline as a percentage of overall sales.
Throughout 2025, we will continue to build on this momentum and operate as a subscription company.
Our Growth Strategy
The key elements of our long-term growth strategy include:
•
Strengthening our Identity Security leadership position by delivering ongoing innovation. We intend to extend our leadership position by enhancing
our solutions, including utilization of AI, introducing new functionality and developing new offerings to address additional human and machine
identity security use cases. Our strategy includes both internal development and an active mergers and acquisition program in which we acquire or
invest in complementary businesses or technologies.
•
Deepening and expanding relationships and influence with the C-Suite. We have developed deep relationships with our customers. Through our
innovation, we are a platform company today, and to fully execute against our platform strategy, we intend to build deeper relationships across the C-
suite and in the board room. We are increasing our marketing and program investments across executive engagement, strategic sales initiatives,
curated thought leadership content and experiences delivered through our Customer Experience Centers.
•
Extending our GTM reach. We market and sell our solutions through a high-touch hybrid model that includes direct and indirect sales. We leverage
our sophisticated marketing capabilities, such as account-based and inbound marketing, GTM plays, and our CyberArk IMPACT and IMPACT World
Tour conferences, to drive demand and generate pipeline. We plan to expand our sales reach by adding new direct sales capacity, expanding our
indirect channels by deepening our relationships with existing partners and by adding new partners, including value-added resellers, system
integrators, managed security service providers, distributors, and C3 Alliance partners. We are also expanding our routes to market to include cloud
provider marketplaces. We will leverage this elite ecosystem to further extend our reach and strengthen our offerings.
•
Growing our customer base. The global threat landscape, digitalization of the enterprise, cloud migration and the broad security skills shortage are
contributing to the need for Identity Security solutions. We believe that every organization, regardless of size or vertical, needs Identity Security. We
plan to pursue new customers in the enterprise and corporate segments of the market with our sales and partner teams, as well as through our brand
awareness and lead generation campaigns.
•
Expanding our relationships with existing customers. As of December 31, 2024, we had more than 9,700 customers. We work diligently to develop
and continually strengthen relationships with our customers. Our Customer Success team will focus on expanding these relationships by growing the
number of users who access our solutions and cross-selling additional solutions.
•
Driving strong adoption of our solutions and retaining our customer base. An important part of our overall strategy, particularly for our SaaS and
self-hosted subscription customers, is delivering fast time to value from our solutions. The Venafi and Zilla Security acquisitions have expanded our
core capabilities and portfolio, positioning us to address the growing demand for machine identity security and modern IGA solutions, differentiate us
from our competitors, and drive innovation and market adoption. We will continue to deliver high levels of customer service and support and invest in
our Customer Success team to help ensure that our customers are up and running quickly and derive benefit from our software, which we believe will
result in higher customer retention rates.
•
Attracting, developing and retaining our employee base. A key pillar of our growth strategy is attracting, developing and retaining our employees.
Our people are one of our most valuable assets, and our culture is a key business differentiator for CyberArk. We value belonging and inclusion,
which allows for the exchange of ideas, creates a strong community, and helps ensure our employees feel valued and respected.
29
Industry Background
Securing identities and their associated privileges are a main focus of solutions investment due to the growth of our market and several key drivers that we have
identified based on multi-year trends.
AI and Identity Security
The integration of generative AI into the fabric of modern IT infrastructure presents both unparalleled opportunities and significant security challenges. As
industries increasingly rely on generative AI for a wide range of applications, from content creation to predictive analytics, the security of these systems
becomes paramount. In generative AI environments, the traditional concept of a security perimeter dissolves, shifting the focus to the security of identities, both
human and machine, that interact with AI systems. As these technologies gain capabilities and access within organizations, managing the identities and
permissions associated with generative AI becomes a formidable challenge. Every day, new AI models, data scientists, automated processes, and interconnected
systems expand the scope of access, requiring robust and dynamic identity security measures. There are three critical pillars at the intersection where AI meets
Identity Security: Securing against threats that leverage AI, using AI to enhance our security posture, and ensuring the security of AI systems, including the new
identities that they create.
The Growing Challenge of Machine Identities in a Digital-First Era
In today’s rapidly evolving digital landscape, the exponential growth of machine identities presents a pressing challenge for organizations. Unlike human
identities, machine identities, spanning applications, bots, microservices, application programming interfaces (APIs), containers, and cloud-native workloads,
communicate using secrets, certificates, SSH (Secure Shell) keys, and other identifiers. Managing these identities securely is critical, but the sheer volume,
diversity, and complexity they introduce often outpaces traditional security approaches.
The rise of AI transformation and pervasive cloud computing has further accelerated this trend, with machines now outnumbering human users by 45 to 1.
Every AI-driven process, whether generating code, making decisions, or analyzing data, requires a unique identity, significantly expanding the attack surface.
Mismanagement of machine identities exposes enterprises to severe security and operational risks, as seen in real-world breaches where compromised service
accounts and access tokens led to high-profile incidents involving Okta, Cloudflare, and AnyDesk. Additionally, operational disruptions, like expired certificates
affecting Microsoft Azure and Starlink, highlight the potential for downtime and reputational damage when identity management fails.
Modern IT environments are highly dynamic, with cloud-native applications, DevOps pipelines, and IoT deployments demanding continuous updates and
identity rotations. Each machine identity, whether for a microservice, API, or signing key, must be issued, tracked, rotated, and revoked within increasingly short
lifecycles. Compounding the challenge, siloed and manual processes often lead to fragmented policies, inconsistent security, and human error. The trend toward
shorter certificate lifetimes, with industry giants like Google and Apple proposing validity periods as short as 45 days, places even more pressure on teams to
ensure seamless security and visibility.
Digital Transformation and Shift Left: The digitalization of business creates a larger digital landscape full of opportunities for improved engagement with
customers, vendors and employees, but also greater exposure to cyber threats. New digital technologies require expanded privileged access for both humans and
machines that must be properly secured. Companies are adopting DevOps methodologies to speed up the pace of innovation. Hybrid and multi-cloud adoption
drive the need for centralized solutions that help secure access to all types of identities enterprise-wide. This trend has continued as companies provide hybrid
and remote capabilities for the workforce and look for additional online options to stay viable.
Cloud Migration and SaaS Applications: Broad acceptance and adoption of hybrid and cloud-based infrastructure, the level of speed and automation across IT
environments, and an increasing reliance on SaaS applications, significantly impact how organizations approach security and identity management. Until a few
years ago, organizations would typically prioritize protection of their most critical systems and data, with a particular focus on protecting privileged access.
“Privileged users” were understood at the time to be mostly IT administrators accessing shared administrative accounts in systems and applications. However, in
today’s cloud and SaaS environment, every identity can become privileged under certain conditions.
30
All identities operating in a modern environment (such as employees, partners, IT administrators, DevOps team members and developers, applications and
robots, vendors and customers) might have some level of privilege that, if improperly secured, can provide an attack path into an organization’s most valuable
assets. This trend is coupled with the rapid expansion and adoption of hybrid and cloud infrastructure, applications and APIs, mobile and remote workers, and
use of third parties. We now live in a world where the number, types and interrelationships of identities have exploded, creating new dimensions to the threat
landscape.
In addition, the underlying environments are highly dynamic with much more ephemeral infrastructure where compute capacity is easily scaled up or scaled
down. The rates of change in these modern environments are exponentially faster, which requires organizations to implement more automation into their identity
security controls for both traditional and cloud native applications built using DevOps methodologies.
Zero Trust Security: A conventional security approach that relies on perimeter-based security is relatively less effective and applicable in a modern
environment, as organizations adopt cloud and SaaS applications and as more of the workforce continues to work remotely. In parallel, it has become
increasingly difficult to keep attackers out of an organization’s network altogether. The expansion of the attack surface and prevalence of threats has led to a
growing application of a zero trust approach to security.
While traditional, perimeter-based security relies on a strategy of trying to separate legitimate users from threat actors and assumes that systems and traffic
within the corporate networks and data centers can be trusted, zero trust assumes that the threat actors have already established a network presence and have
access to an organization’s applications and systems. In a zero trust security model, organizations aim to have every identity continuously authenticated and
authorized before granting it access.
“Zero trust” is not a single technology, but an approach that ensures every user’s identity is verified, their device is validated, and their access is intelligently
limited to just what they need – and taken away when they no longer need it. CyberArk’s Identity Security solutions deliver capabilities that are foundational to
adopting a zero trust approach.
Skills Gap: The skills gap in cybersecurity creates meaningful challenges, not only for Chief Information Security Officer (CISO), but also for implementing
mission-critical strategic initiatives. As cloud adoption accelerates the speed of business, companies are relying more heavily on applications, technology and
automation to compete. CISOs are evaluating staffing requirements for adding new security tools and implementing new projects and business initiatives. To
address the staffing shortage and skills gap, organizations are looking at opportunities to consolidate vendors and increase the implementation of automation to
free up security and IT teams to focus on more value-added initiatives.
Governance and Compliance: Industry regulations such as the Sarbanes Oxley Act, HIPAA, GDPR, U.K. Data Protection Act 2018 (UK DPA) and the UK
GDPR, Digital Operational Resilience Act, California Privacy Rights Act, EU AI Act, and industry frameworks, such as the Payment Card Industry Data
Security Standard, SWIFT Customer Security Controls Framework, U.S. National Institute of Standards and Technology (NIST) and the Center for Internet
Security, for example, require and/or reflect strong Identity Security controls as an important part of safeguarding data privacy and data sovereignty. Interest in
CyberArk’s Identity Security solutions is also being fueled by customers who are purchasing cyber insurance policies, engaging in diligence as part of a
corporate transaction, or recovering from a major cybersecurity incident; and in each of these cases, customers need to demonstrate a sound plan to implement
and manage Identity Security controls to obtain insurance coverage and lower their premiums.
Spectrum of Identities
In a modern enterprise, securing identities requires a comprehensive strategy that spans four critical segments: workforce, IT professionals, developers, and
machine identities. Each of these groups introduces unique risks and complexities, driven by the resources they access and their typical activities. Relying on
separate tools or vendors to manage these identities in isolation is inefficient and leaves organizations vulnerable. Recent breaches underscore that simply
managing identities is not enough. Applying appropriate privilege controls across all identity types is essential for reducing risk.
31
A Closer Look at Identity Segments and Risk Levels
•
Workforce Users: This segment includes employees accessing endpoints, applications, and data for daily tasks. The risk profile varies depending on the
sensitivity of resources accessed. For example, application administrators managing SaaS platforms represent a higher risk due to their elevated
permissions within critical systems.
•
IT Professionals: The IT group encompasses roles that have evolved from traditional infrastructure management to include cloud administrators and
DevOps engineers. With the ability to configure cloud environments and modify workloads, IT professionals present a higher level of complexity and
potential impact on enterprise security.
•
Developers: Developers hold powerful access to code repositories, workloads, and applications. Their capability to alter code, combined with persistent
cloud access, poses significant risks, particularly in dynamic DevOps environments where rapid changes demand continuous security vigilance.
•
Machine Identities: Spanning AI, workloads and devices, machine identities require secure communication using secrets, certificates, and tokens. As
their numbers multiply, managing the complexity of their interactions and privileges becomes increasingly challenging.
Every identity, whether human or machine, has the potential to become privileged or high risk. Traditional approaches to identity security no longer suffice. By
applying consistent privilege management across the entire identity spectrum, organizations can reduce security gaps and operational complexity. This holistic
framework positions CyberArk to extend its reach beyond its traditional IT administrator stronghold, securing the entire workforce and the expanding universe
of machine identities.
Our Solutions
Our solutions are comprised of:
Workforce
The CyberArk Identity Security platform ensures a security-first approach to giving users seamless access to the right resources at the right time. Our workforce
solutions not only reimagine what it means to protect users beyond legacy access management capabilities like Multi-factor Authentication (MFA) and Single
Sign-on (SSO), but also add additional, modern access management capabilities like secure browsing and workforce password management. We also layer in
the right level of privilege controls, like endpoint privilege security and secure web sessions, because privileged users are no longer just IT administrators.
While performing their duties, members of the workforce travel the risk spectrum, moving between typical and high-risk access throughout the day depending
on the tools they access and the tasks they are performing.
32
IT
The CyberArk Identity Security Platform provides end-to-end security for IT administrators, third-party vendors and cloud operations teams across hybrid
environments with our PAM capabilities. The platform secures high-risk access used to migrate, scale and operate applications on-premises or in the cloud. It
supports shared or federated access for customer-facing or internal applications. It layers the needed access management capabilities with the right level of PAM
and governance across the various types of identities. Additionally, the Platform offers role-specific least privilege, just-in-time and Zero Standing Privilege
workflows. By providing the right level of privilege control with the right type of access, organizations can protect the working environment of the most
targeted users in the organization.
Developers
The CyberArk Identity Security Platform provides extensive controls to secure native access to every layer of a cloud environment – from Cloud Native services
to dynamic workloads running on the cloud, to lift-and-shift workloads and SaaS applications. The solution helps organizations to better control and secure
multi-cloud environments, elevating just-in-time access with Zero Standing Privileges. By taking this approach, developers receive the permissions they need to
do their job, while reducing risks of credential theft by removing excessive access and unnecessary entitlements. Developers retain their native user experience
without impacting their productivity.
Machine Identities
Credentials in application code and across the software supply chain are increasingly being targeted for cyberattacks. With CyberArk, organizations can
establish strong machine authentication, provide secure standing access or just-in-time access, and centrally rotate and manage credentials. By replacing
hardcoded and static secrets with rotated and dynamic secrets, the platform dramatically increases security while avoiding significant change to developer
workflows.
For organizations looking to combine secure access for developers, cloud teams and the secrets that they use, our developer solution can be combined with our
machine solutions to secure access to the layers of the cloud environment and provide a centralized secrets management capability to ensure developers can
continue to move at the speed of the business while remaining secure.
Our Capabilities
Our Identity Security Platform provides a complete and flexible set of Identity Security capabilities across four main areas: (1) Contextual Discovery of Risk,
(2) Automated Lifecycle, (3) Automated Policy, and (4) Privilege Controls and Compliance.
33
These capabilities are delivered by our CyberArk Identity Security Platform across the following categories:
Privileged Access Management
CyberArk’s PAM solutions can be used to secure, manage, and monitor privileged access. Privileged accounts can be found on endpoints, in applications, and
from hybrid to multi-cloud environments.
•
Privileged Access Manager. CyberArk Privileged Access Manager and CyberArk Privilege Cloud include risk-based credential security and session
management to protect against attacks involving privileged access. CyberArk’s self-hosted Privileged Access Manager solution can be deployed in a
self-hosted data center or in a hybrid cloud or a public cloud environment. CyberArk Privileged Cloud is a SaaS solution.
•
Remote Access. CyberArk Remote Access is a SaaS solution that integrates with Privileged Access Manager or Privilege Cloud to provide fast, easy
and secure privileged access to third-party vendors who need access to critical internal systems via CyberArk, without the need to use passwords. By
not requiring VPNs or agents, Remote Access removes operational overhead for administrators, makes it easier and quicker to deploy and improves
organizational security.
•
Secure Infrastructure Access. CyberArk Secure Infrastructure Access is a SaaS solution that provisions just-in-time (JIT), privileged access to
infrastructure. The solution leverages attribute-based access control and full session isolation to drive measurable risk reduction. Secure Infrastructure
Access allows organizations to unify controls for JIT and standing privileged access across public cloud and on-premises systems, enabling operational
efficiencies while progressing towards Zero Standing Privileges and zero trust initiatives.
Endpoint Privilege Security
•
Endpoint Privilege Manager. CyberArk Endpoint Privilege Manager is a SaaS solution that secures privileges on the endpoint (Windows servers,
Windows desktops and Mac desktops) and helps contain attacks early in their lifecycle. It enables revocation of local administrator rights, while
minimizing impact on user productivity, by seamlessly elevating privileges for authorized applications or tasks. Application control, with automatic
policy creation, allows organizations to prevent malicious applications from executing, and runs unknown applications in a restricted mode. This,
combined with credential theft protection, helps prevent malware such as ransomware from gaining a foothold and designed to contain attacks on the
endpoint.
•
Secure Desktop. CyberArk Secure Desktop is a solution that lets businesses protect access to endpoints and enforce the principle of least privilege
without complicating IT operations or hindering user productivity. The unified endpoint multifactor authentication and privilege management solution
helps organizations strengthen access security, optimize user experiences, and eliminate the manually intensive, error-prone administrative processes
that can lead to overprovisioning and privilege abuse.
34
Workforce & Customer Access
We deliver robust IDaaS which provides a comprehensive, security-first approach to managing identities that is both adaptive and context-aware. CyberArk
Identity includes capabilities to secure both workforce and customer identities.
Workforce Identity Security Capabilities:
•
Adaptive MFA. Adaptive MFA enforces risk-aware and strong identity assurance controls within an organization. These controls include a broad range
of built-in authentication factors such as passwordless authenticators like Windows Hello and Apple TouchID, high assurance authenticators like USB
security keys, and our patented Zero Sign-on certificate-based authentication.
•
Single Sign-On. SSO facilitates secure access to many different applications, systems, and resources while only requiring a single authentication. Our
SSO capability offers a modern identity provider supporting popular SSO protocols to any system or app that supports SAML, WS-Fed, OIDC and
OAuth2, as well as an extensive application catalogue with out-of-the-box integration for thousands of applications.
•
Secure Web Sessions. Secure Web Sessions records, audits and protects end-user activity within designated web applications. The solution uses a
browser extension on an end-user’s endpoint to monitor and segregate web apps that are accessed through SSO and deemed sensitive by business
application owners, enterprise IT and security administrators.
•
Workforce Password Management. CyberArk Workforce Password Management is an enterprise-focused password manager providing a user-
friendly solution to store data from business applications -like website URLs, usernames, passwords and notes, in a centralized vault and securely share
it with other users in the organization.
•
Application Gateway. With the CyberArk Identity Application Gateway service, customers can enable secure remote access and expand SSO benefits
to on-premises web apps, like SharePoint and SAP, without the complexity of installing and maintaining VPNs.
•
Identity Lifecycle Management. This module enables CyberArk Identity customers to automate the joiner, mover, and leaver processes within the
organization. This automation is critical to ensure that privileges do not accumulate, and a user’s access is turned off as soon as the individual changes
roles or leaves the organization.
•
Directory Services. Allows customers to use identity where they control it. In other words, we do not force our customers to synchronize their on-
premises Active Directory implementation with our cloud. Our cloud architecture can work seamlessly with existing directories, such as Active
Directory, LDAP-based directories, and other federated directories. CyberArk Identity also provides its own highly scalable and flexible directory for
customers who choose to use it.
•
Customer Identity offers authentication and authorization services, MFA, directory, and user management to enable organizations to provide
customers and partners with easy and secure access to websites and applications.
•
Secure Browser. The CyberArk Secure Browser is a hardened and purpose-built technology that further extends the CyberArk Identity Security
Platform to the web browser. It provides enhanced security, privacy and productivity across the enterprise, while delivering a familiar and customized
user experience. The CyberArk Secure Browser minimizes the risk of unauthorized access by helping to prevent the malicious use of compromised
identities, endpoints, and credentials both at and beyond the login stage. It provides secure access to sensitive data for the complete workforce across
the complete identity journey. By providing a centralized, consistent and secure launchpad to every resource and application across the enterprise, it can
help safeguard the most sensitive and valuable resources while increasing productivity and privacy.
Identity Management
Our capabilities in Identity Management include Lifecycle Management, Identity Flows, Identity Compliance and directory services. Our Identity Management
solutions are designed to provide a single view of who has access to what, ensuring that the right access is granted for the right amount of time to the right
people. CyberArk Lifecycle Management streamlines provisioning and management of entitlements throughout a user’s employment, including approval
workflows, access certifications and providing and revoking access. CyberArk Identity Flows is a no-code identity management workflow solution that reduces
complexity and manual tasks to easily create workflows and automate business processes. CyberArk Identity Compliance enables customers to discover, certify,
remediate and audit access, ensuring that an organization can implement zero trust across the enterprise. On February 12, 2025, we completed the acquisition of
Zilla, a leader in modern IGA solutions. Zilla’s innovative, AI-powered IGA capabilities will expand our industry-leading Identity Security Platform with
scalable automation that enables accelerated identity compliance and provisioning across digital environments, while maximizing security and operational
efficiency.
35
Cloud Security
Secure Cloud Access. Secure Cloud Access is a service provided from the Identity Security Platform, offering secure, native access to cloud consoles, native
services and workloads with zero standing privileges. This service addresses the needs of developers, site reliability engineers and administrators accessing
services in their cloud environments via the console or command line interface (CLI). Secure Cloud Access greatly reduces the risk of compromised access in
the public cloud, while providing native user experiences for the Cloud Engineering and DevOps teams leading digital transformation.
Machine Identity Security
Our machine identity security capabilities provide comprehensive solutions for securing and managing machine credentials, keys, secrets and certificates that
are essential for establishing trusted communications between machines, applications, and digital services. With advanced automation, we help organizations
discover, manage, and rotate machine identities across hybrid and multi-cloud environments to prevent unauthorized access and reduce the risk of data breaches.
The platform integrates seamlessly with existing DevOps tools and CI/CD pipelines, such that security does not compromise speed or agility in modern
development workflows. By enforcing consistent policies, reducing certificate-related outages, and enhancing visibility into machine identity usage, we deliver
significant value by strengthening overall security posture, mitigating operational risks, and ensuring compliance with regulatory requirements.
Machine Identity Security Capabilities:
•
Secrets Manager Credential Providers. Credential Providers can be used to provide and manage the credentials used by third-party solutions such as
security tools, RPA, and IT management software, and can also support internally developed applications built on traditional monolithic application
architectures. Credential Providers works with CyberArk’s on-premises and SaaS-based solutions.
•
Conjur Enterprise and Conjur Cloud. For cloud-native applications built using DevOps methodologies, Conjur Enterprise and Conjur Cloud provide
a secrets management solution tailored specifically to the unique requirements of these environments delivered either on-premises or in the cloud. We
also provide an open-source version to better meet the needs of the developer community.
•
Secrets Hub. CyberArk Secrets Hub enables security teams to have centralized visibility and management across secrets in native vaults, such as AWS
Secrets Manager and Azure Key Vault, without impacting developer workflows.
•
Venafi TLS Protect. Venafi TLS Protect allows security teams, application owners and developers to effectively keep up with the rapid growth of
transport layer security (TLS) machine identities to prevent outages, while also improving security by minimizing risks introduced by humans and
manual processes. TLS Protect identifies all TLS keys and certificates, continually validates that they are installed and operating properly and
automates the TLS machine identity lifecycle.
•
Venafi TLS Protect for Kubernetes. Venafi TLS Protect for Kubernetes helps organizations easily and reliably manage their machine
identity security infrastructure in complex multicloud and multicluster environments. It provides the enterprise with discovery, observability, control
and consistency of cloud native machine identities (e.g., TLS, mTLS, SPIFFE) to improve application reliability and reduce development and
operational costs.
•
Venafi Zero Touch PKI. Venafi Zero Touch PKI is a SaaS-based service with effortless onboarding provided by Venafi experts. A modern PKI is built
to customer specifications, leveraging the certificate authorities, roots and intermediaries needed by a customer’s business. Each customized PKI is
designed with current best practices for design, deployment and security in mind, so that the PKI leverages the latest capabilities and protocols.
•
Venafi SSH Protect. Venafi SSH Protect discovers SSH host and authorized keys throughout a customer’s infrastructure and adds them to
a continually updated inventory. In this database, the type of key, location of all copies, public and private components, algorithm and key sizes are
routinely assessed and tracked.
•
Venafi Firefly. Venafi Firefly is a workload identity issuer to give cloud security and information security teams superior governance, compliance and
consistency for authenticating all types of workloads across clouds, platforms and application environments. Firefly bootstraps ephemeral trust anchors
for issuing validated short-lived identities in the environment in which the workload is running. This provides a developer-friendly, enterprise-scale
trust root system with security governance, providing consistent and compliant workload authentication.
•
Venafi CodeSign Protect. Venafi CodeSign Protect secures enterprise code signing processes by providing centralized and secure key storage along
with role-based policy enforcement. Providing code signing-as-a-service reduces the burden on development teams by integrating with the tools and
processes they already use.
36
Core Technology
Our platform provides a comprehensive and flexible set of Identity Security capabilities that leverage the following core technologies:
CORA AI. CyberArk CORA AI provides identity security focused AI embedded across the CyberArk Identity Security Platform, making organizations more
secure, efficient and effective. CyberArk offers detection and response-focused capabilities to increase a customer’s security levels and time saving capabilities
with ease-of-use assistance powered by generative AI. By fundamentally transforming how users interact with and get insights from the Platform, CyberArk
CORA AI boosts security, productivity, and time to value.
Secure Digital Vault Technology. Our proprietary Digital Vault technology provides a highly secure, isolated environment, independent of other software, and is
engineered with multiple layers of security. Our on-premises and SaaS PAM offerings use the highly secured Digital Vault to safely store, audit and manage
passwords, privileged credentials, policy information and privileged access session data.
Privileged Session Recording and Controls. Our innovative privileged session recording and control mechanisms provide the ability to isolate an organization’s
IT systems from end-user desktops, while monitoring and auditing privileged session activities. The architecture blocks direct communication between an end-
user’s desktop and a target system, thus preventing potential malware on the desktop from infiltrating the target system. This architecture further ensures that
privileged credentials will remain protected and will not be exposed to the end-user or reach the desktop. CyberArk session monitoring solutions support native
connectivity, whether from browser, native remote desktop protocol or SSH tools, and via the CLI. Risk scoring can be applied to each recorded session,
automating the review of all privileged sessions and enabling auditors to prioritize and deprioritize workloads based on risk.
Secure Remote Access. The cloud-based, multifactor authentication provided with Remote Access leverages the biometric capabilities from smartphones which
in turn allows authorized remote vendors simple just-in-time secure privileged access. Once authenticated, all privileged sessions are automatically recorded for
full audit and monitored in real-time.
Strong Application Authentication and Credential Management. The Secrets Manager architecture allows an organization to eliminate hard-coded application
credentials, such as passwords and encryption keys, from applications and scripts. Our secure, proprietary technology permits authentication of an application
during run-time, based on any combination of the application’s signature, executable path or IP address, and operating system user. Following application
authentication, the authenticated application uses a secure API, to request privileged account credentials during run-time and, based on the application
permissions in Privileged Access Manager, up-to-date credentials are provided to the application.
Strong Endpoint Security. Our endpoint agent technology provides policy-based privilege management, application control and credential theft protection
capabilities. The agent detects privileged commands, and application installation or invocation on the endpoint to validate whether it is permissible in
accordance with the organization’s security policy, otherwise blocking the operation or allowing it to run in a restricted mode. Having users operate in a least
privilege mode together with our agent-based technology effectively reduces the attack surface that attackers or malware can exploit. The solution leverages
third-party threat and reputation information to further strengthen controls and block bad or malicious applications based on such security intelligence.
Distributed Workload Identity Issuance: Our innovative workload identity issuance technology allows modern and legacy workloads to obtain trusted and
verifiable machine identities to enable secure access between workloads in multi-platform environments. This technology is highly embeddable and provides
development teams with the freedom of choice and agility they need while also providing security teams the control and governance they want.
37
SaaS Extensibility & Cloud Service Provider Integration: Developer Central provides all the essential resources (APIs, SDKs, Recipes) that developers require
to efficiently build, integrate, and customize solutions that enhance the security and management of machine identities. CyberArk integrates seamlessly with all
major cloud service providers in an agent-less manner to secure machine identities within those environments, simplifying machine identity security across all
cloud service provider environment.
Our Customers
As of December 31, 2024, we had more than 9,700 customers. Our customers include leading organizations in a diverse set of industries, including financial
services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology and telecommunications, as well as government agencies.
Our business is not dependent on any particular customer. No customer or channel partner accounted for more than 10% of our revenues in the last three years.
Our diverse global footprint is evidenced by the fact that in 2024, we generated 50.3% of our revenues from customers in the United States, 31.1% from the
EMEA region and 18.6% from the rest of the world, including countries in North and South America other than the United States, and countries in the Asia
Pacific and Japan region.
Go-to-Market
Marketing
Our marketing strategy is focused on further strengthening our brand and market leadership position, communicating the benefits of our solutions to our target
audiences, driving market engagement, and creating a pipeline with prospects, resulting in an increase in sales to existing and new customers. We are uniquely
positioned as the global leader in Identity Security, trusted by organizations around the world to secure human and machine identities in the modern enterprise.
Our AI-powered Identity Security Platform applies intelligent privilege controls to every identity with continuous threat prevention, detection and response
across the identity lifecycle. With CyberArk, organizations can minimize operational and security risks by enabling zero trust and least privilege with complete
visibility, empowering all users and identities, including workforce, IT, developers and machines, to securely access any resource, located anywhere, from
everywhere.
We execute our strategy by leveraging a combination of internal marketing professionals and a network of channel partners to communicate our value
proposition and differentiation for our solutions, generating qualified leads for our sales force and channel partners. Our marketing efforts include global
inbound and outbound demand generation campaigns, account-based marketing, highly targeted brand awareness campaigns, public relations in multiple
geographies, analyst relations, and the publication of a broad array of content made available through our website. We also participate in key industry events
around the world, engaging with audiences through exhibits and demonstrations, speaking sessions and executive meetings.
In May 2024, we hosted our 18th annual CyberArk IMPACT Conference for customers, partners and prospects in Nashville, TN. In addition, we executed a
series of IMPACT World Tour events in 20 other cities around the globe, with hundreds of customers, partners and prospects attending at each location. With
more than 8,000 attendees, IMPACT and IMPACT World Tour represent the largest Identity Security conference worldwide.
Sales
We believe that our hybrid sales model, which combines the leverage of high-touch, channel sales with the account control of direct sales, has played an
important role in the growth of our customer base to date. We maintain a highly trained sales force that is responsible for developing and closing new business,
the management of relationships with our channel partners and the support and expansion of relationships with existing customers. Our sales organization is
organized by geographic regions, consisting of the Americas, EMEA, Asia Pacific and Japan. As of December 31, 2024, our global network of channel partners
consisted of more than 1,500 global system integrators, managed service providers, solution providers, strategic outsourcers, advisories and distributors, as well
as global and regional marketplaces. Our channel partners generally complement our sales efforts by helping identify potential sales targets, maintaining
relationships with certain customers, introducing new solutions to existing customers, and offering post-sale professional services and technical support. In
2024, we generated approximately 19% of our revenues from direct sales from our field offices located throughout the world. We work with many global
systems integration partners and several leading regional security value added resellers, such as Optiv Security Inc., Merlin International, Computacenter United
States Inc., Netpoleon, SHI, M.Tech and GuidePoint Security. These companies were each among our top 15 channel partners in 2023 and 2024 by revenues,
and we have derived a meaningful amount of revenues from sales to each of them during the last two years. Further, we work with advisory firms such as
Deloitte, PricewaterhouseCoopers LLP, and KPMG in co-marketing and co-delivery of our solutions and providing implementation services to our customers.
38
Through CyberArk’s C3 Alliance, our global technology partner program, we bring together enterprise software, IT, Security, and cloud providers to build on the
power of Identity Security to better protect customers from cyber threats. Our CyberArk Marketplace provides a trusted platform for customers to easily find
and deploy integrations from the C3 Alliance, partners, and community members.
In 2025, we plan to make our Managed Service Provider SaaS Solution generally available to simplify and improve the operations and security of our managed
service provider tenants, with the goal of enabling simple customer onboarding and management, including the monitoring of their environments and usage.
Our sales cycle varies by customer size, the number of solutions purchased and the complexity of the customer’s IT infrastructure, ranging from several weeks
for incremental sales to existing customers to several months for large deployments. We also typically experience seasonality in our sales, particularly
demonstrated by increased sales in the last month of a quarter and the last quarter of the year. To support our broadly dispersed global channel partners and
customer base in our hybrid model, we had sales personnel in 48 countries as of December 31, 2024. We plan to continue investing in our sales organization to
support both the growth of our channel partners and our direct sales organization.
Professional and Support Services
Maintenance and Support
Our maintenance and support program provides all customers who purchase maintenance and support in conjunction with their perpetual licenses, and
customers who purchase self-hosted and SaaS subscriptions, the right to software bug repairs, the latest software enhancements, and updates on an if-and-when
available basis during the maintenance period or subscription term, and access to our technical support services. Customers who purchase maintenance and
support in conjunction with their initial perpetual license purchase typically buy for one year or three years and can subsequently continue to renew maintenance
and support for additional one- or three-year periods. These two alternative maintenance and support periods are common in the software industry. Customers
typically pay for each alternative in full at the beginning of their terms. However, in select situations, customers can opt for annual payments.
Our technical support services are provided to perpetual and subscription customers via our online support center, which enables customers to submit new
support queries and monitor the status of open and past queries. Our online support system also provides customers with access to our CyberArk Knowledge
Base, an online user-driven information repository that provides customers with the ability to address their own queries. Additionally, we offer email and
telephone support during business hours to customers that purchase a standard support package and 24/7 availability to customers that purchase our 24/7 support
or subscription package.
Our global customer support organization has expertise in our software and how it interacts with complex IT environments. We typically provide all levels of
support directly to our customers. However, when sales are made through channels, the channel partner may provide the first and second level support, and we
typically provide third level support if the issue cannot be resolved by the channel partner.
Professional Services
Our solutions are designed to allow for online trials, or to allow customers to download, install and deploy them on their own or with training and professional
assistance. Our solutions are highly configurable, and many customers will select either one of our many trained channel partners or our CyberArk Security
Services team to provide expert professional services. Our Security Services team can be contracted to assist customers in planning, installing, and configuring
our solution to meet the needs of their security and IT environment, and provide technical account management services. Our Security Services team provides
ongoing consulting services regarding best practices for achieving Identity Security and recommends ways to implement our solutions to meet specific customer
requirements. Additionally, they share best practices associated with Identity Security to educate customers and partners on such best practices through virtual
classroom, live face-to-face, or self-paced classes. We also have Red Team services, which specialize in adversary simulations to test customers’ and prospects’
cloud and hybrid environments, DevOps pipelines and processes to help make their environment more secure.
39
In 2022, we expanded our professional services packages by offering outcome-based services that corresponded with each of our SaaS solutions. This was done
to complement our existing professional services solutions, which are aimed at delivering faster time to value and helping customers streamline the deployment
of certain CyberArk SaaS solutions, while providing a resource to help to implement a phased approach to a PAM program, from planning, to pilot, to
production.
The most comprehensive program of its kind, CyberArk Blueprint is designed to help customers take a future-proof, phased and measurable approach to
reducing Identity Security risks. The experience of the CyberArk Labs and Red Team (CyberArk teams involved in cybersecurity research) and incident
response engagements shows that nearly every targeted attack follows a similar pattern of identity and privileged credential compromise. These patterns
influenced CyberArk Blueprint’s three guiding principles, which are foundational to the program: prevent credential theft; stop lateral and vertical movement;
and limit privilege escalation and abuse. The CyberArk Blueprint uses a simple, prescriptive approach based on these guiding principles to reduce risk across
five stages of Identity Security maturity. Customers benefit from being able to prioritize quick wins, progressively address advanced Identity Security use cases,
and align security controls to digital transformation efforts across hybrid environments.
Research and Development
Continued investment in research and development is critical to our business. Our research and development efforts are focused primarily on improving and
continuing to enhance existing solutions, as well as developing new solutions, services, features and functionality to meet market needs. We believe the timely
development of new solutions and capabilities is essential to maintaining our competitive position. The majority of our newly released solutions are delivered as
SaaS, but we continue to invest in both our self-hosted and SaaS solutions, in which we regularly incorporate new features and enhancements to existing
features. Following the Venafi Acquisition, the scope of our research and development efforts have expanded in the domain of securing machine identities to
complement our existing suite of solutions. We also maintain a dedicated CyberArk Labs team that researches reported cyberattacks, emerging attack techniques
and post-exploit methods that lead to new security development initiatives for our solutions, and provides thought-leadership on new solutions capabilities and
targeted attack mitigation. As part of the expansion of our research and development and solutions development resources, we also have dedicated teams to
advance the use of AI and machine learning to improve security and productivity for our customers, by exploring opportunities to embed AI into our existing
solutions, as well as researching the impact of generative AI on attacker innovation to help evolve AI-powered defenses. Our CyberArk Labs research team is
also taking part in certain AI-related research, supported and funded by the Israeli Innovation Authority.
As of December 31, 2024, we had 1,205 employees focused on research and development. We conduct our research and development activities primarily in
Israel, as well as other locations such as the United States and India. We believe this provides access to world class engineering talent. Our research and
development expenses were $190.3 million, $211.4 million and $243.1 million in 2022, 2023, and 2024, respectively.
Intellectual Property
We rely on a combination of patent, trademark, copyright and trade secret laws, confidentiality procedures and contractual provisions to protect our technology
and the related intellectual property.
As of December 31, 2024, we had 189 issued patents in the U.S., and 46 pending U.S. patent applications. We also had 92 issued patents and 13 applications
pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional patent applications
in the future.
The inventions for which we have sought patent protection relate to current and future elements of our solutions and technologies. The following list of
solutions identifies some of those with patent-protected features, but other solutions may also be the subject matter of one or more patents: Privileged Access
Security (PAS) solutions, including Privileged Access Manager, Remote Access (Vendor Privileged Access Manager), Privileged Session Manager (PSM),
Enterprise Password Vault (EPV), Privilege Cloud, Secure Infrastructure Access (SIA), CyberArk DNA (Discovery and Audit), Privileged Threat Analytics
(PTA), Endpoint Privilege Manager (EPM), Sensitive Information Management (SIM) and Cloud Entitlements Manager (CEM); Secret Management Solutions,
including Conjur Enterprise, Conjur Open Source, Conjur Cloud, Credential Providers, Secretless and Secretless Broker; Access Management Solutions,
including CyberArk Identity, Workforce Identity, Customer Identity and Secure Web Sessions; and Machine Identity Solutions, including Venafi TLS Protect.
40
We generally enter into confidentiality agreements with our employees, consultants, service providers, resellers and customers and generally limit internal and
external access to, and distribution of, our proprietary information and proprietary technology through certain procedural safeguards. These agreements and
measures may not effectively prevent unauthorized use or disclosure of our intellectual property or technology and may not provide an adequate remedy in the
event of unauthorized use or disclosure of our intellectual property or technology.
Our industry is characterized by the existence of many relevant patents and frequent claims and related litigation regarding patent and other intellectual property
rights. Leading companies in the security industry have extensive patent portfolios. As our market position continues to grow, we believe that competitors will
be more likely to try to develop solutions that are like ours and that may infringe our proprietary rights. It may also be more likely that competitors or third
parties will claim that our solutions infringe their proprietary rights. From time to time, third parties have asserted and may assert their patent, copyright,
trademark and other intellectual property rights against us, our channel partners, users, or customers, whom our standard license and other agreements may
obligate us to indemnify against such claims under certain circumstances. Successful claims of infringement or misappropriation by a third party could prevent
us from developing, distributing, licensing, using certain solutions, performing certain services or could require us to pay substantial damages (including, for
example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed
copyrights), royalties or other fees. Such claims also could require us to expend additional development resources to attempt to redesign our solutions or
otherwise to develop non-infringing technology; enter into potentially unfavorable royalty or license agreements to obtain the right to use necessary
technologies or intellectual property rights; and to indemnify our customers and partners (and parties associated with them). Even if third parties may offer a
license to their technology, the terms of any offered license may not be acceptable, and the failure to obtain a license or the costs associated with any license
could cause our business, results of operations or financial condition to be materially and adversely affected.
Competition
The information security market in which we operate is characterized by intense competition, constant innovation, rapid adoption of different technological
solutions and services, and evolving security threats. We compete with multiple established and emerging companies that offer a broad array of information
security solutions that employ different approaches and delivery models. Given the complementary nature of many of our solutions with our competitors, in
some instances in the field, CyberArk’s team will work with a competitor on a customer engagement either directly or through one of our partners.
Specifically, our Identity Security Platform competes across a variety of markets and competitors, including, but not limited to:
•
PAM, including Endpoint Privilege Management, such as Delinea and BeyondTrust;
•
Access Management, such as Okta and Microsoft;
•
Secrets Management, such as Hashi Corporation;
•
Machine Identity, such as Keyfactor; and
•
Identity Governance and Administration, such as SailPoint and Saviynt.
The maturity and growth of the information security market could also make it appealing for new players, such as large or emerging cybersecurity vendors or
those in related markets, to enter markets where we specialize. For example, CrowdStrike, Okta and SailPoint have announced that they are introducing
solutions or intend to introduce solutions that provide features and functionality related to the PAM market. As cybersecurity vendors pivot their messaging
toward more identity-related use cases, it may create some confusion with customers who are evaluating the various alternatives. Given the importance of
identity in the attack chain, which is increasing demand for identity security solutions such as ours, larger vendors, including cloud hyperscalers and large
cybersecurity platform vendors, may meaningfully enter the identity security market. These organizations have extensive resources, and competing with them
could impact our business.
41
Additionally, consolidation among cybersecurity vendors may create an opportunity for our competitors and other cybersecurity vendors to provide a greater
breadth of offerings, including more integrations and bundled solutions. If customers trend towards consolidating with a vendor or vendors providing multiple
cybersecurity capabilities and we fail to successfully execute our development and sales strategy of delivering our solutions on a framework that can compete
effectively against such cybersecurity vendors, this may place us at a competitive disadvantage. Furthermore, organizations continuously evaluate their security
priorities and investments, and may allocate their information security budgets to other solutions and strategies, including solutions offered by our competitors,
and may not adopt or expand use of our solutions. Accordingly, we may also compete for budget priority, to a certain extent, with other cybersecurity solutions
offered by Microsoft, Palo Alto Networks, and CrowdStrike. The principal competitive factors in our market include:
•
the breadth and completeness of a security solution;
•
reliability and effectiveness in protecting, detecting and responding to cyberattacks;
•
analytics and accountability at an individual user level;
•
the ability of customers to achieve and maintain compliance with compliance standards and audit requirements;
•
strength of sale and marketing efforts, including advisory firms and channel partner relationships;
•
global reach and customer base;
•
scalability and ease of integration with an organization’s existing IT infrastructure and security investments;
•
brand awareness and reputation;
•
innovation, including AI and generative AI capabilities, and thought leadership;
•
quality of customer support and professional services;
•
the speed at which a solution can be deployed and implemented; and
•
the price of a solution, including bundled or free offerings, and cost of maintenance and professional services.
We believe we compete favorably with our competitors based on these factors. However, some of our current competitors may enjoy one or some combination
of potential competitive advantages, such as greater name recognition, longer operating history, larger market share, larger existing user base and greater
financial, technical, and operational capabilities. For more information regarding competition, see Item 3.D. Risk Factors — “We face intense competition from
a wide variety of information security vendors operating in different market segments and across diverse IT environments. This may challenge our ability to
maintain or improve our competitive position or to meet planned growth rates.”
Properties
Our corporate headquarters are in Petach-Tikva, Israel, in an office consisting of approximately 139,100 square feet to which we moved in September 2017. The
current lease expires in September 2027 with an extension option for one successive 24-month period. Our U.S. headquarters are in Newton, Massachusetts in
an office consisting of approximately 32,463 square feet. Portions of the lease expire between December 2025 and through April 2027. We maintain additional
offices, either through leases or through coworking arrangements, in Israel, the U.S., the U.K., Singapore, France, Germany, Spain, Italy, Bulgaria, Denmark,
Turkey, Australia, Japan, India, and the Netherlands. We believe that our facilities are sufficient to meet our current needs and that we will be able to obtain
additional facilities on commercially reasonable terms if we require additional space to accommodate our growth.
Internal Cybersecurity
As we offer Identity Security solutions and services, we are sensitive to potential cyberattacks that may result in unauthorized access to our information, and
potentially that of our customers. We are also aware that, as an Israeli company, we are likely to be targeted by cyber terrorists, cyber criminals, nation-state
actors, or nation-state affiliated actors. Any actual or perceived breach of our networks, systems or data could adversely impact the market perception of our
solutions and services and expose us to potential liability.
For more information regarding the risks involved with cybersecurity, see “Item 3.D. Risk Factors— Real or perceived security vulnerabilities and gaps in our
solutions or services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions, may result in significant
reputational, financial, and legal adverse impact” and “—If our IT network systems, or those of our third-party providers, are compromised by cyberattacks or
other security incidents, or by a critical system disruption or failure, then our reputation, financial condition and operating results could be materially adversely
affected.”
42
By staying informed on the latest cybersecurity threats and trends, we continuously focus on implementing and maintaining technologies and solutions to assist
in the prevention of potential cyberattacks, as well as protective measures and contingency plans in the event of an actual attack. We maintain cybersecurity risk
management policies and procedures, including internal controls, audits and disclosure protocols for handling and responding to cybersecurity events. These
policies and procedures include conducting regular penetration testing and security assessments to identify and address vulnerabilities, internal notifications and
engagements and, as necessary, cooperation with law enforcement. Our controls are designed to limit and monitor access to our systems, networks, and data,
prevent inappropriate or unauthorized access or modification, and monitor for threats or vulnerabilities. We periodically review and modify our cybersecurity
risk management policies and procedures to reflect changes in technology, the regulatory environment, industry and security practices and other business needs.
For example, we assess the impact of emerging technologies such as AI on our cybersecurity posture and adjust our security policies and security measures,
accordingly, including through the incorporation of advanced AI technologies into our solutions and systems like AI-powered threat detection and behavioral
analytics. We conduct periodic trainings for our employees, including on phishing, malware and other cybersecurity risks, and we have mechanisms in place
designed to promote rapid internal reporting of potential or actual cybersecurity breaches.
We continue to make significant investments in technical and organizational measures to establish and manage compliance with laws and regulations governing
our activities regarding protected data (such as GDPR), which enhance our data protection and cybersecurity. Furthermore, we monitor cybersecurity risks,
certifications or assessments at our third-party cloud infrastructure providers and other IT service providers and re-evaluate those contractual relationships as
appropriate.
The audit committee of our Board of directors periodically reviews our cybersecurity risks and controls with senior management, keeping our Board of directors
informed of key issues.
Government Regulations
For information regarding the material effects of government regulations, see “—Industry Background” above, “Item 3.D. Risk Factors— The dynamic
regulatory environment around privacy, data protection, and AI may limit our offering or require modification of our solutions, which could limit our ability to
attract new customers and support our current customers and increase our operational expenses. We could also be subject to investigations, litigation, or
enforcement actions alleging that we fail to comply with regulatory requirements, which could harm our operating results and adversely affect our business,”
“—We are subject to a number of regulatory and geopolitical risks associated with global sales and operations, which could materially affect our business,”
“The tax benefits that are available to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could increase
our costs and taxes,” and “Item 5. Operating and Financial Review and Prospects—Operating Results—Israeli Tax Considerations and Government Programs.”
Legal Proceedings
See “Item 8.A. Consolidated Statements and Other Financial Information—Legal Proceedings.”
C.
Organizational Structure
The legal name of our Company is CyberArk Software Ltd., and we are organized under the laws of the State of Israel.
43
The following table sets forth our significant subsidiaries, all of which are 100% owned directly or indirectly by CyberArk Software Ltd.:
Name of Subsidiary
Place of Incorporation
CyberArk Software, Inc.
Delaware, United States
Cyber-Ark Software (UK) Limited
United Kingdom
CyberArk Software (Singapore) Pte. Ltd.
Singapore
CyberArk Software (DACH) GmbH
Germany
CyberArk Software Italy S.r.l.
Italy
CyberArk Software (France) SARL
France
CyberArk Software (Netherlands) B.V.
Netherlands
CyberArk Software (Australia) Pty Ltd
Australia
CyberArk Software (Japan) K.K.
Japan
CyberArk Software Canada Inc.
Canada
CyberArk USA Engineering, GP, LLC
Delaware, United States
CyberArk Software (Spain), S.L.
Spain
CyberArk Software (India) Private Limited
India
C3M India Private Limited
India
CyberArk Turkey Siber Güvenlik Yazılımı Anonim Şirketi
Turkey
Venafi, Inc.
Delaware, United States
Venafi Ltd.
United Kingdom
Venafi EOOD
Bulgaria
Zilla Security, Inc.
Delaware, United States
D.
Property, Plant and Equipment
See “Item 4.B.—Business Overview—Properties” for a discussion of property, plant and equipment, as applicable.
ITEM 4A.
UNRESOLVED STAFF COMMENTS
Not applicable.
ITEM 5. OPERATING AND FINANCIAL REVIEW AND PROSPECTS
The following discussion and analysis should be read in conjunction with our consolidated financial statements and the related notes contained elsewhere in
this annual report. This discussion and analysis may contain forward-looking statements based upon current expectations that involve risks and uncertainties.
Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including those set forth in
“Item 3.D. Risk Factors” of this annual report. Our financial statements have been prepared in accordance with U.S. GAAP.
Company Overview
CyberArk is the global leader in identity security, trusted by organizations around the world to secure human and machine identities in the modern enterprise.
CyberArk’s AI-powered Identity Security Platform applies intelligent privilege controls to every identity with continuous threat prevention, detection and
response across the identity lifecycle. With CyberArk, organizations can minimize operational and security risks by enabling zero trust and least privilege with
complete visibility, empowering all users and identities, including workforce, IT, developers and machines, to securely access any resource, located anywhere,
from everywhere.
CyberArk secures human and machine identities with the right level of privilege controls to help organizations ensure secure access to critical business assets,
protect their distributed workforce and customers, and accelerate business in the cloud. Our Identity Security Platform contextually authenticates each identity,
dynamically authorizes the least amount of privilege required, secures credentials, and thoroughly audits the entire cycle – giving organizations peace of mind to
drive their businesses fearlessly forward.
As the category-defining leader in PAM, we are uniquely positioned to deliver on Identity Security because our core competency is securing the “keys to the
kingdom.” These “keys to the kingdom” enable our customers to control access to sensitive infrastructure and applications, keeping them out of the hands of
malicious or careless insiders or external attackers and preventing disruption to the business.
Securing these human and machine identities is now more important than ever. With the rapid rise in mobile workers, hybrid and multi-cloud adoption, AI and,
in particular, generative AI, and digitalization of the enterprise, physical and network security barriers are less relevant at securing data and assets than ever
before. Compromised identities and their associated privileges represent an attack path to an organization’s most valuable assets. We believe that identity has
become the new security perimeter and is at the foundation of zero trust security models. Our approach is unique since CyberArk recognizes that every identity
can become privileged under certain conditions, and we offer the broadest range of security controls to reduce risk while delivering a high-quality experience to
the end user. This includes securing workforce, IT, developer, partner, customer and machine identities by replacing complex, patchworked, and siloed legacy
access management solutions to improve security and operational efficiencies.
44
We believe an Identity Security Platform must do far more than manage one group of identities. It must provide solutions to secure all identities, across all
environments. Our goal is to reinvent and modernize capabilities across the established silos of AM, PAM, IGA, and MIM, while inventing new ways to secure
modern identities of all types.
In early 2024, we began selling solutions centered around solving critical customer security challenges for every type of identity: workforce, IT, developers and
machines. Our solutions are delivered through the CyberArk Identity Security Platform, which includes capabilities around PAM, AM, Secrets Management,
Endpoint Privilege Security, Secure Cloud Access and IGA. The solutions are offered through a simplified packaging and pricing model, facilitating a more
efficient buying process and enhancing our ability to secure a broader range of identities and for our customers to buy the capabilities they need to secure every
identity across the organization.
We sell our solutions primarily through subscriptions, including both SaaS and self-hosted subscriptions. We believe that ARR, subscription portion of ARR,
recurring revenues, Remaining Performance Obligations (RPO), deferred revenue and Net cash provided by operating activities are indicators of the overall
health of the business. For the full year 2024, we increased our ARR by 51% to $1.169 billion as of December 31, 2024. The growth in ARR was driven by an
increase in bookings from SaaS and self-hosted subscriptions. Our subscription revenues increased by 55% to $733.3 million in 2024, and recurring revenues
increased by 37% to $930.3 million in 2024.
We have made, and will continue to make, investments in research and development to broaden our platform capabilities, strengthen our existing solutions,
enhance user experience and develop additional automation and AI technologies. During the years ended December 31, 2022, 2023 and 2024, our revenues were
$591.7 million, $751.9 million and $1.0 billion, respectively, representing year-over-year growth of 27.1% and 33.1% in 2023 and 2024, respectively. Our net
loss for the years ended December 31, 2022, 2023 and 2024 was $(130.4) million, $(66.5) million and $(93.5) million, respectively.
We have also increased our number of employees and subcontractors from 3,018 as of December 31, 2023, to 3,793 as of December 31, 2024, including 405
employees from the Venafi acquisition. We intend to continue to execute our strategy of growing our business to meet the needs of our customers and to pursue
opportunities in new and existing verticals, geographies, and solutions. We intend to continue to invest in our sales and marketing teams, with a particular focus
on expanding our channel partnerships including managed service providers, targeting new customers, expanding our relationships with existing customers,
creating technology partnerships and further building out our customer success operations for existing customers.
Key Performance Indicators and Recent Business Developments
We are focusing on the following metrics to evaluate the health of our business:
Year ended December 31,
2022
2023
2024
($ in millions)
Total ARR (as of period-end)
$
570 $
774 $
1,169
Subscription Portion of ARR (as of period-end)
$
364 $
582 $
977
Recurring revenues
$
498 $
680 $
930
Deferred revenue (as of period-end)
$
408 $
481 $
692
RPO (as of period-end)
$
713 $
972 $
1,386
Net cash provided by operating activities
$
50 $
56 $
232
Annual Recurring Revenue (ARR) is a performance indicator that provides more visibility into the growth of our recurring business in the upcoming year. ARR
is defined as the annualized value of active SaaS, self-hosted subscriptions and their associated maintenance and support services, and maintenance contracts
related to the perpetual licenses in effect at the end of the reported period. ARR should be viewed independently of revenues and total deferred revenue as it is
an operating measure and is not intended to be combined with or to replace either of those measures. ARR is not a forecast of future revenues and can be
impacted by contract start and end dates and renewal rates. This visibility allows us to make informed decisions about our capital allocation and level of
investment.
45
Subscription Portion of Annual Recurring Revenue. The subscription portion of ARR is a performance indicator that provides more visibility into the area of the
business that will drive the long-term growth of our recurring business. The subscription portion of ARR is defined as the annualized value of active SaaS and
self-hosted subscription contracts in effect at the end of the reported period. The subscription portion of ARR excludes maintenance contracts related to
perpetual licenses. The subscription portion of ARR should be viewed independently of revenues and total deferred revenue as it is an operating measure and is
not intended to be combined with or to replace either of those measures. The subscription portion of ARR provides management with more visibility into our
revenue stream for the upcoming year. This visibility allows us to make informed decisions about our capital allocation and level of investment.
Recurring Revenue. Recurring revenue is defined as revenue derived from SaaS and self-hosted subscription contracts, and maintenance contracts related to
perpetual licenses during the reported period. Management monitors the growth of our recurring revenue to evaluate the health of our business. Recurring
revenue also provides enhanced visibility and predictability of future revenues.
Total Deferred Revenue. Our Deferred revenue consists of unrecognized amounts billed under SaaS, self-hosted subscription and maintenance and support
contracts, as well as professional services which have not yet been performed as of the balance sheet date, for which we have an unconditional right for a
consideration or have collected the amounts.
Remaining Performance Obligations. RPOs represent non-cancellable contracts that have not yet been recognized, which include deferred revenues and
amounts not yet received that will be recognized as revenue in future periods. Management monitors the value of RPOs to provide visibility into near term and
multi-year revenue streams. This visibility allows us to make informed decisions about our capital allocations and level of investment.
Net cash provided by operating activities. We monitor Net cash provided by operating activities as a measure of the amount of cash generated by the business
and our overall business performance. Our cash provided by operating activities is driven in part by up-front payments for subscription, maintenance and
professional services offerings. Monitoring cash provided by operating activities enables us to assess our financial performance, excluding non-cash effects of
certain items such as share-based compensation costs or depreciation and amortization, which allows us to better understand and manage the cash needs of our
business.
A.
Operating Results
For a discussion of our results of operations for the year ended December 31, 2022, including a year-to-year comparison between 2023 and 2022, refer to Item
5. “Operating and Financial Review and Prospects” in our annual report on Form 20-F for the fiscal year ended December 31, 2023, filed with the SEC on
March 13, 2024.
Components of Statements of Operations
Revenues
Our revenues consist of the following:
•
Subscription Revenues. Subscription revenues include SaaS and self-hosted subscription revenues, as well as maintenance and support services
associated with self-hosted subscriptions. Subscription revenues are generated primarily from sales of our PAM (Privilege Cloud and self-hosted),
EPM, Secrets Manager, Machine Identity Management, Remote Access, Workforce and Customer Access, Secure Cloud Access and Identity
Management. We see an increasing percentage of our business coming from our SaaS solutions, which have ratable revenue recognition, increasing our
total deferred revenue that will be recognized over time. Our SaaS and self-hosted subscriptions represented 73% of our total revenues in 2024, and we
expect our subscription revenues to continue to grow in the near and long term. Sale of our IT, Workforce and Developer solutions are licensed per user
through standard and enterprise packages. The enterprise packages include more features and functionality than the standard packages. EPM is licensed
by target system (workstations and servers). For Machine Identity Security, we have four solution packages, which combine our secrets management
and Venafi machine identity management capabilities to secure machines licensed per machine and credential. The first is our core secrets management
capabilities that secure secrets of all application types, DevOps and automation tools. The second is securing certificates and PKI for automated
management and renewal of certificates, which offers an easy way to adopt PKI as a service. The third solution is Securing Certificates within cloud
service providers, which introduces a combination of what was Venafi technology and CyberArk technology for securing secrets. The fourth is for
securing Kubernetes applications.
•
Perpetual License Revenues. Perpetual license revenues are generated primarily from sales of our PAM. We are seeing a single digit percentage of our
business coming from perpetual licenses, which have upfront revenue recognition. We expect revenues from perpetual licenses to continue to decrease
as a percentage of total revenue as we continue to operate as a subscription company.
•
Maintenance and Professional Services Revenues. Maintenance revenues are generated from maintenance and support contracts purchased by our
customers who bought perpetual licenses in order to gain access to the latest software enhancements and updates on an if-and-when available basis and
to telephone and email technical support. With the continued decline of new perpetual licenses and related new maintenance contracts, we are
expecting our total maintenance revenues to decline in the near and long term in absolute dollars. We also offer advanced services, including
professional services and technical account management, for consulting, deployment and training of our customers to fully leverage the use of our
solutions. We increasingly leverage partners to provide services around implementation and ongoing management of our solutions and we are shifting
our service delivery team toward higher value services that are often recurring in nature, like technical account management.
46
Geographic Breakdown of Revenues
The United States is our biggest market, with the balance of our revenues generated from the EMEA region and the rest of the world, which includes Canada,
Central and South America, and the Asia Pacific and Japan region. The following table sets forth the geographic breakdown of our revenues by region for the
periods indicated:
Year ended December 31,
2022
2023
2024
Amount
% of
Revenues
Amount
% of
Revenues
Amount
% of
Revenues
($ in thousands)
United States
$
312,816
52.9% $
393,355
52.3% $
503,359
50.3%
EMEA
178,344
30.1
225,738
30.0
311,595
31.1
Rest of World
100,550
17.0
132,795
17.7
185,788
18.6
Total revenues
$
591,710
100.0% $
751,888
100.0% $
1,000,742
100.0%
Cost of Revenues
Our total cost of revenues consists of the following:
•
Cost of Subscription Revenues. The cost of subscription revenues consists primarily of personnel costs related to our customer support and cloud
operations. Personnel costs consist primarily of salaries, benefits, bonuses and share-based compensation. The cost of subscription revenues also
includes cloud infrastructure costs, amortization of intangible assets and depreciation of internal use software capitalization. As our business grows,
including the expansion of our SaaS offerings, we expect the absolute cost of subscription revenues to increase. In addition, amortization of acquired
intangible assets included in cost of subscription revenue is expected to increase due to our recent acquisitions of Venafi and Zilla.
•
Cost of Perpetual License Revenues. The cost of perpetual license revenues consists primarily of appliance expenses and allocated personnel costs to
support delivery and operations related to perpetual licenses. Personnel costs consist primarily of salaries, benefits, bonuses and share-based
compensation. With perpetual licenses now making up a smaller part of our overall revenues, we expect the absolute cost of perpetual license revenues
and the cost of perpetual license revenues as a percentage of total revenues to decrease.
•
Cost of Maintenance and Professional Services Revenues. The cost of maintenance related to perpetual license contracts and professional services
revenues primarily consists of allocated personnel costs for our global customer support, customer success and professional services organization.
Personnel costs consist primarily of salaries, benefits, bonuses, share-based compensation and subcontractors’ fees. We anticipate the absolute dollars
associated with generating professional services revenues to increase due to our expanding customer base and ongoing investment in our services
teams, aimed at delivering exceptional customer experiences.
Gross Profit and Gross Margin
Gross profit is total revenues less total cost of revenues. Gross margin is gross profit expressed as a percentage of total revenues. Our gross margin has
historically fluctuated from period to period as a result of changes in the mix of revenues between SaaS, self-hosted Subscriptions and Perpetual Licenses, as
well as maintenance and professional services revenues, cloud infrastructure costs and personnel costs. Although we continue to streamline our cloud cost
management, we expect our gross margin to slightly decrease over time as the mix of our self-hosted subscription revenue continues to decrease.
47
Operating Expenses
Our operating expenses are classified into three categories: research and development, sales and marketing and general and administrative. For each category,
the largest component is personnel costs, which consist primarily of salaries, employee benefits (including commissions and bonuses) and share-based
compensation expense. Operating expenses also include allocated overhead costs for IT, facilities and office expenses, as well as depreciation and amortization.
Allocated costs for facilities and office expenses primarily consist of rent, office maintenance, utilities and office supplies. We expect personnel and all allocated
costs to continue to increase in absolute dollars as we hire new employees and add facilities to continue to grow our business.
Research and Development. Research and development expenses consist primarily of personnel costs attributable to our research and development personnel,
consultants and contractors, cloud infrastructure and software expenses, and allocated overhead costs. We expect that our research and development expenses
will continue to increase in absolute dollars as we continue to grow our research and development headcount to further strengthen our technology platform and
invest in the development of both existing and new solutions. At the same time, we expect our research and development expenses as a percentage of revenue to
decline as we recognize the benefits of being a recurring revenue company and as we scale the organization.
Sales and Marketing. Sales and marketing expenses are the largest component of our operating expenses and consist primarily of personnel costs, including
commissions, as well as marketing programs and promotional activities, software and related expenses, travel related expenses, amortization expense associated
with acquired customer relationships and trade names and allocated overhead costs. We continue to invest to extend the reach of our sales organization, which
means we continue to invest in both direct and indirect sales channels and related marketing expenses. We expect that sales and marketing expenses will
continue to increase in absolute dollars, as we plan to expand our GTM efforts globally. At the same time, we expect our sales and marketing expenses as a
percentage of revenue to decline, as we recognize the benefits of being a recurring revenue company and as we scale the organization. We continue to expect
that sales and marketing expenses will remain our largest category of operating expenses.
General and Administrative. General and administrative expenses consist primarily of personnel costs for our executive, finance, human resources, legal and
administrative personnel. General and administrative expenses also include acquisition and integration-related costs, external legal, audit, accounting and other
professional service fees, insurance premiums and software and related expenses. We continue to expect that general and administrative expenses will increase
in dollars as we grow and expand our operations.
Financial Income, Net
Financial income, net consists of mainly interest income, change in fair value of derivative assets, amortization of issuance costs, foreign currency exchange
gains or losses and foreign exchange forward transactions expenses. Interest income consists of interest earned on our cash, cash equivalents, short- and long-
term bank deposits, marketable securities and money market funds. We expect a reduction in interest income due to economic indicators pointing towards
continued interest rate cuts and lower cash balances and invested funds due to the acquisitions of Venafi and Zilla, which may be partially offset if our free cash
flow generation increases as we move through the year. Foreign currency exchange changes reflect gains or losses related to transactions denominated in
currencies other than the U.S. dollar.
Tax benefit (taxes on income)
Tax benefit (taxes on income) consists of taxes related to our activity in Israel, the United States, and numerous other foreign jurisdictions in which we conduct
business.
The ordinary corporate tax rate in Israel is 23.0%.
As discussed in greater detail below under “Israeli Tax Considerations and Government Programs,” we have been entitled to various tax benefits under the
Investment Law. Under the Investment Law, our tax rate to be paid with respect to our eligible Israeli taxable income under these benefits programs is generally
12%.
48
Under the Investment Law and other Israeli legislation, we are entitled to certain additional tax benefits, including accelerated deduction of research and
development expenses, accelerated depreciation and amortization rates for tax purposes on certain intangible assets.
Our non-Israeli subsidiaries are taxed according to the tax laws in their respective jurisdictions of tax residency. Due to our multi-jurisdictional operations, we
apply significant judgment to determine our consolidated income tax position.
For a reconciliation of our Tax benefit (taxes on income) to the theoretical income tax benefit according to Israeli statutory rate of 23% and for further
explanation of our provision for income taxes, refer to Note 15 to our consolidated financial statements included in Item 18 of this annual report.
Deferred tax assets are recognized for unused tax losses, unused tax credits, and deductible temporary differences to the extent that it is probable that future
taxable profits will be available, against which they can be used. Deferred taxes for each jurisdiction are presented as a net asset or liability, net of any valuation
allowances.
We establish a valuation allowance, if necessary, to reduce deferred tax assets to their estimated realizable value if it is more likely than not that some portion or
all of the deferred tax assets will not be realized
Significant judgment is required in evaluating our uncertain tax positions. We establish reserves for uncertain tax positions based on the evaluation of whether or
not our uncertain tax position is “more likely than not” to be sustained upon examination based on our technical merits. We record estimated interest and
penalties pertaining to our uncertain tax positions in the financial statements as income tax expense.
Comparison of Period-to-Period Results of Operations
The following table sets forth our results of operations in dollars and as a percentage of revenues for the periods indicated:
Year ended December 31,
2022
2023
2024
Amount
% of
Revenues
Amount
% of
Revenues
Amount
% of
Revenues
($ in thousands)
Revenues:
Subscription
$
280,649
47.4% $
472,023
62.8% $
733,275
73.3%
Perpetual license
49,964
8.5
21,037
2.8
14,449
1.4
Maintenance and professional services
261,097
44.1
258,828
34.4
253,018
25.3
Total revenues
591,710
100.0
751,888
100.0
1,000,742
100.0
Cost of revenues:
Subscription
46,249
7.8
74,623
9.9
115,852
11.6
Perpetual license
2,893
0.5
1,873
0.2
1,594
0.2
Maintenance and professional services
76,904
13.0
79,635
10.6
90,931
9.1
Total cost of revenues
126,046
21.3
156,131
20.7
208,377
20.8
Gross profit
465,664
78.7
595,757
79.3
792,365
79.2
Operating expenses:
Research and development
190,321
32.2
211,445
28.1
243,058
24.3
Sales and marketing
345,273
58.4
405,983
54.0
480,977
48.1
General and administrative
82,520
13.9
94,801
12.6
141,134
14.1
Total operating expenses
618,114
104.5
712,229
94.7
865,169
86.5
Operating loss
(152,450)
(25.8)
(116,472)
(15.5)
(72,804)
(7.3)
Financial income, net
15,432
2.6
53,214
7.1
56,838
5.7
Loss before taxes on income
(137,018)
(23.2)
(63,258)
(8.4)
(15,966)
(1.6)
Tax benefit (taxes on income)
6,650
1.1
(3,246)
(0.4)
(77,495)
(7.7)
Net loss
$
(130,368)
(22.0)% $
(66,504)
(8.8)% $
(93,461)
(9.3)%
49
Year Ended December 31, 2023 Compared to Year Ended December 31, 2024
Revenues
Year ended December 31,
2023
2024
Change
Amount
% of
Revenues
Amount
% of
Revenues
Amount
%
($ in thousands)
Revenues:
Subscription
$
472,023
62.8% $
733,275
73.3% $
261,252
55.3%
Perpetual license
21,037
2.8
14,449
1.4
(6,588)
(31.3)
Maintenance and professional services
258,828
34.4
253,018
25.3
(5,810)
(2.2)
Total revenues
$
751,888
100.0% $
1,000,742
100.0% $
248,854
33.1%
Revenues increased by $248.9 million, or 33.1%, from $751.9 million in 2023 to $1,000.7 million in 2024. This increase was primarily due to the growth of
SaaS and self-hosted subscription sales, partially offset by the decline in perpetual license sales. The increase of self-hosted subscription revenue was despite the
decline of self-hosted subscription contracts duration in 2024, compared to 2023. In addition, our strong SaaS and self-hosted subscription renewals further
contributed to the growth in 2024, and allowed CyberArk to maintain its base of recurring business and build the foundation for growth. The increase in
revenues was also due to the Venafi Acquisition, which closed on October 1, 2024, and contributed $47.1 million revenue in 2024. The largest increase in
revenue occurred in the United States, where revenues increased by $110.0 million, while the increase in EMEA and the rest of the world was $85.9 million and
$53.0 million, respectively. We increased our number of customers from over 8,800 as of December 31, 2023, to more than 9,700 as of December 31, 2024.
Subscription revenues increased by $261.3 million, or 55.3%, from $472.0 million in 2023 to $733.3 million in 2024 as we increased the mix of our subscription
sales. Subscription revenues from the Venafi acquisition were $41.4 million.
Perpetual license revenues declined by $6.6 million, or 31.3%, from $21.0 million in 2023 to $14.4 million in 2024. The decline in perpetual license revenue is
consistent with our transition from selling perpetual licenses to selling SaaS and self-hosted subscription licenses.
Maintenance and professional services revenues declined by $5.8 million, or 2.2%, from $258.8 million in 2023 to $253.0 million in 2024, which includes $5.6
million in revenues from the Venafi acquisition. Maintenance revenues declined by $10.6 million from $207.6 million in 2023 to $197.0 million in 2024.
Despite our strong renewal rates, we did not add enough maintenance associated with new perpetual license sales to offset churn and customers transitioning
from perpetual maintenance contracts to SaaS and self-hosted subscription contracts. Professional services revenues increased by $4.8 million from $51.2
million in 2023 to $56.0 million in 2024. The increase in professional services was driven by the expansion of our professional services packages, which often
include recurring services, and despite more work was performed by our partners in 2024, who transacted directly with customers.
50
Cost of Revenues and Gross Profit
Year ended December 31,
2023
2024
Change
Amount
% of
Revenues
Amount
% of
Revenues
Amount
%
($ in thousands)
Cost of revenues:
Subscription
$
74,623
9.9% $
115,852
11.6% $
41,229
55.2%
Perpetual license
1,873
0.2
1,594
0.2
(279)
(14.9)
Maintenance and professional
services
79,635
10.6
90,931
9.1
11,296
14.2
Total cost of revenues
$
156,131
20.7% $
208,377
20.8% $
52,246
33.5%
Gross profit
$
595,757
79.3% $
792,365
79.2% $
196,608
33.0%
Cost of subscription revenues increased by $41.2 million, or 55.2%, from $74.6 million in 2023 to $115.9 million in 2024. The increase in cost of subscription
revenues was primarily driven by a $19.3 million increase in amortization of intangible assets for acquired technology, mainly related to the Venafi acquisition,
a $13.1 million increase in personnel costs and related expenses due to increased headcount, including employees from the Venafi acquisition, a $7.8 million
increase in cloud infrastructure costs to support the growth in our SaaS revenues, and a $1.8 million increase in the use of third-party consultants for services
rendered, partially offset by a $2.1 million decrease in impairment of capitalized software development costs recognized in 2023, compared to no impairment
costs recognized in 2024.
Cost of maintenance and professional services revenues increased by $11.3 million, or 14.2%, from $79.6 million in 2023 to $90.9 million in 2024. The increase
in cost of maintenance and professional services revenues was primarily driven by an $11.8 million increase in personnel costs and related expenses, including
employees from the Venafi acquisition, partially offset by a $2.1 million decrease in the use of third-party consultants for services rendered.
Our headcount related to cost of revenues grew from 533 at the end of 2023 to 696 at the end of 2024.
Gross profit increased by $196.6 million, or 33.0%, from $595.8 million in 2023 to $792.4 million in 2024. Gross margins decreased from 79.3% in 2023 to
79.2% in 2024.
Operating Expenses
Year ended December 31,
2023
2024
Change
Amount
% of
Revenues
Amount
% of
Revenues
Amount
%
($ in thousands)
Operating expenses:
Research and development
$
211,445
28.1% $
243,058
24.3% $
31,613
15.0%
Sales and marketing
405,983
54.0
480,977
48.1
74,994
18.5
General and administrative
94,801
12.6
141,134
14.1
46,333
48.9
Total operating expenses
$
712,229
94.7% $
865,169
86.5% $
152,940
21.5%
Research and Development. Research and development expenses increased by $31.6 million, or 15.0%, from $211.4 million in 2023 to $243.1 million in 2024.
This increase was primarily attributable to a $25.3 million increase in personnel costs and related expenses due to higher headcount, including employees from
the Venafi acquisition. Additionally, there was a $5.8 million increase in cloud and software costs.
51
Our research and development team headcount grew from 922 at the end of 2023 to 1,205 at the end of 2024.
Sales and Marketing. Sales and marketing expenses increased by $75.0 million, or 18.5%, from $406.0 million in 2023 to $481.0 million in 2024. This increase
was primarily attributable to a $44.7 million increase in personnel costs and related expenses due to higher headcount in all regions, including employees from
the Venafi acquisition. The increase was also attributable to an $11.5 million increase in marketing expenses and sales events, an increase in amortization
expense of $6.6 million for acquired customer relationships and trade names in connection with the Venafi acquisition, a $4.6 million increase in the use of
third-party consultants for services rendered, a $4.3 million increase in cloud and software costs, and a $2.7 million increase in travel expenses.
Our sales and marketing headcount grew from 1,321 at the end of 2023 to 1,573 at the end of 2024.
General and Administrative. General and administrative expenses increased by $46.3 million, or 48.9%, from $94.8 million in 2023 to $141.1 million in 2024.
This increase was primarily attributable to an increase of $20.0 million in personnel costs and related expenses due to increased headcount. The increase was
also attributable to an increase of $21.8 million due to acquisition-related expenses and a $2.8 million increase in services fees for external legal counsel and
accounting advisors.
Our general and administrative headcount grew from 242 at the end of 2023 to 319 at the end of 2024.
Financial Income, Net. Financial income, net increased by $3.6 million, or 6.8%, from $53.2 million in 2023 to $56.8 million in 2024. This increase primarily
resulted from a change in fair value of derivative assets of $4.6 million, and an increase of $3.3 million in interest income despite the significant decrease in
investible funds due to the Venafi acquisition, mainly due to maximization of invested funds, partially offset by a $3.7 million increase in financial expenses
from foreign currency fluctuations.
Taxes on income. Taxes on income increased by $74.2 million, from $3.2 million in 2023 to $77.5 million in 2024. The increase was primarily attributed to the
establishment of a $65.4 million valuation allowance for certain deferred tax assets primarily in Israel, a $7.4 million increase in the liability for unrecognized
tax benefits and a $1.9 million tax liability resulting from intra-entity transactions related to the Venafi acquisition. The remaining increase is primarily
attributable to the decrease in loss before taxes on income offset by an $8.9 million increase in excess tax benefits of share-based compensation.
B. Liquidity and Capital Resources
We fund our operations primarily with cash generated from operating activities and, to a lesser extent, through exercised options. Our primary current uses of
our cash are ongoing operating expenses, strategic acquisitions and capital expenditures.
As of December 31, 2023 and 2024, our principal sources of liquidity were cash, cash equivalents, bank deposits and marketable securities of $1.3 billion and
$0.8 billion, respectively.
On October 1, 2024, we completed the acquisition of Venafi for acquisition consideration of a combination of $1.02 billion in cash and $0.64 billion in
CyberArk ordinary shares. Additionally, we have secured a $250 million committed revolving credit line facility, which is fully available for utilization, as
needed. Furthermore, in connection with the pricing of the 2019 convertible senior notes, we entered into a capped call transaction which was settled in cash for
$261.4 million on November 15, 2024, in conjunction with the maturity of the convertible senior notes.
We believe that our cash generated from operating activities, along with existing cash, cash equivalents, marketable securities and bank deposits will be
sufficient to fund our working capital and capital expenditures for at least the next 12 months and for the foreseeable future. Our future capital requirements will
depend on many factors, including our revenue growth rate, renewal rates and timing of renewals, the expansion of our sales and marketing activities, including
hiring, the timing and extent of spending to support solutions development efforts and expansion into new geographic locations, the timing of introductions of
new solutions, enhancements to existing solutions, the timing and extent of additional expenditures to invest in scaling our operations and the continuing market
acceptance of our offerings. We have, and may in the future, acquire or invest in complementary businesses and technologies.
52
The following table presents the major components of net cash flows for the periods presented:
Year Ended December 31,
2023
2024
($ in thousands)
Net cash provided by operating activities
$
56,204 $
231,887
Net cash used in investing activities
(85,828)
(346,262)
Net cash provided by financing activities
38,084
288,806
A substantial source of our net cash provided by operating activities is our deferred revenue, which is included on our consolidated balance sheet as a liability.
Our deferred revenue consists of unrecognized amounts billed under SaaS, self-hosted subscription and maintenance and support contracts, as well as
professional services which have not yet been performed as of the balance sheet date, for which we have an unconditional right for a consideration or have
collected the amounts as revenues. We assess our liquidity, in part, through an analysis of our short-term and long-term deferred revenue that has not yet been
recognized as revenues together with our other sources of liquidity. Revenues from SaaS contracts and maintenance and support associated with self-hosted
subscription and perpetual license contracts are recognized ratably on a straight-line basis over the term of the related contract, which is typically one year or
three years, and revenues from professional services are substantially recognized as services are performed. Thus, upfront payments add to the liquidity of our
operations since we frequently recognize self-hosted subscription, SaaS, maintenance and support and professional services revenues and expenses in
subsequent periods to when the payments may be received. The duration of our contracts also impacts our deferred revenue.
Net Cash Provided by Operating Activities
Our cash flow reflects our net loss coupled with changes in our non-cash working capital.
Operating activities provided $231.9 million of cash and cash equivalents for the year ended December 31, 2024, which reflects continued growth in revenue,
partially offset by our continued investments in our operations and the timing of working capital adjustments. Cash provided by operating activities reflected
$93.5 million of net loss, adjusted by $168.8 million of non-cash charges related to share-based compensation expense, $66.3 million decrease in deferred
income taxes, $42.0 million related to depreciation and amortization expenses, $2.7 million in non-cash interest expense related to the amortization of issuance
costs and a net change of $78.9 million in non-cash working capital, partially offset by a $28.7 million net change from other long-term assets and liabilities and
a $4.6 million net change in fair value of derivative assets.
The change of $78.9 million in non-cash working capital was due to a $135.2 million increase in short-term deferred revenue, an increase of $22.0 million in
employees and payroll accruals, an increase of $13.3 million in other current liabilities, and an increase of $11.0 million in trade payables, partially offset by an
increase of $93.3 million in trade receivables, and a $9.3 million net change from other current assets.
During the year ended December 31, 2023, operating activities provided $56.2 million in cash as a result of $66.5 million of net loss, adjusted by $140.1 million
of non-cash charges related to share-based compensation expense, $19.3 million related to depreciation and amortization expenses, $3.0 million in non-cash
interest expense related to the amortization of issuance costs and a net change of $9.2 million in non-cash working capital, partially offset by a $41.0 million net
change from other long-term assets and liabilities and a $7.9 million increase in deferred income taxes.
The change of $9.2 million in non-cash working capital was due to an $81.3 million increase in short-term deferred revenue, an increase of $7.0 million in
employees and payroll accruals, and an increase of $6.6 million in other current liabilities, partially offset by an increase of $65.7 million in trade receivables, a
$17.3 million net change from other current assets and a decrease of $2.7 million in trade payables.
During the years ended December 31, 2023 and 2024, our days’ sales outstanding (DSO) were 91 days and 105 days, respectively. The increase in DSO was
mainly due to the increase in open account receivable and unbilled account receivable as a result of an increase in sales.
53
Net Cash Used in Investing Activities
Investing activities have consisted of payments for business acquisitions, investment in, and proceeds from, short-term and long-term deposits, investment in,
and proceeds from sales and maturities of marketable securities and purchases of property and equipment.
Net cash used in investing activities was $85.8 million and $346.3 million for the years ended December 31, 2023 and 2024, respectively.
The increase of $260.5 million in net cash used in investing activities in 2024 was due to an increase in payments of $984.7 million, net of cash acquired, for
business acquisitions in connection with the Venafi acquisition, and an increase of $6.1 million in capital expenditures, partially offset by a $730.3 million net
increase in proceeds from short- and long-term deposits, marketable securities and others.
The increase of $17.4 million in net cash used in investing activities in 2023 was due to a net increase of $66.3 million in investments in short- and long-term
deposits, marketable securities and others, partially offset by a decrease of $41.3 million in payments for business acquisitions, net of cash acquired, and a
decrease of $7.6 million in capital expenditures.
Net Cash Provided by Financing Activities
Our financing activities have consisted of proceeds from settlement of capped call transactions, proceeds from shares issued in connection with our ESPP,
proceeds from the exercise of share options, payments of contingent consideration related to acquisitions, payment of convertible notes, proceeds from
(payments of) withholding tax related to employee stock plans and payment of equity issuance costs.
Net cash provided by financing activities was $38.1 million and $288.8 million for the years ended December 31, 2023 and 2024, respectively.
The increase of $250.7 million in net cash provided by financing activities in 2024 was due to an increase of $261.4 in proceeds from settlement of capped call
transactions and an increase of $3.7 million in proceeds from shares issued in connection with employee stock purchase plan, partially offset by a decrease of
$10.9 million in proceeds from withholding tax related to employee stock plans, a decrease of $2.8 million in proceeds from the exercise of stock options, an
increase of $0.5 million in payment of convertible notes and an increase of $0.2 million in payment of equity issuance costs.
The increase of $25.9 million in net cash provided by financing activities in 2023 was due to an increase of $11.4 million in proceeds from withholding tax
related to employee stock plans, an increase of $9.1 million in proceeds from the exercise of stock options, a decrease of $4.7 million in payments of contingent
consideration related to acquisitions, and an increase of $0.7 million in proceeds from shares issued in connection with employee stock purchase plan.
Our Material Contractual Obligations
The following table summarizes our contractual obligations as of December 31, 2024:
Total
Less than 1
year
1 – 3 years
3 – 5 years
More than 5
years
($ in thousands)
Operating lease obligations(1)
$
30,874 $
11,240 $
12,677 $
6,950 $
7
Uncertain tax obligations(2)
19,973
—
—
—
—
Severance pay(3)
9,115
—
—
—
—
Non-cancellable purchase obligations(4)
175,436
58,035
117,401
—
—
Total
$
235,398 $
69,275 $
130,078 $
6,950 $
7
(1)
Operating lease obligations consist of our contractual rental expenses under operating leases of facilities and certain motor vehicles.
(2)
Consists of accruals for certain income tax positions under ASC 740 that are paid upon settlement, and for which we are unable to reasonably estimate
the ultimate amount and timing of settlement. See Note 15(j) to our consolidated financial statements included elsewhere in this annual report for
further information regarding our liability under ASC 740. Payment of these obligations would result from settlements with tax authorities. Due to the
difficulty in determining the timing of resolution of audits, these obligations are only presented in their total amount.
(3)
Severance pay relates to accrued severance obligations mainly to our Israeli employees as required under Israeli labor laws. These obligations are
payable only upon the termination, retirement or death of the respective employee and may be reduced if the employee’s termination is voluntary.
These obligations are partially funded through accounts maintained with financial institutions and recognized as an asset on our balance sheet. As of
December 31, 2024, $3.2 million is unfunded. See Note 2(l) to our consolidated financial statements included elsewhere in this annual report for further
information.
(4)
Consists of agreements related to the receipt of cloud infrastructure services and subscription-based cloud services.
54
C.
Research and Development, Patents and Licenses, etc.
We conduct our research and development activities primarily in Israel as well as other locations such as India, the United States and Bulgaria. As of December
31, 2024, our research and development department included 1,205 employees and contractors. In 2024, research and development costs accounted for 24.3% of
our total revenues.
For a description of our research and development policies, see “Item 4.B. Business Overview—Research and Development.”
For information regarding our patents, see “Item 4.B. Business Overview—Intellectual Property.”
D.
Trend Information
Other than as disclosed elsewhere in this annual report, we are not aware of any trends, uncertainties, demands, commitments or events since December 31,
2024, that are reasonably likely to have a material adverse effect on our net revenue, income, profitability, liquidity or capital resources, or that caused the
disclosed financial information to be not necessarily indicative of future operating results or financial condition.
E.
Critical Accounting Estimates
Our accounting policies and their effect on our financial condition and results of operations are more fully described in our consolidated financial statements
included elsewhere in this annual report. We have prepared our financial statements in conformity with U.S. GAAP, which requires management to make
estimates and assumptions that in certain circumstances affect the reported amounts of assets and liabilities, revenues and expenses and disclosure of contingent
assets and liabilities. These estimates are prepared using our best judgment, after considering past and current events and economic conditions. While
management believes the factors evaluated provide a meaningful basis for establishing and applying sound accounting policies, management cannot guarantee
that the estimates will always be consistent with actual results. In addition, certain information relied upon by us in preparing such estimates includes internally
generated financial and operating information, external market information, when available, and when necessary, information obtained from consultations with
third parties. Actual results could differ from these estimates and could have a material adverse effect on our reported results. See “Item 3.D. Risk Factors” for a
discussion of the possible risks which may affect these estimates.
We believe that the accounting policies discussed below are critical to our financial results and to the understanding of our past and future performance. These
accounting policies involve estimates that have been made in accordance with generally accepted accounting principles that involve a significant level of
estimation uncertainty and have had or are reasonably likely to have a material impact on our financial condition or results of operations.
Revenue Recognition
We generate substantially all our revenues from providing the right to access SaaS solutions and licensing the rights to use software solutions, as well as from
maintenance and professional services. Subscription revenues include SaaS offerings and on-premises subscription (Self-hosted subscription). We sell solutions
through our direct sales force and indirectly through resellers. Our global network of channel partners consisted of system integrators, managed service
providers, solution providers, strategic outsourcers, advisories and distributors, as well as global and regional marketplaces. Our channel partners generally
complement our sales efforts by helping identify potential sales targets, maintaining relationships with certain customers, introducing new solutions to existing
customers, and offering post-sale professional services and technical support. Payment is typically due within 30 to 90 calendar days of the invoice date.
55
We recognize revenues in accordance with ASC No. 606 “Revenue from Contracts with Customers.” As such, we identify a contract with a customer, identify
the performance obligations in the contract, determine the transaction price, allocate the transaction price to each performance obligation in the contract and
recognize revenues when (or as) we satisfy a performance obligation.
We enter into contracts that can include combinations of products and services, which are generally capable of being distinct and accounted for as separate
performance obligations and may include an option to provide additional solutions or services. SaaS subscriptions, self-hosted subscription, perpetual license,
professional services, updates and technical support are generally distinct since the customer can benefit from the services either on its own or together with
other resources that are readily available and our promise to transfer these services is separately identifiable from other promises in the contract. For options to
provide additional services, we determine whether the option provides a material right to the customer.
The transaction price is determined based on the consideration to which we will be entitled in exchange for transferring goods or services to the customer. We do
not grant a right of return to our customers.
In instances of contracts where revenue recognition differs from the timing of invoicing, we generally determined that those contracts do not include a
significant financing component. The primary purpose of the invoicing terms is to provide customers with simplified and predictable ways of purchasing our
solutions, not to receive or provide financing. We use the practical expedient and do not assess the existence of a significant financing component when the
difference between payment and revenue recognition is a year or less. Revenue is recognized net of any taxes collected from customers, which are subsequently
remitted to the tax authorities
We allocate the transaction price to each performance obligation based on its relative standalone selling price. For maintenance and support, we determine the
standalone selling price based on the price at which we separately sell a renewal contract. For professional services, we determine the standalone selling prices
based on the prices at which we separately sell those services. For SaaS, self-hosted subscriptions and perpetual licenses, we substantially determine the
standalone selling prices by taking into account available information such as historical selling prices, contract value, geographic location, and our price list and
discount policy.
The license portion of self-hosted subscriptions and perpetual licenses are recognized at the point of time when the license is made available for download by
the customer. Maintenance and support revenue related to perpetual license contracts and the maintenance component of the self-hosted subscription offering, as
well as SaaS revenues, are recognized ratably, on a straight-line basis over the term of the related contract, which is generally one to three years, as the services
have a consistent continuous pattern of transfer to a customer during the contract period. Professional services revenues are substantially recognized as the
services are performed, using the method that best depicts the transfer of services to the customer.
Deferred revenue consists of unrecognized amounts billed under SaaS, self-hosted subscription, maintenance and support contracts, as well as professional
services which have not yet been performed as of the balance sheet date, for which we have an unconditional right for a consideration or have collected the
amounts. Deferred revenues are recognized as (or when) the Company performs under the contract. The transaction price allocated to remaining performance
obligations represents non-cancellable contracts that have not yet been recognized, which includes deferred revenues and amounts not yet received that will be
recognized as revenue in future periods.
Deferred Contract Costs
The Company pays sales commissions primarily to sales and certain management personnel based on their attainment of certain predetermined sales goals.
Sales commissions are considered incremental and recoverable costs of obtaining a contract with a customer. Sales commissions paid for initial contracts, which
are not commensurate with sales commissions paid for renewal contracts, are capitalized and amortized proportionately to revenue over an expected benefit
period which is five years. The benefit period is determined by taking into consideration the technology life and other factors. Sales commissions for renewal
contracts are capitalized and amortized over the related contractual renewal period and aligned with the revenue recognized from these contracts.
56
Share-Based Compensation
We account for share-based compensation in accordance with ASC No. 718, “Compensation - Stock Compensation” (ASC No. 718). ASC No. 718 requires
companies to estimate the fair value of equity-based payment awards on the date of grant using an option-pricing model. The value of the award is recognized as
an expense over the requisite service periods, which is generally the vesting period of the respective award, on a straight-line basis when the only condition to
vesting is continued service. If vesting is subject to a performance condition, recognition is based on the implicit service period of the award. Expense for
awards with performance conditions is estimated and adjusted on a quarterly basis based upon the assessment of the probability that the performance condition
will be met.
We selected the Black-Scholes-Merton option-pricing model as the most appropriate fair value method for our option awards and Employee Share Purchase
Plan (ESPP). The fair value of restricted share units (RSUs) and performance share units (PSUs) without market conditions, is based on the closing market value
of the underlying shares at the date of grant. For PSUs subject to market conditions, we use a Monte Carlo simulation model, which utilizes multiple inputs to
estimate payout level and the probability that market conditions will be achieved.
The Black-Scholes-Merton and Monte Carlo models require a number of assumptions, of which the most significant are the expected share price volatility and
the expected option term. We recognize forfeitures of equity-based awards as they occur. For graded vesting awards subject to service conditions, the Company
recognizes compensation cost using the straight-line attribution method. For graded vesting awards subject to market or performance conditions, we recognize
compensation cost using the accelerated attribution method.
These estimates involve uncertainties and the application of judgment. If circumstances are changed and different estimates are used, our expenses could
materially differ in the future.
Business combinations
We account for our business combinations in accordance with ASC No. 805, “Business Combinations” using the acquisition method of accounting, which
requires, among other things, allocation of the fair value of purchase consideration to the tangible and intangible assets acquired and liabilities assumed at their
estimated fair values on the acquisition date. The excess of the fair value of purchase consideration over the values of these identifiable assets and liabilities is
recorded as goodwill. When determining the fair value of assets acquired and liabilities assumed, we make estimates and assumptions, especially with respect to
intangible assets. Our estimates of fair value are based upon assumptions believed to be reasonable, but which are inherently uncertain and unpredictable, and,
as a result, actual results may differ from estimates. During the measurement period, not to exceed one year from the date of acquisition, we may record
adjustments to the assets acquired and liabilities assumed, with a corresponding offset to goodwill if new information is obtained related to facts and
circumstances that existed as of the acquisition date. Acquisition-related expenses, such as legal and consulting fees, are expensed as incurred.
Goodwill and Other Intangible Assets
Goodwill and certain other purchased intangible assets have been recorded in our financial statements as a result of acquisitions.
ASC No. 350, “Intangible—Goodwill and Other” requires goodwill to be tested for impairment at least annually and, in certain circumstances, between annual
tests. The accounting guidance gives the option to perform a qualitative assessment to determine whether further impairment testing is necessary. The qualitative
assessment includes judgement and considers events and circumstances that might indicate that a reporting unit’s fair value is less than its carrying amount.
For the years ended December 31, 2022, 2023 and 2024, no impairment losses were identified.
Capped Call Transactions
In connection with the pricing of the convertible senior notes and the exercise by the initial purchasers of the over-allotment option, the Company entered into
privately negotiated capped call transactions with certain financial institutions. The capped call transactions are considered Level 3 measurements as the
Company applies the Black-Scholes option pricing model and uses historical volatility to determine expected share price volatility which is an unobservable
input that is significant to the valuation.
Legal Contingencies
From time to time, we may be subject to legal proceedings and claims arising in the ordinary course of our business. Such matters are subject to many
uncertainties and outcomes are not predictable with assurance. We accrue for contingencies when the loss is probable and we can reasonably estimate the
amount of any such loss. In determining the probability of a loss and consequently determining a reasonable estimate, we are required to use significant
judgment. We are currently not a party to any material litigation and are not aware of any pending or threatened material legal or administrative proceedings
against us. Regardless of the outcome, litigation can have an adverse impact on us because of defense and settlement costs, diversion of management resources
and other factors.
57
Income Taxes
We calculate income tax provisions based on our results in each jurisdiction in which we operate. The calculation is based on estimated tax consequences and on
assumptions as to our entitlement to various benefits under the applicable local tax laws.
Significant judgment is required in evaluating our uncertain tax positions. We establish reserves for uncertain tax positions based on the evaluation of whether or
not our uncertain tax position is “more likely than not” to be sustained upon examination based on our technical merits. We record estimated interest and
penalties pertaining to our uncertain tax positions in the financial statements as income tax expense.
Deferred tax assets are recognized for unused tax losses, unused tax credits, and deductible temporary differences to the extent that it is probable that future
taxable profits will be available, against which they can be used. Deferred taxes for each jurisdiction are presented as a net asset or liability, net of any valuation
allowances. We estimate the need for any valuation allowance by applying significant judgment and considering all available evidence including past results and
future projections. We reassess our estimates periodically and record a partial or full valuation allowance release if needed.
During the year ended December 31, 2024, we concluded that, based on the evaluation of available evidence, it was no longer more likely than not that some of
the deferred tax assets were recoverable, primarily in Israel. As a result, we recorded a valuation allowance of $65.4 million against deferred tax assets.
We cannot assure that future final tax outcomes will not be different than our tax provisions and reserves for uncertain tax positions. To the extent that the final
tax outcome of these matters is different than the amounts recorded, such differences will impact the provision for income taxes in the period in which such
determination is made.
Israeli Tax Considerations and Government Programs
The following is a summary of the material Israeli tax laws applicable to us, and certain Israeli Government programs that benefit us. To the extent that the
discussion is based on new tax legislation that has not yet been subject to substantive judicial or administrative interpretation, we cannot provide assurance that
the appropriate tax authorities or the courts will accept the views expressed in this discussion. The discussion below is subject to change, including due to
amendments under Israeli law or changes to the applicable judicial or administrative interpretations of Israeli law, which could affect the tax consequences
described below.
General Corporate Tax Structure in Israel
Ordinary taxable income is subject to a corporate tax rate of 23% as of 2018. However, the effective tax rate payable by a company that derives income from an
Approved Enterprise, a Benefited Enterprise, a Preferred Enterprise or a Preferred Technology Enterprise (as discussed below) may be considerably lower.
Capital gains derived by an Israeli company are generally subject to tax at the prevailing ordinary corporate tax rate.
Tax Benefits for Research and Development
Israeli tax law allows, under certain conditions, a tax deduction for research and development expenditures, including capital expenditures, for the year in which
they are incurred. Expenditures are deemed related to scientific research and development projects if:
•
the expenditures are approved by the relevant Israeli government ministry, determined by the field of research;
•
the research and development is for the promotion or development of the company; and
•
the research and development is carried out by or on behalf of the company seeking the deduction.
However, the amount of such deductible expenses shall be reduced by the sum of any funds received through government grants for the finance of such
scientific research and development projects. No deduction under these research and development deduction rules is allowed if such deduction is related to an
expense invested in an asset depreciable under the general depreciation rules of the Ordinance (defined below). As currently implemented by us, expenditures
not so approved are deductible over a three-year period from the first year that the expenditures were made if the research or development is for the promotion
or development of the company.
58
Law for the Encouragement of Industry (Taxes), 5729-1969
The Law for the Encouragement of Industry (Taxes), 5729-1969, generally referred to as the Industry Encouragement Law, provides several tax benefits for
“Industrial Companies.”
The Industry Encouragement Law defines an “Industrial Company” as an Israeli resident company which was incorporated in Israel, of which 90% or more of
its income in any tax year, other than income from certain government loans, is derived from an “Industrial Enterprise” owned by it and located in Israel or in
the “Area,” in accordance with the definition in the section 3A of the Israeli Income Tax Ordinance (New Version) 1961 (the Ordinance). An “Industrial
Enterprise” is defined as an enterprise, which is held by an Industrial Company, whose principal activity in a given tax year is industrial production.
The following tax benefits, among others, are available to Industrial Companies:
•
amortization of the cost of purchased know-how, patents and rights to use a patent and know-how which are used for the development or promotion of
the Industrial Enterprise, over an eight-year period commencing on the year in which such rights were first exercised;
•
under limited conditions, an election to file consolidated tax returns together with Israeli Industrial Companies controlled by it; and
•
expenses related to a public offering of shares in a stock exchange are deductible in equal amounts over three years commencing on the year of
offering.
Eligibility for benefits under the Industry Encouragement Law is not contingent upon the approval of any governmental authority. We believe that we generally
qualify as an Industrial Company within the meaning of the Industry Encouragement Law. The Israel Tax Authority may determine that we do not qualify as an
Industrial Company, which could entail our loss of the benefits that relate to this status. There can be no assurance that we will continue to qualify as an
Industrial Company or that the benefits described above will be available in the future.
Law for the Encouragement of Capital Investments, 5719-1959
The Law for the Encouragement of Capital Investments, 5719-1959, generally referred to as the Investment Law, provides certain incentives for capital
investments in production facilities (or other eligible assets) by “Industrial Enterprises” (as defined under the Investment Law).
The Investment Law was significantly amended effective April 1, 2005 (the 2005 Amendment), further amended as of January 1, 2011 (the 2011 Amendment),
and further amended as of January 1, 2017 (the 2017 Amendment). Pursuant to the 2005 Amendment, tax benefits granted in accordance with the provisions of
the Investment Law prior to its revision by the 2005 Amendment remain in force, but any benefits granted subsequently are subject to the provisions of the 2005
Amendment. Similarly, the 2011 Amendment introduced new benefits to replace those granted in accordance with the provisions of the Investment Law in effect
prior to the 2011 Amendment. However, companies entitled to benefits under the Investment Law as in effect prior to January 1, 2011 were entitled to choose to
continue to enjoy such benefits, provided that certain conditions are met, or elect instead, irrevocably, to forego such benefits and have the benefits of the 2011
Amendment apply. The 2017 Amendment introduced new benefits for Technological Enterprises that meet certain conditions, alongside the existing tax benefits.
Tax Benefits Prior to the 2005 Amendment
An investment program that is implemented in accordance with the provisions of the Investment Law prior to the 2005 Amendment, referred to as an “Approved
Enterprise,” is entitled to certain benefits. A company that wished to receive benefits as an Approved Enterprise must have received approval from the Israeli
Authority for Investments and Development of the Industry and Economy (the Investment Center). Each certificate of approval for an Approved Enterprise
relates to a specific investment program, delineated both by the financial scope of the investment, including sources of funds, and by the physical characteristics
of the facility or other assets.
The tax benefits available under any certificate of approval relate only to taxable income attributable to the specific program and are contingent upon meeting
the criteria set out in such certificate. Income derived from activity that is not integral to the activity of the Approved Enterprise will not enjoy tax benefits.
59
The tax benefits under the alternative benefits track include an exemption from corporate tax on undistributed income which was generated from an Approved
Enterprise for between two and 10 years from the first year of taxable income, depending on the geographic location of the Approved Enterprise facility within
Israel, and the taxation of income generated from an Approved Enterprise at a reduced corporate tax rate of between 10% to 25% for the remainder of the
benefits period, depending on the level of foreign investment in the company in each year, as detailed below.
In addition, a company that has an Approved Enterprise program is eligible for further tax benefits if it qualifies as a Foreign Investors’ Company (FIC), which
is a company with a level of foreign investment, as defined in the Investment Law, of more than 25%.
If a company elects the alternative benefits track and subsequently distributes a dividend out of income derived by its Approved Enterprise during the tax
exemption period it will be subject to corporate tax in respect of the amount of the distributed dividend (grossed-up to reflect the pre-tax income that it would
have had to earn in order to distribute the dividend) at the corporate tax rate which would have been otherwise applicable if such income had not been tax-
exempted under the alternative benefits track. This rate generally ranges from 10% to 25%, depending on the level of foreign investment in the company in each
year, as mentioned above. In addition, dividends paid out to Israeli shareholders of income attributed to an Approved Enterprise (or out of dividends received
from a company whose income is attributed to an Approved Enterprise) are generally subject to withholding tax at source at the rate of 15% (in the case of non-
Israeli shareholders, subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate, 15% or at a lower rate as
provided under an applicable tax treaty). The 15% tax rate is limited to dividends and distributions out of income derived during the benefits period and actually
paid at any time up to 12 years thereafter. After this period, the withholding tax is applied at a rate of up to 30%, or at the lower rate under an applicable tax
treaty (subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate). In the case of a FIC, the 12-year
limitation on reduced withholding tax on dividends does not apply.
The benefits available to an Approved Enterprise are subject to the continued fulfillment of conditions stipulated in the Investment Law and its regulations and
the criteria in the specific certificate of approval, as described above. If a company does not meet these conditions, it would be required to refund the amount of
tax benefits, adjusted to the Israeli consumer price index, and interest, or other monetary penalties.
Tax Benefits Subsequent to the 2005 Amendment
The 2005 Amendment applies to new investment programs commencing after 2004 but does not apply to investment programs approved prior to April 1, 2005.
The 2005 Amendment provides that terms and benefits included in any certificate of approval that was granted before the 2005 Amendment became effective
(April 1, 2005) will remain subject to the provisions of the Investment Law as in effect on the date of such approval. Pursuant to the 2005 Amendment, the
Investment Center will continue to grant Approved Enterprise status to qualifying investments. The 2005 Amendment, however, limits the scope of enterprises
that may be approved by the Investment Center by setting criteria for the approval of a facility as an Approved Enterprise, such as provisions generally requiring
that at least 25% of the Approved Enterprise’s income be derived from exports.
Tax benefits are available under the 2005 Amendment to production facilities (or other eligible facilities) which are generally required to derive more than 25%
of their business income from export to specific markets with a population of at least 14 million in 2012 (such export criteria will further be increased in the
future by 1.4% per annum).
A company qualifying for tax benefits under the 2005 Amendment which pays a dividend out of income derived by its Benefited Enterprise during the tax
exemption period will be subject to corporate tax in respect of the amount of the dividend distributed (grossed-up to reflect the pre-tax income that it would
have had to earn in order to distribute the dividend) at the corporate tax rate which would have otherwise been applicable. Dividends paid out of income
attributed to a Benefited Enterprise (or out of dividends received from a company whose income is attributed to a Benefited Enterprise) are generally subject to
withholding tax at source at the rate of 15% or at a lower rate as may be provided in an applicable tax treaty (subject to the receipt in advance of a valid
certificate from the Israel Tax Authority allowing for a reduced tax rate). The reduced rate of 15% is limited to dividends and distributions out of income
attributed to a Beneficiary Enterprise during the benefits period and actually paid at any time up to 12 years thereafter except with respect to a FIC, in which
case the 12-year limit does not apply.
The benefits available to a Benefited Enterprise are subject to the continued fulfillment of conditions stipulated in the Investment Law and its regulations. If a
company does not meet these conditions, it would be required to refund the amount of tax benefits, adjusted to the Israeli consumer price index, and interest, or
other monetary penalties.
60
On November 15, 2021, the Investment Law was amended to provide, on a temporary basis, a reduced corporate income tax upon the distribution or release,
within a year from such amendment, of tax-exempt profits derived by Approved or Benefited Enterprises. The reduced tax rate was determined based on a
formula, providing for an up to 60% reduction, as long as the corporate income tax rate was not less than 6%. In order to qualify for the reduction, the taxpayer
would also have to invest certain amounts in productive assets and research and development in Israel. The Company did not elect to apply for the
aforementioned temporary order.
In addition to the temporary amendment, the Investment Law was also amended to reduce the ability of companies to retain the tax-exempt profits while
distributing dividends from previously taxed profits. Accordingly, effective August 15, 2021, dividend distributions are deemed made on a pro-rata basis from
all types of earnings, including exempt profits, thus triggering additional corporate income tax. As of August 15, 2021, the Company did not distribute any
dividends and does not intend to do so in the near future.
As of December 31, 2024, approximately $13.9 million was derived from tax exempt profits earned under the “Approved Enterprises” and “Beneficiary
Enterprise.” If the retained tax-exempt income is distributed, the income would be taxed at the applicable corporate tax rate as if it had not elected the alternative
tax benefits under the Investment Law and an income tax liability of up to $3.4 million would have been incurred as of December 31, 2024.
Tax Benefits under the 2011 Amendment
The 2011 Amendment introduced new benefits for income generated by a “Preferred Company” through its “Preferred Enterprise” (as such terms are defined in
the Investment Law) as of January 1, 2011. The definition of a Preferred Company includes a company incorporated in Israel that is not wholly owned by a
governmental entity, and that has, among other things, Preferred Enterprise status and is controlled and managed from Israel. Pursuant to the 2011 Amendment,
a Preferred Company was entitled to a reduced corporate tax rate of 15% with respect to its preferred income derived by its Preferred Enterprise in 2011 and
2012, unless the Preferred Enterprise is located in a development zone A, in which case the rate was 10%. Such corporate tax rate was reduced from 15% and
10%, respectively, to 12.5% and 7%, respectively, in 2013, and then increased to 16% and 9%, respectively, in 2014 until 2016. Pursuant to the 2017
Amendment, in 2017 and thereafter, the corporate tax rate for Preferred Enterprise which is located in development zone A was decreased to 7.5%, while the
reduced corporate tax rate for other development zones remains 16%. Income derived by a Preferred Company from a ‘Special Preferred Enterprise’ (as such
term is defined in the Investment Law) could be entitled, under certain conditions and limitations, to further reduced tax rates.
Dividends paid to Israeli shareholders out of preferred income attributed to a Preferred Enterprise are generally subject to withholding tax at the rate of 20%,
and in case of non-Israeli shareholders, such lower rate as may be provided in an applicable tax treaty (each subject to the receipt in advance of a valid
certificate from the Israel Tax Authority allowing for a reduced tax rate). However, if such dividends are paid to an Israeli company, no tax is required to be
withheld (although, if such dividends are subsequently distributed to individuals or a non-Israeli company, withholding tax at a rate of 20% or such lower rate as
may be provided in an applicable tax treaty will apply).
The 2011 Amendment also provided transitional provisions to address companies already enjoying existing tax benefits under the Investment Law. These
transitional provisions provide, among other things, that unless an irrevocable request is made to apply the provisions of the Investment Law as amended in
2011 with respect to income to be derived as of January 1, 2011: (i) the terms and benefits included in any certificate of approval that was granted to an
Approved Enterprise which chose to receive grants before the 2011 Amendment became effective will remain subject to the provisions of the Investment Law as
in effect on the date of such approval, and subject to certain other conditions; (ii) the terms and benefits included in any certificate of approval that was granted
to an Approved Enterprise which had participated in an alternative benefits track before the 2011 Amendment became effective will remain subject to the
provisions of the Investment Law as in effect on the date of such approval, provided that certain conditions are met; and (iii) a Benefited Enterprise can elect to
continue to benefit from the benefits provided to it before the 2011 Amendment became effective, provided that certain conditions are met.
From time to time, the Israeli Government has discussed reducing the benefits available to companies under the Investment Law. The termination or substantial
reduction of any of the benefits available under the Investment Law could materially increase our tax liabilities.
We applied the new benefits under the 2011 Amendment instead of the benefits provided to our Approved Enterprise and Benefited Enterprise as of 2013 tax
year onwards through 2016 tax year.
61
Tax Benefits under the 2017 Amendment
The 2017 Amendment was enacted as part of the Economic Efficiency Law that was published on December 29, 2016, and is effective as of January 1, 2017.
The 2017 Amendment provides new tax benefits for two types of “Technology Enterprises,” as described below, and is in addition to the other existing tax
beneficial programs under the Investment Law.
The 2017 Amendment provides that a technology company satisfying certain conditions will qualify as a “Preferred Technology Enterprise” (PTE) and will
thereby enjoy a reduced corporate tax rate of 12% on income that qualifies as PTE which is generally generated by “Benefited Intangible Assets,” as defined in
the Investment Law. The tax rate is further reduced to 7.5% for a PTE and/or for its segment located in development Zone A. In addition, a PTE will enjoy a
reduced corporate tax rate of 12% on capital gain derived from the sale of certain “Benefitted Intangible Assets” (as defined in the Investment Law) to a related
foreign company if the Benefitted Intangible Assets were acquired from a foreign company on or after January 1, 2017 for at least NIS 200 million, and the sale
receives prior approval from the National Authority for Technological Innovation (NATI).
The 2017 Amendment further provides that a technology company satisfying certain conditions will qualify as a “Special Preferred Technology Enterprise” and
will thereby enjoy a reduced corporate tax rate of 6% on “Preferred Technology Income” regardless of the company’s geographic location within Israel. In
addition, a Special Preferred Technology Enterprise will enjoy a reduced corporate tax rate of 6% on capital gain derived from the sale of certain “Benefitted
Intangible Assets” to a related foreign company if the Benefitted Intangible Assets were either developed by the Special Preferred Technology Enterprise or
acquired from a foreign company on or after January 1, 2017, and the sale received prior approval from NATI. A Special Preferred Technology Enterprise that
acquires Benefitted Intangible Assets from a foreign company for more than NIS 500 million will be eligible for these benefits for at least 10 years, subject to
certain approvals as specified in the Investment Law.
Dividends distributed to Israeli shareholders by a PTE or a Special Preferred Technology Enterprise, paid out of Preferred Technology Income, are generally
subject to withholding tax at source at the rate of 20%, and in the case of non-Israeli shareholders, such lower rate as may be provided in an applicable tax treaty
(each subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for such reduced tax rate). However, if such dividends are
paid to an Israeli company, no tax is required to be withheld. If such dividends are distributed to a foreign company that holds alone or together with other
foreign companies 90% or more in the Israeli company and other conditions are met, the withholding tax rate will be 4%.
We have obtained a comprehensive tax ruling confirming, among others, that we generally qualify as a PTE from 2018 until 2023 and this status was
acknowledged by the Israeli Tax Authority in corporate tax audit assessment agreements reached in 2021 and in 2022. We are in the process of obtaining an
extension for this tax ruling, which would be relevant for future tax years.
Recently Adopted and Issued Accounting Pronouncements
See Note 2(ac) and Note 2(ad) to our consolidated financial statements included elsewhere in this annual report for information regarding recent accounting
standards adopted and issued.
62
ITEM 6.
DIRECTORS, SENIOR MANAGEMENT AND EMPLOYEES
A.
Directors and Senior Management
The following table sets forth the name, age and position of each member of our senior management as of March 12, 2025:
Name
Age
Position
Senior Management
Ehud (Udi) Mokady (4)
56
Executive Chairman of the Board and Founder
Matthew Cohen
49
Chief Executive Officer and Director
Erica Smith
52
Chief Financial Officer
Eduarda Camacho
53
Chief Operating Officer
Donna Rahav
46
Chief Legal Officer
Omer Grossman
45
Chief Information Officer
Peretz Regev
46
Chief Product Officer
Directors
Gadi Tirosh (1)(3)(4)(5)
58
Lead Independent Director
Ron Gutler (1)(2)(4)(5)
67
Director
Kim Perdikou (1)(2)(3)(5)
67
Director
Amnon Shoshani (3)(5)
61
Director
François Auque (2)(5)
68
Director
Avril England (3)(4)(5)
56
Director
Mary Yang (4)(5)
56
Director
(1)
Member of our compensation committee.
(2)
Member of our audit committee.
(3)
Member of our nominating, environmental, sustainability and governance committee.
(4)
Member of our strategy committee.
(5)
Independent director under the rules of Nasdaq.
Senior Management
Ehud (Udi) Mokady is one of our founders and has served as our chairman of the Board of directors since June 2016 and became Executive Chairman of the
Board of directors in April 2023. He has also served as a member of our Board of directors since November 2004. Mr. Mokady previously served as our Chief
Executive Officer (CEO) from 2005 to April 2023, President from 2005 to 2016 and as our Chief Operating Officer from 1999 to 2005. Mr. Mokady has served
as a member of the board of Directors of SQream Technologies Ltd since April 2023 and of Cheq AI Technologies since December 2023. He has served as a
member of the board of Advisors of Brandeis International Business School since September 2019 and has served as an advisor to General Catalyst since
November 2023. Mr. Mokady served as a member of the board of directors of Demisto, Inc. commencing in January 2018 until its acquisition by Palo Alto
Networks, Inc. in March 2019. From 1997 to 1999, Mr. Mokady served as general counsel at Tadiran Spectralink Ltd., a producer of secure wireless
communication systems. From 1986 to 1989, Mr. Mokady served in a military intelligence unit in the Israel Defense Forces. Mr. Mokady was honored by a
panel of independent judges with the New England EY Entrepreneur of The Year™ 2014 Award in the Technology Security category. Mr. Mokady holds a
Bachelor of Laws (LL.B.) from Hebrew University in Jerusalem, Israel and a Master of Science Management (MSM) from Boston University in Massachusetts.
Matthew Cohen has served as our CEO since April 2023. He previously served as our Chief Operating Officer since December 2020 after he served as our Chief
Revenue Officer since December 2019. Prior to joining CyberArk, Mr. Cohen held several leadership positions in PTC Inc. (Nasdaq: PTC). His most recent
position was Executive Vice President of Field Operations, from February 2018 to November 2019, where he led the GTM strategy and all Sales, Commercial
Marketing, Customer Success, Services, and Partner functions. Prior to that he was Executive Vice President, Customer Success and Partners from July 2016 to
February 2018, Executive Vice President, Global Services from April 2014 through July 2016, and Divisional Vice President, Global Services from October
2013 to March 2014. Before that, Mr. Cohen held various positions in the company’s Global Services group. Mr. Cohen holds a Bachelor of Arts in Psychology
from Harvard University.
63
Erica Smith has served as our Chief Financial Officer (CFO) since January 2025. Ms. Smith joined CyberArk in 2015 and was appointed Deputy CFO in 2024
after serving as Senior Vice President of Finance and Investor Relations, where she led FP&A, investor relations, Treasury and ESG initiatives.
Prior to joining CyberArk, Ms. Smith was Vice President of Investor Relations for Demandware from 2011 to 2015. Demandware completed an initial public
offering and listing on Nasdaq in 2012 and was acquired by Salesforce in 2016. Previously, Ms. Smith held various investor relations, corporate
communications, and finance positions at leading companies, including Boston Private Financial Holdings, Network Engines, StorageNetworks, Sharon Merrill
Associates, and Lehman Brothers. Ms. Smith holds a B.A. in Economics from the College of the Holy Cross.
Donna Rahav has served as our Chief Legal Officer since December 2021. She previously served as our General Counsel and Compliance Officer since March
2014 and as Corporate Secretary from April 2014 until December 2019. Prior to joining CyberArk, Ms. Rahav served as Deputy General Counsel at Allot
Communications Ltd. (Nasdaq and TASE: ALLT) from 2011 to 2014 and as legal counsel at Alvarion Ltd. (Nasdaq and TASE: ALVR) 2009 to 2011 and
MediaMind Technologies, Inc. (formerly Eyeblaster, Inc.; Nasdaq: MDMD) from 2008 to 2009. Prior to that, from 2005 to 2006 she was an associate at an
Israeli law firm specializing in technology transactions. Ms. Rahav holds a Bachelor of Laws (LL.B.) from Tel Aviv University in Israel, and a Master of Laws
(LL.M.) from Tel Aviv University in collaboration with University of California, Berkeley, an executive program focused on corporate and commercial law.
Peretz Regev has served as our Chief Product Officer since September 2022. Prior to joining CyberArk, Mr. Regev served as Vice President of Global Data
Science and Engineering at PayPal Holdings Inc. (Nasdaq: PYPL) from January 2015 to September 2022 and served as the General Manager of PayPal Israel
from May 2017 to September 2022. Mr. Regev also held several leadership positions at Hewlett-Packard Company (now HP Inc.) (NYSE: HPQ), from January
2005 to December 2014, guiding the SaaS products and Big Data Analytics teams. Before that, Mr. Regev served in various positions at Mercury Interactive, an
Israeli software company that was acquired by Hewlett Packard. Mr. Regev holds a BSc in Computer Sciences from Reichman University in Israel and MBA
from the College of Management Academic Studies in Israel.
Omer Grossman has served as our Chief Information Officer (CIO) since December 2022. Prior to joining CyberArk, Mr. Grossman served as the Head of the
IDF’s Cyber Defense Operations Center between July 2022 and July 2023, and as Head of the Center for Computing and Information Systems (Mamram), the
central Cloud Service Provider of the IDF between June 2018 and June 2020. Mr. Grossman holds a Bachelor of Science degree in physics and electrical
engineering from Tel Aviv University and a Master of Science in Government Information Leadership from the National Defense University, College of
Information and Cyberspace in Washington D.C.
Eduarda Camacho has served as our Chief Operating Officer since January 2024. Prior to joining CyberArk, Ms. Camacho served as Chief Customer Officer at
BMC Software from August 2021 to January 2024 and as Senior Vice President of Customer Success from August 2021 to December 2023. Before that Ms.
Camacho served in various leadership positions in PTC Inc. (Nasdaq: PTC), including Executive Vice President and Chief Customer Officer from December
2019 to July 2021, Divisional Vice President, Customer Success from April 2018 to November 2019, Senior Vice President, Customer Success from December
2017 to March 2018, and Senior Vice President, Global Services from July 2016 to November 2017. Ms. Camacho holds a certificate from Harvard Business
School Executive Education and attended Communication Science at Universidade Nova de Lisboa.
Directors
Gadi Tirosh has served as a member of our Board of directors since June 2011, as chairman of the Board of directors between July 2013 and June 2016 and as
lead independent director since June 2016. Since 2020, Mr. Tirosh has served as Venture Partner at DisruptiveAI, an Israeli venture capital firm that focuses on
innovative artificial intelligence companies. From 2018 to 2020, Mr. Tirosh served as Venture Partner at Jerusalem Venture Partners, an Israeli venture capital
firm that focuses, among other things, on cybersecurity companies and operates the JVP Cyber Labs incubator. From 2005 to 2018, he served as Managing
Partner at Jerusalem Venture Partners. From 1999 to 2005, he served as Corporate Vice President of Product Marketing and as a member of the executive
committee for NDS Group Ltd. (Nasdaq: NNDS) later acquired by Cisco Systems, Inc. a provider of end-to-end software solutions to the pay-television
industry, including content protection and video security. Mr. Tirosh holds a Bachelor of Science in computer science and mathematics and an Executive MBA
from the Hebrew University in Jerusalem, Israel.
64
Ron Gutler has served as a member of our Board of directors since July 2014 and served as an external director under the Companies Law between July 2014
and May 2016. Mr. Gutler is currently a director of Wix.com Ltd. (Nasdaq: WIX) and Fiverr International Ltd. (NYSE: FVRR), and was a director of WalkMe
Ltd. (formerly Nasdaq: WKME) until its acquisition by SAP SE in September 2024. Between November 2009 and December 2020. Mr. Gutler served as a
director of Psagot Investment House and between November 2007 and December 2020, he served as a director of Psagot Securities. Between June 2018 and
November 2019, Mr. Gutler served as the Chairman of the board of Psagot Market Making. Between 2014 and 2019 Mr. Gutler served as a director of Hapoalim
Securities USA (HSU). Between August 2012 and January 2018, Mr. Gutler served as chairman of the board of the College of Management Academic Studies in
Israel. Between May 2002 and February 2013, Mr. Gutler served as the Chairman of NICE Systems Ltd., a public company specializing in voice recording, data
security, and surveillance. Between 2000 and 2011, Mr. Gutler served as the Chairman of G.J.E. 121 Promoting Investments Ltd., a real estate company.
Between 2000 and 2002, Mr. Gutler managed the Blue Border Horizon Fund, a global macro fund. Mr. Gutler is a former Managing Director and a Partner of
Bankers Trust Company, which is currently part of Deutsche Bank. He also established and headed the Israeli office of Bankers Trust Company. Mr. Gutler
holds a Bachelor of Arts in economics and international relations and an MBA, both from the Hebrew University in Jerusalem, Israel.
Kim Perdikou has served as a member of our Board of directors since July 2014 and served as an external director under the Companies Law between July 2014
and May 2016. Ms. Perdikou has served as Chairman of The AtSign Company, a private startup Internet Protocol company, since December 2019 and has
served on the board of directors of Nasuni Inc, a Private Hybrid Cloud File storage company, since December 2022. Ms. Perdikou served on the Supervisory
board of Alter Domus, a Financial Services Company based in Luxembourg, from January 2021 to November 2024. From 1998 to August 2013, Ms. Perdikou
served in leadership positions at Juniper Networks, Women.com, Readers Digest, Knight Ridder, and Dun & Bradstreet. Ms. Perdikou holds a Bachelor of
Science degree in computing science with operational research from Paisley University (now the West of Scotland University) in Paisley, Scotland, a Post-
Graduate degree in education from Jordanhill College in Glasgow, Scotland and a Master of Science in information systems from Pace University in New York,
United States.
Amnon Shoshani has served as a member of our Board of directors since November 2009. Since February 1995, Mr. Shoshani has served as the Founder and
Managing Partner of Cabaret Holdings Ltd. and, since March 1999, he has also served as Managing Partner of Cabaret Security Ltd., CyberArk’s founding
investor and Cabaret and ArbaOne Inc. ventures activities where he had a lead role in managing the group’s portfolio companies. Between 2005 and 2018, he
served as CEO and Chairman of the board of Smartech, a portfolio company of Cabaret and ArbaOne, that provides game changing technologies to the
industrial world, which was sold to Hexion in November 2024. Between 2018 and November 2024, Mr. Shoshani served as the President and Chairman of the
board of Smartech, and since its sale, he serves as the President and a board member of Smartech. From 1994 to April 2005, Mr. Shoshani owned a Tel Aviv
boutique law firm engaged in entrepreneurship, traditional industries and high tech, which he founded. Mr. Shoshani holds a Bachelor of Law (LL.B.) from Tel
Aviv University in Israel.
François Auque has served as a member of our Board of directors since February 2019. Mr. Auque serves as the deputy chairman of the board and chairman of
the Audit and Risk Committee of Rexel SA from May 2019, after being an observer on the board from October 2018. Mr. Auque is a partner at InfraVia Capital
Partners, a Private Equity firm based in Paris. Mr. Auque served as the General Partner and Chairman of the Investment Committee of Airbus Ventures, the
venture capital arm of Airbus between 2016 and 2018. From 2000 to 2016, Mr. Auque headed the Airbus space division as a member of Airbus Group’s
Executive Committee. Between 1991 and 2000, Mr. Auque served as Chief Financial Officer of Aerospatiale (then Aerospatiale-Matra), one of the three
founding firms of the European Aeronautic Defense and Space Company (EADS), Europe’s largest aerospace company (currently Airbus). Mr. Auque holds a
Master’s in Finance from Ecole des Hautes Etudes Commercials in Paris, France, a Bachelor of Arts in Public Administration from the Paris Institute of Political
Studies in Paris, France, and is a graduate in economics from Ecole Nationale d’Administration in Paris, France.
Avril England has served as a member of our Board of directors since March 2021. Since September 2013, Ms. England has served as part of the product
leadership of Veeva Systems Inc. (NYSE: VEEV), as the General Manager of Veeva Vault, a fast-growing cloud software platform and suite of applications. Ms.
England holds a Bachelor of Commerce degree from Queen’s University in Ontario, Canada, and has received numerous professional and academic awards.
Mary Yang has served as a member of our Board of directors since November 2023. Ms. Yang serves as a director audit committee member and compensation
committee member of Sunnova Energy International Inc. (NYSE:NOVA) since October 2021. Ms. Yang served as Senior Vice President and Chief Strategy
Officer of Ciena Corporation (NYSE:CIEN) between 2020 and 2022. Between 2016 and 2020 she served as Vice President, Business and Corporate
Development for NIO Inc. (NYSE: NIO). She served as Vice President, Corporate Development and Strategic Alliances for Fortinet Inc. (Nasdaq: FTNT)
between 2014 and 2016, and as Global Head of Security Corporate Development for Cisco Systems Inc. (Nasdaq: CSCO) between 2011 and 2014 and as Global
Business Development between 2008-2011. Ms. Yang holds a Juris Doctorate from Stanford Law School and several academic degrees from Stanford
University, including a Master of Business Administration, a Master of Science in Management Science and Engineering and a Bachelor of Arts in Quantitative
Economics.
65
B.
Compensation
Compensation of Directors and Senior Management
The aggregate compensation expensed, including share-based compensation and other compensation expensed by us and our subsidiaries, with respect to the
year ended December 31, 2024, for our directors and senior management that served at any time during the year ended December 31, 2024, was $43.2 million.
This amount includes approximately $1.3 million set aside or accrued to provide pension, severance, retirement, or similar benefits.
During the year ended December 31, 2024, our directors and senior management were granted 178,300 restricted share units, some of which were subject to
performance criteria, under our 2014 Share Incentive Plan.
The table below sets forth the compensation earned by our five most highly compensated office holders (as defined in the Companies Law and described under
“Board Practices— Disclosure of Compensation of Senior Management” below) during or with respect to the year ended December 31, 2024. We refer to the
five individuals for whom disclosure is provided herein as our “Covered Executives.” For purposes of the table and the summary below, “compensation”
includes base salary, bonuses, equity-based compensation, retirement or termination payments, and any benefits or perquisites such as car, phone and social
benefits, as well as any undertaking to provide such compensation in the future.
Summary Compensation Table
Information Regarding the Covered Executive (1)
Name and Principal Position (2)
Base
Salary
Benefits and
Perquisites
(3)
Variable
Compensation
(4)
Equity-Based
Compensation
(5)
Matthew Cohen, CEO
$
481,000 $
208,643 $
649,350 $
10,550,362
Ehud (Udi) Mokady, Executive Chairman of the Board and Founder
270,000
385,278
364,500
8,644,102
Joshua Siegel, Former CFO (6)
389,793
94,697
414,100
6,022,593
Eduarda Camacho, Chief Operating Officer
391,026
357,808
540,000
2,941,686
Peretz Regev, Chief Product Officer
373,698
123,824
281,800
3,006,509
(1)
All amounts reported in the table are in terms of cost to our Company, as recorded in our financial statements for the year ended December 31, 2024.
(2)
Other than our Executive Chairman of the Board, all current officers listed in the table are full-time employees. Cash compensation amounts
denominated in currencies other than the U.S. dollar were converted into U.S. dollars at the average conversion rate for the year ended December 31,
2024.
(3)
Amounts reported in this column include benefits and perquisites, including those mandated by applicable law. Such benefits and perquisites may
include, to the extent applicable to each executive, payments, contributions and/or allocations for savings funds, pension, severance, vacation, car or
car allowance, medical insurances and benefits, risk insurances (such as life, disability and accident insurances), convalescence pay, payments for
Medicare and social security, tax gross-up payments and other benefits and perquisites consistent with our guidelines, regardless of whether such
amounts have actually been paid to the executive.
(4)
Amounts reported in this column refer to Variable Compensation, such as incentives and earned or paid bonuses as recorded in our financial statements
for the year ended December 31, 2024.
(5)
Amounts reported in this column represent the expense recorded in our financial statements for the year ended December 31, 2024 with respect to
equity-based compensation, reflecting also equity awards made in previous years which have vested during the current year. Assumptions and key
variables used in the calculation of such amounts are described in Note 14 to our audited consolidated financial statements, which are included in this
annual report.
(6)
Joshua Siegel stepped down as CFO on January 1, 2025, and Erica Smith became CFO, effective January 1, 2025.
66
CEO Equity Plan
In June 2023, the Company’s shareholders approved a multi-year CEO Equity Plan, which included an equity grant to the CEO in respect of 2023 and
authorized the compensation committee and Board of directors to approve CEO equity grants between 2024 and 2027 under the terms of such plan.
Accordingly, the CEO was awarded the following equity grants:
RSUs
Business PSUs
Relative TSR PSUs
2023
Percentage
50%
30%
20%
Amount
29,100
17,460
11,640
2024
Percentage
50%
30%
20%
Amount
24,000
14,400
9,600
2025
Percentage
50%
30%
20%
Amount
16,900
10,140
6,760
The performance targets for the 2025 business PSUs are annual recurring revenue and non-GAAP operating income margin, both of which are viewed as key
factors in our long-term success.
2024 Executive Chairman Equity Grant
In June 2024, the Company’s shareholders approved an equity grant to the Executive Chairman of the Board in respect of 2024. Accordingly, he was awarded
the following equity grants:
RSUs
Business PSUs
Relative TSR PSUs
Percentage
50%
30%
20%
Amount
12,000
7,200
4,800
Executive Chairman of the Board and CEO PSU performance
In February 2025, the compensation committee certified the Company’s performance of our 2024 business PSUs performance criteria and the applicable number
of PSUs earned, demonstrating our track record of paying for performance and linking the executives’ achievement rate of the performance criteria as follows:
Year of Grant
Performance Targets
Performance Criteria Achievement Rate
(Weighted Average)
Earning Rate
2024 Business PSUs
• Annual recurring revenue
• Operating Margin
129.5%
165%
Business PSUs are earned based on a one-year performance period and are subject to further time-based vesting.
67
In 2022, the Executive Chairman of the Board and the CEO (in their capacity as CEO and Chief Operating Officer (COO), respectively), were awarded relative
total shareholder return PSUs (rTSR PSUs) that are earned based on our total shareholder return relative to the S&P Software & Services Select Industry index
over a three-year period. In February 2025, the compensation committee certified the Company’s performance of the 2022 rTSR PSUs performance criteria, as
follows:
Year of Grant
Percentile Rate
Earning Rate
2022
92.54%
200.0%
The compensation committee have further certified the earning of the underlying 2024 and 2022 PSUs, as follows:
Number of PSUs Granted
(on Target)
Number of PSUs Earned
2024 Business PSUs
Executive Chairman
7,200
11,890
CEO
14,400
23,780
2022 rTSR PSUs
Executive Chairman
12,300
24,600
CEO
3,140
6,280
The Executive Chairman of the Board and the CEO were also awarded rTSR PSUs in 2023 in their previous capacity as the CEO and COO, respectively, and in
2024, that have not been earned to date, as their performance periods have not yet been completed.
Employment Agreements with Executive Officers
We have entered into written employment agreements with all our executive officers. Most of these agreements contain provisions regarding non-competition
and all these agreements contain provisions regarding confidentiality of information and ownership of inventions. The non-competition provision applies for a
period that is generally 12 months following termination of employment, subject to applicable law. The enforceability of covenants not to compete in Israel and
the United States is subject to limitations. In addition, we are required to provide two to six months’ notice prior to terminating the employment of our executive
officers, other than in the case of a termination for cause.
Directors’ Service Contracts
Other than with respect to Ehud (Udi) Mokady, our Executive Chairman of the Board and Matthew Cohen, our CEO, there are no arrangements or
understandings between us, on the one hand, and any of our directors, on the other hand, providing for benefits upon termination of their service as directors of
our Company, except that directors are permitted to exercise vested options for one year following the termination of their service. Each of our non-executive
directors is entitled to a fixed annual fee and predetermined dollar values of initial and recurring annual equity grants of RSUs.
Equity Incentive Plans
2024 Share Incentive Plan
The 2024 Share Incentive Plan (the 2024 SIP) was adopted by our Board of directors and became effective as of June 1, 2024. The 2024 SIP is designed to grant
equity-based incentive awards to our employees, directors, officers, consultants, advisors and any other person providing services to us or our affiliates.
Shares Available for Grants. The maximum number of ordinary shares available for issuance under the 2024 SIP is equal to the sum of (a) 1,786,992 ordinary
shares, plus (b) on January 1 of each calendar year commencing in 2025, a number of ordinary shares equal to the lesser of: (i) an amount determined by our
Board, if so determined prior to the January 1 of the calendar year in which the increase will occur, (ii) 4% of the total number of ordinary shares of the
Company outstanding on December 31 of the immediately preceding calendar year, and (iii) 4,000,000 ordinary shares. Unless determined otherwise by our
Board of directors, shares underlying awards that expire are cancelled, terminated, forfeited, repurchased, settled in cash or used to pay the exercise price or
withholding tax obligations, may be reissued under the 2024 SIP. Our Board of directors may also reduce the number of ordinary shares reserved and available
for issuance under the 2024 SIP in its discretion. Any share underlying an award granted under the 2014 SIP that is cancelled or terminated or forfeited for any
reason without having been exercised, in accordance with the terms of the plan, will automatically be available for grant under the 2024 SIP. As of December
31, 2024, 262,050 ordinary shares underlying share-based awards were outstanding under the 2024 SIP and 1,517,460 ordinary shares were reserved for future
grant under the 2024 SIP. On January 1, 2025, the aggregate number of ordinary shares reserved for issuance under the 2024 SIP was increased by 1,480,000
shares.
Administration. Our Board of directors, or a duly authorized committee of our Board of directors (the administrator), will administer the 2024 SIP. Eligibility.
The 2024 SIP provides for the grant of options, restricted shares, restricted share units and other share-based awards to our employees, directors, officers,
consultants, advisors and any other person providing services to us or our affiliates. The 2024 SIP provides for granting awards under various tax regimes,
including, without limitation, in compliance with Section 102 of the Ordinance, and Section 3(i) of the Ordinance.
68
2014 Share Incentive Plan
The 2014 Share Incentive Plan (the 2014 SIP) was adopted by our Board of directors and became effective on June 10, 2014. The 2014 SIP was approved by our
shareholders on July 10, 2014. As of December 31, 2024, 2,489,837 ordinary shares underlying share-based awards were outstanding under the 2014 SIP. No
new awards may be granted under the 2014 SIP.
2020 Employee Share Purchase Plan
On January 1, 2021, our ESPP, became effective. The ESPP enables our eligible employees and eligible employees of our designated subsidiaries to elect to
have payroll deductions made during the offering period in an amount not exceeding 15% of the gross base compensation which the employees receive. The
aggregate number of ordinary shares reserved for issuance under the ESPP, as of January 1, 2021 was 125,000 shares (the ESPP Share Pool). On January 1 of
each year between 2022 and 2026 the ESPP Share Pool will be increased by a number of ordinary shares equal to the lowest of (i) 1,000,000 shares, (ii) 1% of
our outstanding shares on December 31 of the immediately preceding calendar year, and (iii) a lesser number of shares determined by our Board of directors. As
of December 31, 2024, 132,904 ordinary shares were reserved for issuance under the ESPP. On January 1, 2025, the aggregate number of ordinary shares
reserved for issuance under the ESPP was increased by 30,000 shares.
The ESPP is administered by our Board of directors or by a committee designated by the Board of directors. Subject to those rights which are reserved to the
Board of directors, or which require shareholder approval under Israeli law, our Board of directors has designated the compensation committee to administer the
ESPP. Eligible employees become participants in the ESPP by enrolling and authorizing payroll deductions by the deadline established by the plan administrator
prior to the relevant enrollment date. We expect that on the first trading day of each purchase period, each participant will automatically be granted an option to
purchase our ordinary shares on the exercise date of such purchase period. The applicable purchase price will be no less than 85% of the lesser of the fair market
value of our ordinary shares on the first day or the last day of the purchase period. The maximum number of ordinary shares that may be purchased under the
ESPP in any offer period, per participant, is 10,000. Participant payroll deductions will be used to purchase shares on the last day of each purchase period. The
plan administrator may amend, suspend or terminate the ESPP at any time. However, shareholder approval must be obtained for any amendment to the ESPP
that increases the aggregate number of shares, changes the type of shares that may be sold pursuant to rights under the ESPP or changes the corporations or
classes of corporations whose employees are eligible to participate in the ESPP.
C.
Board Practices
Board of Directors
Under the Companies Law, our business and affairs are managed under the direction of our Board of directors. Our Board of directors may exercise all powers
and may take all actions that are not specifically granted to our shareholders or to management. Our executive officers are responsible for our day-to-day
management and have individual responsibilities established by our Board of directors. Our CEO is appointed by, and serves at the discretion of, our Board of
directors, subject to the employment agreement that we have entered into with him. All other executive officers are also appointed by our Board of directors and
are subject to the terms of any applicable employment agreements that we may enter into with them.
We comply with the Nasdaq rule that requires a majority of our directors to be independent as defined under Nasdaq corporate governance rules. Our Board of
directors has determined that all of our directors, other than our Executive Chairman of the Board and our CEO, are independent under such rules. Under our
articles of association, our directors serve for a period of three years pursuant to the staggered board provisions of our articles of association. Under our articles
of association, our Board of directors must consist of at least four and not more than nine directors. Our Board of directors currently consists of nine directors.
Pursuant to our articles of association, our directors are divided into three classes with staggered three-year terms. Each class of directors consists, as nearly as
possible, of one-third of the total number of directors constituting the entire Board of directors. At each annual general meeting of our shareholders, the election
or re-election of directors following the expiration of the term of office of the directors of that class of directors is for a term of office that expires on the third
annual general meeting following such election or re-election, such that at each annual general meeting, the term of office of only one class of directors will
expire. Each director will hold office until the annual general meeting of our shareholders in which his or her term expires, unless he or she is removed by a vote
of 65% of the total voting power of our shareholders at a general meeting of our shareholders or upon the occurrence of certain events, in accordance with the
Companies Law and our articles of association.
69
As of the date hereof, our directors are divided among the three classes as follows:
(i) the Class I directors are Matthew Cohen, François Auque and Mary Yang, and their term expires at the annual general meeting of shareholders to be held in
2027 and at the time their successors are elected and qualified;
(ii) the Class II directors are Gadi Tirosh, Amnon Shoshani and Avril England, and their term expires at the annual general meeting of shareholders to be held in
2025 and at the time their successors are elected and qualified; and
(iii) the Class III directors are Ehud (Udi) Mokady, Ron Gutler and Kim Perdikou, and their term expires at the annual general meeting of shareholders to be
held in 2026 and at the time their successors are elected and qualified.
In addition, our articles of association allow our Board of directors to appoint directors, create new directorships, or fill vacancies on our Board of directors up
to the maximum number of directors permitted under our articles of association. In case of an appointment by our Board of directors to fill a vacancy on our
Board of directors due to a director no longer serving, the term of office shall be equal to the remaining period of the term of office of the director(s) whose
office(s) have been vacated, and in the case of a new appointment where the number of directors serving is less than the maximum number stated in our articles
of association, our Board of directors shall determine at the time of appointment the class to which the new director shall be assigned.
Under the Companies Law and our articles of association, nominations for directors may be made by any shareholder(s) holding together at least 5% of our
outstanding voting power. However, any such shareholder may make such a nomination only if a written notice of such shareholder’s intent to make such
nomination has been timely and duly given to our Secretary (or, if we have no Secretary, our CEO), as set forth in our articles of association. Any such notice
must include certain information regarding the proposing shareholder and the proposed director nominee, the consent of the proposed director nominee(s) to
serve as our director(s) if elected, and a declaration signed by the proposed director nominee(s) as required by the Companies Law and that all of the
information that is required to be provided to us in connection with such election under the Companies Law and under our articles of association has been
provided.
Under the Companies Law, our Board of directors must determine the minimum number of directors who are required to have accounting and financial
expertise. A director with accounting and financial expertise is a director who, due to education, experience and skills, possesses an expertise in, and an
understanding of, financial and accounting matters and financial statements, such that he or she is able to understand the financial statements of the company
and initiate a discussion about the presentation of financial data.
In determining the number of directors required to have such expertise, a board of directors must consider, among other things, the type and size of the company
and the scope and complexity of its operations. Our Board of directors has determined that the minimum number of directors of our Company who are required
to have accounting and financial expertise is one.
External Directors
Under the Companies Law, companies incorporated under the laws of the State of Israel that are public companies, including companies with shares listed on
Nasdaq, are required to appoint at least two external directors.
Pursuant to regulations enacted under the Companies Law, the board of directors of a public company whose shares are listed on certain non-Israeli stock
exchanges, including Nasdaq, that do not have a controlling shareholder (as such term is defined in the Companies Law), may, subject to certain conditions,
elect to “opt-out” of the requirements of the Companies Law regarding the election of external directors and to the composition of the audit committee and
compensation committee, provided that the company complies with the requirements as to director independence and audit committee and compensation
committee composition applicable to companies that are incorporated in the jurisdiction in which its stock exchange is located. In May 2016, our Board of
directors elected to opt-out of the Companies Law requirements to appoint external directors and related Companies Law rules concerning the composition of
the audit committee and compensation committee.
The foregoing exemptions will continue to be available to us so long as: (i) we do not have a “controlling shareholder” (as such term is defined under the
Companies Law), (ii) our shares are traded on a U.S. stock exchange, including Nasdaq, and (iii) we comply with Nasdaq listing rules applicable to domestic
U.S. companies. If, in the future, we were to have a controlling shareholder, we would again be required to comply with the requirements relating to external
directors and composition of the audit committee and compensation committee.
70
Under the Securities Law 1968-5728 (the Securities Law) and the Companies Law, the term “controlling shareholder” means a shareholder with the ability to
direct the activities of the company, other than by virtue of being an office holder. A shareholder is presumed to be a controlling shareholder if the shareholder
holds 50% or more of the voting rights in a company or has the right to appoint the majority of the directors of the company or its general manager. For the
purpose of approving transactions with controlling shareholders, the term “controlling shareholder” also includes any shareholder that holds 25% or more of the
voting rights of the company if no other shareholder holds more than 50% of the voting rights in the company.
Lead Independent Director
Mr. Mokady, our founder, who served as our CEO from 2005 until April 2023, has been on the Board of directors since the Company’s inception and has served
as Chairman of the Board since June 2016. When the roles of CEO and chairman of the Board were combined, our Board of directors appointed a lead
independent director. In April 2023, we separated the roles of CEO and Chairman of the Board. Mr. Mokady assumed the role of Executive Chairman of the
Board, and Matthew Cohen was appointed as CEO and joined the Board. Even though the roles of CEO and Chairman of the Board are not currently combined,
Mr. Mokady continues to be employed by the Company and, as such, he does not qualify as “independent.” Accordingly, in order to facilitate strong,
independent Board leadership and ensure effective independent oversight, the Board of directors believes it is in the Company’s best interest to maintain the
Lead Independent Director role.
Our Lead Independent Director is selected by our non-executive Board members from among the independent directors of the Board, who has served a
minimum of one year as a director. If, at any meeting of the Board, the Lead Independent Director is not present, for the purpose and duration of such meeting,
the Chairman of the Audit Committee, Chairman of the Compensation Committee, or an independent member of the Board of directors appointed by a majority
of the independent members of the Board of directors present will act as the Lead Independent Director, in the order listed above. Mr. Tirosh has been our Lead
Independent Director since June 2016.
The authorities and responsibilities of the Lead Independent Director include, but are not limited to, the following:
•
providing leadership to the Board if circumstances arise in which the role of the Executive Chairman of the Board may be, or may be perceived to be,
in conflict with the interests of the Company, and responding to any reported conflicts of interest, or potential conflicts of interest, arising for any
director;
•
presiding as chairman of meetings of the Board at which the Executive Chairman of the Board is not present, including executive sessions of the
independent members of the Board of directors;
•
serving as a liaison between the CEO and the independent members of the Board of directors;
•
providing feedback on Board meeting agendas, information and ongoing training provided to the Board, and requiring changes to the same;
•
approving meeting schedules to ensure there is sufficient time for discussion of all agenda items;
•
having the authority to call meetings of the independent members of the Board;
•
being available for consultation and direct communication with shareholders, as appropriate;
•
recommending that the Board of directors retain consultants or advisers that report directly to the Board;
•
conferring with the Executive Chairman of the Board or CEO on important Board of directors matters and key issues and tasks facing the Company,
and ensuring the Board of directors focuses on the same;
•
presiding over the Board’s annual self-assessment process and the independent directors’ evaluation of the effectiveness of the Executive Chairman of
the Board, CEO, and management; and
•
performing such other duties as the Board of directors may, from time to time, delegate to assist the Board of directors in the fulfillment of its duties.
71
Audit Committee
Under the Companies Law, the board of directors of a public company must appoint an audit committee. Our audit committee consists of three independent
directors, Ron Gutler (Chairperson), Kim Perdikou, and François Auque.
Audit Committee Composition
Under Nasdaq corporate governance rules, we are required to maintain an audit committee consisting of at least three independent directors, each of whom is
financially literate and one of whom has accounting or related financial management expertise.
All members of our audit committee meet the requirements for financial literacy under the applicable rules and regulations of the SEC and Nasdaq corporate
governance rules. Our Board of directors has determined that each of Ron Gutler, Kim Perdikou, and François Auque is an audit committee financial expert, as
defined by SEC rules, and each has the requisite financial experience as defined by Nasdaq corporate governance rules.
Each of the members of the audit committee is “independent” as such term is defined in Rule 10A-3(b)(1) under the Exchange Act, which is different from the
general test for independence of board members and members of other committees.
Audit Committee Role
Our Board of directors has an audit committee charter that sets forth the responsibilities of the audit committee consistent with the rules of the SEC and the
listing requirements of Nasdaq, as well as the requirements for such committee under the Companies Law. The responsibilities of the audit committee under the
audit committee charter include, among others, the following:
•
overseeing our accounting and financial reporting process and the audits of our financial statements, the effectiveness of our internal control over
financial reporting and making such reports as may be required of an audit committee under the rules and regulations promulgated under the Exchange
Act;
•
retaining and terminating our independent registered public accounting firm subject to the approval of our Board of directors and, in the case of
retention, of our shareholders and recommending the terms of audit and non-audit services provided by the independent registered public accounting
firm for pre-approval by our Board of directors and related fees and terms;
•
establishing systems of internal control over financial reporting, including communication and implementation thereof and the assessment of the
internal controls in accordance with the Sarbanes-Oxley Act, and any attestation by the independent registered public accounting firm;
•
determining whether there are deficiencies in the business management practices of our Company, including in consultation with our Head of Internal
Audit or the independent registered public accounting firm, and making recommendations to the Board of directors to improve such practices;
•
determining whether to approve certain related party transactions (see “Item 6.C. Board Practices —Approval of Related Party Transactions under
Israeli Law”);
•
recommending to the Board of directors the retention and termination of our Head of Internal Audit, and determining the Head of Internal Audit’s
remuneration, in accordance with the Companies Law;
•
approving the work plan proposed by the Head of Internal Audit and reviewing and discussing the work of the internal auditor on a quarterly basis;
•
reviewing our cybersecurity risks and controls with senior management, keeping our Board of directors informed of key issues related to cybersecurity;
•
establishing procedures for the handling of employees’ complaints as to the deficiencies in the management of our business and the protection to be
provided to such employees;
•
conducting or authorizing investigations into any matters within the scope of its responsibilities as it deems appropriate; and
•
performing such other duties consistent with the audit committee charter, our governing documents, stock exchange rules and applicable law that may
be requested by the Board of directors from time to time, including discussing with management policies and practices that govern the process by
which the Company undertakes risk assessment and management in sensitive areas.
72
Compensation Committee
Under the Companies Law, the board of directors of any public company must appoint a compensation committee. Our compensation committee consists of
three independent directors, Kim Perdikou (Chairperson), Gadi Tirosh and Ron Gutler.
Compensation Committee Composition
Under Nasdaq corporate governance rules, we are required to maintain a compensation committee consisting of at least two independent directors. Each of the
members of the compensation committee is “independent” as such term is defined in Rule 10C-1(b)(1) under the Exchange Act, which is different from the
general test for independence of board members and members of other committees.
Compensation Policy pursuant to the Israeli Companies Law
The duties of the compensation committee include the recommendation to the company’s board of directors of a policy regarding the terms of engagement of
office holders, as such term is defined under the Companies Law, to which we refer as a compensation policy. That compensation policy must be adopted by the
company’s board of directors, after considering the recommendations of the compensation committee, and must be brought for approval by the company’s
shareholders at least once every three years, which approval requires a Special Approval for Compensation (as defined below under “— Approval of Related
Party Transactions under Israeli Law—Disclosure of Personal Interests of an Office Holder and Approval of Certain Transactions”).
Under special circumstances, the board of directors may approve the compensation policy despite the objection of the shareholders on the condition that the
compensation committee and then the board of directors decide, based on detailed grounds and after discussing again the compensation policy, that approval of
the compensation policy, despite the objection of the meeting of shareholders, is for the benefit of the company.
The compensation policy must serve as the basis for decisions concerning the financial terms of employment or engagement of office holders, including
exculpation, insurance, indemnification or any monetary payment, obligation of payment or other benefit in respect of employment or engagement. The
compensation policy must be determined and later re-evaluated according to certain factors, including the advancement of the company’s objectives, business
plan and its long-term strategy and creation of appropriate incentives for office holders, while considering, among other things, the company’s risk management
policy, the size and the nature of its operations and with respect to variable compensation, the contribution of the office holder towards the achievement of the
company’s long-term goals and the maximization of its profits, all with a long-term objective and according to the position of the office holder. The
compensation policy must include certain principles, such as: a link between variable compensation and long-term performance, which variable compensation
shall, other than with respect to office holders who report to the CEO, be primarily based on measurable criteria; the relationship between variable and fixed
compensation; and the minimum holding or vesting period for variable, equity-based compensation. The compensation committee is responsible for (a)
recommending the compensation policy to a company’s board of directors for its approval (and subsequent approval by our shareholders) and (b) duties related
to the compensation policy and to the compensation of company’s office holders (as described below). Accordingly, following the recommendation and
approval of our compensation committee and Board, our shareholders approved our compensation policy at the June 2022 annual general meeting.
73
Compensation Committee Role
Our Board of directors has adopted a compensation committee charter that sets forth the responsibilities of the compensation committee. The responsibilities of
the committee set forth in its charter and the Companies Law include, among others, the following:
•
recommending to the board of directors for its approval a compensation policy and subsequently reviewing it from time to time, assessing its
implementation and recommending periodic updates, whether a new compensation policy should be adopted or an existing compensation policy should
continue in effect;
•
reviewing, evaluating, and making recommendations regarding the terms of office, compensation, and benefits for our office holders, including the non-
employee directors, taking into account our compensation policy;
•
exempting certain compensation arrangements from the requirement to obtain shareholder approval under the Companies Law (including with respect
to the CEO); and
•
reviewing and granting equity-based awards pursuant to our equity incentive plans to the extent such authority is delegated to the compensation
committee by our Board of directors and the reserving of additional shares for issuance thereunder.
Under our compensation policy, which was approved by our shareholders in June 2022, the compensation committee is responsible for the general
administration of the policy.
Nominating, Environmental, Sustainability and Governance Committee
Our nominating, environmental, sustainability and governance committee consists of four independent directors, Gadi Tirosh (Chairperson), Kim Perdikou,
Amnon Shoshani, and Avril England.
Nominating Environmental, Sustainability and Governance Committee Role
Our Board of directors has a nominating, environmental, sustainability and governance committee charter that sets forth the responsibilities of the nominating,
environmental, sustainability and governance committee, which include:
•
overseeing and assisting our Board of directors in reviewing and recommending nominees for election as directors and as members of the committees
of the board of directors;
•
establishing procedures for, and administering the performance of the members of our Board of directors and its committees;
•
evaluating and making recommendations to our Board of directors regarding the termination of membership of directors;
•
reviewing, evaluating, and making recommendations regarding management succession and development;
•
reviewing and making recommendations to our Board of directors regarding board member qualifications, composition and structure and the nature and
duties of the committees and qualifications of committee members;
•
establishing and maintaining effective corporate governance principles and practices, including, but not limited to, developing and recommending to
our Board of directors a set of corporate governance guidelines applicable to our Company; and
•
providing oversight of the Company’s efforts with regard to ESG matters, disclosure and strategy, as well as coordinating, as necessary, with other
committees of the board of directors and the Company’s ESG committee and steering committee, which are comprised of key Company employees and
management.
Disclosure of Compensation of Executive Officers
For so long as we qualify as a foreign private issuer, we are not required to comply with the proxy rules applicable to U.S. domestic companies, including the
requirement applicable to certain domestic issuers that do not qualify as emerging growth companies to disclose on an individual, rather than an aggregate basis,
the compensation of our named executive officers as defined in Item 402 of Regulation S-K. Nevertheless, the Companies Law requires that we disclose the
annual compensation of our five most highly compensated office holders (as defined under the Companies Law) on an individual basis. Under the Companies
Law regulations, this disclosure is required to be included in the annual proxy statement for our annual meeting of shareholders each year, which we will furnish
to the SEC under cover of a Report of Foreign Private Issuer on Form 6-K. Because of that disclosure requirement under Israeli law, we are also including such
information in this annual report, pursuant to the disclosure requirements of Form 20-F.
For additional information, see “Item 6.B. Compensation— Compensation of Directors and Senior Management.”
74
Compensation of Directors
Under the Companies Law, compensation of directors requires the approval described below under “Approval of Related Party Transactions under Israeli Law –
Disclosure of Personal Interests of an Office Holder and Approval of Certain Transactions.”
The directors are also entitled to be paid reasonable travel, hotel and other expenses incurred in attending board meetings and performing their functions as
directors of the Company, all of which is to be determined by the board of directors.
For additional information, see “Item 6.B. Compensation—Compensation of Directors and Senior Management.”
Internal Auditor
Under the Companies Law, the board of directors of an Israeli public company must appoint an internal auditor recommended by the audit committee. An
internal auditor may not be:
•
a person (or a relative of a person) who holds more than 5% of the company’s outstanding shares or voting rights;
•
a person (or a relative of a person) who has the power to appoint a director or the general manager of the company;
•
an office holder (including a director) of the company (or a relative thereof); or
•
a member of the company’s independent accounting firm, or anyone on his or her behalf.
The role of the internal auditor is to examine, among other things, our compliance with applicable law and orderly business procedures. The audit committee is
required to oversee the activities and to assess the performance of the internal auditor as well as to review the internal auditor’s work plan. Dror Bar Moshe
served as our internal auditor, as Head of Internal Audit for the year ended December 31, 2024.
Approval of Related Party Transactions under Israeli Law
Fiduciary Duties of Directors and Office Holders
The Companies Law codifies the fiduciary duties that office holders owe to a company. The term “office holder” is defined under the Companies Law as a
general manager, chief business manager, deputy general manager, vice general manager, any other person assuming the responsibilities of any of these
positions (regardless of that person’s title), a director and any other manager reporting directly to the general manager.
An office holder’s fiduciary duties consist of a duty of care and a duty of loyalty. The duty of care requires an office holder to act with the level of care with
which a reasonable office holder in the same position would have acted under the same circumstances. The duty of loyalty requires that an office holder act in
good faith and in the best interests of the company.
The duty of care includes a duty to use reasonable means to obtain:
•
information on the advisability of a given action brought for his or her approval or performed by virtue of his or her position; and
•
all other important information pertaining to any such action.
75
The duty of loyalty includes a duty to:
•
refrain from any conflict of interest between the performance of his or her duties to the company and his or her duties or personal affairs;
•
refrain from any action which competes with the company’s business;
•
refrain from exploiting any business opportunity of the company in order to receive a personal gain for himself or herself or others; and
•
disclose to the company any information or documents relating to the company’s affairs which the office holder received as a result of his or her
position as an office holder.
We may approve an act specified above that would otherwise constitute a breach of the duty of loyalty of an office holder, provided, that the office holder acted
in good faith, the act or its approval does not harm the company, and the office holder discloses his or her personal interest, including any related material
information or document, a sufficient time before the approval of such act. Any such approval is subject to the terms of the Companies Law, setting forth,
among other things, the organs of the company entitled to provide such approval, and the methods of obtaining such approval.
Disclosure of Personal Interests of an Office Holder and Approval of Certain Transactions
The Companies Law requires that an office holder promptly disclose to the board of directors any personal interest that he or she may be aware of and all related
material information or documents concerning any existing or proposed transaction with the company. An interested office holder’s disclosure must be made
promptly, and, in any event, no later than the first meeting of the board of directors in which the transaction is considered.
Under the Companies Law, a “personal interest” includes an interest of any person in an act or transaction of a company, including a personal interest of such
person’s relative or of a corporate body in which such person or a relative of such person is a 5% or greater shareholder, director or general manager, or in which
he or she has the right to appoint at least one director or the general manager, but excluding a personal interest stemming from one’s ownership of shares in the
company. A personal interest furthermore includes the personal interest of a person for whom the office holder holds a voting proxy or the personal interest of
the office holder with respect to his or her vote on behalf of a person for whom he or she holds a proxy even if such shareholder has no personal interest in the
matter. An office holder is not, however, obliged to disclose a personal interest if it derives solely from the personal interest of his or her relative in a transaction
that is not considered an extraordinary transaction. Under the Companies Law, an extraordinary transaction is defined as any of the following:
•
a transaction other than in the ordinary course of business;
•
a transaction that is not on market terms; or
•
a transaction that may have a material impact on a company’s profitability, assets or liabilities.
If it is determined that an office holder has a personal interest in a transaction, approval by the board of directors (and, in certain circumstances, of its applicable
committee) is required for the transaction, unless the company’s articles of association provide for a different method of approval. Further, so long as an office
holder has disclosed his or her personal interest in a transaction and acted in good faith and the transaction or action does not harm the company’s best interests,
the board of directors may approve an action by the office holder that would otherwise be deemed a breach of duty of loyalty.
The compensation of, or an undertaking to indemnify or insure, an office holder requires approval first by the company’s compensation committee, then by the
company’s board of directors, and, if such compensation arrangement or an undertaking to indemnify or insure is that of a director, the approval of the
shareholders by an ordinary majority. If such compensation arrangement or an undertaking to indemnify or insure is inconsistent with the company’s stated
compensation policy then such arrangement is subject to the approval of a majority vote of the shares present and voting at a shareholders meeting, provided
that either, which we refer to as the Special Approval for Compensation:
(a) such majority includes at least a majority of the shares held by all shareholders who do not have a personal interest in such compensation
arrangement and are not controlling shareholders, excluding abstentions; or
(b) the total number of shares of shareholders who do not have a personal interest in the compensation arrangement and who vote against the
arrangement does not exceed 2% of the company’s aggregate voting rights.
76
Generally, a person who has a personal interest in a matter which is considered at a meeting of the board of directors or the audit committee may not be present
at such a meeting or vote on that matter, unless the chairman of the relevant committee or board of directors (as applicable) determines that he or she should be
present in order to present the transaction that is subject to approval, in which case, such person may do so but may not vote on the matter. If a majority of the
members of the audit committee or the board of directors (as applicable) have a personal interest in the approval of a transaction, then all directors may
participate in discussions of the audit committee or the board of directors (as applicable) on such transaction and the voting on approval thereof. However, in the
event that a majority of the members of the board have a personal interest in a transaction, shareholder approval is also required for such a transaction.
Disclosure of Personal Interests of Controlling Shareholders and Approval of Certain Transactions
We currently do not have a controlling shareholder. If, in the future, we were to have a controlling shareholder, disclosure requirements regarding personal
interests will apply and shareholder approval (meeting a special majority requirement) will be required with respect to transactions specified in the Companies
Law involving the controlling shareholder, parties having certain relationships with the controlling shareholder and certain other specific transactions. In such
cases, the votes of a controlling shareholder and certain parties associated with it would be excluded for purposes of special majority voting requirements.
Additionally, the Companies Law provides a different, broader definition of a controlling shareholder with respect to the provisions pertaining to the approval of
related party transactions.
Shareholder Duties
Pursuant to the Companies Law, a shareholder has a duty to act in good faith and in a customary manner toward the company and other shareholders and to
refrain from abusing his or her power in the company, including, among other things, in voting at a general meeting and at shareholder class meetings with
respect to the following matters:
•
an amendment to the company’s articles of association;
•
an increase of the company’s authorized share capital;
•
a merger; or
•
the approval of related party transactions and acts of office holders that require shareholder approval.
In addition, a shareholder also has a general duty to refrain from discriminating against other shareholders.
Certain shareholders also have a duty of fairness toward the company. These shareholders include any controlling shareholder, any shareholder who knows that
he or she has the power to determine the outcome of a shareholder vote and any shareholder who has the power to appoint or to prevent the appointment of an
office holder of the company or other power towards the company. The Companies Law does not define the substance of the duty of fairness, except to state that
the remedies generally available upon a breach of contract will also apply in the event of a breach of the duty to act with fairness.
Exculpation, Insurance and Indemnification of Directors and Officers
Under the Companies Law, a company may not exculpate an office holder from liability for a breach of the duty of loyalty. An Israeli company may exculpate
an office holder in advance from liability to the company, in whole or in part, for damages caused to the company as a result of a breach of duty of care but only
if a provision authorizing such exculpation is included in its articles of association. Our articles of association include such a provision. The company may not
exculpate in advance a director from liability arising out of a prohibited dividend or distribution to shareholders.
77
Under the Companies Law and the Securities Law, a company may indemnify an office holder in respect of the following liabilities, payments and expenses
incurred for acts performed by him or her as an office holder, either pursuant to an undertaking made in advance of an event or following an event, provided its
articles of association include a provision authorizing such indemnification:
•
a monetary liability incurred by or imposed on him or her in favor of another person pursuant to a judgment, including a settlement or arbitrator’s award
approved by a court. However, if an undertaking to indemnify an office holder with respect to such liability is provided in advance, then such
undertaking must be limited to certain events which, in the opinion of the board of directors, can be foreseen based on the company’s activities when
the undertaking to indemnify is given, and to an amount or according to criteria determined by the board of directors as reasonable under the
circumstances, and such undertaking shall detail the foreseen events and described above amount or criteria;
•
reasonable litigation expenses, including reasonable attorneys’ fees, incurred by the office holder (1) as a result of an investigation or proceeding
instituted against him or her by an authority authorized to conduct such investigation or proceeding, provided that (i) no indictment was filed against
such office holder as a result of such investigation or proceeding; and (ii) no financial liability was imposed upon him or her as a substitute for the
criminal proceeding as a result of such investigation or proceeding or, if such financial liability was imposed, it was imposed with respect to an offense
that does not require proof of criminal intent; or (2) in connection with a monetary sanction or liability imposed on him or her in favor of an injured
party in certain administrative proceedings;
•
expenses incurred by an office holder in connection with administrative proceedings instituted against such office holder, or certain compensation
payments made to an injured party imposed on an office holder by administrative proceedings, including reasonable litigation expenses and reasonable
attorneys’ fees; and
•
reasonable litigation expenses, including attorneys’ fees, incurred by the office holder or imposed by a court in proceedings instituted against him or her
by the company, on its behalf, or by a third party, or in connection with criminal proceedings in which the office holder was acquitted, or as a result of a
conviction for an offense that does not require proof of criminal intent.
Under the Companies Law and the Securities Law, a company may insure an office holder against the following liabilities incurred for acts performed by him or
her as an office holder if and to the extent provided in the company’s articles of association:
•
a breach of duty of care to the company or to a third party, to the extent such a breach arises out of the negligent conduct of the office holder;
•
a breach of the duty of loyalty to the company, provided that the office holder acted in good faith and had a reasonable basis to believe that the act
would not harm the company;
•
a monetary liability imposed on the office holder in favor of a third party;
•
a monetary liability imposed on the office holder in favor of an injured party in certain administrative proceedings; and
•
expenses incurred by an office holder in connection with certain administrative proceedings, including reasonable litigation expenses and reasonable
attorneys’ fees.
Under the Companies Law, a company may not indemnify, exculpate, or insure an office holder against any of the following:
•
a breach of the duty of loyalty, except for indemnification and insurance for a breach of the duty of loyalty to the company to the extent that the office
holder acted in good faith and had a reasonable basis to believe that the act would not prejudice the company;
•
a breach of duty of care committed intentionally or recklessly, excluding a breach arising out of the negligent conduct of the office holder;
•
an act or omission committed with intent to derive illegal personal benefit; or
•
a civil or criminal fine, monetary sanction or forfeit levied against the office holder.
78
Under the Companies Law, exculpation, indemnification, and insurance of office holders in a public company must be approved by the compensation committee
and the board of directors and, with respect to certain office holders or under certain circumstances, also by the shareholders. See “Item 6.C. Board Practices—
Approval of Related Party Transactions under Israeli Law.”
We have entered into indemnification agreements with our office holders to exculpate, indemnify, and insure our office holders to the fullest extent permitted or
to be permitted by our articles of association and applicable law (including without limitation), the Companies Law, the Securities Law, and the Israeli
Restrictive Trade Practices Law, 5758-1988. We have obtained director and officer liability insurance for the benefit of our office holders and intend to continue
to maintain such insurance as deemed adequate and to the extent permitted by the Companies Law.
D.
Employees
As of December 31, 2024, we had 3,793 employees and subcontractors with 1,353 located in the United States, 1,062 in Israel, 416 in India, 217 in the United
Kingdom and 745 across 47 other countries. The following table shows the breakdown of our global workforce of employees and subcontractors by category of
activity as of the dates indicated:
As of December 31,
Department
2022
2023
2024
Sales and marketing
1,157
1,321
1,573
Research and development
901
922
1,205
Services and support
493
533
696
General and administrative
217
242
319
Total
2,768
3,018
3,793
All our employment agreements are governed by local labor laws and, where applicable, the relevant collective bargaining agreements (CBA) which may
dictate matters such as working hours, treatment of family leave, pension rights and vacation entitlement, depending on the CBA in question. CBAs apply to
employees based in the following countries: all employees in Italy work under the national CBA for trade and commerce sector (CCNL Commercio); all
employees in France work under the CBA for offices of technical studies, offices of consulting engineers and consulting firms (SYNTEC CBA); and all
employees in Spain work under the relevant CBA for the Sale of Metal of the Region of either Madrid, Barcelona, Malaga or Seville, depending on their
location.
With respect to our Israeli employees, Israeli labor laws govern the length of the workday, minimum wages for employees, procedures for hiring and dismissing
employees, determination of severance pay, annual leave, sick days, advance notice of termination of employment, equal opportunity and anti-discrimination
laws and other conditions of employment. Subject to certain exceptions, Israeli law generally requires severance pay upon the retirement, death or dismissal of
an employee, and requires us and our employees to make payments to the National Insurance Institute, which is similar to the U.S. Social Security
Administration. Our Israeli employees have pension plans that comply with the applicable Israeli legal requirements, and we make monthly contributions to
severance pay funds for all Israeli employees, which cover potential severance pay obligations.
Extension orders issued by the Israeli Ministry of Economy and Industry apply to our employees in Israel and affect matters such as, living adjustments to
salaries, length of working hours and week, recuperation pay, travel expenses, and pension rights. We have never experienced labor-related work stoppages or
strikes and believe that our relations with our employees are satisfactory.
79
Environmental, Social & Governance
We view ESG principles as being part of our broader strategy and values and believe that transparently disclosing our initiatives related to our ESG program
will allow our stakeholders to be informed about our progress.
Our approach to ESG is guided by an internal ESG Committee, which is comprised of members of key business areas including Finance, Legal and Compliance,
Human Resources, Investor Relations, Information Technology and Product Management. The ESG Committee reports to an Executive Steering Committee that
includes the CEO. Ultimately, the ESG Committee is overseen by the Board’s Nominating, Environmental, Sustainability and Governance Committee and the
full Board. We believe this structure increases the Board’s effectiveness as it oversees our progress, including the establishment of key metrics and targets.
We continued executing our ESG program in 2024, incorporating various stakeholder perspectives to better understand how ESG factors could impact our
business. The principles of our ESG Program include communicating and seeking feedback from internal and external stakeholders, maintaining trust through
disclosure and honest discussion about our progress and making measurable and sustainable progress on focus areas that are most impactful to our business and
stakeholders. Our ESG highlights, as of the fiscal year ended December 31, 2024, include the following:
Governance, Ethics, and Compliance
We are committed to promoting integrity, honesty, and professionalism and to maintaining the highest standards of ethical conduct in all our activities. Our Code
of Conduct, updated in 2022, aligns with our values and aims to address the compliance risks most relevant to our business. All CyberArk employees and
executive officers must certify their compliance with the Code and other company policies annually. Our Governance, Ethics, and Compliance strategy is
overseen by our Chief Legal Officer and supported by our VP of Compliance & Ethics. We periodically review our compliance program to ensure that risk
mitigation efforts meet relevant regulatory requirements. Our progress is regularly reviewed by our CFO and our CEO. The Audit Committee of the board of
directors has primary oversight of our Ethics and Compliance program. See “Item 16B. Code of Ethics” for additional details.
Environment and Climate. We recognize the importance of environmental stewardship. We have taken and continue to take steps to better understand our
carbon footprint and this process will provide the starting point from which we can explore opportunities to identify the best ways to reduce our environmental
impact.
Culture and Talent. Our People strategy (also Human Capital Management) is built on four pillars: Attract, Belong, Communicate and Develop – the ABCDs.
The ABCD strategy supports the wellbeing, retention, and career development of our people, since our culture continues to be a key ingredient in our success.
We believe that the combined experience across the ABCD pillars, coupled with the right tone at the top, enables our employees and our culture to thrive. We
are committed to hiring talented, smart, bold and humble employees who love a challenge. Our Chief Human Resource Officer, who reports directly to our
CEO, oversees our broad and comprehensive initiatives to promote a strong culture, including employee recognition programs, matching charitable donations, a
wide range of community volunteering opportunities, team building events, regular executive round table discussions and employee engagement surveys. Given
its importance to our overall strategic execution, our human capital management and inclusion and belonging (I&B) program is overseen by the Compensation
Committee of the board of directors. Our CEO and our Chief Human Resource Officer regularly report to the Board and the Compensation Committee on
human capital and I&B matters.
Our Culture
Our culture is an important contributing factor to our success and a key differentiator in our strategy. We are committed to cultivating an environment where
people feel valued and can build strong relationships that form the heart of the CyberArk community. We believe that by equipping and encouraging our people
to achieve their full potential, we can successfully contribute to creating a safer, more secure world. In 2024, across all regions, we received eight employer of
choice recognitions.
80
Attract: Recruitment & Wellbeing
As a growing business, we focus on attracting employees who embrace and demonstrate a commitment to our Core Values.
In the United States, Israel, India and Singapore, and across the Company, we welcomed approximately 100 college students to our 2024 internship program.
They gained invaluable first-hand work experience, while contributing to a variety of teams, including R&D, Customer Support, Marketing, Sales, IT, HR and
Finance.
We offer a pay-for-performance total rewards approach. Our methodology includes competitive base salaries, variable pay programs to drive target
achievements, long-term incentives such as equity grants and customized benefits packages across all our regions. We regularly review our total compensation
offerings to address constantly changing trends and developments in the complex global and local markets in which we operate. We have a hybrid work model
to promote our employees’ ability to meet their individual work-environment needs.
We provide our employees and their families with robust healthcare benefits and a variety of health and wellness programs. From our benefits and workspaces
to our employee engagement and focus on values, we are cultivating an environment that fosters communication, collaboration, and community. We invest in
our employees through various training and wellness programs focused on physical, emotional, and financial wellbeing, including lectures and webinars,
meditation sessions, physical fitness classes and challenges, corporate and regional employee newsletters, and a variety of team-building and volunteer
activities.
Belong: Inclusion and Belonging
Inclusion and belonging (I&B) is critical to the successful execution of our strategy. Cultivating an inclusive culture where people feel they belong drives
innovation, strengthens decision-making processes, and creates a strong community that enables employees to be their authentic selves. In 2024, we welcomed a
senior director of global inclusion and belonging to lead this important work and drive our I&B strategy. We also launched a Global Council for Inclusion &
Belonging, which consists of senior leaders from around CyberArk and is responsible for, among other things, setting a three-year roadmap for our I&B
strategy.
We have also taken important strides in cultivating a more equitable and inclusive culture by launching and supporting four Employee Resource Groups (ERGs)
– one for women, one for the LGBTQIA2S+ community, one for empowering employees across different backgrounds, and a new ERG that supports
neurodivergent individuals. ERGs are open to all employees, regardless of how they personally identify. We highlighted the contributions of our ERGs during a
special all-employee program and saw increased interest in ERG participation in 2024.
81
Communicate: Employee Engagement, Recognition & Satisfaction
Two-way communication helps drive alignment and higher levels of employee engagement and satisfaction. We regularly engage with our employees through
programs such as our quarterly all-hands meetings and roundtable sessions to increase communication and transparency between senior leaders and all
employees. Providing bi-annual feedback dialogues between each employee and their manager is another avenue for career planning and assessment to outline
achievements, challenges, and growth opportunities.
Using a third-party platform, we regularly conduct comprehensive employee engagement surveys throughout all regions and departments. In our latest survey
our participation rate of 83%, and engagement score was well above the industry benchmark, indicating that 86% of our employees were pleased with their
overall experience and would recommend CyberArk to a peer. We utilize this feedback to enhance and improve the overall employee experience, our culture,
and our strategy, designed to highlight the positive customer experiences across the organization and educate employees about programs that support their career
development and progression.
Develop: Learning and Career Development
We encourage all employees to shape their own learning journey and take advantage of the broad variety of learning and development opportunities that we
offer. Learning and development help our colleagues enhance their skills and competencies to become more impactful in their current role as well as in future
roles. In addition, we deliver learning solutions using various methodologies, including classroom-based sessions, hackathons, virtual webinars, coaching, and
experiential learning to meet the needs of our employees. We aim to offer innovative opportunities to empower employees to grow and advance their careers. In
2024, we launched our new Career Lattice program, designed to support career progression beyond promotions by enabling them to expand their current role.
This includes equipping managers with tools to coach employees through this process.
E.
Share Ownership
For additional information regarding the share ownership of our directors and senior management, please also refer to “Item 6.B. Compensation.”
Shares Beneficially Owned
Name of Beneficial Owner
Number
%
Senior Management and Directors
Ehud (Udi) Mokady (1)
*
*
Matthew Cohen
*
*
Erica Smith
*
*
Eduarda Camacho
*
*
Donna Rahav
*
*
Peretz Regev
*
*
Omer Grossman
*
*
Gadi Tirosh
*
*
Ron Gutler
*
*
Kim Perdikou
*
*
Amnon Shoshani
*
*
François Auque
*
*
Avril England
*
*
Mary Yang
*
*
All senior management and directors as a group (14 persons)
*
*
*Less than 1%
(1)
Mr. Mokady’s shares include 12,600 shares held in trust for family members over which Mr. Mokady is the beneficial owner.
F. Disclosure of a Registrant’s Action to Recover Erroneously Awarded Compensation
None.
82
ITEM 7. MAJOR SHAREHOLDERS AND RELATED PARTY TRANSACTIONS
A.
Major Shareholders
The table above sets forth information with respect to the beneficial ownership of our shares as of January 31, 2025 by:
•
each person or entity known by us to own beneficially 5% or more of our outstanding shares;
•
each of our directors and senior management individually; and
•
all of our senior management and directors as a group.
The beneficial ownership of ordinary shares is determined in accordance with the rules of the SEC and generally includes any ordinary shares over which a
person exercises sole or shared voting or investment power, or the right to receive the economic benefit of ownership. For purposes of the table above, we deem
shares subject to equity-based awards that are currently exercisable or exercisable within 60 days of January 31, 2025, to be outstanding and to be beneficially
owned by the person holding the equity-based awards for the purposes of computing the percentage ownership of that person but we do not treat them as
outstanding for the purpose of computing the percentage ownership of any other person. The percentage of shares beneficially owned is based on 49,458,713
ordinary shares outstanding as of January 31, 2025.
As of January 31, 2025, we had six holders of record of our ordinary shares in the United States, including Cede & Co., the nominee of The Depository Trust
Company. These shareholders held in the aggregate 48,312,415 of our outstanding ordinary shares, or 97.6% of our outstanding ordinary shares as of January
31, 2025. The number of record holders in the United States is not representative of the number of beneficial holders nor is it representative of where such
beneficial holders are resident since many of these ordinary shares were held by brokers or other nominees.
All of our shareholders, including the shareholders listed above, have the same voting rights attached to their ordinary shares. See “Item 10.B. Memorandum
and Articles of Association.” None of our principal shareholders, if any, or our directors and senior management have different or special voting rights with
respect to their ordinary shares. Unless otherwise noted below, each shareholder’s address is CyberArk Software Ltd., 9 Hapsagot St., Park Ofer B, POB 3143,
Petach-Tikva, 4951040, Israel.
A description of any material relationship that our principal shareholders have had with us or any of our predecessors or affiliates since January 31, 2025 is
included under “Item 7.B. Related Party Transactions.”
Significant Changes
No significant changes have occurred since December 31, 2024, except as otherwise disclosed in this annual report.
83
B.
Related Party Transactions
Our policy is to enter into transactions with related parties on terms that, on the whole, are no more favorable, or no less favorable, than those available from
unaffiliated third parties. Based on our experience in the business sectors in which we operate and the terms of our transactions with unaffiliated third parties,
we believe that all of the transactions described below met this policy standard at the time they occurred.
The following is a description of material transactions, or series of related material transactions, since January 1, 2024, to which we were or will be a party and
in which the other parties included or will include our directors, executive officers, holders of more than 10% of our voting securities or any member of the
immediate family of any of the foregoing persons.
Registration Rights
Our investor rights agreement entitles our shareholders to certain registration rights. None of our shareholders are currently entitled to registration rights
pursuant to the investor rights agreement.
Registration Rights Agreement
On October 1, 2024, the Company and Seller entered into a customary Registration Rights Agreement (the “Registration Rights Agreement”), the form of which
was agreed at the time of the signing of the Merger Agreement. Subject to the terms and conditions of the Registration Rights Agreement, the Company is
required to register with the SEC the ordinary shares of the Company issued to Seller in connection with the Merger (the “Seller Shares”). The Registration
Rights Agreement permits Seller to make a limited number of requests from the Company to perform underwritten shelf offerings, subject to certain volume
restrictions. In addition, if the Company proposes to register any of its ordinary shares, Seller will have the right, pursuant to the Registration Rights Agreement,
to be included in such registration, subject to customary cutbacks. Under the Registration Rights Agreement, the Company has agreed to pay the fees and
expenses associated with registration of the Seller Shares. The Registration Rights Agreement contains customary provisions with respect to registration
proceedings, underwritten offerings and indemnity and contribution rights.
A copy of the Registration Rights Agreement is filed as Exhibit 2.3 to this Annual Report.
Agreements with Directors and Officers
Employment and Related Agreements. We have entered into written employment agreements with each of our officers. These agreements provide for notice
periods of varying duration for termination of the agreement by us or by the relevant executive officer, during which time the officer will continue to receive
base salary and benefits. These agreements also contain customary provisions regarding confidentiality of information and ownership of inventions.
Equity Awards. Since our inception we have granted options to purchase, and restricted share units underlying our ordinary shares to our officers and certain of
our directors. Such award agreements contain acceleration provisions upon certain merger, acquisition, death, or change of control transactions. We describe our
equity incentive plans under “Item 6.B. Compensation—Equity Incentive Plans” and the equity-based compensation received by certain of our senior managers
in “Item 6.B. Compensation—Compensation of Directors and Senior Management.” If the relationship between us and a senior manager, or a director, is
terminated, except for cause (as defined in the various option agreements), all options that are vested will remain exercisable for 90 days after such termination
in the case of our executive officers, or one year in the case of our directors.
Exculpation, Indemnification and Insurance. Our articles of association permit us to exculpate, indemnify, and insure certain of our office holders to the fullest
extent permitted by Israeli law. We have entered into agreements with certain of our office holders, including our directors, exculpating them from a breach of
their duty of care to us to the fullest extent permitted by law and undertaking to indemnify them to the fullest extent permitted by law, subject to certain
exceptions. See “Item 6.C. Board Practices—Exculpation, Insurance and Indemnification of Directors and Officers.”
C.
Interests of Experts and Counsel
Not applicable.
84
ITEM 8. FINANCIAL INFORMATION
A. Consolidated Statements and Other Financial Information
Consolidated Financial Statements
We have appended as part of this annual report our consolidated financial statements starting at page F-1.
Legal Proceedings
From time to time, we may be subject to legal proceedings and claims arising in the ordinary course of business. We are currently not a party to any material
litigation, and we are not aware of any pending or threatened material legal or administrative proceedings against us. Regardless of the outcome, litigation can
have an adverse impact on us because of defense and settlement costs, diversion of management resources and other factors.
Dividend Policy
We have never declared or paid any cash dividends on our ordinary shares. We do not anticipate paying any cash dividends in the foreseeable future. We
currently intend to retain future earnings, if any, to finance operations and expand our business. Our Board of directors has sole discretion whether to pay
dividends. If our Board of directors decides to pay dividends, the form, frequency and amount will depend upon our future operations and earnings, capital
requirements and surplus, general financial condition, contractual restrictions and other factors that our directors may deem relevant. The distribution of
dividends may also be limited by Israeli law, which permits the distribution of dividends only out of retained earnings or otherwise upon the permission of an
Israeli court. However, as a company listed on an exchange outside of Israel, court approval is not required if the proposed distribution is in the form of an
equity repurchase, provided that we notify our creditors of the proposed equity repurchase and allow such creditors an opportunity to initiate a court proceeding
to review the repurchase. If within 30 days such creditors do not file an objection, then we may proceed with the repurchase without obtaining court approval.
B.
Significant Changes
No significant changes have occurred since December 31, 2024, except as otherwise disclosed in this annual report.
85
ITEM 9. THE OFFER AND LISTING
A.
Offer and Listing Details
Our ordinary shares are quoted on Nasdaq under the symbol “CYBR.”
B.
Plan of Distribution
Not applicable.
C.
Markets
See “—Offer and Listing Details” above.
D.
Selling Shareholders
Not applicable.
E.
Dilution
Not applicable.
F.
Expenses of the Issue
Not applicable.
ITEM 10. ADDITIONAL INFORMATION
A.
Share Capital
Not applicable.
B.
Memorandum and Articles of Association
A copy of our amended and restated articles of association is incorporated by reference as Exhibit 1.1 to this annual report on Form 20-F. The information called
for by this Item is set forth in Exhibit 2.4 to this annual report on Form 20-F and is incorporated by reference into this annual report on Form 20-F.
C.
Material Contracts
For a description of the registration rights that we granted under our Fourth Amended Investor Rights Agreement and our Registration Rights Agreement, please
refer to “Item 7.B. Related Party Transactions—Registration Rights.”
For a description of our leases, see “Item 4.B.—Business Overview—Properties.”
For a description of our issuance of convertible notes, see Note 12 to our consolidated financial statements included within this annual report.
Merger Agreement
On May 19, 2024, the Company entered into an Agreement and Plan of Merger (the “Merger Agreement”) with Venafi, Venafi Parent, LP, a Delaware
partnership (“Seller”), and Triton Merger Sub, Inc., a Delaware corporation and indirect wholly-owned subsidiary of the Company (“Merger Sub”), pursuant to
which Merger Sub would merge with and into Venafi (the “Merger”) with Venafi continuing after the Merger as a wholly-owned indirect subsidiary of the
Company.
The Merger was completed on October 1, 2024 at a transaction price of $1.66 billion in a combination of cash (approximately $1.02 billion) and Company
ordinary shares (approximately $0.64 billion). The ordinary shares of the Company were issued to Seller without registration under the Securities Act of 1933 in
reliance on the private offering exemption provided by Section 4(a)(2) thereof.
A copy of the Merger Agreement is filed as Exhibit 4.11 to this Annual Report.
86
D. Exchange Controls
In 1998, Israeli currency control regulations were liberalized significantly, so that Israeli residents generally may freely deal in foreign currency and foreign
assets, and non-residents may freely deal in Israeli currency and Israeli assets. There are currently no Israeli currency control restrictions on remittances of
dividends on the ordinary shares or the proceeds from the sale of the shares provided that all taxes were paid or withheld; however, legislation remains in effect
pursuant to which currency controls can be imposed by administrative action at any time.
Non-residents of Israel may freely hold and trade our securities. Neither our articles of association nor the laws of the State of Israel restrict in any way the
ownership or voting of ordinary shares by non-residents, except that such restrictions may exist with respect to citizens of countries which are in a state of war
with Israel. Israeli residents are allowed to purchase our ordinary shares.
E. Taxation
Certain Israeli Tax Consequences
The following description is not intended to constitute a complete analysis of all tax consequences relating to the acquisition, ownership and disposition of our
ordinary shares. You should consult your tax advisor concerning the specific and individual tax consequences of your particular situation, as well as any tax
consequences that may arise under the laws of any state, local, foreign or other taxing jurisdiction. This summary does not discuss all of the aspects of Israeli tax
law that may be relevant to a particular investor in light of his or her personal investment circumstances or to some types of investors subject to special
treatment under Israeli law. Examples of such investors include residents of Israel or traders in securities who are subject to special tax regimes not covered in
this discussion. Some parts of this discussion are based on tax legislation which has not been subject to judicial or administrative interpretation. The discussion
should not be construed as legal or professional tax advice and does not cover all possible tax considerations.
Capital Gains
Capital gains tax is generally imposed on the disposal of capital assets by an Israeli resident, and on the disposal of such assets by a non-Israel resident if those
assets are either (i) located in Israel, (ii) are shares or a right to a share in an Israeli resident corporation, or (iii) represent, directly or indirectly, rights to assets
located in Israel, unless a tax treaty in force between Israel and the seller’s country of residence provides otherwise. The Ordinance distinguishes between “Real
Capital Gain” and the “Inflationary Surplus.” Real Capital Gain is the excess of the total capital gain over Inflationary Surplus computed generally on the basis
of the increase in the Israeli Consumer Price Index (CPI) between the date of purchase and the date of disposal.
The Real Capital Gain accrued by individuals on the sale of our ordinary shares (that were purchased after January 1, 2012, whether listed on a stock exchange
or not) will be taxed at the rate of 25%. However, if such shareholder is a “Significant Shareholder” (i.e., a person who holds, directly or indirectly, alone or
together with such person’s relative or another person who collaborates with such person on a permanent basis, 10% or more of one of the Israeli resident
company’s means of control) at the time of sale or at any time during the preceding 12 month period and/or claims a deduction for interest and linkage
differences expenses in connection with the purchase and holding of such shares, such gain will be taxed at the rate of 30%. “Means of control” generally
include the right to vote, receive profits, nominate a director or an executive officer, receive assets upon liquidation, or order someone who holds any of the
aforesaid rights how to act, regardless of the source of such right.
The Real Capital Gain derived by corporations will generally be subject to the ordinary corporate tax (23% in 2018 and thereafter).
An individual shareholder dealing in securities, or to whom such income is otherwise taxable as ordinary business income are taxed in Israel at their marginal
tax rates applicable to business income (up to 47% in 2024). Certain Israeli institutions who are exempt from tax under section 9(2) or section 129(C)(a)(1) of
the Ordinance (such as exempt trust fund, pension fund) may be exempt from capital gains tax from the sale of our ordinary shares.
87
Capital Gains Taxes Applicable to Non-Israeli Resident Shareholders
A non-Israeli resident who derives capital gains from the sale of shares in an Israeli resident company that were purchased after the company was listed for
trading on a stock exchange outside of Israel should generally be exempt from Israeli capital gains tax so long as the capital gains derived from the sale of the
shares was not attributed to a permanent establishment that the non-resident maintains in Israel and that such shareholders are not subject to the Israeli Income
Tax Law (Inflationary Adjustments) 5745-1985. However, non-Israeli corporations will not be entitled to the foregoing exemption if Israeli residents: (i) have a
controlling interest of more than 25% in such non-Israeli corporation or (ii) are the beneficiaries of, or are entitled to, 25% or more of the revenues or profits of
such non-Israeli corporation, whether directly or indirectly. Such exemption is not applicable to a person whose gains from selling or otherwise disposing of the
shares are deemed to be a business income.
Additionally, a sale of shares by a non-Israeli resident (either an individual or a corporation) may be exempt from Israeli capital gains tax under the eligibility to
enjoy the provisions of an applicable tax treaty benefits which should generally supersede Israeli domestic legislation. For example, under the Convention
between the United States and the Government of the State of Israel with respect to Taxes on Income (the United States-Israel Tax Treaty), the disposition of
shares by a shareholder who (i) is a U.S. resident (for purposes of the United States -Israel Tax Treaty), (ii) holds the shares as a capital asset, and (iii) is entitled
to claim the benefits afforded to such person by the United States-Israel Tax Treaty, is generally exempt from Israeli capital gains tax. Such exemption will not
apply if: (i) the capital gain arising from the disposition can be attributed to royalties; (ii) the shareholder holds, directly or indirectly, shares representing 10%
or more of the voting capital during any part of the 12-month period preceding such sale, exchange or disposition, subject to certain conditions; (iii) such U.S.
resident is an individual and was present in Israel for a period or periods aggregating to 183 days or more during the relevant taxable year; (iv) the capital gain
arising from such sale, exchange or disposition is attributed to real estate located in Israel; or (v) the shareholder is a U.S. resident (for purposes of the U.S.-
Israel Treaty) and deemed a dealer or otherwise is deemed to have business income from such sale, exchange or disposition of the shares attributed to a
permanent establishment in Israel. In such case, the sale, exchange or disposition of our ordinary shares would be subject to Israeli tax, to the extent applicable;
however, under the United States-Israel Tax Treaty, a U.S. resident would be permitted to claim a credit for such taxes against the U.S. federal income tax
imposed with respect to such sale, exchange or disposition, subject to the limitations under U.S. law applicable to foreign tax credits. The United States-Israel
Tax Treaty does not relate to tax credits against U.S. state or local taxes.
In some instances where our shareholders may be liable for Israeli tax on the sale of their ordinary shares, the payment of the consideration may be subject to
the withholding of Israeli tax at source. Shareholders may be required to demonstrate that they are exempt from tax on their capital gains in order to avoid
withholding at source at the time of sale. Specifically, in transactions involving a sale of all of the shares of an Israeli resident company, in the form of a merger
or otherwise, the Israel Tax Authority may require from shareholders who are not liable for Israeli tax to sign declarations in forms specified by this authority or
to apply for and obtain a specific withholding tax certificate of exemption from the Israel Tax Authority to confirm their particular status as non-Israeli resident,
and, in the absence of such declarations or exemptions, may require the purchaser of the shares to withhold taxes at source.
Taxation of Non-Israeli Shareholders on Receipt of Dividends
Non-Israeli residents (either an individual or a corporation) are generally subject to Israeli income tax on the receipt of dividends paid on our ordinary shares at
the rate of 25%, unless an applicable relief is provided in a treaty between Israel and the shareholder’s country of residence. With respect to a person who is a
“Significant Shareholder” at the time of receiving the dividend or on any time during the preceding 12 months, the applicable tax rate is 30%. Such dividends
paid to non-Israeli residents are generally subject to Israeli withholding tax at a rate of 25% so long as the shares are registered with a Nominee Company
(whether the recipient is a Significant Shareholder or not), unless a reduced tax rate is provided under an applicable tax treaty, provided that a certificate from
the Israel Tax Authority allowing for a reduced withholding tax rate is obtained in advance. However, subject to the receipt in advance of a valid certificate from
the Israel Tax Authority allowing for a reduced tax rate, a distribution of dividends to non-Israeli residents is subject to withholding tax at source at a rate of
15% if the dividend is distributed from income attributed to an Approved Enterprise or generally 20% if the dividend is distributed from income attributed to a
Preferred Enterprise (including Preferred Technological Enterprise based on which the Company is taxed as from 2017 onwards), unless a reduced tax rate is
provided under an applicable tax treaty (subject to the receipt in advance of a valid certificate from the Israel Tax Authority allowing for a reduced tax rate).
Under the United States-Israel Tax Treaty, the maximum rate of tax withheld at source in Israel on dividends paid to a holder of our ordinary shares who is a
U.S. resident (for purposes of the United States-Israel Tax Treaty) is 25%. However, the maximum rate of withholding tax on dividends, not generated from an
Approved Enterprise or Benefited Enterprise, that are paid to a United States corporation holding 10% or more of the outstanding voting capital throughout the
tax year in which the dividend is distributed as well as during the previous tax year, is 12.5%, provided that no more than 25% of the gross income for such
preceding year consists of certain types of dividends and interest. Notwithstanding the foregoing, a distribution of dividends to non-Israeli residents is subject to
withholding tax at source at a rate of 15% if the dividend is distributed from income attributed to an Approved Enterprise for such U.S. corporation shareholder,
provided that the condition related to our gross income for the previous year (as set forth in the previous sentence) is met. The aforementioned rates under the
United States-Israel Tax Treaty will not apply if the dividend income was attributed to a permanent establishment that the U.S. resident maintains in Israel. U.S.
residents who are subject to Israeli withholding tax on a dividend may be entitled to a credit or deduction for United States federal income tax purposes in the
amount of the taxes withheld, subject to detailed rules contained in U.S. tax legislation. We cannot assure you that in the event we declare a dividend we will
designate the income out of which the dividend is paid in a manner that will reduce shareholders’ tax liability.
88
If the dividend is attributable partly to income derived from an Approved Enterprise, Benefited Enterprise or Preferred Enterprise, and partly to other sources of
income, the withholding rate will be a blended rate reflecting the relative portions of the two types of income. U.S. residents who are subject to Israeli
withholding tax on a dividend may be entitled to a credit or deduction for United States federal income tax purposes in the amount of the taxes withheld, subject
to detailed rules contained in U.S. tax legislation. As indicated above, application for this reduced tax rate requires appropriate documentation presented to and
specific instruction received from the Israel Tax Authority.
A non-Israeli resident who receives dividends from which tax was duly withheld is generally exempt from the obligation to file tax returns in Israel with respect
to such income, provided that (i) such income was not generated from business conducted in Israel by the taxpayer; (ii) the taxpayer has no other taxable sources
of income in Israel with respect to which a tax return is required to be filed, and (iii) the taxpayer is not liable to Excess Tax (as further explained below).
Payers of dividends on our ordinary shares, including the Israeli stockbroker effectuating the transaction, or the financial institution through which the securities
are held, are generally required, subject to any of the foregoing exemptions, reduced tax rates and the demonstration of foreign residence of the shareholder, to
withhold tax upon the distribution of dividends at the rate of 25%, so long as the shares are registered with a nominee company.
Excess Tax
Individuals who are subject to tax in Israel (whether any such individual is an Israeli resident or non-Israeli resident) are also subject to an additional tax at a rate
of 3% on annual income exceeding a certain threshold (NIS 721,560 for 2024), which amount is generally linked to the annual change in the Israeli consumer
price index (with the exception that based on Israeli new legislation such amount, and certain other statutory amounts will not be linked to the Israeli consumer
price index for the years 2025-2027), including, but not limited to, dividends, interest and capital gains. According to new legislation, in effect as of January 1,
2025, an additional 2% excess tax is imposed on Capital-Sourced Income (defined as income from any source other than employment income, business income
or income from “personal effort), to the extent that the Individual’s Capital Sourced Income exceeds the specified threshold of NIS 721,560 (and regardless of
the employment/business income amount of such individual). This new excess tax applies, among other things, to income from capital gains, dividends, interest,
rental income, or the sale of real property.
Estate and Gift Tax
Israeli law presently does not impose estate or gift taxes.
89
Certain United States Federal Income Tax Consequences
The following is a description of certain United States federal income tax consequences relating to the acquisition, ownership and disposition of our ordinary
shares by a U.S. Holder (as defined below). This description addresses only the United States federal income tax consequences to U.S. Holders that hold such
ordinary shares as capital assets within the meaning of Section 1221 of the Internal Revenue Code of 1986, as amended (the Code). This description does not
address tax considerations applicable to U.S. Holders that may be subject to special tax rules, including, without limitation:
•
banks, financial institutions or insurance companies;
•
real estate investment trusts, regulated investment companies or grantor trusts;
•
brokers, dealers or traders in securities, commodities or currencies;
•
tax-exempt entities, accounts or organizations, including an “individual retirement account” or “Roth IRA” as defined in Section 408 or 408A of the
Code, respectively;
•
certain former citizens or long-term residents of the United States;
•
persons that receive our ordinary shares as compensation for the performance of services;
•
persons that hold our ordinary shares as part of a “hedging,” “integrated” or “conversion” transaction or as a position in a “straddle” for United States
federal income tax purposes;
•
persons subject to special tax accounting rules as a result of any item of gross income with respect to the ordinary shares being taken into account in
an applicable financial statement;
•
partnerships (including entities or arrangements classified as partnerships for United States federal income tax purposes) or other pass-through
entities or arrangements, or indirect holders that hold our ordinary shares through such an entity or arrangement;
•
S corporations;
•
holders whose “functional currency” is not the U.S. dollar; or
•
holders that own directly, indirectly or through attribution 10.0% or more of the voting power or value of our shares.
Moreover, this description does not address the United States federal estate, gift or any alternative minimum tax consequences, or any state, local or non-U.S.
tax consequences, of the acquisition, ownership and disposition of our ordinary shares.
This description is based on the Code, existing, proposed and temporary United States Treasury Regulations and judicial and administrative interpretations
thereof, in each case as in effect and available on the date hereof. All of the foregoing is subject to change, which change could apply retroactively and could
affect the tax consequences described below. There can be no assurances that the U.S. Internal Revenue Service (IRS), will not take a different position
concerning the tax consequences of the ownership and disposition of our ordinary shares or that such a position would not be sustained. Holders should consult
their tax advisors concerning the U.S. federal, state, local and foreign tax consequences of acquiring, owning and disposing of our ordinary shares in their
particular circumstances.
For purposes of this description, a “U.S. Holder” is a beneficial owner of our ordinary shares that, for United States federal income tax purposes, is:
•
a citizen or individual resident of the United States;
•
a corporation (or other entity treated as a corporation for United States federal income tax purposes) created or organized in or under the laws of the
United States or any state thereof, including the District of Columbia;
•
an estate the income of which is subject to United States federal income taxation regardless of its source; or
•
a trust if such trust has validly elected to be treated as a United States person for United States federal income tax purposes or if (1) a court within the
United States is able to exercise primary supervision over its administration and (2) one or more United States persons have the authority to control
all of the substantial decisions of such trust.
If a partnership (or any other entity or arrangement treated as a partnership for United States federal income tax purposes) holds our ordinary shares, the tax
treatment of a partner in such partnership will generally depend on the status of the partner and the activities of the partnership. Such a partner or partnership
should consult its tax advisor as to the particular United States federal income tax consequences of acquiring, owning and disposing of our ordinary shares in its
particular circumstance.
90
You should consult your tax advisor with respect to the United States federal, state, local and foreign tax consequences of acquiring, owning and
disposing of our ordinary shares.
Distributions
Subject to the discussion below under “Passive Foreign Investment Company Considerations,” the gross amount of any distribution made to you with respect to
our ordinary shares before reduction for any Israeli taxes withheld therefrom, other than certain distributions, if any, of our ordinary shares distributed pro rata to
all our shareholders, generally will be includible in your income as dividend income on the date on which the dividends are actually or constructively received,
to the extent such distribution is paid out of our current or accumulated earnings and profits as determined under United States federal income tax principles. To
the extent that the amount of any distribution by us exceeds our current and accumulated earnings and profits as determined under United States federal income
tax principles, it will be treated first as a tax‑free return of your adjusted tax basis in our ordinary shares and thereafter as capital gain. However, we do not
expect to maintain calculations of our earnings and profits under United States federal income tax principles. Therefore, you should expect that the entire
amount of any distribution generally will be reported as dividend income to you. Subject to applicable limitations, dividends paid to certain non-corporate U.S.
Holders may qualify for the preferential rates of taxation with respect to dividends on ordinary shares if certain requirements, including stock holding period
requirements, are satisfied by the recipient and our ordinary shares are readily tradeable on an establishes securities market in the United States. U.S. Treasury
Department guidance indicates that our Ordinary Shares, which are listed on the Nasdaq, are readily tradable on an established securities market in the United
States. Thus, we believe that any dividends that we pay on our ordinary shares will be potentially eligible for the lower tax rates. However, such dividends will
not be eligible for the dividends received deduction generally allowed to corporate U.S. Holders.
Subject to certain conditions and limitations, Israeli tax withheld on dividends may be, at your election, either deducted from your taxable income or credited
against your United States federal income tax liability. Dividends paid to you with respect to our ordinary shares will generally be treated as foreign source
income and “passive category income” for purposes of the foreign tax credit, which may be relevant in calculating your foreign tax credit limitation. Final
Treasury regulations (the Foreign Tax Credit Regulations) have imposed additional requirements for foreign taxes to be eligible for a foreign tax credit, and
there can be no assurance that those requirements will be satisfied. However, recent notices from the IRS (the Notices) indicate that the U.S. Department of the
Treasury and the IRS are considering proposing amendments to such Treasury regulations and allowing, subject to certain conditions, taxpayers to defer the
application of many aspects of such Treasury regulations until the date when a notice or other guidance withdrawing or modifying the temporary relief is issued
(or any later date specified in such notice or other guidance). In addition, for periods in which we are a “United States-owned foreign corporation,” a portion of
dividends (generally attributable to earnings and profits from sources within the United States) paid by us may be treated as U.S. source solely for purposes of
the foreign tax credit. A United States-owned foreign corporation is any foreign corporation if 50% or more of the total value or total voting power of its stock is
owned, directly, indirectly or by attribution, by United States persons. We believe that we may be treated as a United States-owned foreign corporation. As a
result, if 10% or more of our earnings and profits are attributable to sources within the United States, a portion of the dividends paid on our ordinary shares
allocable to United States source earnings and profits may be treated as United States source, and, as such, a U.S. Holder may not offset any Israeli withholding
taxes withheld as a credit against United States federal income tax imposed on that portion of dividends. A U.S. Holder entitled to benefits under the United
States-Israel Tax Treaty may, however, elect to treat any dividends as foreign source income for foreign tax credit purposes if the dividend income is separated
from other income items for purposes of calculating the U.S. Holder’s foreign tax credit. The rules governing the treatment of foreign taxes imposed on a U.S.
Holder and foreign tax credits are very complex, and U.S. Holders should consult their tax advisors about the impact of, and any exception available to, the
special sourcing rule described in this paragraph, and the desirability of making, and the method of making, such an election.
91
Sale, Exchange or Other Taxable Disposition of Ordinary Shares
Subject to the discussion below under “Passive Foreign Investment Company Considerations,” you generally will recognize gain or loss on the sale, exchange
or other taxable disposition of our ordinary shares equal to the difference between the amount realized on such sale, exchange or other taxable disposition and
your adjusted tax basis in our ordinary shares, and such gain or loss will be capital gain or loss. The adjusted tax basis in an ordinary share generally will be
equal to the cost of such ordinary share. If you are a non-corporate U.S. Holder, capital gain from the sale, exchange or other taxable disposition of ordinary
shares is generally eligible for a preferential rate of taxation applicable to capital gains, if your holding period for such ordinary shares exceeds one year (i.e.,
such gain is long-term capital gain). The deductibility of capital losses for United States federal income tax purposes is subject to limitations under the Code.
Any such gain or loss that a U.S. Holder recognizes generally will be treated as U.S. source income or loss for U.S. foreign tax credit limitation purposes. As a
result, in the event any Israeli tax is imposed upon gains in respect of our ordinary shares, the use of U.S. foreign tax credits relating to such tax may be limited.
In addition, subject to the Notices (as described above), any foreign taxes on disposition gains are likely not creditable under the Foreign Tax Credit Regulations
unless you are eligible for and elect the benefits of the United States-Israel Tax Treaty. The rules governing the treatment of foreign taxes imposed on a U.S.
Holder and foreign tax credits are very complex, and U.S. Holders should consult their tax advisors regarding the tax consequences if Israeli taxes are imposed
on a taxable disposition of our ordinary shares and their ability to credit any Israeli tax against their U.S. federal income tax liability.
Passive Foreign Investment Company Considerations
If we were to be classified as a “passive foreign investment company” (PFIC), in any taxable year, a U.S. Holder would be subject to special rules generally
intended to reduce or eliminate any benefits from the deferral of U.S. federal income tax that a U.S. Holder could derive from investing in a non-U.S. company
that does not distribute all of its earnings on a current basis.
A non-U.S. corporation will be classified as a PFIC for federal income tax purposes in any taxable year in which, after applying certain look-through rules with
respect to the income and assets of subsidiaries, either:
•
at least 75% of its gross income is “passive income”; or
•
at least 50% of the average quarterly value of its total gross assets (which may be measured in part by the market value of our ordinary shares, which
is subject to change) is attributable to assets that produce “passive income” or are held for the production of passive income.
Passive income for this purpose generally includes dividends, interest, royalties, rents, gains from commodities and securities transactions and the excess of
gains over losses from the disposition of assets which produce passive income. There are several exceptions, however. For example, certain royalties that are
considered active under the relevant Treasury regulations are not treated as passive income. If a non-U.S. corporation owns directly or indirectly at least 25% by
value of the stock of another corporation, the non-U.S. corporation is treated for purposes of the PFIC tests as owning its proportionate share of the assets of the
other corporation and as receiving directly its proportionate share of the other corporation’s income. If we are classified as a PFIC in any year with respect to
which a U.S. Holder owns our ordinary shares, we will continue to be treated as a PFIC with respect to such U.S. Holder in all succeeding years during which
the U.S. Holder owns our ordinary shares, regardless of whether we continue to meet the tests described above.
Based on our market capitalization and the nature of our income, assets and business, we believe that we should not be classified as a PFIC for the taxable year
that ended December 31, 2024. However, PFIC status is determined annually and requires a factual determination that depends on, among other things, the
composition of our income, assets and activities in each taxable year, and can only be made annually after the close of each taxable year. Furthermore, because
the value of our gross assets is likely to be determined in part by reference to our market capitalization, a decline in the value of our ordinary shares may result
in our becoming a PFIC. Accordingly, there can be no assurance that we will not be considered a PFIC for any taxable year.
Under certain attribution rules, if we are considered a PFIC, U.S. Holders may be deemed to own their proportionate share of equity in any PFIC owned by us
(if any), such entities referred to as “lower-tier PFICs,” and will be subject to U.S. federal income tax in the manner discussed below on (1) a distribution to us
on the shares of a “lower-tier PFIC” and (2) a disposition by us of shares of a “lower-tier PFIC,” both as if the holder directly held the shares of such “lower-tier
PFIC.”
92
If we are considered a PFIC for any taxable year during which a U.S. Holder holds (or, as discussed in the previous paragraph, is deemed to hold) its ordinary
shares, such holder will be subject to adverse U.S. federal income tax rules. In general, if a U.S. Holder disposes of shares of a PFIC (including an indirect
disposition or a constructive disposition of shares of a lower-tier PFIC), gain recognized or deemed recognized by such holder would be allocated ratably over
such holder’s holding period for the shares. The amounts allocated to the taxable year of disposition and to years before the entity became a PFIC, if any, would
be treated as ordinary income.
The amount allocated to each other taxable year would be subject to tax at the highest rate in effect for such taxable year for individuals or corporations, as
appropriate, and an interest charge would be imposed on the tax attributable to such allocated amounts. Further, any distribution in respect of shares of a PFIC
(or a distribution by a lower-tier PFIC to its shareholders that is deemed to be received by a U.S. Holder) in excess of 125% of the average of the annual
distributions on such shares received or deemed to be received during the preceding three years or the U.S. Holder’s holding period, whichever is shorter, would
be subject to taxation in the manner described above. In addition, dividend distributions made to you will not qualify for the preferential rates of taxation
applicable to long-term capital gains discussed above under “Distributions.”
Where a company that is a PFIC meets certain reporting requirements, a U.S. Holder can avoid certain adverse PFIC consequences described above by making a
“qualified electing fund” (QEF), election to be taxed currently on its proportionate share of the PFIC’s ordinary income and net capital gains. However, we do
not intend to prepare or provide the information that would enable U.S. Holders to make a qualified electing fund election.
If we are a PFIC and our ordinary shares are “regularly traded” on a “qualified exchange,” a U.S. Holder may make a mark-to-market election with respect to
our ordinary shares (but generally, not the shares of any lower-tier PFICs), which may help mitigate the adverse tax consequences resulting from our PFIC status
(but generally, not that of any lower-tier PFICs). Shares will be treated as “regularly traded” in any calendar year in which more than a de minimis quantity of
the ordinary shares are traded on a qualified exchange on at least 15 days during each calendar quarter (subject to the rule that trades that have as one of their
principal purposes the meeting of the trading requirement are disregarded). Nasdaq is a qualified exchange for this purpose and, consequently, if our ordinary
shares are regularly traded, the mark-to-market election will be available to a U.S. Holder; however, there can be no assurance that trading volumes will be
sufficient to permit a mark-to-market election. In addition, because a mark-to-market election with respect to us generally does not apply to any equity interests
in “lower-tier PFICs” that we own, a U.S. Holder generally will continue to be subject to the PFIC rules with respect to its indirect interest in any investments
held by us that are treated as equity interests in a PFIC for U.S. federal income tax purposes.
If a U.S. Holder makes the mark-to-market election, for each year in which we are a PFIC, the holder will generally include as ordinary income the excess, if
any, of the fair market value of ordinary shares at the end of the taxable year over their adjusted tax basis, and will be permitted an ordinary loss in respect of the
excess, if any, of the adjusted tax basis of our ordinary shares over their fair market value at the end of the taxable year (but only to the extent of the net amount
of previously included income as a result of the mark-to-market election). A U.S. Holder that makes a valid mark-to-market election will not include mark-to-
market gain or loss in income for any taxable year that we are not classified as a PFIC (although cessation of our status as a PFIC will not terminate the mark-to-
market election). Thus, if we are classified as a PFIC in a taxable year after a year in which we are not classified as a PFIC, the U.S. Holder’s original election
(unless revoked or terminated) continues to apply and the U.S. Holder must include any mark-to-market gain or loss in such year. If a U.S. Holder makes the
election, the holder’s tax basis in our ordinary shares will be adjusted to reflect any such income or loss amounts. Any gain recognized on a sale or other
disposition of our ordinary shares will be treated as ordinary income. Any losses recognized on a sale or other disposition of our ordinary shares will be treated
as ordinary loss to the extent of any net mark-to-market gains for prior years. U.S. Holders should consult their tax advisors regarding the availability and
consequences of making a mark-to-market election in their particular circumstances. In particular, U.S. Holders should consider carefully the impact of a mark-
to-market election with respect to our ordinary shares if we have “lower-tier PFICs” for which such election is not available. Once made, the mark-to-market
election cannot be revoked without the consent of the IRS unless our ordinary shares cease to be “regularly traded.”
93
If a U.S. Holder owns ordinary shares during any year in which we are a PFIC, the U.S. Holder generally will be required to file an IRS Form 8621 (Information
Return by a Shareholder of a Passive Foreign Investment Company or Qualified Electing Fund) with respect to the Company (regardless of whether a QEF or
mark-to-market election is made), generally with the U.S. Holder’s U.S. federal income tax return for that year. If our Company were a PFIC for a given taxable
year, then you should consult your tax advisor concerning your annual filing requirements.
U.S. Holders should consult their tax advisors regarding whether we are a PFIC and the potential application of the PFIC rules.
Medicare Tax
Certain U.S. Holders that are individuals, estates or trusts are subject to a 3.8% tax on all or a portion of their “net investment income,” which may include all or
a portion of their dividend income and net gains from the disposition of ordinary shares. Each U.S. Holder that is an individual, estate or trust is urged to consult
its tax advisors regarding the applicability of the Medicare tax to its income and gains in respect of its investment in our ordinary shares.
Backup Withholding Tax and Information Reporting Requirements
United States backup withholding tax and information reporting requirements may apply to certain payments to certain holders of stock. Information reporting
generally will apply to payments of dividends on, and to proceeds from the sale or redemption of, our ordinary shares made within the United States, or by a
United States payor or United States middleman, to a holder of our ordinary shares, other than an exempt recipient (including a payee that is not a United States
person that provides an appropriate certification and certain other persons). A payor will be required to withhold backup withholding tax from any payments of
dividends on, or the proceeds from the sale or redemption of, ordinary shares within the United States, or by a United States payor or United States middleman,
to a holder, other than an exempt recipient, if such holder fails to furnish its correct taxpayer identification number or otherwise fails to comply with, or establish
an exemption from, such backup withholding tax requirements. Backup withholding is not an additional tax. Any amounts withheld under the backup
withholding rules may be allowed as a credit against the beneficial owner’s United States federal income tax liability, if any, and any excess amounts withheld
under the backup withholding rules may be refunded, provided that the required information is timely furnished to the IRS.
Foreign Asset Reporting
Certain U.S. Holders who are individuals or certain other non-corporate entities may be required to report information relating to an interest in our ordinary
shares, subject to certain exceptions (including an exception for shares held in accounts maintained by U.S. financial institutions) by filing IRS Form 8938
(Statement of Specified Foreign Financial Assets) with their federal income tax return. U.S. Holders are urged to consult their tax advisors regarding their
information reporting obligations, if any, with respect to their ownership and disposition of our ordinary shares.
The above description is not intended to constitute a complete analysis of all tax consequences relating to acquisition, ownership and disposition of our
ordinary shares. You should consult your tax advisor concerning the tax consequences of your particular situation.
F.
Dividends and Paying Agents
Not applicable.
G.
Statement by Experts
Not applicable.
H.
Documents on Display
We are subject to the informational requirements of the Exchange Act that are applicable to foreign private issuers, and under those requirements file reports
with the SEC. Those other reports or other information may be inspected without charge at the locations described above. As a foreign private issuer, we are
exempt from the rules under the Exchange Act related to the furnishing and content of proxy statements, and our officers, directors, and principal shareholders
will be exempt from reporting under short-swing profit recovery provisions contained in Section 16 of the Exchange Act. In addition, we are not required under
the Exchange Act to file annual, quarterly and current reports and financial statements with the SEC as frequently or as promptly as United States companies
whose securities are registered under the Exchange Act. However, we will file with the SEC, within 120 days after the end of each subsequent fiscal year, or
such applicable time as required by the SEC, an annual report on Form 20-F containing financial statements audited by an independent registered public
accounting firm, and we will submit to the SEC reports on Form 6-K containing unaudited quarterly financial information.
Our filings with the SEC are also available to the public through the SEC’s website at http://www.sec.gov. This site contains reports, proxy and information
statements, and other information regarding issuers that file electronically with the SEC. The information on that website is not part of this annual report and is
not incorporated by reference herein.
94
I.
Subsidiary Information
Not applicable.
J.
Annual Report to Security Holders
Not applicable.
95
ITEM 11. QUANTITATIVE AND QUALITATIVE DISCLOSURES ABOUT MARKET RISK
We are exposed to a variety of risks, including foreign currency exchange fluctuations, changes in interest rates and inflation. We regularly assess currency,
interest rate and inflation risks to minimize any adverse effects on our business as a result of those factors.
Foreign Currency Risk
Our results of operations and cash flows are affected by fluctuations due to changes in foreign currency exchange rates. In 2024, the majority of our revenues
were denominated in U.S. dollars and the remainder in other currencies, primarily Euros and British pounds. In 2024, the majority of our cost of revenues and
operating expenses were denominated in U.S. dollars and NIS and the remainder in other currencies, primarily Euros and British pounds. Our foreign currency-
denominated expenses consist primarily of personnel, facilities and travel costs. The exchange rates between the U.S. dollar and foreign currencies have
fluctuated substantially in recent years and may continue to fluctuate substantially in the future. Since the portion of our expenses denominated in NIS and
British pounds is greater than our revenues in NIS and British pounds, respectively, any appreciation of the NIS or the British pound relative to the U.S. dollar
could adversely impact our operating results. In addition, since the portion of our revenues denominated in Euros is greater than our expenses in Euros, any
depreciation of the Euro relative to the U.S. dollar could adversely impact our operating results.
The following table presents information about the changes in the exchange rates of the NIS against the U.S. dollar:
Period
Change in
Average
Exchange
Rate of the
NIS
Against the
U.S. dollar
(%)
2024
0.4
2023
9.7
2022
4.0
The figures above represent the change in the average exchange rate in the given period compared to the average exchange rate in the immediately preceding
period. A 10% strengthening or weakening in the value of the NIS against the U.S. dollar would have increased or decreased, respectively, our operating loss by
approximately $18.8 million in 2024. We estimate that a 10% strengthening or weakening in the value of the Euro against the U.S. dollar would have decreased
or increased, respectively, our operating loss by approximately $1.1 million in 2024. We estimate that a 10% strengthening or weakening in the value of the
British pounds against the U.S. dollar would have increased or decreased, respectively, our operating loss by approximately $2.0 million in 2024. These
estimates of the impact of fluctuations in currency exchange rates on our historic results of operations may be different from the impact of fluctuations in
exchange rates on our future results of operations since the mix of currencies comprising our revenues and expenses may change.
For purposes of our consolidated financial statements, monetary assets and liabilities in local currency are translated at the rate of exchange to the U.S. dollar on
the balance sheet date and local currency revenues and expenses are translated at the exchange rate at the date of the transaction or the average exchange rate
during the reporting period.
In addition, we have a significant NIS linked liability related to our operational leases in Israel.
96
To protect against the increase in value of forecasted foreign currency cash flow resulting from expenses paid in NIS during the year, we have instituted a
foreign currency cash flow hedging program. We hedge portions of the anticipated payroll of our Israeli employees in NIS for a period of one to 12 months with
forward contracts and other derivative instruments. In addition, from time to time we enter into foreign exchange forward transactions or hold corresponding
foreign currency-based time deposits, as relevant, to economically hedge certain net asset or liability balances in NIS, Euros and British pounds. We do not use
derivative financial instruments for speculative or trading purposes.
Interest Rate Risk
The primary objectives of our investment activities are to preserve principal, support liquidity requirements, and maximize income without significantly
increasing risk. Our investments are subject to market risk due to changes in interest rates, which may affect our interest income and fair market value of our
investments.
To minimize this risk, we maintain our portfolio of cash, cash equivalents and short- and long-term investments in a variety of securities, including money
market funds, U.S. government and agency securities, and corporate debt securities. We do not believe that a 10% increase or decrease in interest rates would
have a material impact on our operating results or cash flows.
Other Market Risks
We do not believe that we have any material exposure to inflationary risks.
ITEM 12. DESCRIPTION OF SECURITIES OTHER THAN EQUITY SECURITIES
Not applicable.
97
PART II
ITEM 13. DEFAULTS, DIVIDEND ARREARAGES AND DELINQUENCIES
None.
ITEM 14. MATERIAL MODIFICATIONS TO THE RIGHTS OF SECURITY HOLDERS AND USE OF PROCEEDS
None.
ITEM 15. CONTROLS AND PROCEDURES
Disclosure controls and procedures
Our CEO and CFO, after evaluating the effectiveness of our disclosure controls and procedures (as defined in Rule 13a-15(e) and 15d-15(e) of the Exchange
Act) as of December 31, 2024, have concluded that, based on such evaluation, as of such date, our disclosure controls and procedures were effective such that
information required to be disclosed by us in reports that we file or submit under the Exchange Act is accumulated and communicated to our management,
including our CEO and CFO, to allow timely decisions regarding required disclosure and is recorded, processed, summarized and reported within the time
periods specified by the SEC’s rules and forms.
Management annual report on internal control over financial reporting
Our management, under the supervision of our CEO and CFO, is responsible for establishing and maintaining adequate internal control over financial reporting
as defined in Rules 13a-15(f) and 15d-15(f) under the Exchange Act. Our internal control over financial reporting is a process to provide reasonable assurance
regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting
principles. Our internal control over financial reporting includes those policies and procedures that:
•
pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of our assets;
•
provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally
accepted accounting principles, and that our receipts and expenditures are being made only in accordance with authorizations of our management and
directors; and
•
provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of our assets that could have a
material effect on the financial statements.
Our management assessed the effectiveness of internal control over financial reporting as of December 31, 2024 based on the criteria established in “Internal
Control-Integrated Framework (2013)” published by the Committee of Sponsoring Organizations of the Treadway Commission. Based on this assessment,
management has concluded that our internal control over financial reporting was effective as of December 31, 2024.
In accordance with guidance issued by the SEC staff, companies are permitted to exclude acquisitions from their final assessment of internal control over
financial reporting for the first fiscal year in which the acquisition occurred. Accordingly, our management excluded Venafi from its assessment of internal
control over financial reporting as of December 31, 2024. We have included the financial results of Venafi in the consolidated financial statements from the date
of the Venafi Acquisition. Total revenue from the Venafi Acquisition represented approximately 4.7% of our consolidated total revenue for the year ended
December 31, 2024. Total assets and net assets from the Venafi Acquisition represented approximately 3.1% and 0.1% of our consolidated total assets and net
assets, respectively.
Our independent registered public accounting firm, Kost Forer Gabbay & Kasierer, a member of Ernst & Young Global, has audited the consolidated financial
statements included in this annual report on Form 20-F, and as part of its audit, has issued its audit report on the effectiveness of our internal control over
financial reporting as of December 31, 2024. The report of Kost Forer Gabbay & Kasierer is included with our consolidated financial statements included
elsewhere in this annual report and is incorporated herein by reference.
98
Changes in internal control over financial reporting
There were no changes in our internal control over financial reporting (as such term is defined in Rules 13a-15(f) and 15d-15(f) under the Exchange Act) that
occurred during the period covered by this annual report that have materially affected, or that are reasonably likely to materially affect, our internal control over
financial reporting.
ITEM 16A. AUDIT COMMITTEE FINANCIAL EXPERT
Our Board of directors has determined that each of Ron Gutler, Kim Perdikou and François Auque is an audit committee financial expert as defined by the SEC
rules, has the requisite financial experience as defined by Nasdaq corporate governance rules and is “independent” as such term is defined in Rule 10A-3(b)(1)
under the Exchange Act.
ITEM 16B. CODE OF ETHICS
We have adopted a corporate Code of Conduct applicable to our executive officers, directors and all other employees. This Code of Conduct is made available to
every employee of CyberArk Software Ltd. and all of its subsidiaries and is also available to investors and members of the public on our website at
http://investors.cyberark.com or by contacting our investor relations department. The Code of Conduct includes, in compliance with Section 406 of the
Sarbanes-Oxley Act of 2002, our Code of Ethics, which is applicable to our CEO, our CFO and all other senior financial officers. Pursuant to Item 16B of Form
20-F, if a waiver or amendment of the Code of Conduct (including the Code of Ethics) applies to our CEO, CFO or other persons performing similar functions
and relates to standards promoting any of the values described in Item 16B(b) of Form 20-F, we will disclose such waiver or amendment on our website within
five business days following the date of amendment or waiver in accordance with the requirements of Instruction 4 to such Item 16B. We granted no waivers
under our code in 2024.
ITEM 16C. PRINCIPAL ACCOUNTANT FEES AND SERVICES
Principal Accountant Fees and Services
We have recorded the following fees for professional services rendered by Kost Forer Gabbay & Kasierer, a member of EY Global, an independent registered
public accounting firm, for the years ended December 31, 2023 and 2024:
2023
2024
($ in thousands)
Audit Fees
$
1,010 $
1,575
Tax Fees
262
750
All Other Fees
45
14
Total
$
1,317 $
2,339
“Audit fees” include fees for the audit of our annual financial statements. This category also includes services that generally the independent accountant
provides, such as consents, comfort letters and assistance with and review of documents filed with the SEC.
“Audit-related fees” include fees for assurance and related services that are reasonably related to the performance of the audit and are not reported under audit
fees. These fees primarily include accounting consultations regarding the accounting treatment of matters that occur in the regular course of business,
implications of new accounting pronouncements, acquisitions and other accounting issues that occur from time to time.
“Tax fees” include fees for professional services rendered by our independent registered public accounting firm for tax compliance and tax advice on actual or
contemplated transactions.
“All other fees” include fees for services rendered by our independent registered public accounting firm with respect to government incentives and other
matters.
Our audit committee has adopted a pre-approval policy for the engagement of our independent accountant to perform certain audit and non-audit services.
Pursuant to this policy, which is designed to assure that such engagements do not impair the independence of our auditors, the audit committee pre-approves
each type of audit, audit-related, tax and other permitted service. The audit committee has delegated the pre-approval authority with respect to audit, audit-
related, tax and permitted non-audit services up to a maximum of $25,000 to its chairperson and may in the future delegate such authority to one or more
additional members of the audit committee, provided that all decisions by that member to pre-approve any such services must be subsequently reported, for
informational purposes only, to the full audit committee. All audit and non-audit services provided by our auditors in 2023 and 2024 were approved in
accordance with our policy.
99
ITEM 16D.
EXEMPTIONS FROM THE LISTING STANDARDS FOR AUDIT COMMITTEES
Not applicable.
ITEM 16E.
PURCHASES OF EQUITY SECURITIES BY THE ISSUER AND AFFILIATED PURCHASERS
Not applicable.
ITEM 16F.
CHANGE IN REGISTRANT’S CERTIFYING ACCOUNTANT
Not applicable.
ITEM 16G.
CORPORATE GOVERNANCE
As a foreign private issuer, we are permitted to comply with Israeli corporate governance practices instead of certain of Nasdaq Listing Rules, provided that we
disclose those Nasdaq Listing Rules with which we do not comply and the equivalent Israeli requirements that we follow instead. We currently rely on this
“foreign private issuer exemption” as follows:
Quorum requirement. As permitted under the Companies Law, pursuant to our articles of association, the quorum required for an ordinary meeting of
shareholders consists of at least two shareholders present in person or by proxy who hold or represent between them at least 25% of the voting power of our
shares (and, with respect to an adjourned meeting, generally one or more shareholders who hold or represent any number of shares), instead of 33 1/3% of the
issued share capital provided under Nasdaq Listing Rule 5260(c).
Distribution of Annual and Interim Reports. Unlike Nasdaq Listing Rule 5250(d), which requires listed issuers to make annual reports on Form 20-F available to
shareholders in one of a number of specific manners, Israeli law does not require us to distribute such reports directly to shareholders, and the generally
accepted business practice in Israel is not to distribute such reports to shareholders but to make such reports available through a public website. In addition, we
will make our annual report on Form 20-F containing audited financial statements available to our shareholders at our offices (in addition to a public website).
Otherwise, we comply with Nasdaq corporate governance rules requiring that listed companies have a majority of independent directors and maintain audit,
compensation and nominating committees composed entirely of independent directors.
Adoption or Amendment of Equity-Based Compensation Plans. We have elected to follow Israeli corporate governance practice instead of the Nasdaq Listing
Rule 5635(c), which requires listed issuers to obtain shareholder approval for the establishment or material amendment of certain equity-based compensation
plans and arrangements. Under Israeli law and practice, in general, the approval of the board of directors is required for the establishment or amendment of
equity-based compensation plans and arrangements.
ITEM 16H. MINE SAFETY DISCLOSURE
Not applicable.
ITEM 16I. DISCLOSURE REGARDING FOREIGN JURISDICTIONS THAT PREVENT INSPECTIONS
Not applicable.
100
ITEM 16J. INSIDER TRADING POLICIES
We have adopted an Insider Trading Prevention Policy that governs the purchase, sale, and/or other dispositions of our securities by directors, officers and
employees that is reasonably designed to promote compliance with insider trading laws, rules and regulations, and any listing standards applicable to the
Company. A copy of our Insider Trading Prevention Policy is filed as Exhibit 11.1 to this Annual Report.
ITEM 16K. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical
systems and information.
Our cybersecurity risk management program is centered on management of risks related to our network, product and cloud security, including security measures
and controls designed to identify, protect, detect, respond to, and recover from cybersecurity risks. We use the NIST Cybersecurity Framework (NIST CSF) as a
guide. This does not imply that we meet any particular technical standards, specifications, or requirements of NIST CSF, only that we use the NIST CSF as a
framework to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is integrated into our overall risk management process and shares common methodologies, reporting channels and
governance processes that apply across the risk management process to other risk areas, such as compliance and business continuity risks.
Key aspects of our cybersecurity risk management program include:
•
risk assessments designed to help identify material cybersecurity risks to our critical systems and information;
•
security teams principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to
cybersecurity incidents;
•
the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes;
•
cybersecurity and data privacy training and awareness for employees, contractors, incident response personnel, and senior management;
•
a cybersecurity incident response plan and policy that includes procedures for responding to cybersecurity incidents and defines how security
incidents are identified, classified, reported, remediated and mitigated; and
•
a risk management process for key third-party providers based on our assessment of their respective risk profiles and function.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us,
including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized,
are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Item 3.D. Risk Factors
— If our IT network systems, or those of our third-party providers, are compromised by cyberattacks or other security incidents, or by a critical system
disruption or failure, then our reputation, financial condition and operating results could be materially adversely affected,” “—We increasingly rely on third-
party providers of cloud infrastructure services to deliver our SaaS solutions to customers, and any disruption of or interference with our use of these services,
including any specifications limitations, could adversely affect our business” and “—Real or perceived security vulnerabilities and gaps in our solutions or
services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions, may result in significant reputational,
financial, and legal adverse impact.”
Cybersecurity Governance
Our Board of directors considers cybersecurity risk as a critical part of its risk oversight function and has delegated to our audit committee oversight of
cybersecurity and other information technology risks. Our audit committee oversees management’s implementation of our cybersecurity risk management
program, including product and information security.
Our audit committee receives periodic updates of our cybersecurity risks and controls from our management members, including the CIO, who is currently
acting as CISO, and along with our Senior Vice President of R&D, as relevant. In addition, the CIO along with other relevant managers, update the audit
committee, as necessary, regarding cybersecurity incidents they consider significant. Our audit committee also monitors our annual mitigation plan, which
includes the results of our annual cybersecurity risk assessment on our information technology. Our audit committee reports to the full Board of directors
regarding its activities, including our cyber risk management program.
In addition, we have two steering committees, each assigned with overseeing and managing different aspects of cybersecurity risks: the Information Security
Steering Committee (ISSC) and a Service and Product Security Steering Committee (SPSSC). The ISSC is comprised of our CEO, CIO, Chief Product Officer
(CPO), and Chief Legal Officer, as well as leaders from our Information Security, R&D and Security Services teams and typically meets monthly to discuss key
security matters, mitigation plans and progress. The SPSSC includes our CPO, Senior Vice President of R&D, Senior Vice President of Product Management,
CISO, Managing Counsel and other service and product security leaders in our Information Security, Product Management and R&D departments.
101
On the management team, our CIO has overall responsibility for assessing and managing our material risks from cybersecurity threats, and is assisted in this
regard by the information and product security teams. As applicable, the teams will also involve our CPO for assessing and managing the relevant risks. Our
CIO has extensive experience in cyber risk management. Prior to joining CyberArk, our CIO served as Head of the Cyber Defense Operations Center of the IDF
and Head of the Center for Computing and Information Systems of the IDF. He holds a Bachelor of Science degree in physics and electrical engineering from
Tel Aviv University and a Master of Science in Government Information Leadership from the National Defense University, College of Information and
Cyberspace in Washington, D.C. Our CPO has an extensive experience in Fraud Detection. Prior to joining CyberArk, our CPO served as Head of Global Data
Science and Engineering at PayPal. He holds a Bachelor of Science Degree in Computer Science and a Master in Business Management.
Our CIO takes steps to stay informed about and monitor the identification, prevention, detection, protection, mitigation, and remediation of key cybersecurity
risks and incidents through various means, which may include briefings with the internal cybersecurity team members and external consultants, threat
intelligence and other information obtained from governmental, public or private sources, and alerts and reports that are generated by security tools deployed in
the information systems’ environments.
PART III
ITEM 17. FINANCIAL STATEMENTS
Not applicable.
ITEM 18. FINANCIAL STATEMENTS
See pages F-2 through F-49 of this annual report.
ITEM 19. EXHIBITS
The following are filed as exhibits hereto:
102
INDEX OF EXHIBITS
Exhibit No.
Description
1.1
Amended and Restated Articles of Association of the Registrant (filed herewith)
2.1
Specimen share certificate (incorporated by reference to Exhibit 4.1 to the Registrant’s Registration Statement on Form F-1, as amended
(Registration No. 333-196991))
2.2
Fourth Amended Investor Rights Agreement, dated July 10, 2014, by and among the Registrant and the other parties thereto (incorporated by
reference to Exhibit 10.1 to the Registrant’s Registration Statement on Form F-1, as amended (Registration No. 333-196991))
2.3
Registration Rights Agreement, dated October 1, 2024, by and between CyberArk Software Ltd. and Triton Seller, LP (f/k/a Venafi Parent, LP)
(incorporated by reference to Exhibit 10.1 to the Registrant’s Registration Statement on Form F-3 (Registration No. 333-282772), filed with
the SEC on October 22, 2024)
2.4
Description of the Registrant’s Securities Registered Pursuant to Section 12 of the Securities Exchange Act of 1934 (filed herewith)
4.1
Form of Amended Indemnification Agreement (incorporated by reference to Appendix B of Exhibit 99.1 to the Registrant’s Report of Foreign
Private Issuer on Form 6-K filed with the SEC on May 22, 2024)
4.2
Office Lease Agreement, dated October 28, 2013, between Cyber-Ark Software, Inc. and Wells 60 Realty LLC (incorporated by reference to
Exhibit 10.4 to the Registrant’s Registration Statement on Form F-1, as amended (Registration No. 333-196991))
4.3
First Amendment of Lease, dated October 23, 2014, between Cyber-Ark Software, Inc. and Wells 60 Realty LLC (incorporated by reference to
Exhibit 10.6 to the Registrant’s Registration Statement on Form F-1, as amended (Registration No. 333-202329))
4.4
Letter Agreement, dated June 28, 2018, between CyberArk Software, Inc. and Wells 60 Realty LLC (incorporated by reference to Exhibit 4.4
to the Registrant’s Annual Report on Form 20-F for the year ended December 31, 2018)
4.5
Summary of Office Lease Agreement, dated February 26, 2015, between the Registrant and Azorei Mallal Industries Ltd., as amended from
time to time (incorporated by reference to Exhibit 4.5 to the Registrant’s Annual Report on Form 20-F for the year ended December 31, 2021)
∞
4.6
Second Amendment of Lease, dated February 27, 2018, between CyberArk Software, Inc. and Wells 60 Realty LLC (incorporated by
reference to Exhibit 4.4 to the Registrant’s Annual Report on Form 20-F for the year ended December 31, 2017)
4.7
CyberArk Software Ltd. 2024 Share Incentive Plan (incorporated by reference to Exhibit 4.1 to the Registrant’s Registration Statement on
Form S-8 filed with the SEC on June 20, 2024)
4.8
CyberArk Software Ltd. 2014 Share Incentive Plan, as amended (incorporated by reference to Exhibit 4.10 to the Registrant’s Annual Report
on Form 20-F for the year ended December 31, 2015)
4.9
CyberArk Executive Compensation Policy (incorporated by reference to Appendix B of Exhibit 99.1 to the Registrant’s Report of Foreign
Private Issuer on Form 6-K furnished with the SEC on May 24, 2022)
4.10
Third Amendment of Lease, dated September 8, 2023, between CyberArk Software, Inc. and Wells 60 Realty LLC (incorporated by reference
to Exhibit 4.18 to the Registrant’s Annual Report on Form 20-F for the year ended December 31, 2023)
4.11
Agreement and Plan of Merger, dated May 19, 2024, by and among CyberArk Software Ltd., Venafi Holdings, Inc., Venafi Parent, LP and
Triton Merger Sub, Inc. (incorporated by reference to Exhibit 2.1 to the Registrant’s Registration Statement on Form F-3 (Registration No.
333-282772), filed with the SEC on October 22, 2024)
8.1
List of subsidiaries of the Registrant (filed herewith)
11.1
CyberArk Software Ltd. Insider Trading Prevention Policy (filed herewith)
12.1
Certification of Principal Executive Officer required by Rule 13a-14(a) and Rule 15d-14(a) (Section 302 Certifications) (filed herewith)
12.2
Certification of Principal Financial Officer required by Rule 13a-14(a) and Rule 15d-14(a) (Section 302 Certifications) (filed herewith)
13.1
Certification of Principal Executive Officer required by Rule 13a-14(b) and Rule 15d-14(b) (Section 906 Certifications), furnished herewith
13.2
Certification of Principal Financial Officer required by Rule 13a-14(b) and Rule 15d-14(b) (Section 906 Certifications), furnished herewith
15.1
Consent of Kost Forer Gabbay & Kasierer (a member of EY Global) (filed herewith)
97.1
Policy for Recovery of Erroneously Awarded Compensation (incorporated by reference to Exhibit 97.1 to the Registrant’s Annual Report on
Form 20-F for the year ended December 31, 2023)
101.INS
iXBRL Document
101.SCH
iXBRL Taxonomy Extension Schema Document
101.CAL
iXBRL Taxonomy Extension Calculation Linkbase Document
101.DEF
iXBRL Taxonomy Definition Linkbase Document
101.LAB
iXBRL Taxonomy Extension Label Linkbase Document
101.PRE
iXBRL Taxonomy Extension Presentation Linkbase Document
104
Cover Page Interactive Data File (the cover page iXBRL tags are embedded within the Inline iXBRL document)
∞ English summary of original Hebrew document
103
SIGNATURES
The registrant hereby certifies that it meets all of the requirements for filing on Form 20-F and that it has duly caused and authorized the undersigned to sign this
annual report on its behalf.
CyberArk Software Ltd.
Date: March 12, 2025
By: /s/ Matthew Cohen
Matthew Cohen
Chief Executive Officer
104
CYBERARK SOFTWARE LTD.
CONSOLIDATED FINANCIAL STATEMENTS
AS OF DECEMBER 31, 2024
INDEX
Page
Reports of Independent Registered Public Accounting Firm (PCAOB ID 1281)
F-2 – F-6
Consolidated Balance Sheets
F-7 – F-8
Consolidated Statements of Comprehensive Loss
F-9
Consolidated Statements of Shareholders' Equity
F-10
Consolidated Statements of Cash Flows
F-11 - F-12
Notes to Consolidated Financial Statements
F-13 – F-56
- - - - - - - - - -
Kost Forer Gabbay & Kasierer
144 Menachem Begin Road, Building
A,
Tel-Aviv 6492102, Israel
Tel: +972-3-6232525
Fax: +972-3-5622555
ey.com
Report of Independent Registered Public Accounting Firm
To the Shareholders and the Board of Directors of CyberArk Software Ltd.
Opinion on the Financial Statements
We have audited the accompanying consolidated balance sheets of CyberArk Software Ltd. (the Company) as of December 31, 2023 and 2024, the
related consolidated statements of comprehensive loss, shareholders' equity and cash flows for each of the three years in the period ended December 31, 2024,
and the related notes (collectively referred to as the "consolidated financial statements"). In our opinion, the consolidated financial statements present fairly, in
all material respects, the financial position of the Company at December 31, 2023 and 2024, and the results of its operations and its cash flows for each of the
three years in the period ended December 31, 2024, in conformity with U.S. generally accepted accounting principles.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the Company's
internal control over financial reporting as of December 31, 2024, based on criteria established in Internal Control-Integrated Framework issued by the
Committee of Sponsoring Organizations of the Treadway Commission (2013 framework), and our report dated March 12, 2025 expressed an unqualified
opinion thereon.
Basis for Opinion
These financial statements are the responsibility of the Company's management. Our responsibility is to express an opinion on the Company's financial
statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in
accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain
reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing
procedures to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performing procedures that respond to
those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements. Our audits also
included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the financial
statements. We believe that our audits provide a reasonable basis for our opinion.
Critical Audit Matters
The critical audit matters communicated below are matters arising from the current period audit of the financial statements that were communicated or
required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the financial statements and (2) involved
our especially challenging, subjective or complex judgments. The communication of critical audit matters does not alter in any way our opinion on the
consolidated financial statements, taken as a whole, and we are not, by communicating critical audit matters below, providing separate opinion on the critical
audit matters or on the accounts or disclosures to which they relate.
F - 2
Revenue recognition
Description of the
Matter
As explained in Note 2 to the consolidated financial statements, the Company generates revenues from providing the rights to access
its SaaS solutions and licensing the rights to use its software products, maintenance and professional services. The Company enters
into contracts with customers that include combinations of products and services, which are generally distinct and recorded as
separate performance obligations. The transaction price is then allocated to the distinct performance obligations based on a relative
standalone selling price basis and revenue is recognized when control of the distinct performance obligation is transferred to the
customer.
Auditing the Company's recognition of revenue involved a high degree of auditor judgment due to the effort to evaluate 1) the
identification and determination of whether products and services, such as software licenses and related services, are considered
distinct performance obligations and the timing of revenue recognition and 2) the determination of stand-alone selling prices for
each distinct performance obligation.
How We Addressed the
Matter in Our Audit
We obtained an understanding, evaluated the design and tested the operating effectiveness of internal controls related to the
identification and determination of distinct performance obligations and the timing of revenue recognition, and the determination of
stand-alone selling prices for each distinct performance obligation.
Our audit procedures also included, among others, selecting a sample of customer contracts and reading contract source documents
for each selection, including the executed contract and purchase order and evaluating the appropriateness of management's
application of significant accounting policies on the contracts. We tested management's identification of significant contract terms,
regarding the identification and determination of distinct performance obligations and the timing of revenue recognition. We also
evaluated the reasonableness of management's estimate of stand-alone selling prices for products and services and tested the
mathematical accuracy of management's calculations of revenue. Finally, we assessed the appropriateness of the related disclosures
in the consolidated financial statements.
Business combinations
Description of the
Matter
As described in Note 3 to the consolidated financial statements, On October 1, 2024, the Company completed the acquisition of all
the equity shares of Venafi Holdings, Inc. ("Venafi") for a total consideration of $1.66 billion (the "Venafi acquisition"). The Venafi
acquisition was accounted for as a business combination in accordance with ASC 805 "Business Combinations". Accordingly, the
purchase price was allocated to the assets acquired and liabilities assumed based on their respective fair values, including intangible
assets of $539.1 million, which consist primarily of $377.1 million of technology and $155 million of customer relationships.
Auditing the Company's accounting for the Venafi acquisition was complex due to the significant estimation uncertainty in
determining the fair values of certain identified intangible assets, principally consisting of developed technology and customer
relationships. The significant estimation uncertainty was primarily due to the sensitivity of the respective fair values to underlying
assumptions about the future performance of the acquired business.
The significant assumptions used to estimate the fair value of the technology and customer relationships intangible assets included
discount rates and certain assumptions that form the basis of the forecasted results, such as revenue growth rates, royalty rates,
obsolescence/attrition rates, sales and marketing expenses, discount rates, profitability margins and estimated costs. These significant
assumptions are forward-looking and could be affected by future economic and market conditions.
F - 3
How We Addressed the
Matter in Our Audit
We obtained an understanding, evaluated the design and tested the operating effectiveness of internal controls over the Venafi
acquisition. This included testing controls over the estimation process supporting the recognition and measurement of identified
intangible assets, and management's judgment and evaluation of underlying assumptions and estimates with regards to the fair values
of the identified intangible assets.
To test the estimated fair value of the technology and customer relationships intangible assets, we performed audit procedures that
included, among others, evaluating the Company's selection of the valuation methodology, evaluating the methods and significant
assumptions used by the Company, and evaluating the completeness and accuracy of the underlying data supporting the significant
assumptions and estimates. For example, we compared the revenue growth rates, expected costs and profitability to historical
financial information, comparable companies and market and economic trends. We involved our valuation specialists to assist with
our evaluation of the methodology used by the Company and significant assumptions included in the fair value estimates. Our
valuation specialists’ procedures included, among others, developing a range of independent estimates for the discount rates used in
the valuation models and comparing those to the discount rates selected by management.
KOST FORER GABBAY & KASIERER
A Member of EY Global
We have served as the Company`s auditor since 2000.
Tel-Aviv, Israel
March 12, 2025
F - 4
Report of Independent Registered Public Accounting Firm
To the Shareholders and the Board of Directors of CyberArk Software Ltd.
Opinion on Internal Control Over Financial Reporting
We have audited CyberArk Software Ltd.'s internal control over financial reporting as of December 31, 2024, based on criteria established in Internal
Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (2013 framework) (the COSO criteria). In
our opinion, CyberArk Software Ltd. (the Company) maintained, in all material respects, effective internal control over financial reporting as of December 31,
2024, based on the COSO criteria.
As indicated in the accompanying Management's Annual Report on Internal Control over Financial Reporting, management’s assessment of and
conclusion on the effectiveness of internal control over financial reporting did not include the internal controls of Venafi Holdings, Inc., which is included in the
2024 consolidated financial statements of the Company and constituted 3.1% and 0.1% of total and net assets, respectively, as of December 31, 2024 and 4.7%
of revenue, for the year then ended. Our audit of internal control over financial reporting of the Company also did not include an evaluation of the internal
control over financial reporting of Venafi Holdings, Inc.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the consolidated
balance sheets of the Company as of December 31, 2023 and 2024, the related consolidated statements of comprehensive loss, shareholders' equity and cash
flows for each of the three years in the period ended December 31, 2024, and the related notes and our report dated March 12, 2025 expressed an unqualified
opinion thereon.
Basis for Opinion
The Company's management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness
of internal control over financial reporting included in the accompanying Management's Annual Report on Internal Control over Financial Reporting. Our
responsibility is to express an opinion on the Company's internal control over financial reporting based on our audit. We are a public accounting firm registered
with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules
and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable
assurance about whether effective internal control over financial reporting was maintained in all material respects.
Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and
evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered
necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.
F - 5
Definition and Limitations of Internal Control Over Financial Reporting
A company's internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting
and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal control over
financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the
transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of
financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in
accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation
of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance
with the policies or procedures may deteriorate.
KOST FORER GABBAY & KASIERER
A Member of EY Global
Tel-Aviv, Israel
March 12, 2025
F - 6
CYBERARK SOFTWARE LTD.
CONSOLIDATED BALANCE SHEETS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
December 31,
2023
2024
ASSETS
CURRENT ASSETS:
Cash and cash equivalents
$
355,933 $
526,467
Short-term bank deposits
354,472
256,953
Marketable securities
283,016
36,356
Trade receivables (net of allowance for credit losses of $6 and $0 at December 31, 2023 and 2024, respectively)
186,472
328,465
Prepaid expenses and other current assets
31,550
45,292
Total current assets
1,211,443
1,193,533
LONG-TERM ASSETS:
Marketable securities
324,548
21,345
Property and equipment, net
16,494
19,581
Intangible assets, net
20,202
534,726
Goodwill
153,241
1,317,374
Other long-term assets
214,816
258,531
Deferred tax assets
81,464
3,305
Total long-term assets
810,765
2,154,862
TOTAL ASSETS
$
2,022,208 $
3,348,395
The accompanying notes are an integral part of the consolidated financial statements.
F - 7
CYBERARK SOFTWARE LTD.
CONSOLIDATED BALANCE SHEETS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
December 31,
2023
2024
LIABILITIES AND SHAREHOLDERS' EQUITY
CURRENT LIABILITIES:
Trade payables
$
10,971 $
23,671
Employees and payroll accruals
95,538
133,400
Accrued expenses and other current liabilities
36,562
53,486
Convertible senior notes, net
572,340
-
Deferred revenues
409,219
596,874
Total current liabilities
1,124,630
807,431
LONG-TERM LIABILITIES:
Deferred revenues
71,413
95,190
Other long-term liabilities
33,839
75,970
Total long-term liabilities
105,252
171,160
TOTAL LIABILITIES
1,229,882
978,591
COMMITMENTS AND CONTINGENCIES
SHAREHOLDERS' EQUITY:
Ordinary shares of NIS 0.01 par value – Authorized: 250,000,000 shares at December 31, 2023 and 2024; Issued and
outstanding: 42,255,336 shares and 49,426,711 shares at December 31, 2023 and 2024, respectively
111
130
Additional paid-in capital
827,260
2,494,158
Accumulated other comprehensive income (loss)
(1,849)
2,173
Accumulated deficit
(33,196)
(126,657)
Total shareholders' equity
792,326
2,369,804
TOTAL LIABILITIES AND SHAREHOLDERS' EQUITY
$
2,022,208 $
3,348,395
The accompanying notes are an integral part of the consolidated financial statements.
F - 8
CYBERARK SOFTWARE LTD.
CONSOLIDATED STATEMENTS OF COMPREHENSIVE LOSS
U.S. dollars in thousands (except per share data and unless otherwise indicated)
Year ended
December 31,
2022
2023
2024
Revenues:
Subscription
$
280,649 $
472,023 $
733,275
Perpetual license
49,964
21,037
14,449
Maintenance and professional services
261,097
258,828
253,018
Total revenues
591,710
751,888
1,000,742
Cost of revenues:
Subscription
46,249
74,623
115,852
Perpetual license
2,893
1,873
1,594
Maintenance and professional services
76,904
79,635
90,931
Total cost of revenues
126,046
156,131
208,377
Gross profit
465,664
595,757
792,365
Operating expenses:
Research and development
190,321
211,445
243,058
Sales and marketing
345,273
405,983
480,977
General and administrative
82,520
94,801
141,134
Total operating expenses
618,114
712,229
865,169
Operating loss
(152,450)
(116,472)
(72,804)
Financial income, net
15,432
53,214
56,838
Loss before taxes on income
(137,018)
(63,258)
(15,966)
Tax benefit (taxes on income)
6,650
(3,246)
(77,495)
Net loss
$
(130,368) $
(66,504) $
(93,461)
Basic net loss per ordinary share
$
(3.21) $
(1.60) $
(2.12)
Diluted net loss per ordinary share
$
(3.21) $
(1.60) $
(2.12)
Other comprehensive income (loss), net of tax
Change in net unrealized gains (losses) on marketable securities:
Net unrealized gains (losses) arising during the year
(11,889)
7,920
3,098
Net (gains) losses reclassified into net loss
156
(17)
556
(11,733)
7,903
3,654
Change in unrealized net gain (loss) on cash flow hedges:
Net unrealized gains (losses) arising during the year
(11,418)
(2,898)
2,373
Net (gains) losses reclassified into net loss
7,194
8,706
(2,005)
(4,224)
5,808
368
Other comprehensive income (loss), net of taxes of $(2,176), $1,870 and $(252) for 2022, 2023 and
2024, respectively
(15,957)
13,711
4,022
Total comprehensive loss
$
(146,325) $
(52,793) $
(89,439)
The accompanying notes are an integral part of the consolidated financial statements.
F - 9
CYBERARK SOFTWARE LTD.
STATEMENTS OF SHAREHOLDERS' EQUITY
U.S. dollars in thousands (except share data and unless otherwise indicated)
Ordinary shares
Additional
paid-in
capital
Accumulated
other
comprehensive
income (loss)
Retained
earnings
(accumulated
deficit)
Total
shareholders'
equity
Shares
Amount
Balance as of January 1, 2022
40,041,870 $
104 $
588,937 $
397 $
137,074 $
726,512
Exercise of options and vested RSUs
granted to employees
868,599
3
1,838
-
-
1,841
Other comprehensive loss, net of tax
-
-
-
(15,957)
-
(15,957)
Share-based compensation
-
-
121,579
-
-
121,579
Issuance of ordinary shares under employee
stock purchase plan
118,102
*
13,867
-
-
13,867
Adjustments from adoption of ASU 2020-
06
-
-
(65,932)
-
26,602
(39,330)
Net loss
-
-
-
-
(130,368)
(130,368)
Balance as of December 31, 2022
41,028,571 $
107 $
660,289 $
(15,560) $
33,308 $
678,144
Exercise of options and vested RSUs
granted to employees
1,107,869
3
11,062
-
-
11,065
Other comprehensive income, net of tax
-
-
-
13,711
-
13,711
Share-based compensation
-
-
140,404
-
-
140,404
Issuance of ordinary shares under employee
stock purchase plan
118,896
1
15,505
-
-
15,506
Net loss
-
-
-
-
(66,504)
(66,504)
Balance as of December 31, 2023
42,255,336 $
111 $
827,260 $
(1,849) $
(33,196) $
792,326
Exercise of options and vested RSUs
granted to employees
1,134,607
3
8,306
-
-
8,309
Other comprehensive income, net of tax
-
-
-
4,022
-
4,022
Share-based compensation
-
-
169,280
-
-
169,280
Issuance of ordinary shares under employee
stock purchase plan
105,098
*
19,185
-
-
19,185
Conversion of Convertible Senior Notes
3,646,594
10
574,448
-
-
574,458
Reclassification of Capped Call
Transactions
-
-
256,740
-
-
256,740
Shares issued related to Venafi acquisition,
net of issuance costs
2,285,076
6
638,939
-
-
638,945
Net loss
-
-
-
-
(93,461)
(93,461)
Balance as of December 31, 2024
49,426,711 $
130 $
2,494,158 $
2,173 $
(126,657) $
2,369,804
* Represents an amount lower than $1.
The accompanying notes are an integral part of the consolidated financial statements.
F - 10
CYBERARK SOFTWARE LTD.
CONSOLIDATED STATEMENTS OF CASH FLOWS
U.S. dollars in thousands (except per share data and unless otherwise indicated)
Year ended
December 31,
2022
2023
2024
Cash flows from operating activities:
Net loss
$
(130,368) $
(66,504) $
(93,461)
Adjustments to reconcile net loss to net cash provided by operating activities:
Depreciation and amortization
16,203
19,250
41,983
Share-based compensation
120,821
140,101
168,766
Amortization of premium and accretion of discount on marketable securities, net and other
3,894
(4,570)
(3,537)
Deferred income taxes, net
(15,630)
(7,879)
66,293
Amortization of debt issuance costs
2,980
2,996
2,660
Increase in trade receivables
(7,606)
(65,655)
(93,303)
Change in fair value of derivative assets
-
-
(4,618)
Increase in prepaid expenses, other current and long-term assets and others
(37,141)
(45,016)
(47,456)
Changes in operating lease right-of-use assets
4,558
6,566
8,544
Increase (decrease) in trade payables
4,053
(2,669)
11,000
Increase in short-term and long-term deferred revenue
91,167
72,190
150,780
Increase in employees and payroll accruals
714
6,981
22,001
Increase in accrued expenses and other current and long-term liabilities
4,801
7,507
10,965
Changes in operating lease liabilities
(8,738)
(7,094)
(8,730)
Net cash provided by operating activities
49,708
56,204
231,887
Cash flows from investing activities:
Investment in short-term and long-term deposits
(496,894)
(337,835)
(368,577)
Proceeds from short-term and long-term deposits
532,563
319,542
460,077
Investment in marketable securities and other
(375,731)
(406,633)
(143,391)
Proceeds from maturities of marketable securities
319,105
340,657
218,061
Proceeds from sales of marketable securities and other
6,367
3,389
483,296
Purchase of property and equipment and other assets
(12,517)
(4,948)
(11,059)
Payments for business acquisitions, net of cash acquired
(41,285)
-
(984,669)
Net cash used in investing activities
(68,392)
(85,828)
(346,262)
Cash flows from financing activities:
Payment of equity issuance costs
-
-
(190)
Proceeds from (payments of) withholding tax related to employee stock plans
(184)
11,188
273
Proceeds from exercise of stock options
1,968
11,065
8,309
Proceeds in connection with employee stock purchase plan
15,143
15,831
19,598
Payment of convertible notes
-
-
(542)
Proceeds from settlement of Capped Call Transactions
-
-
261,358
Payments of contingent consideration related to acquisitions
(4,702)
-
-
Net cash provided by financing activities
12,225
38,084
288,806
Increase (decrease) in cash and cash equivalents
(6,459)
8,460
174,431
Effect of exchange rate differences on cash and cash equivalents
(3,053)
135
(3,897)
Cash and cash equivalents at the beginning of the year
356,850
347,338
355,933
Cash and cash equivalents at the end of the year
$
347,338 $
355,933 $
526,467
F - 11
CYBERARK SOFTWARE LTD.
CONSOLIDATED STATEMENTS OF CASH FLOWS
U.S. dollars in thousands (except per share data and unless otherwise indicated)
Year ended
December 31,
2022
2023
2024
Non-cash activities:
Lease liabilities arising from obtaining right-of-use-assets
$
28,256 $
896 $
4,853
Non-cash purchases of property and equipment
$
1,769 $
1,022 $
1,657
Non-cash purchases of intangible assets
$
- $
- $
3,661
Issuance of ordinary shares for conversions of convertible senior notes
$
- $
- $
574,458
Supplemental disclosure of cash flow activities:
Cash paid during the year for taxes, net
$
9,302 $
11,435 $
14,835
The accompanying notes are an integral part of the consolidated financial statements.
F - 12
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 1:-
GENERAL
CyberArk Software Ltd. (together with its subsidiaries, the “Company”) is an Israeli company that develops, markets and sells software-based
identity security solutions and services. The Company's solutions and services secure access for any identity – human or machine – to help
organizations secure critical business assets, protect their distributed workforce and customers, and accelerate business in the cloud. CyberArk’s
AI-powered Identity Security Platform applies intelligent privilege controls to every identity with continuous threat prevention, detection and
response across the identity lifecycle. With CyberArk, organizations can minimize operational and security risks by enabling zero trust and least
privilege with complete visibility, empowering all users and identities, including workforce, IT, developers and machines, to securely access any
resource, located anywhere, from everywhere.
F - 13
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES
The consolidated financial statements have been prepared in accordance with U.S. generally accepted accounting principles ("U.S. GAAP").
a.
Use of estimates:
The preparation of financial statements in conformity with U.S. GAAP requires management to make estimates, judgments and
assumptions that affect the amounts reported in the consolidated financial statements and accompanying notes. Such management
estimates and assumptions are related, but not limited to contingent liabilities, income tax uncertainties, deferred taxes, share-based
compensation, fair value of assets acquired and liabilities assumed in business combinations, fair value of the Capped Call Transactions (as
defined in Note 12), as well as the determination of standalone selling prices in revenue transactions with multiple performance obligations
and the estimated period of benefit for deferred contract costs. The Company's management believes that the estimates, judgments and
assumptions used are reasonable based upon information available at the time they are made. These estimates, judgments and assumptions
can affect the reported amounts of assets and liabilities and disclosure of contingent assets and liabilities at the dates of the consolidated
financial statements, and the reported amounts of revenues and expenses during the reporting periods. Actual results could differ from
those estimates.
b.
Principles of consolidation:
The consolidated financial statements include the financial statements of CyberArk Software Ltd. and its wholly owned subsidiaries. All
intercompany transactions and balances have been eliminated upon consolidation.
c.
Financial statements in U.S. dollars:
A majority of the Company's revenues are generated in U.S. dollars. In addition, the equity investments were in U.S. dollars and a
substantial portion of the Company's costs are incurred in U.S. dollars. The Company's management believes that the U.S. dollar is the
currency of the primary economic environment in which the Company and each of its subsidiaries operates. Thus, the functional and
reporting currency of the Company is the U.S. dollar.
Accordingly, monetary accounts maintained in currencies other than the U.S. dollar are re-measured into U.S. dollars in accordance with
Accounting Standard Codification ("ASC") No. 830 "Foreign Currency Matters." All transaction gains and losses of the re-measured
monetary balance sheet items are reflected in the statement of comprehensive loss as financial income or expenses, as appropriate.
d.
Cash and cash equivalents:
Cash and cash equivalents consist of cash on hand and highly liquid investments with original maturities of three months or less, at the date
of purchase.
F - 14
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
e.
Short-term bank deposits:
Short-term bank deposits are deposits with maturities of greater than three months and remaining maturities of less than one year. As of
December 31, 2023 and 2024, the Company's bank deposits are denominated in U.S. dollars (“USD”) and New Israeli Shekels ("NIS").
The USD deposits bear yearly interest at weighted average rates of 6.4% and 5.5%, respectively. The NIS deposits bear yearly interest at
weighted average rates of 4.7% and 4.5%, respectively. Short-term bank deposits are presented at their cost, including accrued interest.
f.
Investments in marketable securities:
The Company accounts for investments in marketable debt securities in accordance with ASC No. 320, "Investments - Debt Securities".
The Company determines the appropriate classification of its investments at the time of purchase and reevaluates such designation at each
balance sheet date. The Company classifies all of its marketable securities as available-for-sale as the Company may sell these securities at
any time for use in its current operations or for other purposes, even prior to maturity. Available-for-sale securities are carried at fair value,
with the unrealized gains and losses, net of tax, reported in accumulated other comprehensive income (loss) in shareholders' equity. Gains
and losses are determined using the specific identification method and recognized when realized in the consolidated statements of
comprehensive loss.
The Company periodically evaluates its available-for-sale debt securities for impairment in accordance with ASU 2016-13, Financial
Instruments - Credit Losses (Topic 326): Measurement of Credit Losses on Financial Instruments. If the amortized cost of an individual
security exceeds its fair value, the Company considers its intent to sell the security or whether it is more likely than not that it will be
required to sell the security before recovery of its amortized basis. If either of these criteria are met, the Company writes down the security
to its fair value and records the impairment charge in the Consolidated Statements of Comprehensive Loss. If neither of these criteria are
met, the Company assesses whether credit loss exists. In making this assessment, the Company considers the extent to which fair value is
less than amortized cost, any changes to the rating of the security by a rating agency, and any adverse conditions specifically related to the
security, among other factors. If this assessment indicates that a credit loss may exist, the present value of cash flows expected to be
collected from the security are compared to the amortized cost basis of the security. If the present value of cash flows expected to be
collected is less than the amortized cost basis, a credit loss exists and an allowance for credit losses will be recorded, limited by the amount
that the fair value is less than the amortized cost basis. Any additional impairment not recorded through an allowance for credit losses is
recognized in other comprehensive income (loss).
During the years ended December 31, 2022, 2023 and 2024, credit losses were immaterial.
F - 15
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
g.
Property and equipment:
Property and equipment are stated at cost, net of accumulated depreciation. Depreciation is calculated using the straight-line method over
the estimated useful lives of the assets at the following annual rates:
%
Computers, software and related equipment
20 – 33
Office furniture and equipment
15 – 20
Leasehold improvements
Over the shorter of
the related lease
period or the life of
the asset
h.
Long-lived assets impairment:
The long-lived assets of the Company, including finite-lived intangible assets, are reviewed for impairment in accordance with ASC No.
360, "Property, Plant and Equipment", whenever events or changes in circumstances indicate that the carrying amount of an asset may not
be recoverable. The recoverability of assets to be held and used is measured by a comparison of the carrying amount of an asset to the
future undiscounted cash flows expected to be generated by the assets.
If such assets are considered to be impaired, the impairment to be recognized is measured by the amount by which the carrying amount of
the assets exceeds the fair value of the assets. During the years ended December 31, 2022, 2023 and 2024, no impairment losses have been
recognized.
i.
Business combinations:
The Company accounts for its business acquisitions in accordance with ASC No. 805, "Business Combinations." While the Company uses
its best estimates and assumptions as part of the purchase price allocation process to value assets acquired and liabilities assumed at the
business combination date, these estimates and assumptions are subject to refinement. The total purchase price allocated to the tangible and
intangible assets acquired is assigned based on the fair values as of the date of the acquisition. During the measurement period, which does
not exceed one year from the acquisition date, the Company may record adjustments to the assets acquired and liabilities assumed, with the
corresponding offset to goodwill. Goodwill generated from the business combinations is primarily attributable to synergies between the
Company and acquired companies` respective solutions. Acquisition-related expenses are recognized separately from the business
combination and are expensed as incurred.
F - 16
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
j.
Goodwill and other intangible assets:
Goodwill and certain other purchased intangible assets have been recorded in the Company's financial statements as a result of
acquisitions. Goodwill represents excess of the purchase price in a business combination over the fair value of identifiable tangible and
intangible assets acquired. Goodwill is not amortized, but rather is subject to an impairment test.
ASC No. 350, "Intangible-Goodwill and other" requires goodwill to be tested for impairment at least annually and, in certain
circumstances, between annual tests. The accounting guidance gives the option to perform a qualitative assessment to determine whether
further impairment testing is necessary. The qualitative assessment considers events and circumstances that might indicate that a reporting
unit's fair value is less than its carrying amount. If it is determined, as a result of the qualitative assessment, that it is more likely than not
that the fair value of a reporting unit is less than its carrying amount, a quantitative test is performed. The Company operates as one
reporting unit. The Company elects to perform an annual impairment test of goodwill as of October 1 of each year, or more frequently if
impairment indicators are present.
For the years ended December 31, 2022, 2023 and 2024, no impairment losses were identified.
Purchased intangible assets with finite lives are carried at cost, less accumulated amortization. Amortization is computed over the
estimated useful lives of the respective assets, which range from one to 12 years. Intangible assets, consisting primarily of technology and
customer relationships, are amortized over their estimated useful lives on a straight-line basis or in proportion to their economic benefits
realized.
Amortization is calculated using the straight-line method over the estimated useful lives of the assets at the following annual rates:
%
Technology
20
Customer relationships
8-12.5
Other
25-100
k.
Derivative instruments:
ASC No. 815, "Derivative and Hedging," requires companies to recognize all of their derivative instruments as either assets or liabilities on
the balance sheet at fair value.
For those derivative instruments that are designated and qualify as hedging instruments, a company must designate the hedging instrument,
based upon the exposure being hedged, as a fair value hedge, cash flow hedge or a hedge of a net investment in a foreign operation.
Gains and losses on the derivatives instruments that are designated and qualify as a cash flow hedge are recorded in accumulated other
comprehensive income (loss) and reclassified into earnings in the same accounting period in which the designated forecasted transaction or
hedged item affects earnings.
F - 17
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
To hedge against the risk of changes in cash flows mainly resulting from foreign currency salary payments during the year, the Company
instituted a foreign currency cash flow hedging program. The Company hedges portions of its forecasted expenses denominated in NIS.
These forward and swap contracts are designated as cash flow hedges, as defined by ASC No. 815, and are all effective, as their critical
terms match underlying transactions being hedged.
As of December 31, 2023 and 2024, the amount recorded in accumulated other comprehensive income (loss) from the Company's currency
forward and swap transactions was $2,670 and $3,038, respectively.
As of December 31, 2024, the notional amounts of foreign exchange forward and swap contracts into which the Company entered were
$129,250. The foreign exchange contracts will expire by December 2025. The fair value of derivative instruments assets balances as of
December 31, 2023 and 2024, totaled $3,074 and $3,137, respectively. The fair value of derivative instruments liabilities balances as of
December 31, 2023 and 2024, totaled $40 and $98, respectively.
The following table presents gains (losses) reclassified from accumulated other comprehensive income (loss) to the statements of
comprehensive loss per line item:
Year ended
December 31,
2022
2023
2024
Cost of revenues
$
509 $
590 $
(127)
Research and development
5,381
6,486
(1,507)
Sales and marketing
927
1,104
(251)
General and administrative
1,358
1,713
(393)
Total gains (losses), before tax benefit (taxes on income)
8,175
9,893
(2,278)
Tax benefit (taxes on income)
(981)
(1,187)
273
Total gains (losses), net of tax benefit (taxes on income)
$
7,194 $
8,706 $
(2,005)
F - 18
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
In addition to the derivatives that are designated as hedges as discussed above, the Company enters into certain foreign exchange forward
and swap transactions and holds foreign exchange deposits to economically hedge certain net asset balances in Euros and British Pounds
Sterling. Gains and losses related to such derivative instruments are recorded in financial income, net. As of December 31, 2024, with
respect to these transactions, the notional amounts of foreign exchange forward contracts into which the Company entered were $94,592.
The foreign exchange forward contracts will expire by January 2029. The fair value of derivative instruments assets balances as of
December 31, 2023 and 2024, totaled $6 and $3,477, respectively. The fair value of derivative instruments liabilities balances as of
December 31, 2023 and 2024 totaled $996 and $26, respectively.
For the years ended December 31, 2022, 2023 and 2024, the Company recorded financial income (expense), net from hedging transactions
of $2,281, $(1,051), and $4,494, respectively.
As further described in Note 12, Convertible Senior Notes, net, on September 17, 2024, the Company recognized a derivative asset of
$259.3 million related to the Capped Call Transactions which were settled in cash on November 15, 2024.
l.
Severance pay:
The Israeli Severance Pay Law, 1963 ("Severance Pay Law"), specifies that employees are entitled to severance payment, following the
termination of their employment. Under the Severance Pay Law, the severance payment is calculated as one month salary for each year of
employment, or a portion thereof.
The majority of the Company's liability for severance pay is covered by the provisions of Section 14 of the Severance Pay Law ("Section
14"). Under Section 14, employees are entitled to monthly deposits, at a rate of 8.33% of their monthly salary, made on behalf of the
employee with insurance companies. Payments in accordance with Section 14 release the Company from any future severance payments in
respect of those employees.
As a result, the Company does not recognize any liability for severance pay due to these employees and the deposits under Section 14 are
not recorded as an asset in the Company's balance sheet.
For the Company's employees in Israel who are not subject to Section 14, the Company calculated the liability for severance pay pursuant
to the Severance Pay Law based on the most recent salary of these employees multiplied by the number of years of employment as of the
balance sheet date. The Company's liability for these employees is fully provided for via monthly deposits with severance pay funds,
insurance policies and accruals. The value of these deposits recorded as an asset on the Company's balance sheet under other long-term
assets as of December 31, 2023 and 2024 is $5,131 and $5,960, respectively. The amount of accrued severance payable recorded as a
liability on the Company's balance sheet under long-term liabilities as of December 31, 2023 and 2024 is $8,337 and $9,115, respectively.
Severance expenses for the years ended December 31, 2022, 2023 and 2024 amounted to $7,836, $8,447 and $9,526, respectively.
F - 19
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
m.
U.S. defined contribution plan:
The U.S. subsidiaries have a 401(k) defined contribution plan covering certain full time and part time employees in the U.S. who meet
certain eligibility requirements, excluding leased employees and contractors. All eligible employees may elect to contribute up to an annual
maximum of 100% of their annual compensation to the plan through salary deferrals, subject to Internal Revenue Service limits, but not
greater than $23.0 per year (for certain employees over 50 years of age the maximum contribution is $30.5 per year).
The U.S. subsidiaries match amounts equal to 100% of the first 3% of the employee's compensation that they contribute to the defined
contribution plan and 50% of the next 2% of their compensation that they contribute to the defined contribution plan with a limit of
$13.8 per year per employee. For the years ended December 31, 2022, 2023 and 2024, the U.S. subsidiary recorded expenses for matching
contributions of $5,629, $6,575 and $7,181, respectively.
F - 20
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
n.
Convertible senior notes:
The Company accounts for convertible debt instruments pursuant to ASC 470 as a single liability measured at its amortized cost as long as
it was not issued at a substantial premium and no other features require bifurcation and recognition as derivatives pursuant to ASC 815.
The debt host is then measured at its amortized cost using the effective interest method.
o.
Revenue recognition:
The Company generates substantially all of its revenues from providing the right to access its SaaS solutions and licensing the rights to use
its software solutions, maintenance and professional services. Subscription revenues include Software as a Service ("SaaS") offerings and
on-premises subscriptions (“Self-hosted Subscriptions”). The Company sells its solutions through its direct sales force and indirectly
through resellers. Payment is typically due within 30 to 90 calendar days of the invoice date.
F - 21
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
The Company recognizes revenues in accordance with ASC No. 606, "Revenue from Contracts with Customers" ("ASC No. 606"). As
such, the Company identifies a contract with a customer, identifies the performance obligations in the contract, determines the transaction
price, allocates the transaction price to each performance obligation in the contract and recognizes revenues when (or as) the Company
satisfies a performance obligation.
The Company enters into contracts that can include combinations of products and services, which are generally capable of being distinct
and accounted for as separate performance obligations and may include an option to provide additional solutions or services. SaaS
subscriptions, Self-hosted Subscriptions, Perpetual license, professional services, updates and technical support are generally distinct since
the customer can benefit from the services either on its own or together with other resources that are readily available and the Company's
promise to transfer these products and services is separately identifiable from other promises in the contract. For options to provide
additional services, the Company determines whether the option provides a material right to the customer.
The transaction price is determined based on the consideration to which the Company will be entitled in exchange for transferring goods or
services to the customer. The Company does not grant a right of return to its customers.
In instances of contracts where revenue recognition differs from the timing of invoicing, the Company generally determined that those
contracts do not include a significant financing component. The primary purpose of the invoicing terms is to provide customers with
simplified and predictable ways of purchasing the Company's solutions, not to receive or provide financing. The Company uses the
practical expedient and does not assess the existence of a significant financing component when the difference between payment and
revenue recognition is a year or less. Revenue is recognized net of any taxes collected from customers which are subsequently remitted to
the tax authorities.
F - 22
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
Trade Receivables are recorded when the right to consideration becomes unconditional.
The Company records unbilled receivables from contracts when the revenue recognized exceeds the amount billed to the customer. As of
December 31, 2023 and 2024, $20,194 and $37,495 short-term unbilled receivables are included in trade receivables, respectively, and
$1,000 and $5,580 long-term unbilled receivables are included in other long-term assets, respectively.
The Company allocates the transaction price to each performance obligation based on its relative standalone selling price. For maintenance
and support, the Company determines the standalone selling price based on the price at which the Company separately sells a renewal
contracts. For professional services, the Company determines the standalone selling prices based on the prices at which the Company
separately sells those services. For SaaS, Self-hosted Subscriptions and perpetual license, the Company substantially determines the
standalone selling prices by taking into account available information such as historical selling prices, contract value, geographic location,
and the Company's price list and discount policy.
The license portion of Self-hosted Subscriptions and perpetual license are recognized at the point of time when the license is made
available for download by the customer. Maintenance and Support revenue related to perpetual license contracts and the maintenance
component of the Self-hosted Subscriptions offering as well as SaaS revenues are recognized ratably, on a straight-line basis over the term
of the related contract, which is generally one to three years, as the services have a consistent continuous pattern of transfer to a customer
during the contract period. Professional services revenues are substantially recognized as the services are performed, using the method that
best depicts the transfer of services to the customer.
The following table presents the Company's revenue by category:
Year ended
December 31,
2022
2023
2024
SaaS
$
166,361 $
298,331 $
468,680
Self-hosted subscription*
114,288
173,692
264,595
Perpetual license
49,964
21,037
14,449
Maintenance and support
217,695
207,561
196,982
Professional services
43,402
51,267
56,036
$
591,710 $
751,888 $ 1,000,742
* Self-hosted subscription also includes maintenance associated with Self-hosted Subscriptions.
For additional information regarding disaggregated revenues, please refer to Note 18 below.
F - 23
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
Deferred revenue consists of unrecognized amounts billed under SaaS, Self-hosted Subscriptions, and maintenance and support contracts,
as well as professional services which have not yet been performed as of the balance sheet date, for which the Company has an
unconditional right for a consideration or has collected the amounts. Deferred revenues are recognized as (or when) the Company performs
under the contract. During the year ended December 31, 2024, the Company recognized $397,998 that were included in the deferred
revenues balance as of December 31, 2023.
Remaining Performance Obligations:
Transaction price allocated to remaining performance obligations represents non-cancellable contracts that have not yet been recognized,
which includes deferred revenues and amounts not yet received that will be recognized as revenue in future periods.
The aggregate amount of the transaction price allocated to remaining performance obligations was $1,386 million as of December 31,
2024, out of which, the Company expects to recognize approximately 60% in 2025 and the remainder thereafter.
p.
Deferred contract costs:
The Company pays sales commissions primarily to sales and certain management personnel based on their attainment of certain
predetermined sales goals. Sales commissions are considered incremental and recoverable costs of obtaining a contract with a customer.
Sales commissions paid for initial contracts, which are not commensurate with sales commissions paid for renewal contracts, are
capitalized and amortized proportionately to revenue over an expected benefit period which is 5 years. The benefit period is determined by
taking into consideration the technology life and other factors. Sales commissions for renewal contracts are capitalized and amortized over
the related contractual renewal period and aligned with the revenue recognized from these contracts.
For the year ended December 31, 2023 and 2024, the amortization of deferred contract costs was $56,071 and $64,740, respectively.
Amortization expense of these costs is substantially included in sales and marketing expenses.
As of December 31, 2023 and 2024, the Company presented deferred contract costs from contracts which are for periods of less than 12
months of $696 and $1,043, respectively, in prepaid expenses and other current assets, and deferred contract costs in respect of contracts
which are greater than 12 months of $166,733 and $197,807, respectively, in other long-term assets, respectively.
F - 24
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
q.
Trade Receivables and Allowances:
Trade receivables include original invoiced amounts less an allowance for any potential uncollectible amounts and less invoiced amounts
from maintenance and professional services contracts which haven't been recognized yet. Trade receivables also include unbilled
receivables amounts that will be paid in the following year. The Company makes estimates of expected credit losses for the allowance for
credit losses based upon its assessment of various factors, including historical experience, the age of the trade receivable balances, credit
quality of its customers, current economic conditions, reasonable and supportable forecasts of future economic conditions, and other
factors that may affect its ability to collect from customers. The estimated credit loss allowance is recorded as general and administrative
expenses on the Company's consolidated statements of comprehensive loss.
r.
Leases:
In accordance with (ASU) No. 2016-02, "Leases" (Topic 842)", the Company determines if an arrangement is a lease and the classification
of that lease at inception based on: (1) whether the contract involves the use of a distinct identified asset, (2) whether the Company obtains
the right to substantially all the economic benefits from the use of the asset throughout the period, and (3) whether the Company has a right
to direct the use of the asset. The Company elected to not recognize a lease liability and a right-of-use ("ROU") asset for leases with a term
of 12 months or less. The Company also elected the practical expedient to not separate lease and non-lease components for its leases.
ROU assets represent the right to use an underlying asset for the lease term and lease liabilities represent the obligation to make minimum
lease payments arising from the lease. ROU assets are initially measured at amounts, which represents the discounted present value of the
lease payments over the lease, plus any initial direct costs incurred. The lease liability is initially measured at lease commencement date
based on the discounted present value of minimum lease payments over the lease term. The implicit rate within the operating leases is
generally not determinable, therefore the Company uses its Incremental Borrowing Rate ("IBR") based on the information available at
commencement date in determining the present value of lease payments. The Company's IBR is estimated to approximate the interest rate
for collateralized borrowing with similar terms and payments and in economic environments where the leased asset is located. Certain
leases include options to extend or terminate the lease. An option to extend the lease is considered in connection with determining the ROU
asset and lease liability when it is reasonably certain that the Company will exercise that option. An option to terminate is considered
unless it is reasonably certain that the Company will not exercise the option.
Payments under the Company's lease arrangements are primarily fixed, however, certain lease agreements contain variable payments,
which are expensed as incurred and not included in the operating lease right-of-use assets and liabilities. Variable lease payments are
primarily comprised of payments affected by common area maintenance and utility charges.
F - 25
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
s.
Research and development costs:
Research and development costs are charged to the statements of comprehensive loss as incurred except to the extent that such costs are
associated with internal-use software that qualifies for capitalization.
ASC No. 985-20, "Software - Costs of Software to Be Sold, Leased, or Marketed" requires capitalization of certain software development
costs subsequent to the establishment of technological feasibility. Based on the Company's solution development process, technological
feasibility is established upon completion of a working model. Costs incurred by the Company between completion of the working model
and the point at which the solution is ready for general release, have been insignificant.
t.
Internal use software and website development cost:
The Company capitalizes qualifying costs associated with the development of its website and incurred during the application development
stage related to software developed for internal-use in accordance with ASC No. 350-40 "Internal-use Software" ("ASC No. 350-40").
These costs are capitalized based on qualifying criteria. Such costs are amortized over the software's estimated life of five years. Costs
incurred to develop software applications consist of (a) certain external direct costs of materials and services incurred in developing or
obtaining internal-use computer software, and (b) payroll and payroll-related costs for employees who are directly associated with, and
who devote time to, the development or implementation of the software. Capitalized internal-use software and website costs are included in
property and equipment, net in the consolidated balance sheets.
The Company also capitalizes implementation costs incurred in a cloud computing arrangement that is a service contract. The capitalized
implementation costs and their related amortization and cash flows are presented on the financial statements in consistent with the prepaid
amounts and fees related to the associated cloud computing arrangement. Capitalized implementation costs are amortized over the term of
the arrangement, beginning when the module or component of the cloud computing arrangement that is a service contract is ready for its
intended use.
The Company recognized an impairment of internal use software in the amount of $2,067 during the year ended December 31, 2023. The
impairment is presented under cost of subscriptions revenues. During the years ended December 31, 2022 and December 31, 2024, no
impairments were recognized.
u.
Advertising and marketing expenses:
Advertising and marketing expenses consist primarily of marketing campaigns and tradeshows. Advertising and marketing expenses are
charged to the statement of comprehensive loss, as incurred. Advertising and marketing expenses for the years ended December 31, 2022,
2023 and 2024, amounted to $34,438, $35,625 and $46,877, respectively.
F - 26
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
v.
Share-based compensation:
The Company accounts for share-based compensation in accordance with ASC No. 718, "Compensation - Stock Compensation" ("ASC
No. 718"). ASC No. 718 requires companies to estimate the fair value of equity-based payment awards on the date of grant using an
option-pricing model. The value of the award is recognized as an expense over the requisite service periods, which is generally the vesting
period of the respective award, on a straight-line basis when the only condition to vesting is continued services. If vesting is subject to a
performance condition, recognition is based on the implicit service period of the award. Expense for awards with performance conditions is
estimated and adjusted on a quarterly basis based upon the assessment of the probability that the performance condition will be met.
The Company has selected the Black-Scholes-Merton option pricing model as the most appropriate fair value method for its option awards
and Employee Share Purchase Plan ("ESPP"). The fair value of restricted share units ("RSUs") and performance share units ("PSUs")
without market conditions, is based on the closing market value of the underlying shares at the date of grant. For PSUs subject to market
conditions, the Company uses a Monte Carlo simulation model, which utilizes multiple inputs to estimate payout level and the probability
that market conditions will be achieved.
The Black-Scholes-Merton and Monte Carlo models require a number of assumptions, of which the most significant are the expected share
price volatility and the expected option term.
The Company recognizes forfeitures of equity-based awards as they occur. For graded vesting awards subject to service conditions, the
Company recognizes compensation cost using the straight-line attribution method. For graded vesting awards subject to market or
performance conditions, the Company recognizes compensation cost using the accelerated attribution method
w.
Income taxes:
The Company accounts for income taxes in accordance with ASC No. 740-10, "Income Taxes" ("ASC No. 740-10"). ASC No. 740-10
prescribes the use of the asset and liability method whereby deferred tax asset and liability account balances are determined based on
temporary differences between financial reporting and tax bases of assets and liabilities and are measured using the enacted tax rates and
laws that will be in effect when the differences are expected to reverse. The Company establishes a valuation allowance, if necessary, to
reduce deferred tax assets to their estimated realizable value if it is more likely than not that some portion or all of the deferred tax assets
will not be realized. As of December 31, 2024, the company established full valuation allowance on deferred tax assets in Israel and the US
as further describe in Note 15, Income Taxes.
The Company established reserves for uncertain tax positions based on the evaluation of whether or not the Company's uncertain tax
position is "more likely than not" to be sustained upon examination based on its technical merits. The Company records interest and
penalties pertaining to its uncertain tax positions in the financial statements as income tax expense.
F - 27
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
x.
Basic and diluted net loss per share:
Basic net loss per ordinary share is computed by dividing net loss for each reporting period by the weighted-average number of ordinary
shares outstanding during each year. Diluted net loss per ordinary share is computed by dividing net loss for each reporting period by the
weighted average number of ordinary shares outstanding during the period, plus dilutive potential ordinary shares considered outstanding
during the period, in accordance with ASC No. 260-10 "Earnings Per Share". The Company experienced a loss in the years ended
December 31, 2022, 2023 and 2024; hence all potentially dilutive ordinary shares were excluded due to their anti-dilutive effect.
y.
Comprehensive income (loss):
The Company accounts for comprehensive income (loss) in accordance with ASC No. 220, "Comprehensive Income." This statement
establishes standards for the reporting and display of comprehensive income (loss) and its components in a full set of general purpose
financial statements.
z.
Concentration of credit risks:
Financial instruments that potentially subject the Company to concentrations of credit risk consist principally of cash and cash equivalents,
short-term bank deposits, marketable securities, trade receivables, severance pay funds and derivative instruments.
The majority of the Company's cash and cash equivalents and short-term bank deposits are invested with major banks in Israel and the
United States. Such investments in the United States are in excess of insured limits and are not insured in other jurisdictions. Generally,
these investments may be redeemed upon demand and the Company believes that the financial institutions that hold the Company's cash
deposits are financially sound and, accordingly, bear minimal risk.
The Company's marketable securities consist of investments, which are highly rated by credit agencies, in government, corporate and
government sponsored enterprises debentures. The Company's investment policy limits the amount that the Company may invest in any
one type of investment or issuer, in order to reduce credit risk concentrations.
The trade receivables of the Company are mainly derived from sales to a diverse set of customers located primarily in the United States,
Europe and Asia. The Company performs ongoing credit evaluations of its customers and, to date, has not experienced any significant
losses.
The Company has entered into forward contracts with major banks in Israel to protect against the risk of changes in exchange rates. The
derivative instruments hedge a portion of the Company's non-dollar currency exposure.
F - 28
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
aa.
Fair value of financial instruments:
The estimated fair value of financial instruments has been determined by the Company using available market information and valuation
methodologies. Considerable judgment is required in estimating fair values. Accordingly, the estimates may not be indicative of the
amounts the Company could realize in a current market exchange.
The following methods and assumptions were used by the Company in estimating the fair value of their financial instruments:
The carrying values of cash and cash equivalents, short-term bank deposits, trade receivables, prepaid expenses and other long-term and
current assets, trade payables, employees and payroll accruals and accrued expenses and other current liabilities approximate their fair
values due to the short-term maturities of these instruments.
The Company applies ASC No. 820, "Fair Value Measurements and Disclosures" ("ASC No. 820"), with respect to fair value
measurements of all financial assets and liabilities.
The fair value of foreign currency contracts (used for hedging purposes) is estimated by obtaining current quotes from banks.
Fair value is an exit price, representing the amount that would be received to sell an asset or paid to transfer a liability in an orderly
transaction between market participants at the measurement date. As such, fair value is a market-based measurement that should be
determined based on assumptions that market participants would use in pricing an asset or a liability. A three-tier fair value hierarchy is
established as a basis for considering such assumptions and for inputs used in the valuation methodologies in measuring fair value:
Level 1 -
Inputs are unadjusted quoted prices in active markets for identical assets or liabilities that can be accessed at the
measurement date.
Level 2 -
Inputs are quoted prices for similar assets and liabilities in active markets or inputs that are observable for the assets or
liabilities, either directly or indirectly through market corroboration, for substantially the full term of the financial
instruments.
Level 3 -
Inputs are unobservable inputs based on the Company's own assumptions used to measure assets and liabilities at fair value.
The inputs require significant management judgment or estimation.
The fair value hierarchy also requires an entity to maximize the use of observable inputs and minimize the use of unobservable inputs
when measuring fair value.
F - 29
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
In accordance with ASC No. 820, the Company measures its foreign currency derivative instruments, at fair value using the market
approach valuation technique. Foreign currency derivative contracts as detailed in Note 2(k) are classified within Level 2 value hierarchy,
as the valuation inputs are based on quoted prices and market observable data of similar instruments.
As of December 31, 2023, the estimated fair value of the Company’s convertible senior notes, net as further described in Note 12, was
determined based on the closing quoted price of the convertible senior note, net as of the last day of trading for the period, and is
considered Level 2 measurement. The fair value of the convertible senior notes is primarily affected by the trading price of the Company`s
common stock and market interest rates.
The Capped Call Transactions (as defined in Note 12) are considered Level 3 measurement as the Company applies the Black-Scholes-
Merton option pricing model and uses historical volatility to determine expected share price volatility, which is an unobservable input that
is significant to the valuation.
Money Market Funds are classified within Level 1 as these assets are valued using quoted market prices for identical assets in active
markets.
Marketable securities are classified within Level 2 as these assets are valued using alternative pricing sources utilizing market observable
inputs.
ab.
Investments in privately held companies:
The Company holds equity investments, in which it does not have control or significant influence, in private companies without readily
determinable fair values. These investments are measured using the measurement alternative, which is cost, less any impairment, adjusted
for changes in fair value are resulted from observable transactions for identical or similar investments of the same issuer. The investments
are reviewed periodically to determine if impairments or adjustments to the fair value are needed. Adjustments and impairments are
recorded in financial income, net on the consolidated statements of comprehensive loss.
The investments in privately held companies are included in other long-term assets on the consolidated balance sheets.
The carrying amounts of the Company’s investments in privately held companies without readily determinable market values as of
December 31, 2023 and 2024, were $3,566 and $3,546, respectively.
During 2023 and 2024, the Company recorded in financial income, net unrealized gains (losses) of $1,313 and $(16), respectively, related
to revaluation of its investments in privately held companies based on observable price changes.
During 2023 and 2024, the Company recorded in financial income, net realized gains of $1,444 and $0, respectively, related to selling of its
investments in privately held companies.
F - 30
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 2:-
SIGNIFICANT ACCOUNTING POLICIES (Cont.)
ac.
Recently adopted accounting standards:
In November 2023, the FASB issued ASU 2023-07, Segment Reporting (Topic 280), Improvements to Reportable Segment Disclosures,
which expands annual and interim disclosure requirements for reportable segments, primarily through enhanced disclosures about
significant segment expenses. In addition, it provides new segment disclosure requirements for entities with a single reportable segment.
This ASU is effective for the Company’s fiscal year 2024. The Company adopted this standard for its annual period beginning January 1,
2024. See Note 18 - Segment Reporting for further information.
ad.
Recently issued accounting standards:
In December 2023, the FASB issued ASU 2023-09, Income Taxes (Topic 740), Improvements to Income Tax Disclosures, which requires
disaggregated information about the effective tax rate reconciliation as well as information on income taxes paid. The guidance will be
effective for the Company for annual periods beginning January 1, 2025, with early adoption permitted. The Company is currently
evaluating the impact on its financial statement disclosures.
In November 2024, the FASB issued ASU 2024-03, Income Statement - Reporting Comprehensive Income - Expense Disaggregation
Disclosures (Topic 220): Disaggregation of Income Statement Expenses, which requires disaggregated disclosure in the notes to the
financial statements of prescribed categories of expenses within relevant income statement captions. ASU 2024-03 is effective for fiscal
years beginning after December 15, 2026 and interim periods within fiscal years beginning after December 15, 2027. Early adoption is
permitted. The Company is currently evaluating the impact on its financial statement disclosures.
ae.
Reclassification:
Certain comparative figures have been reclassified to conform to the current year presentation.
F - 31
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 3:-
BUSINESS COMBINATIONS
Acquisition of Venafi
On October 1, 2024, the Company completed the acquisition of all outstanding shares of Venafi. The Company expects to combine Venafi’s
machine identity management capabilities with the Company’s leading identity security capabilities including its Secret Management offerings, to
establish a unified platform for end-to-end machine identity security at enterprise scale. The acquisition date fair value of the consideration
transferred amounted to $1.66 billion in a combination of $1.02 billion in cash and 2,285,076 of the Company ordinary shares with an aggregate
value of $639.1 million. Issuance costs amounted to $190 and were classified to Additional Paid in Capital.
Acquisition related expenses of $21.8 million were expensed by the Company in general and administrative expenses in its consolidated
statements of comprehensive loss for the year ended December 31, 2024.
The consolidated statements of comprehensive loss include $47.1 million of revenue and $13.8 million of operating loss attributable to Venafi for
the year ended December 31, 2024.
The transaction was accounted for as a business combination in accordance with ASC No. 805, “Business Combinations.” The total purchase
price was preliminarily allocated using information currently available to the Company and may be subject to change as additional information is
received during the respective measurement period, up to one year from the acquisition date. Preliminary allocation of the purchase price to the
tangible and identifiable intangible assets acquired and liabilities assumed based on their estimated fair values as of the acquisition date is as
follows:
Fair Value
Cash and Cash Equivalents
$
35,940
Accounts Receivable, net
48,690
Other Assets
8,910
Intangible Assets, net
543,575
Goodwill
1,164,133
Deferred Revenue
(60,652)
Other Liabilities
(25,486)
Deferred Tax Liability
(55,366)
Total Purchase Consideration
$ 1,659,744
F - 32
Fair Value
Estimated
useful life
(in years)
Technology (1)
377,076
5
Customer Relationship (2)
154,962
8
Trademark (1)
7,029
1
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 3:-
BUSINESS COMBINATIONS (Cont.)
The excess of the purchase price over the tangible assets acquired, the identifiable intangible asset acquired and assumed liabilities was recorded
as goodwill. We believe that the amount of goodwill reflects the expected synergistic benefits of being able to leverage the technology acquired
with our existing solutions offerings and being able to successfully market and sell to our customer base. Goodwill is not expected to be
deductible for income tax purposes.
The following table presents the identified intangible asset acquired:
(1) The income approach, specifically the relief from royalty method, was used to evaluate the fair value of the technology and trademark assets
identified in the transaction.
(2) The income approach, specifically the multi-period excess earnings method (MEEM), was used to evaluate the fair value of the customer
relationships identified in the transaction.
Unaudited Pro Forma Financial Information
The following pro forma financial information presents the combined results of operations of CyberArk and Venafi as if the acquisition had
occurred on January 1, 2023, after giving effect to certain pro forma adjustments.
The pro forma financial information does not reflect any adjustments for anticipated expense savings or revenue generating synergies resulting
from the acquisition and is not necessarily indicative of the operating results that would have actually occurred had the transaction been
consummated on January 1, 2023.
Year Ended December 31,
2023
2024
Revenues
$
905,859 $
1,125,356
Net loss
$
(104,808) $
(133,939)
The unaudited pro forma financial information presented is for informational purposes only and is not necessarily indicative of the results of
operations that would have been achieved if the Venafi acquisition was completed at the beginning of fiscal year 2023 and is not indicative of the
future operating results of the combined company. The pro forma results include adjustments related to purchase accounting, primarily
amortization of acquisition-related intangible assets.
F - 33
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 3:-
BUSINESS COMBINATIONS (Cont.)
2022 Acquisitions
In March 2022, the Company acquired all of the share capital of AAPI1, Inc., a Delaware corporation ("Aapi"), for total gross consideration of
$17,689. The Company acquired Aapi to bolster Identity Lifecycle Management capabilities and broaden Identity Automation and Orchestration
capabilities across its Identity Security Platform. Aapi specializes in the field of automation of identity. With identity automation, embedded App
functions and micro access control, Aapi develops an identity, communications and incident response platform. The Company expensed the
related acquisition costs of $252 in General and Administrative. The Company accounted for the acquisition as business combination in
accordance with ASC No. 805, "Business Combinations." Goodwill generated from this business combination is primarily attributable to the
assembled workforce and expected post-acquisition synergies from integrating Aapi`s technology into the Company`s portfolio. Pro forma results
of operations have not been presented because the acquisition was not material to the Company's results of operations.
In July 2022, the Company acquired all of the share capital of C3M, LLC ("C3M") for total gross consideration of $28,298. CyberArk acquired
C3M to strengthen the Company’s platform by offering cloud privilege security offerings and further expand the Company’s capabilities. C3M
specializes in multi-cloud security and compliance solutions. The Company expensed the related acquisition costs of $1,992. The Company
accounted for the acquisition as business combination in accordance with ASC No. 805, "Business Combinations." Goodwill generated from this
business combination is primarily attributable to the assembled workforce and expected post-acquisition synergies from integrating C3M`s
technology into the Company`s portfolio. Pro forma results of operations have not been presented because the acquisition was not material to the
Company's results of operations.
F - 34
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 4:-
MARKETABLE SECURITIES
The following tables summarize the amortized cost, unrealized gains and losses, and fair value of available-for-sale marketable securities as of
December 31, 2023 and 2024:
December 31, 2023
Amortized
cost
Gross
unrealized
losses
Gross
unrealized
gains
Fair value
Corporate debentures
$
324,485 $
(4,998) $
357 $
319,844
Government debentures
288,214
(828)
334
287,720
Total
$
612,699 $
(5,826) $
691 $
607,564
December 31, 2024
Amortized
cost
Gross
unrealized
losses
Gross
unrealized
gains
Fair value
Corporate debentures
$
58,265 $
(871) $
6 $
57,400
Government debentures
301
-
-
301
Total
$
58,566 $
(871) $
6 $
57,701
The following table summarizes the continuous unrealized loss position and fair value of available-for-sale marketable securities as of December
31, 2023 and 2024, by duration of continuous unrealized loss:
December 31,
2023
2024
Gross
unrealized
losses
Fair value
Gross
unrealized
losses
Fair value
Continuous unrealized loss position for less than 12 months
$
(590) $
186,910 $
(31) $
10,266
Continuous unrealized loss position for more than 12 months
(5,236)
190,560
(840)
40,842
$
(5,826) $
377,470 $
(871) $
51,108
During 2023 and 2024, the Company recorded in financial income, net, gross realized gains of $23 and $775, respectively.
During 2023 and 2024, the Company recorded in financial income, net, gross realized losses of $(3) and $(1,407), respectively.
F - 35
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 4:-
MARKETABLE SECURITIES (Cont.)
The following table summarizes the amortized cost and fair value of available-for-sale marketable securities as of December 31, 2023 and 2024,
by contractual years-to maturity:
December 31,
2023
2024
Amortized
cost
Fair value
Amortized
cost
Fair value
Due within one year
$
285,012 $
283,016 $
36,775 $
36,356
Due between one and four years
327,687
324,548
21,791
21,345
$
612,699 $
607,564 $
58,566 $
57,701
F - 36
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 5:-
PREPAID EXPENSES AND OTHER CURRENT ASSETS
December 31,
2023
2024
Prepaid expenses
$
19,133 $
25,826
Hedging transaction assets
3,080
5,818
Government authorities
7,513
10,462
Deferred contract costs
696
1,043
Other current assets
1,128
2,143
$
31,550 $
45,292
NOTE 6:-
PROPERTY AND EQUIPMENT, NET
The composition of property and equipment, net is as follows:
December 31,
2023
2024
Cost:
Computers, software and related equipment *)
$
42,570 $
51,230
Leasehold improvements
10,600
14,239
Office furniture and equipment
4,352
5,976
57,522
71,445
Less - accumulated depreciation
41,028
51,864
Depreciated cost
$
16,494 $
19,581
*) For the years ended December 31, 2023 and 2024, the Company capitalized $1,686 and $2,359 including $303 and $514 of share-based
compensation costs, relating to its internal use software and website development, respectively.
Depreciation expense amounted to $9,548, $9,809 and $8,751 for the years ended December 31, 2022, 2023, and 2024, respectively, including
$2,137, $2,576 and $2,039, respectively, relating to its internal use software and website development.
F - 37
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 7:-
GOODWILL AND OTHER INTANGIBLE ASSETS, NET
Changes in the carrying amount of goodwill:
December 31,
2023
2024
Balance as of beginning of the year
$
153,241 $
153,241
Goodwill acquired
- 1,164,133
Closing balance
$
153,241 $ 1,317,374
The composition of intangible assets is as follows:
December 31,
2023
2024
Original amount:
Technology
$
55,922 $
432,998
Customer relationships
9,586
164,548
Other
732
16,450
66,240
613,996
Less - accumulated amortization
46,038
79,270
Intangible assets, net
$
20,202 $
534,726
Amortization expense amounted to $6,655, $7,374 and $33,232 for the years ended December 31, 2022, 2023, and 2024, respectively.
As of December 31, 2024, the weighted-average remaining useful lives (in years) of Technology, and Customer relationships was 4.7 and 7.7,
respectively.
The estimated future amortization expense of intangible assets as of December 31, 2024 is as follows:
2025
107,345
2026
100,785
2027
99,710
2028
95,404
2029
77,311
Thereafter
54,171
$
534,726
F - 38
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 8:-
ACCRUED EXPENSES AND OTHER CURRENT LIABILITIES
December 31,
2023
2024
Government authorities
$
8,464 $
10,923
Accrued expenses
12,879
20,723
Unrecognized tax benefits
5,960
10,609
Lease liabilities, current
8,240
11,107
Hedging transaction liabilities
1,019
124
$
36,562 $
53,486
NOTE 9:-
COMMITMENTS AND CONTINGENT LIABILITIES
a.
Legal contingencies:
From time to time, the Company becomes involved in legal proceedings or is subject to claims arising in its ordinary course of business.
Such matters are generally subject to many uncertainties and outcomes are not predictable with assurance. The Company accrues for
contingencies when the loss is probable and it can reasonably estimate the amount of any such loss. The Company is currently not a party
to any material legal or administrative proceedings and is not aware of any material pending or threatened material legal or administrative
proceedings against the Company.
b.
Bank guarantees:
The Company obtained bank guarantees of $2,782 primarily in connection with office lease agreements.
c.
Non-cancellable purchase obligations:
The Company entered into non-cancellable agreements for the receipt of cloud infrastructure services and subscription-based cloud
services. Future payments under non-cancellable purchase obligations as of December 31, 2024 are as follows:
2025
58,035
2026
64,488
2027
52,913
$
175,436
F - 39
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 10:-
LEASES
The Company entered into operating leases primarily for offices. The leases have remaining lease terms of up to 5 years, some of which may
include options to extend the leases for up to an additional 5 years.
The components of operating lease costs were as follows:
Year ended
December 31,
2023
2024
Operating lease cost
$
8,888 $
10,195
Short-term lease cost
1,858
1,483
Variable lease cost
1,491
1,534
Total net lease costs
$
12,237 $
13,212
Supplemental balance sheet information related to operating leases is as follows:
December 31,
2023
2024
Operating lease ROU assets (under other long-term assets in the balance sheets)
$
32,186 $
31,154
Operating lease liabilities, current
$
8,240 $
11,107
Operating lease liabilities, long-term (under other long-term liabilities in the balance sheets) $
22,293 $
18,208
Weighted average remaining lease term (in years)
4.8
3.7
Weighted average discount rate
2.9%
3.3%
Maturities of the Company’s operating lease liabilities as of December 31, 2024 are as follows:
December 31,
2024
2025
11,240
2026
7,136
2027
5,541
2028
4,055
2029
2,895
Thereafter
7
Total undiscounted lease payments
30,874
Less: imputed interest
(1,559)
Present value of lease liabilities
$
29,315
F - 40
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 11:
FAIR VALUE MEASUREMENTS
The following tables present the fair value of money market funds and marketable securities as of December 31, 2023 and 2024:
December 31,
2023
2024
Level 1
Level 2
Total
Level 1
Level 2
Total
Cash equivalents:
Money market funds
$
315,784 $
- $
315,784 $
455,712 $
- $
455,712
Corporate debentures and
commercial paper
-
1,001
1,001
-
-
-
Government debentures
-
1,194
1,194
-
-
-
Marketable securities:
Corporate debentures and
commercial paper
-
319,844
319,844
-
57,400
57,400
Government debentures
-
287,720
287,720
-
301
301
Total money market funds and
marketable securities measured at
fair value
$
315,784 $
609,759 $
925,543 $
455,712 $
57,701 $
513,413
NOTE 12:
CONVERTIBLE SENIOR NOTES, NET
a.
Convertible senior notes, net:
In November 2019, the Company issued $500 million aggregate principal amount, 0% coupon rate, of convertible senior notes due 2024
and an additional $75 million aggregate principal amount of such notes pursuant to the exercise in full of the over-allotment option of the
initial purchasers (collectively, "Convertible Notes").
The Convertible Notes were convertible based upon an initial conversion rate of 6.3478 of the Company's ordinary shares, par value NIS
0.01 per share, per $1 principal amount of Convertible Notes (equivalent to a conversion price of approximately $157.53 per ordinary
share). The Convertible Notes were senior unsecured obligations of the Company.
During the year ended December 31, 2024, the conditions allowing holders of the Convertible Notes to convert were met, and $574.5
million in aggregate principal amount of the Convertible Notes were converted for physical settlement prior to November 15, 2024 (the
"Maturity Date"), and $0.5 million were repaid in cash at par at the Maturity Date.
Prior to May 15, 2024, a holder was able to convert all or a portion of its Convertible Notes only under the following circumstances:
(1)
During any calendar quarter commencing after the calendar quarter ending on March 31, 2020 (and only during such calendar
quarter), if the last reported sale price of the Company's ordinary shares for at least 20 trading days (whether or not consecutive)
during a period of 30 consecutive trading days ending on, and including, the last trading day of the immediately preceding calendar
quarter was greater than or equal to 130% of the conversion price on each applicable trading day;
F - 41
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 12:-
CONVERTIBLE SENIOR NOTES, NET (Cont.)
(2)
During the five business day period after any 10 consecutive trading day period ("measurement period") in which the trading price,
determined pursuant to the terms of the Convertible Notes, per $1 principal amount of Convertible Notes for each trading day of the
measurement period was less than 98% of the product of the last reported sale price of the ordinary shares and the conversion rate
on each such trading day;
(3)
If the Company called the Convertible Notes for redemption in certain circumstances, at any time prior to the close of business on
the third scheduled trading day immediately preceding the redemption date; or
(4)
Upon the occurrence of specified corporate events.
On or after May 15, 2024 until the close of business on the third scheduled trading day immediately preceding the Maturity Date, a holder
was able to convert its Convertible Notes at any time, regardless of the foregoing circumstances.
Upon conversion, the Company could pay or deliver cash, ordinary shares or a combination of cash and ordinary shares, at the Company's
election.
The Company could not redeem the notes prior to November 15, 2022, except in the event of certain tax law changes. The Company could,
at any time and from time to time, redeem for cash all or any portion of the notes, at the Company's option, on or after November 15, 2022,
if the last reported sale price of the Company`s ordinary shares had been at least 130% of the conversion price then in effect for at least 20
trading days (whether or not consecutive) during any 30 consecutive trading day period (including the last trading day of such period)
ending on, and including, the trading day immediately preceding the date on which it delivered notice of redemption at a redemption price
equal to 100% of the principal amount of the notes to be redeemed.
Upon the occurrence of a Fundamental Change as defined in the Indenture, holders could require the Company to repurchase for cash all or
any portion of their Convertible Notes at a fundamental change repurchase price equal to 100% of the principal amount of the Convertible
Notes to be repurchased (plus accrued and unpaid special interest payable under certain circumstances set forth in the terms of the
Convertible Notes (if any) to, but excluding, the fundamental change repurchase date). In addition, in connection with a make-whole
fundamental change (as defined in the Indenture), or following the Company's delivery of a notice of redemption, the Company would, in
certain circumstances, increase the conversion rate for a holder who elected to convert its notes in connection with such a corporate event
or redemption, as the case may be.
On March 2024, the Company and the Convertible Notes trustee, entered into a supplemental indenture to change the Settlement Method
(as defined in the Indenture) elected, or deemed elected, if it does not timely elect a Settlement Method applicable to a conversion of
Convertible Notes, to Physical Settlement (as defined in the Indenture).
F - 42
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 12:-
CONVERTIBLE SENIOR NOTES, NET (Cont.)
As of December 31, 2023, the Convertible Notes were classified as a current liability.
The net carrying amount of the liability of the Convertible Notes as of December 31, 2023 and 2024 was as follows:
December 31,
2023
2024
Liability component:
Remaining principal amount
$
575,000 $
-
Unamortized issuance costs
(2,660)
-
Net carrying amount
$
572,340 $
-
Interest expense related to the Convertible Notes was as follows:
Year ended
December 31,
2022
2023
2024
Amortization of debt issuance costs
$
2,980 $
2,996 $
2,660
Total interest expense recognized
$
2,980 $
2,996 $
2,660
b.
Capped Call Transactions:
In connection with the pricing of the Convertible Notes and the exercise by the Initial Purchasers of the over-allotment option, the
Company entered into privately negotiated capped call transactions ("Capped Call Transactions") with certain financial institutions
("Option Counterparties"). The Capped Call Transactions covered, collectively, the number of the Company's ordinary shares underlying
the Convertible Notes, subject to anti-dilution adjustments substantially similar to those applicable to the Convertible Notes.
The Capped Call Transactions had an initial strike price of approximately $157.53 per share, subject to certain adjustments, which
corresponded to the approximate initial conversion price of the Convertible Notes.
The cap price of the Capped Call Transactions was initially $229.14 per share and was subject to certain adjustments under the terms of the
Capped Call Transactions. The Capped Call Transactions were separate transactions, in each case, entered into by the Company with the
Option Counterparties, and were not part of the terms of the Convertible Notes and would not have changed the holders' rights under the
Convertible Notes.
F - 43
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 12:-
CONVERTIBLE SENIOR NOTES, NET (Cont.)
During the year ended December 31, 2024, the Company reclassified the Capped Call Transactions from equity at fair value. The Capped
Call Transactions were previously recorded as part of equity since the Company could have elected the settlement method and equity
classification was not precluded under ASC 815. When the Company could no longer change the settlement method, cash settlement
became mandatory and therefore the Capped Call Transactions were required to be reclassified and measured at fair value through
earnings.
As such, $256.7 million was reclassified from additional paid-in capital to derivative assets. The change in fair value of the derivative asset
from the reclassification date to December 31, 2024, was $4.6 million and was recorded to financial income, net on the consolidated
statements of comprehensive loss.
On November 15, 2024, the Company received $261.4 million in cash from the Option Counterparties as final settlement of the Capped
Call Transactions.
NOTE 13:-
REVOLVING CREDIT FACILITY
On June 25, 2024, the Company entered into a revolving credit facility agreement (“Credit Facility”) with Bank Leumi le-Israel B.M. (“Lender”).
The Credit Facility enables the Company to borrow up to $250 million and matures on June 24, 2026.
The borrowings under the Credit Facility bear interest at a base rate plus a spread of 0.8% to 1.8%, or a three-month Secured Overnight Financing
Rate plus a spread of 2.45% to 4%. The ongoing fee on undrawn amounts is 0.7%.
The Credit Facility requires the Company to maintain at all times a minimum amount of $150 million unrestricted Cash and Cash equivalents, of
which a minimum amount of $60 million is in a specified bank account of the Lender. In addition, the Company is required to maintain a
maximum quarterly net debt to adjusted EBITDA ratio of 4.5, stepping down to 2.5 over time. Non-compliance with a financial covenant may be
cured by the next consecutive quarter. In addition, the Credit Facility requires the consent of the Lender in relation to change in control, merger,
consolidation or incurrence of pledges.
As of December 31, 2024, the Company has no outstanding amounts under the Credit Facility and was in compliance with all financial covenants.
F - 44
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 14:-
SHAREHOLDERS' EQUITY
a.
Composition of share capital of the Company:
December 31,
2023
2024
Authorized
Issued and
outstanding
Authorized
Issued and
outstanding
Number of shares
Ordinary shares of NIS 0.01 par
value each
250,000,000
42,255,336
250,000,000
49,426,711
b.
Ordinary shares:
The ordinary shares of the Company confer upon the holders the right to receive notices of and to participate and vote in general meetings
of the Company, rights to receive dividends and rights to participate in distribution of assets upon liquidation.
c.
Share-based compensation:
The 2024 Share Incentive Plan (the “2024 Plan”) was adopted by our board of directors and became effective on June 1, 2024. 1,787,022
ordinary shares reserved for issuance were transferred from the 2014 Share Incentive Plan to the 2024 Plan.
The maximum aggregate number of shares that may be issued pursuant to awards under this 2024 Plan is the sum of (a) 1,786,992 ordinary
shares, plus (b) on January 1 of each calendar year commencing in 2025, a number of ordinary shares equal to the lesser of: (i) an amount
determined by the Board, if so determined prior to the January 1 of the calendar year in which the increase will occur, (ii) 4% of the total
number of ordinary shares of the Company outstanding on December 31 of the immediately preceding calendar year, and (iii) 4,000,000
ordinary shares.
On January 1, 2021, the Company’s ESPP became effective. The ESPP enables eligible employees of the Company and its designated
subsidiaries to elect to have payroll deductions made during a six-month offering period in an amount not exceeding 15% of the gross base
compensation which the employees receive. The applicable purchase price will be no less than 85% of the lesser of the fair market value of
the Company’s ordinary shares on the first day or the last day of the purchase period. The total number of ordinary shares initially reserved
under the ESPP as of January 1, 2021 was 125,000 shares (the “ESPP Share Pool”). On January 1 of each year between 2022 and 2026, the
ESPP Share Pool will be increased by a number of ordinary shares equal to the lower of (i) 1,000,000 ordinary shares, (ii) 1% of the
Company’s outstanding ordinary shares on December 31 of the immediately preceding calendar year, and (iii) a lesser number of ordinary
shares determined by the Company’s board of directors.
Under the 2024 Plan, options, restricted stock units (“RSUs”), performance share units (“PSUs”) and other share-based awards may be
granted to employees, officers, non-employee consultants and directors of the Company.
Under the 2024 Plan and ESPP, as of December 31, 2024, an aggregate number of 1,650,364 ordinary shares were reserved for future
grant. Any share under the 2024 Plan underlying an award that is cancelled, terminated or forfeited for any reason without having been
exercised will automatically be available for grant under the 2024 Plan.
F - 45
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 14:-
SHAREHOLDERS' EQUITY (Cont.)
The total share-based compensation expense related to all of the Company's equity-based awards, recognized for the years ended
December 31, 2022, 2023 and 2024 is comprised as follows:
Year ended
December 31,
2022
2023
2024
Cost of revenues
$
15,060 $
17,612 $
21,724
Research and development
27,102
29,458
34,953
Sales and marketing
51,099
58,790
67,924
General and administrative
27,560
34,241
44,165
Total share-based compensation expense
$
120,821 $
140,101 $
168,766
The total unrecognized compensation cost amounted to $352,891 as of December 31, 2024 and is expected to be recognized over a
weighted average period of 2.59 years.
d.
Options granted to employees:
There were no options granted during the year ended December 31, 2024.
A summary of the activity in options granted to employees for the year ended December 31, 2024 is as follows:
Amount
of
options
Weighted
average
exercise
price
Weighted
average
remaining
contractual
term
(in years)
Aggregate
intrinsic
value
Balance as of December 31, 2023
244,787 $
78.85
4.24 $
34,320
Exercised
119,120 $
69.76
$
25,031
Forfeited
2,249 $
147.9
$
319
Expired
34 $
51.86
$
7
Balance as of December 31, 2024
123,384 $
86.37
3.69 $
30,449
Exercisable as of December 31, 2024
117,648 $
83.23
3.5 $
29,403
The expected volatility of the Company's ordinary shares is based on the Company's historical volatility. The expected option term
represents the period of time that options granted are expected to be outstanding, based upon historical experience.
F - 46
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 14:-
SHAREHOLDERS' EQUITY (Cont.)
The Company has historically not paid dividends and has no foreseeable plans to pay dividends and, therefore, uses an expected dividend
yield of zero in the option pricing model. The risk-free interest rate is based on the yield of U.S. treasury bonds with equivalent terms.
The following tables sets forth the parameters used in computation of the options and ESPP compensation to employees for the years
ended December 31, 2022, 2023 and 2024:
Year ended
December 31,
Options
2022
2023
2024
Expected volatility
46%-50%
51%
-
Expected dividends
0%
0%
-
Expected term (in years)
3.73-3.76
3.77-3.78
-
Risk free rate
1.67%-4.40% 3.58%-3.97%
-
Year ended
December 31,
ESPP
2022
2023
2024
Expected volatility
55.67%-64.20% 39.46%-44.12% 28.23%-29.27%
Expected dividends
0%
0%
0%
Expected term (in years)
0.5
0.5
0.5
Risk free rate
2.15%-4.65% 5.33%-5.44% 4.43%-5.39%
A summary of options data for the years ended December 31, 2022, 2023 and 2024, is as follows:
Year ended
December 31,
2022
2023
2024
Weighted-average grant date fair value of options granted
$
39.69 $
62.25 $
-
Total intrinsic value of the options exercised
$
30,031 $
22,935 $
25, 031
The aggregate intrinsic value is calculated as the difference between the per-share exercise price and the fair value of an ordinary share for
each share subject to an option multiplied by the number of shares subject to options at the date of exercise.
F - 47
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 14:-
SHAREHOLDERS' EQUITY (Cont.)
e.
A summary of RSU and PSU activity for the year ended December 31, 2024 is as follows:
Amount
of
RSUs and
PSUs
Weighted
average
grant date
fair value
Unvested as of December 31, 2023
2,639,337 $
136.15
Granted
1,122,240
246.78
Vested
1,015,487
130.44
Forfeited
117,308
152.82
Unvested as of December 31, 2024
2,628,782 $
184.84
The total fair value of RSUs and PSUs vested (based on fair value of the Company's ordinary shares at vesting date) during the years ended
December 31, 2022, 2023 and 2024 was $117,812, $135,873 and $257,379, respectively.
The amount of unvested PSU as of December 31, 2024 is 382,140.
NOTE 15:-
INCOME TAXES
CyberArk Software Ltd.'s subsidiaries are separately taxed under the domestic tax laws of the jurisdiction of incorporation of each entity.
a. Corporate tax in Israel:
Ordinary taxable income is subject to a corporate tax rate of 23% for the years 2022-2024. Refer to Note 15g for tax benefits in Israel.
b.
Loss before taxes on Income is comprised as follows:
Year ended
December 31,
2022
2023
2024
Domestic loss
$ (167,606) $ (116,661) $
(27,469)
Foreign income
30,588
53,403
11,503
$ (137,018) $
(63,258) $
(15,966)
F - 48
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 15:-
INCOME TAXES (Cont.)
c.
Deferred income taxes:
Deferred taxes reflect the net tax effect of temporary differences between the carrying amounts of assets and liabilities for financial
reporting purposes and the amounts recorded for tax purposes. Significant components of the Company's deferred tax assets and liabilities
are as follows:
December 31,
2023
2024
Deferred tax assets:
Carry-forwards losses and credits
$
59,911 $
117,493
Capitalized research and development
22,859
40,324
Deferred revenues
12,841
19,749
Intangible assets
8,267
7,727
Share-based compensation
26,897
29,123
Operating lease liability
4,737
4,971
Accruals and others
4,276
9,680
Gross deferred tax assets before valuation allowance
139,788
229,067
Less: Valuation allowance
24,569
94,663
Total deferred tax assets
$
115,219 $
134,404
Deferred tax liabilities:
Intangible assets
$
(3,527) $ (133,928)
Deferred commissions
(24,999)
(31,133)
Operating lease ROU asset
(4,696)
(4,948)
Property and equipment and other
(700)
(655)
Gross deferred tax liabilities
$
(33,922) $ (170,664)
Net deferred tax assets (liabilities)
$
81,297 $
(36,260)
In assessing the realizability of deferred tax assets, management considers whether it is more likely than not that some portion or all of the
deferred tax assets will be realized. During the year ended December 31, 2024, the Company concluded that, based on its evaluation of
available evidence, it was no longer more likely than not that some of the Company's deferred tax assets were recoverable, primarily in
Israel. As a result, the Company recorded a valuation allowance of $65.4 million against its deferred tax assets.
As of December 31, 2024, $117,301 of undistributed earnings held by the Company's foreign subsidiaries are designated as
indefinitely reinvested. If these earnings were repatriated to Israel, it would be subject to Israeli income taxes and to foreign withholding
taxes and an adjustment for foreign tax credits. Determination of the amount of unrecognized deferred tax liability on undistributed
earnings is not practicable.
F - 49
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 15:-
INCOME TAXES (Cont.)
d.
Income taxes are comprised as follows:
Year ended
December 31,
2022
2023
2024
Current
$
8,980 $
11,125 $
11,202
Deferred
(15,630)
(7,879)
66,293
$
(6,650) $
3,246 $
77,495
Year ended
December 31,
2022
2023
2024
Domestic
$
(19,716) $
(14,105) $
3,766
Foreign
13,066
17,351
73,729
$
(6,650) $
3,246 $
77,495
e.
A reconciliation of the Company's theoretical income tax benefit to actual income tax expense (benefit) is as follows:
Year ended
December 31,
2022
2023
2024
Loss before income taxes
$ (137,018) $
(63,258) $
(15,966)
Statutory tax rate
23.0%
23.0%
23.0%
Theoretical tax benefit
(31,514)
(14,549)
(3,672)
Excess tax benefits related to share-based compensation
(1,817)
(3,817)
(12,788)
Non-deductible expenses
6,325
2,963
6,560
Changes in valuation allowance
1,538
3,320
70,758
Changes in unrecognized tax benefits
(1,914)
3,155
10,550
Foreign and preferred enterprise tax rates differential
18,450
12,826
4,726
Prior years and others
2,282
(652)
1,361
Income tax expense (tax benefit)
$
(6,650) $
3,246 $
77,495
F - 50
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 15:-
INCOME TAXES (Cont.)
f.
Net operating loss and tax credits carry-forwards:
As of December 31, 2024, the Company has aggregate federal and state net operating loss carryforwards of $273,127 and $201,600,
respectively, attributed to the U.S. subsidiaries. The federal net operating losses, if not utilized, can be carried forward indefinitely, but are
subject to the 80% taxable income limitation upon utilization. $95,052 of the state net operating loss carryforwards, can be carried forward
indefinitely. The remaining amount will begin to expire in 2025 through 2044. Utilization of some of these U.S. net operating losses are
subject to annual limitation due to the "change in ownership" provisions of the U.S. Internal Revenue Code and similar state
provisions. The annual limitation may result in the expiration of net operating losses before utilization.
The Company has federal and state research and development credits carryforwards of $19,939. If not utilized, the research and
development credits carryforwards will begin to expire in 2026 through 2044. Additionally, foreign tax credits carryforwards in U.S.
totaled $15,496. If not utilized, the foreign tax credits carryforwards will begin to expire in 2025 through 2034.
As of December 31, 2024, net operating loss carryforwards in Israel totaled $193,583 and can be carried forward indefinitely. Additionally,
foreign tax credits carryforwards in Israel totaled $1,444 and will begin to expire in 2027 through 2030.
g.
Tax benefits under the Law for the Encouragement of Capital Investments, 1959:
As of December 31, 2024, approximately $13,945 was derived from tax exempt profits earned by the Company's "Approved Enterprises"
and "Beneficiary Enterprise". The Company and its Board of Directors have determined that such tax-exempt income will not be
distributed as dividends and intends to reinvest the amount of its tax-exempt income earned by the Company. Accordingly, no provision for
deferred income taxes has been provided on income attributable to the Company's "Approved Enterprises" and "Beneficiary Enterprises"
as such income is essentially permanently reinvested.
If the Company's retained tax-exempt income is distributed, the income would be taxed at the applicable corporate tax rate as if it had not
elected the alternative tax benefits under the Law for the Encouragement of Capital Investments ("Investment Law") and an income tax
liability of up to $3,424 would have been incurred as of December 31, 2024.
In December 2016, the Israeli Knesset passed Amendment 73 to the Investment Law which included a number of changes to the
Investment Law regimes through regulations approved on May 1, 2017 and that have come into effect from January 1, 2017.
Applicable benefits under the new regime include:
-
Introduction of a benefit regime for "Preferred Technology Enterprises" ("PTE") granting a 12% tax rate in central Israel – on
qualified income deriving from Benefited Intellectual Property, subject to a number of conditions being fulfilled, including a
minimal amount or ratio of annual R&D expenditure and R&D employees, as well as having at least 25% of annual income derived
from exports to large markets.
-
A 12% capital gains tax rate on the sale of a preferred intangible asset to a foreign affiliated enterprise, provided that the asset was
initially purchased from a foreign resident at an amount of NIS 200 million or more.
F - 51
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 15:-
INCOME TAXES (Cont.)
-
A withholding tax rate of 20% for dividends paid from PTE income (with an exemption from such withholding tax applying to
dividends paid to an Israeli company). Such rate may be reduced to 4% on dividends paid to a foreign resident company, subject to
certain conditions regarding percentage of foreign ownership of the distributing entity.
The Company adopted the PTE since 2017 and it is generally eligible for its benefits.
In addition, the Company received a comprehensive ruling from the Israeli tax authorities for tax years 2018 through 2023 which approves
the Company’s PTE status and derived PTE's benefits. The Company believes that its eligibility for the PTE tax benefits continues and
accordingly operates to obtain an extension approval for this ruling from the Israeli tax authorities for future tax years.
h.
Tax benefits under the Law for the Encouragement of Industry (Taxation), 1969:
Management believes that the Company currently qualifies as an "industrial company" under the above law and as such, is entitled to
certain tax benefits including accelerated depreciation, deduction of public offering expenses in three equal annual installments and
amortization of other intangible property rights for tax purposes.
i.
Tax assessments:
As of December 31, 2024, the Company has open tax years, which can be subject to tax examination in Israel for the tax years 2021
through 2024 and in the UK for the tax years 2022 through 2024.
For the U.S. subsidiary’s tax years ended December 31, 2021 through 2024, the statue of limitations has not yet expired expect to the
extent of unused operating losses or net operating losses used during this period
F - 52
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 15:-
INCOME TAXES (Cont.)
j.
Unrecognized tax benefits:
A reconciliation of the opening and closing amounts of total unrecognized tax benefits related to uncertain tax positions is as follows:
Year ended
December 31,
2022
2023
2024
Opening balance
$
3,870 $
2,805 $
5,960
Decrease related to settlements with taxing authorities
(2,353)
-
-
Increase related to prior year tax positions
429
743
702
Increase related to current year tax positions
859
2,412
9,848
Increase related to current year business acquisitions
-
-
3,463
Closing balance
$
2,805 $
5,960 $
19,973
During the years ended December 31, 2022, 2023 and 2024, the Company recorded $(87), $44 and $298, respectively, for interest expense
(income) related to uncertain tax positions. As of December 31, 2023 and 2024, accrued interest was $69 and $367, respectively.
As of December 31, 2024 the Company had $8.5 million of unrecognized tax benefits, which, if recognized, would affect the Company’s
effective tax rate.
Although the Company believes that it has adequately provided for any reasonably foreseeable outcomes related to tax audits and
settlement, there is no assurance that the final tax outcome of its tax audits will not be different from that which is reflected in the
Company's income tax provisions. Such differences could have a material effect on the Company's income tax provision, cash flow from
operating activities and net loss in the period in which such determination is made.
NOTE 16:-
FINANCIAL INCOME, NET
Year ended
December 31,
2022
2023
2024
Bank charges and other
$
(269) $
(359) $
(1,407)
Exchange rate income (loss), net
1,564
1,567
(2,131)
Interest income and gains (losses) from investment in privately held
companies
17,117
55,002
58,418
Amortization of debt issuance costs
(2,980)
(2,996)
(2,660)
Change in fair value of derivative assets
-
-
4,618
Financial income, net
$
15,432 $
53,214 $
56,838
F - 53
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 17:-
BASIC AND DILUTED NET LOSS PER SHARE
Year ended
December 31,
2022
2023
2024
Numerator:
Net loss available to shareholders of ordinary shares
$
(130,368) $
(66,504) $
(93,461)
Denominator:
Weighted-average shares used in computing basic and diluted net loss per
ordinary shares
40,583,002 41,658,424 44,182,071
Net loss per share, basic and diluted
$
(3.21) $
(1.60) $
(2.12)
The total weighted average number of shares related to outstanding options, RSUs and PSUs that have been excluded from the computation of
diluted net loss per ordinary share due to their antidilutive effect was 2,839,883, 3,013,220 and 2,781,892 for the years ended December 31, 2022,
2023 and 2024, respectively.
Additionally, 3,649,985 shares underlying the Convertible Notes have been excluded from the computation of diluted net loss per share for the
years ended December 31, 2022 and 2023 as the effect would be anti-dilutive.
3,021,323 shares have been excluded for the same anti-dilutive effect for the year ended December 31, 2024,
F - 54
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 18:-
SEGMENTS, CUSTOMERS AND GEOGRAPHIC INFORMATION
a.
The Company identifies its operating segments in accordance with ASC Topic 280, "Segment Reporting." Operating segments are defined as
components of an entity for which separate financial information is available and it is regularly reviewed by the Chief Operating Decision
Maker (“CODM”) in making decisions regarding resource allocation and evaluating financial performance. The Company determined it
operates in one reportable segment as the Company's CODM is the Chief Executive Officer who makes operating decisions, assess
performance and allocates resources on a consolidated basis. The Company’s CODM uses consolidated net loss to review actual results and
decide where to allocate additional resources within the business to continue growth. Since the Company operates as one operating segment,
financial segment information, including profit or loss and asset information, can be found in the consolidated financial statements.
b.
The total revenues are attributed to geographic areas based on the location of the Company's channel partners, which are considered as end
customers, as well as direct customers of the Company.
The following tables present total revenues for the years ended December 31, 2022, 2023 and 2024 and long-lived assets as of December 31,
2023 and 2024:
Revenues:
Year ended
December 31,
2022
2023
2024
United States
$
312,816 $
393,355 $
503,359
Israel
6,302
6,784
8,257
United Kingdom
41,297
45,751
60,238
Europe, the Middle East and Africa *)
130,745
173,203
243,100
Other
100,550
132,795
185,788
$
591,710 $
751,888 $ 1,000,742
For the years ended December 31, 2022, 2023 and 2024, no single customer contributed more than 10% to the Company's total revenues.
Long-lived assets, including property and equipment, net and operating lease right-of-use assets:
December 31,
2023
2024
United States
$
4,635 $
8,405
Israel
33,898
31,327
United Kingdom
3,118
2,880
Europe, the Middle East and Africa *)
747
1,521
Other
6,282
6,602
$
48,680 $
50,735
*) Excluding United Kingdom and Israel
F - 55
CYBERARK SOFTWARE LTD.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
U.S. dollars in thousands (except share and per share data and unless otherwise indicated)
NOTE 19:-
SUBSEQUENT EVENTS
On February 12, 2025, the Company completed the acquisition of Zilla Security, Inc. (“Zilla”), a leader in modern Identity Governance and
Administration (IGA) solutions. Zilla’s innovative, AI-powered IGA capabilities will expand CyberArk’s industry-leading Identity Security
Platform with scalable automation that enables accelerated identity compliance and provisioning across digital environments, while maximizing
security and operational efficiency.
The Company will account for the acquisition as a business combination in accordance with ASC No. 805, “Business Combinations.” The
purchase consideration transferred amounted to approximately $165 million in cash, and up to $6 million earn-out tied to the achievement of
certain contingent milestones. An additional $4 million earn-out is tied to retention of key employees. Goodwill generated from this business
combination is primarily attributable to the expected post-acquisition synergies from integrating Zilla`s technology into the Company’s portfolio.
F - 56
Exhibit 1.1
THE COMPANIES LAW, 1999
A LIMITED LIABILITY COMPANY
ARTICLES OF ASSOCIATION OF
CYBERARK SOFTWARE LTD.
PRELIMINARY
1.
DEFINITIONS; INTERPRETATION.
(a)
In these Articles, the following terms (whether or not capitalized) shall bear the meanings set forth opposite to them respectively, unless
inconsistent with the subject or context.
“Articles”
shall mean these Articles of Association, as amended from time to time.
“Board of Directors”
shall mean the Board of Directors of the Company.
“Chairman”
shall mean the Chairman of the Board of Directors, or the Chairman of the General Meeting, as the context
provides;
“Company”
shall mean CYBERARK SOFTWARE LTD.
“Companies Law”
shall mean the Israeli Companies Law, 5759-1999. The Companies Law shall include reference to the
Companies Ordinance (New Version), 5743-1983, of the State of Israel, to the extent in effect according to the
provisions thereof.
“Director(s)”
shall mean the member(s) of the Board of Directors holding office at any given time, including alternate
directors. “External Director(s)” shall mean as defined in the Companies Law.
“General Meeting”
shall mean an Annual General Meeting or Special General Meeting of the Shareholders, as the case may be.
“NIS”
shall mean New Israeli Shekels.
“Office”
shall mean the registered office of the Company at any given time.
“Office Holder” or “Officer”
shall mean as defined in the Companies Law.
“RTP Law”
shall mean the Israeli Restrictive Trade Practices Law, 5758- 1988.
“Securities Law”
shall mean the Israeli Securities Law 5728-1968.
“Shareholder(s)”
shall mean the shareholder(s) of the Company, at any given time.
“in writing” or “writing”
shall mean written, printed, photocopied, photographic, typed, sent via email, facsimile or produced by any
visible substitute for writing, or partly one and partly another, and signed shall be construed accordingly.
(b)
Unless otherwise defined in these Articles or required by the context, terms used herein shall have the meaning provided therefor under the
Companies Law.
(c)
Unless the context shall otherwise require: words in the singular shall also include the plural, and vice versa; any pronoun shall include the
corresponding masculine, feminine and neuter forms; the words “include”, “includes” and “including” shall be deemed to be followed by the
phrase “without limitation”; the words “herein”, “hereof” and “hereunder” and words of similar import refer to these Articles in its entirety
and not to any part hereof; all references herein to Articles, Sections or clauses shall be deemed references to Articles, Sections or clauses of
these Articles; any references to any agreement or other instrument or law, statute or regulation are to it as amended, supplemented or
restated, from time to time (and, in the case of any law, to any successor provisions or re-enactment or modification thereof being in force at
the time); any reference to “law” shall include any supranational, national, federal, state, local, or foreign statute or law and all rules and
regulations promulgated thereunder (including, any rules, regulations or forms prescribed by any governmental authority or securities
exchange commission or authority, if and to the extent applicable); any reference to a “day” or a number of “days” (without any explicit
reference otherwise, such as to business days) shall be interpreted as a reference to a calendar day or number of calendar days; reference to
month or year means according to the Gregorian calendar; any reference to a “company”, “corporate body” or “entity” shall include a,
partnership, corporation, limited liability company, association, trust, unincorporated organization, or a government or agency or political
subdivision thereof, and reference to a “person” shall mean any of the foregoing or an individual.
(d)
The captions in these Articles are for convenience only and shall not be deemed a part hereof or affect the construction or interpretation of
any provision hereof.
LIMITED LIABILITY
2.
The Company is a limited liability company and therefore each shareholder’s obligations to the Company shall be limited to the payment of the
nominal value of the shares held by such shareholder, subject to the provisions of the Companies Law.
PUBLIC COMPANY; COMPANY’S OBJECTIVES
3.
PUBLIC COMPANY; OBJECTIVES.
(a)
The Company is a Public Company as such term is defined in and as long as it qualifies under the Companies Law.
(b)
The Company's objectives are to carry on any business, and do any act, which is not prohibited by law.
4.
DONATIONS.
The Company may donate a reasonable amount of money (in cash or in kind, including the Company’s securities) for any purpose that the
Board of Directors finds appropriate.
SHARE CAPITAL
5.
AUTHORIZED SHARE CAPITAL.
(a)
The share capital of the Company shall consist of NIS 2,500,000 divided into 250,000,000 Ordinary Shares, of a nominal value of NIS 0.01
each (the “Shares”).
(b)
The Shares shall rank pari passu in all respects.
6.
INCREASE OF AUTHORIZED SHARE CAPITAL.
(a)
The Company may, from time to time, by a Shareholders' resolution, whether or not all the shares then authorized have been issued, and
whether or not all the shares theretofore issued have been called up for payment, increase its authorized share capital by the creation of new
shares. Any such increase shall be in such amount and shall be divided into shares of such nominal amounts, and such shares shall confer
such rights and preferences, and shall be subject to such restrictions, as such resolution shall provide.
(b)
Except to the extent otherwise provided in such resolution, any new shares included in the authorized share capital increased as aforesaid
shall be subject to all the provisions of these Articles which are applicable to shares of such class included in the existing share capital
without regard to class (and, if such new shares are of the same class as a class of shares included in the existing share capital, to all of the
provisions which are applicable to shares of such class included in the existing share capital).
7.
SPECIAL OR CLASS RIGHTS; MODIFICATION OF RIGHTS.
(a)
The Company may, from time to time, by a Shareholders’ resolution, provide for shares with such preferred or deferred rights or other
special rights and/or such restrictions, whether in regard to dividends, voting, repayment of share capital or otherwise, as may be stipulated
in such resolution.
(b)
If at any time the share capital of the Company is divided into different classes of shares, the rights attached to any class, unless otherwise
provided by these Articles, may be modified or cancelled by the Company by a resolution of the General Meeting of the holders of all shares
as one class, without any required separate resolution of any class of shares.
(c)
The provisions of these Articles relating to General Meetings shall, mutatis mutandis, apply to any separate General Meeting of the holders
of the shares of a particular class, it being clarified that the requisite quorum at any such separate General Meeting shall be two or more
Shareholders (not in default in payment of any sum referred to in Article 13 hereof) present in person or by proxy and holding not less than
thirty-three and one-third percent (33⅓%) of the issued shares of such class, provided, however, that if (i) such separate General Meeting of
the holders of the particular class of Shares was initiated by and convened pursuant to a resolution adopted by the Board of Directors and (ii)
at the time of such meeting the Company is qualified to use the forms of a “foreign private issuer” under US securities laws, then the
requisite quorum at any such separate General Meeting shall be two or more Shareholders (not in default in payment of any sum referred to
in Article 13 hereof) present in person or by proxy and holding not less than twenty-five percent (25%) of the issued shares of such class. For
the purpose of determining the quorum present at such General Meeting, a proxy may be deemed to be two (2) or more Shareholders
pursuant to the number of Shareholders represented by the proxy holder.
(d)
Unless otherwise provided by these Articles, an increase in the authorized share capital, the creation of a new class of shares, an increase in
the authorized share capital of a class of shares, or the issuance of additional shares thereof out of the authorized and unissued share capital,
shall not be deemed, for purposes of this Article 7, to modify or derogate or cancel the rights attached to previously issued shares of such
class or of any other class.
8.
CONSOLIDATION, DIVISION, CANCELLATION AND REDUCTION OF SHARE CAPITAL.
(a)
The Company may, from time to time, by or pursuant to an authorization of a Shareholders’ resolution, and subject to applicable law:
(i)
consolidate all or any part of its issued or unissued authorized share capital into shares of a per share nominal value which is larger,
equal to or smaller than the per share nominal value of its existing shares;
(ii)
divide or sub-divide its shares (issued or unissued) or any of them, into shares of smaller or the same nominal value (subject,
however, to the provisions of the Companies Law), and the resolution whereby any share is divided may determine that, as among
the holders of the shares resulting from such subdivision, one or more of the shares may, in contrast to others, have any such
preferred or deferred rights or rights of redemption or other special rights, or be subject to any such restrictions, as the Company
may attach to unissued or new shares;
(iii)
cancel any shares which, at the date of the adoption of such resolution, have not been taken or agreed to be taken by any person,
and reduce the amount of its share capital by the amount of the shares so canceled; or
(iv)
reduce its share capital in any manner.
(b)
With respect to any consolidation of issued shares and with respect to any other action which may result in fractional shares, the Board of
Directors may settle any difficulty which may arise with regard thereto, as it deems fit, and, in connection with any such consolidation or
other action which could result in fractional shares, may, without limiting its aforesaid power:
(i)
determine, as to the holder of shares so consolidated, which issued shares shall be consolidated into a share of a larger, equal or
smaller nominal value per share;
(ii)
issue, in contemplation of or subsequent to such consolidation or other action, shares sufficient to preclude or remove fractional
share holdings;
(iii)
redeem such shares or fractional shares sufficient to preclude or remove fractional share holdings;
(iv)
round up, round down or round to the nearest whole number, any fractional shares resulting from the consolidation or from any
other action which may result in fractional shares; or
(v)
cause the transfer of fractional shares by certain shareholders of the Company to other shareholders thereof so as to most
expediently preclude or remove any fractional shareholdings, and cause the transferees of such fractional shares to pay the
transferors thereof the fair value thereof, and the Board of Directors is hereby authorized to act in connection with such transfer, as
agent for the transferors and transferees of any such fractional shares, with full power of substitution, for the purposes of
implementing the provisions of this sub-Article 8(b)(v).
9.
ISSUANCE OF SHARE CERTIFICATES, REPLACEMENT OF LOST CERTIFICATES.
(a)
To the extent that the Board of Directors determines that all shares shall be certificated or, if the Board of Directors does not so determine, to
the extent that any shareholder requests a share certificate, share certificates shall be issued under the corporate seal of the Company or its
written, typed or stamped name and shall bear the signature of one Director, or of any person or persons authorized therefor by the Board of
Directors. Signatures may be affixed in any mechanical or electronic form, as the Board of Directors may prescribe.
(b)
Subject to the Article 9(a), each Shareholder shall be entitled to one numbered certificate for all the shares of any class registered in his
name. Each certificate shall specify the serial numbers of the shares represented thereby and may also specify the amount paid up thereon.
The Company (as determined by an officer of the Company to be designated by the Chief Executive Officer) shall not refuse a request by a
Shareholder to obtain several certificates in place of one certificate, unless such request is, in the opinion of such officer, unreasonable.
Where a Shareholder has sold or transferred some of such Shareholder’s shares, such Shareholder shall be entitled to receive a certificate in
respect of such Shareholder’s remaining shares, provided that the previous certificate is delivered to the Company before the issuance of a
new certificate.
(c)
A share certificate registered in the names of two or more persons shall be delivered to the person first named in the Register of Shareholders
in respect of such co-ownership.
(d)
A share certificate which has been defaced, lost or destroyed, may be replaced, and the Company shall issue a new certificate to replace such
defaced, lost or destroyed certificate upon payment of such fee, and upon the furnishing of such evidence of ownership and such indemnity,
as the Board of Directors in its discretion deems fit.
10.
REGISTERED HOLDER.
Except as otherwise provided in these Articles or the Companies Law, the Company shall be entitled to treat the registered holder of each share
as the absolute owner thereof, and accordingly, shall not, except as ordered by a court of competent jurisdiction, or as required by the Companies
Law, be obligated to recognize any equitable or other claim to, or interest in, such share on the part of any other person.
11.
ISSUANCE AND REPURCHASE OF SHARES.
(a)
The unissued shares from time to time shall be under the control of the Board of Directors (and to the full extent permitted by law any
Committee thereof), which shall have the power to issue or otherwise dispose of shares and of securities convertible or exercisable into or
other rights to acquire from the Company to such persons, on such terms and conditions (including inter alia terms relating to calls set forth
in Article 13(f) hereof), and either at par or at a premium, or subject to the provisions of the Companies Law, at a discount and/or with
payment of commission, and at such times, as the Board of Directors (or the Committee, as the case may be) deems fit, and the power to give
to any person the option to acquire from the Company any shares or securities convertible or exercisable into or other rights to acquire from
the Company, either at par or at a premium, or, subject as aforesaid, at a discount and/or with payment of commission, during such time and
for such consideration as the Board of Directors (or the Committee, as the case may be) deems fit.
(b)
The Company may at any time and from time to time, subject to the Companies Law, repurchase or finance the purchase of any shares or
other securities issued by the Company, in such manner and under such terms as the Board of Directors shall determine, whether from any
one or more shareholders. Such purchase shall not be deemed as payment of dividends and no shareholder will have the right to require the
Company to purchase his shares or offer to purchase shares from any other shareholders.
12.
PAYMENT IN INSTALLMENT.
If pursuant to the terms of issuance of any share, all or any portion of the price thereof shall be payable in installments, every such installment
shall be paid to the Company on the due date thereof by the then registered holder(s) of the share or the person(s) then entitled thereto.
13.
CALLS ON SHARES.
(a)
The Board of Directors may, from time to time, as it, in its discretion, deems fit, make calls for payment upon shareholders in respect of any
sum (including premium) which has not been paid up in respect of shares held by such shareholders and which is not, pursuant to the terms
of issuance of such shares or otherwise, payable at a fixed time, and each shareholder shall pay the amount of every call so made upon him
(and of each installment thereof if the same is payable in installments), to the person(s) and at the time(s) and place(s) designated by the
Board of Directors, as any such times may be thereafter extended and/or such person(s) or place(s) changed. Unless otherwise stipulated in
the resolution of the Board of Directors (and in the notice hereafter referred to), each payment in response to a call shall be deemed to
constitute a pro rata payment on account of all the shares in respect of which such call was made.
(b)
Notice of any call for payment by a shareholder shall be given in writing to such shareholder not less than fourteen (14) days prior to the
time of payment fixed in such notice, and shall specify the time and place of payment, and the person to whom such payment is to be made.
Prior to the time for any such payment fixed in a notice of a call given to a shareholder, the Board of Directors may in its absolute discretion,
by notice in writing to such shareholder, revoke such call in whole or in part, extend the time fixed for payment thereof, or designate a
different place of payment or person to whom payment is to be made. In the event of a call payable in installments, only one notice thereof
need be given.
(c)
If pursuant to the terms of issuance of a share or otherwise, an amount is made payable at a fixed time (whether on account of such nominal
value of such share or by way of premium), such amount shall be payable at such time as if it were payable by virtue of a call made by the
Board of Directors and for which notice was given in accordance with paragraphs (a) and (b) of this Article 13, and the provision of these
Articles with regard to calls (and the non-payment thereof) shall be applicable to such amount or such installment (and the non- payment
thereof).
(d)
Joint holders of a share shall be jointly and severally liable to pay all calls for payment in respect of such share and all interest payable
thereon.
(e)
Any amount called for payment which is not paid when due shall bear interest from the date fixed for payment until actual payment thereof,
at such rate (not exceeding the then prevailing debitory rate charged by leading commercial banks in Israel), and payable at such time(s) as
the Board of Directors may prescribe.
(f)
Upon the issuance of shares, the Board of Directors may provide for differences among the holders of such shares as to the amounts and
times for payment of calls for payment in respect of such shares.
14.
PREPAYMENT.
With the approval of the Board of Directors, any shareholder may pay to the Company any amount not yet payable in respect of his shares, and
the Board of Directors may approve the payment by the Company of interest on any such amount until the same would be payable if it had not
been paid in advance, at such rate and time(s) as may be approved by the Board of Directors. The Board of Directors may at any time cause the
Company to repay all or any part of the money so advanced, without premium or penalty. Nothing in this Article 14 shall derogate from the right
of the Board of Directors to make any call for payment before or after receipt by the Company of any such advance.
15.
FORFEITURE AND SURRENDER.
(a)
If any shareholder fails to pay an amount payable by virtue of a call, installment or interest thereon as provided for in accordance herewith,
on or before the day fixed for payment of the same, the Board of Directors, may at any time after the day fixed for such payment, so long as
such amount (or any portion thereof) or interest thereon (or any portion thereof) remains unpaid, forfeit all or any of the shares in respect of
which such payment was called for. All expenses incurred by the Company in attempting to collect any such amount or interest thereon,
including, without limitation, attorneys' fees and costs of legal proceedings, shall be added to, and shall, for all purposes (including the
accrual of interest thereon) constitute a part of, the amount payable to the Company in respect of such call.
(b)
Upon the adoption of a resolution as to the forfeiture of a shareholder's share, the Board of Directors shall cause notice thereof to be given to
such shareholder, which notice shall state that, in the event of the failure to pay the entire amount so payable by a date specified in the notice
(which date shall be not less than fourteen (14) days after the date such notice is given and which may be extended by the Board of
Directors), such shares shall be ipso facto forfeited, provided, however, that, prior to such date, the Board of Directors may cancel such
resolution of forfeiture, but no such cancellation shall stop the Board of Directors from adopting a further resolution of forfeiture in respect
of the non-payment of the same amount.
(c)
Without derogating from Articles 52 and 56 hereof, whenever shares are forfeited as herein provided, all dividends, if any, theretofore
declared in respect thereof and not actually paid shall be deemed to have been forfeited at the same time.
(d)
The Company, by resolution of the Board of Directors, may accept the voluntary surrender of any share.
(e)
Any share forfeited or surrendered as provided herein, shall become the property of the Company as dormant share, and the same, subject to
the provisions of these Articles, may be sold, re-issued or otherwise disposed of as the Board of Directors deems fit.
(f)
Any person whose shares have been forfeited or surrendered shall cease to be a shareholder in respect of the forfeited or surrendered shares,
but shall, notwithstanding, be liable to pay, and shall forthwith pay, to the Company, all calls, interest and expenses owing upon or in respect
of such shares at the time of forfeiture or surrender, together with interest thereon from the time of forfeiture or surrender until actual
payment, at the rate prescribed in Article 13(e) above, and the Board of Directors, in its discretion, may, but shall not be obligated to, enforce
or collect the payment of such amounts, or any part thereof, as it shall deem fit. In the event of such forfeiture or surrender, the Company, by
resolution of the Board of Directors, may accelerate the date(s) of payment of any or all amounts then owing to the Company by the person
in question (but not yet due) in respect of all shares owned by such shareholder, solely or jointly with another.
(g)
The Board of Directors may at any time, before any share so forfeited or surrendered shall have been sold, re- issued or otherwise disposed
of, nullify the forfeiture or surrender on such conditions as it deems fit, but no such nullification shall stop the Board of Directors form re-
exercising its powers of forfeiture pursuant to this Article 15.
16.
LIEN.
(a)
Except to the extent the same may be waived or subordinated in writing, the Company shall have a first and paramount lien upon all the
shares registered in the name of each shareholder (without regard to any equitable or other claim or interest in such shares on the part of any
other person), and upon the proceeds of the sale thereof, for his debts, liabilities and engagements to the Company arising from any amount
payable by such shareholder in respect of any unpaid or partly paid share, whether or not such debt, liability or engagement has matured.
Such lien shall extend to all dividends from time to time declared or paid in respect of such share. Unless otherwise provided, the registration
by the Company of a transfer of shares shall be deemed to be a waiver on the part of the Company of the lien (if any) existing on such shares
immediately prior to such transfer.
(b)
The Board of Directors may cause the Company to sell a share subject to such a lien when the debt, liability or engagement giving rise to
such lien has matured, in such manner as the Board of Directors deems fit, but no such sale shall be made unless such debt, liability or
engagement has not been satisfied within fourteen (14) days after written notice of the intention to sell shall have been served on such
shareholder, his executors or administrators.
(c)
The net proceeds of any such sale, after payment of the costs and expenses thereof or ancillary thereto, shall be applied in or toward
satisfaction of the debts, liabilities or engagements of such shareholder in respect of such share (whether or not the same have matured), and
the residue (if any) shall be paid to the shareholder, his executors, administrators or assigns.
17.
SALE AFTER FORFEITURE OF SURRENDER OR IN ENFORCEMENT OF LIEN.
Upon any sale of a share after forfeiture or surrender or for enforcing a lien, the Board of Directors may appoint any person to execute an
instrument of transfer of the share so sold and cause the purchaser's name to be entered in the Register of Shareholders in respect of such share.
The purchaser shall be registered as the shareholder and shall not be bound to see to the regularity of the sale proceedings, or to the application
of the proceeds of such sale, and after his name has been entered in the Register of Shareholders in respect of such share, the validity of the sale
shall not be impeached by any person, and person, and the remedy of any person aggrieved by the sale shall be in damages only and against the
Company exclusively.
18.
REDEEMABLE SHARES.
The Company may, subject to applicable law, issue redeemable shares or other securities and redeem the same upon terms and conditions to be
set forth in a written agreement between the Company and the holder of such shares or in their terms of issuance.
TRANSFER OF SHARES
19.
REGISTRATION OF TRANSFER.
No transfer of shares shall be registered unless a proper writing or instrument of transfer (in any customary form or any other form satisfactory
to the Board of Directors) has been submitted to the Company (or its transfer agent), together with any share certificate(s) and such other
evidence of title as the Board of Directors may reasonably require. Until the transferee has been registered in the Register of Shareholders in
respect of the shares so transferred, the Company may continue to regard the transferor as the owner thereof. The Board of Directors, may, from
time to time, prescribe a fee for the registration of a transfer.
20.
SUSPENSION OF REGISTRATION.
The Board of Directors may, in its discretion to the extent it deems necessary, close the Register of Shareholders of registration of transfers of
shares for a period determined by the Board of Directors, and no registrations of transfers of shares shall be made by the Company during any
such period during which the Register of Shareholders is so closed.
TRANSMISSION OF SHARES
21.
DECEDENTS’ SHARES.
(a)
In case of a share registered in the names of two or more holders, the Company may recognize the survivor(s) as the sole owner(s) thereof
unless and until the provisions of Article 21(b) have been effectively invoked.
(b)
Any person becoming entitled to a share in consequence of the death of any person, upon producing evidence of the grant of probate or
letters of administration or declaration of succession (or such other evidence as the Board of Directors may reasonably deem sufficient (or to
an officer of the Company to be designated by the Chief Executive Officer)), shall be registered as a shareholder in respect of such share, or
may, subject to the provisions as to transfer contained herein, transfer such share.
22.
RECEIVERS AND LIQUIDATORS.
(a)
The Company may recognize any receiver, liquidator or similar official appointed to wind-up, dissolve or otherwise liquidate a corporate
shareholder, and a trustee, manager, receiver, liquidator or similar official appointed in bankruptcy or in connection with the reorganization
of, or similar proceeding with respect to a shareholder or its properties, as being entitled to the shares registered in the name of such
shareholder.
(b)
Such receiver, liquidator or similar official appointed to wind-up, dissolve or otherwise liquidate a corporate shareholder and such trustee,
manager, receiver, liquidator or similar official appointed in bankruptcy or in connection with the reorganization of, or similar proceedings
with respect to a shareholder or its properties, upon producing such evidence as the Board of Directors (or an officer of the Company to be
designated by the Chief Executive Officer) may deem sufficient as to his authority to act in such capacity or under this Article, shall with the
consent of the Board of Directors (which the Board of Directors may grant or refuse in its absolute discretion), be registered as a shareholder
in respect of such shares, or may, subject to the regulations as to transfer herein contained, transfer such shares.
GENERAL MEETINGS
23.
GENERAL MEETINGS.
(a)
An annual General Meeting (“Annual General Meeting”) shall be held at such time and at such place, either within or out of the State of
Israel, as may be determined by the Board of Directors.
(b)
All General Meetings other than Annual General Meetings shall be called "Special General Meetings". The Board of Directors may, at its
discretion, convene a Special General Meeting at such time and place, within or outside of the State of Israel, as may be determined by the
Board of Directors.
(c)
If so determined by the Board of Directors, an Annual General Meeting or a Special General Meeting may be held through the use of any
means of communication approved by the Board of Directors, provided all of the participating Shareholders can hear each other
simultaneously. A resolution approved by use of means of communications as aforesaid shall be deemed to be a resolution lawfully adopted
at such general meeting, and a Shareholder shall be deemed present in person at such general meeting if attending such meeting through the
means of communication used at such meeting.
24.
RECORD DATE FOR GENERAL MEETING.
Notwithstanding any provision of these Articles to the contrary, and to allow the Company to determine the shareholders entitled to notice of or
to vote at any General Meeting or any adjournment thereof, or entitled to receive payment of any dividend or other distribution or grant of any
rights, or entitled to exercise any rights in respect of or to take or be the subject of any other action, the Board of Directors may fix a record date,
which shall not be more than the maximum period and not less than the minimum period permitted by law. A determination of shareholders of
record entitled to notice of or to vote at a meeting shall apply to any adjournment of the meeting; provided, however, that the Board of Directors
may fix a new record date for the adjourned meeting.
25.
SHAREHOLDER PROPOSAL REQ UEST.
(a)
Any Shareholder or Shareholders of the Company holding at least the required percentage under the Companies Law of the voting rights of
the Company which entitles such Shareholder(s) to require the Company to include a matter on the agenda of a General Meeting (the
“Proposing Shareholder(s)”) may request, subject to the Companies Law, that the Board of Directors include a matter on the agenda of a
General Meeting to be held in the future, provided that the Board determines that the matter is appropriate to be considered in a General
Meeting (a “Proposal Request”). In order for the Board of Directors to consider a Proposal Request and whether to include the matter stated
therein in the agenda of a General Meeting, notice of the Proposal Request must be timely delivered in accordance with applicable laws, and
the Proposal Request must comply with the requirement of these Articles (including this Article 25) and any applicable law and stock
exchange rules and regulations. The Proposal Request must be in writing, signed by all of the Proposing Shareholder(s) making such request,
delivered, either in person or by certified mail, postage prepaid, and received by the Secretary (or, in the absence thereof by the Chief
Executive Officer of the Company). To be considered timely, a Proposal Request must be received within the time periods prescribed by
applicable law. The announcement of an adjournment or postponement of a General Meeting shall not commence a new time period (or
extend any time period) for the delivery of a Proposal Request as described above. In addition to any information required to be included in
accordance with applicable law, the Proposal Request must include the following: (i) the name, address, telephone number, fax number and
email address of the Proposing Shareholder (or each Proposing Shareholder, as the case may be) and, if an entity, the name(s) of the
person(s) that controls or manages such entity; (ii) the number of Shares held by the Proposing Shareholder(s), directly or indirectly (and, if
any of such Shares are held indirectly, an explanation of how they are held and by whom), which shall be in such number no less than as is
required to qualify as a Proposing Shareholder, accompanied by evidence satisfactory to the Company of the record holding of such Shares
by the Proposing Shareholder(s) as of the date of the Proposal Request, and a representation that the Proposing Shareholder(s) intends to
appear in person or by proxy at the meeting; (iii) the matter requested to be included on the agenda of a General Meeting, all information
related to such matter, the reason that such matter is proposed to be brought before the General Meeting, the complete text of the resolution
that the Proposing Shareholder proposes to be voted upon at the General Meeting and, if the Proposing Shareholder wishes to have a position
statement in support of the Proposal Request, a copy of such position statement that complies with the requirement of any applicable law (if
any), (iv) a description of all arrangements or understandings between the Proposing Shareholders and any other Person(s) (naming such
Person or Persons) in connection with the matter that is requested to be included on the agenda and a declaration signed by all Proposing
Shareholder(s) of whether any of them has a personal interest in the matter and, if so, a description in reasonable detail of such personal
interest; (v) a description of all Derivative Transactions (as defined below) by each Proposing Shareholder(s) during the previous twelve (12)
month period, including the date of the transactions and the class, series and number of securities involved in, and the material economic
terms of, such Derivative Transactions; and (vi) a declaration that all of the information that is required under the Companies Law and any
other applicable law and stock exchange rules and regulations to be provided to the Company in connection with such matter, if any, has
been provided to the Company. The Board of Directors, may, in its discretion, to the extent it deems necessary, request that the Proposing
Shareholder(s) provide additional information necessary so as to include a matter in the agenda of a General Meeting, as the Board of
Directors may reasonably require.
A “Derivative Transaction” means any agreement, arrangement, interest or understanding entered into by, or on behalf or for the benefit
of, any Proposing Shareholder or any of its affiliates or associates, whether of record or beneficial: (1) the value of which is derived in
whole or in part from the value of any class or series of shares or other securities of the Company, (2) which otherwise provides any direct
or indirect opportunity to gain or share in any gain derived from a change in the value of securities of the Company, (3) the effect or intent
of which is to mitigate loss, manage risk or benefit of security value or price changes, or (4) which provides the right to vote or increase or
decrease the voting power of, such Proposing Shareholder, or any of its affiliates or associates, with respect to any shares or other
securities of the Company, which agreement, arrangement, interest or understanding may include, without limitation, any option, warrant,
debt position, note, bond, convertible security, swap, stock appreciation right, short position, profit interest, hedge, right to dividends,
voting agreement, performance-related fee or arrangement to borrow or lend shares (whether or not subject to payment, settlement,
exercise or conversion in any such class or series), and any proportionate interest of such Proposing Shareholder in the securities of the
Company held by any general or limited partnership, or any limited liability company, of which such Proposing Shareholder is, directly or
indirectly, a general partner or managing member.
(b)
The information required pursuant to this Article shall be updated as of (i) the record date of the General Meeting, (ii) five business days
before the General Meeting, and (iii) as of the General Meeting, and any adjournment or postponement thereof.
(c)
The provisions of Articles 25(a) and 25(b) shall apply, mutatis mutandis, to any matter to be included on the agenda of a General Meeting
which is convened pursuant to a request of a Shareholder duly delivered to the Company in accordance with the Companies Law.
26.
NOTICE OF GENERAL MEETINGS; OMISSION TO GIVE NOTICE.
(a)
The Company is not required to give notice of a General Meeting, subject to any mandatory provision of the Companies Law.
Notwithstanding anything herein to the contrary, to the extent permitted under the Companies Law, with the consent of all Shareholders
entitled to vote thereon, a resolution may be proposed and passed at such meeting although a lesser notice period than hereinabove
prescribed has been given.
(b)
The accidental omission to give notice of a General Meeting to any Shareholder, or the non-receipt of notice sent to such Shareholder, shall
not invalidate the proceedings at such meeting or any resolution adopted thereat.
(c)
No Shareholder present, in person or by proxy, at any time during a General Meeting shall be entitled to seek the cancellation or invalidation
of any proceedings or resolutions adopted at such General Meeting on account of any defect in the notice of such meeting relating to the time
or the place thereof, or any item acted upon at such meeting.
(d)
The Company may add additional places for Shareholders to review the full text of the proposed resolutions to be adopted at a General
Meeting, including an internet site.
PROCEEDINGS AT GENERAL MEETINGS
27.
QUORUM.
(a)
No business shall be transacted at a General Meeting, or at any adjournment thereof, unless the quorum required under these Articles for
such General Meeting or such adjourned meeting, as the case may be, is present when the meeting proceeds to business.
(b)
In the absence of contrary provisions in these Articles, the requisite quorum for any General Meeting shall be two or more Shareholders (not
in default in payment of any sum referred to in Article 13 hereof), present in person or by proxy and holding shares conferring in the
aggregate at least thirty-three and one-third percent (33⅓%) of the voting power of the Company, provided, however, that if (i) such General
Meeting was initiated by and convened pursuant to a resolution adopted by the Board of Directors and (ii) at the time of such General
Meeting the Company is qualified to use the forms of a “foreign private issuer” under US securities laws, then the requisite quorum of
General Meetings shall be two or more Shareholders (not in default in payment of any sum referred to in Article 13 hereof) present in person
or by proxy and holding shares conferring in the aggregate at least twenty-five percent (25%) of the voting power of the Company. A proxy
may be deemed to be two (2) or more Shareholders pursuant to the number of Shareholders represented by the proxy holder.
(c)
If within half an hour from the time appointed for the meeting a quorum is not present, then without any further notice the meeting shall be
adjourned either (i) to the same day in the next week, at the same time and place, (ii) to such day and at such time and place as indicated in
the notice to such meeting, or (iii) to such day and at such time and place as the Chairman of the General Meeting shall determine (which
may be earlier or later than the date pursuant to clause (i) above). No business shall be transacted at any adjourned meeting except business
which might lawfully have been transacted at the meeting as originally called. At such adjourned meeting, if the original meeting was
convened upon requisition under Section 63 of the Companies Law, one or more shareholders, present in person or by proxy, and holding the
number of shares required for making such requisition, shall constitute a quorum, but in any other case any shareholder (not in default as
aforesaid) present in person or by proxy, shall constitute a quorum.
28.
CHAIRMAN OF GENERAL MEETING.
The Chairman of the Board of Directors, shall preside as Chairman of every General Meeting of the Company. If at any meeting the Chairman is
not present within fifteen (15) minutes after the time fixed for holding the meeting or is unwilling to act as Chairman, any of the following may
preside as Chairman of the meeting (and in the following order): Director, Chief Executive Officer, Chief Financial Officer, Secretary or any
person designated by any of the foregoing. If at any such meeting none of the foregoing persons is present or all are unwilling to act as
Chairman, the Shareholders present (in person or by proxy) shall choose a Shareholder or its proxy present at the meeting to be Chairman. The
office of Chairman shall not, by itself, entitle the holder thereof to vote at any General Meeting nor shall it entitle such holder to a second or
casting vote (without derogating, however, from the rights of such Chairman to vote as a shareholder or proxy of a shareholder if, in fact, he is
also a shareholder or such proxy).
29.
ADOPTION OF RESOLUTIONS AT GENERAL MEETINGS.
(a)
Except as required by the Companies Law or these Articles, including, without limitation, Article 39 below, a resolution of the Shareholders
shall be adopted if approved by the holders of a simple majority of the voting power represented at the General Meeting in person or by
proxy and voting thereon, as one class, and disregarding abstentions from the count of the voting power present and voting. Without limiting
the generality of the foregoing, a resolution with respect to a matter or action for which the Companies Law prescribes a higher majority or
pursuant to which a provision requiring a higher majority would have been deemed to have been incorporated into these Articles, but for
which the Law allows these Articles to provide otherwise (including, Section 327 and 24 of the Law), shall be adopted by a simple majority
of the voting power represented at the General Meeting in person or by proxy and voting thereon, as one class, and disregarding abstentions
from the count of the voting power present and voting.
(b)
Every question submitted to a General Meeting shall be decided by a show of hands, but the Chairman of the General Meeting may
determine that a resolution shall be decided by a written ballot. A written ballot may be implemented before the proposed resolution is voted
upon or immediately after the declaration by the Chairman of the results of the vote by a show of hands. If a vote by written ballot is taken
after such declaration, the results of the vote by a show of hands shall be of no effect, and the proposed resolution shall be decided by such
written ballot.
(c)
A declaration by the Chairman of the General Meeting that a resolution has been carried unanimously, or carried by a particular majority, or
rejected, and an entry to that effect in the minute book of the Company, shall be prima facie evidence of the fact without proof of the number
or proportion of the votes recorded in favor of or against such resolution.
30.
POWER TO ADJOURN.
(a)
A General Meeting, the consideration of any matter on its agenda or the resolution on any matter on its agenda, may be postponed or
adjourned, from time to time and from place to place: (i) by the Chairman of a General Meeting at which a quorum is present (and he shall if
so directed by the meeting, with the consent of the holders of a majority of the voting power represented in person or by proxy and voting on
the question of adjournment), but no business shall be transacted at any such adjourned meeting except business which might lawfully have
been transacted at the meeting as originally called, or a matter on its agenda with respect to which no resolution was adopted at the meeting
originally called; or (ii) by the Board (whether prior to or at the General Meeting).
31.
VOTING POWER.
Subject to the provisions of Article 32(a) and to any provision hereof conferring special rights as to voting, or restricting the right to vote, every
Shareholder shall have one vote for each share held by him of record, on every resolution, without regard to whether the vote thereon is
conducted by a show of hands, by written ballot or by any other means.
32.
VOTING RIGHTS.
(a)
No shareholder shall be entitled to vote at any General Meeting (or be counted as a part of the quorum thereat), unless all calls then payable
by him in respect of his shares in the Company have been paid.
(b)
A company or other corporate body being a Shareholder of the Company may duly authorize any person to be its representative at any
meeting of the Company or to execute or deliver a proxy on its behalf. Any person so authorized shall be entitled to exercise on behalf of
such Shareholder all the power, which the Shareholder could have exercised if it were an individual. Upon the request of the Chairman of the
General Meeting, written evidence of such authorization (in form acceptable to the Chairman) shall be delivered to him.
(c)
Any Shareholder entitled to vote may vote either in person or by proxy (who need not be Shareholder of the Company), or, if the
Shareholder is a company or other corporate body, by representative authorized pursuant to Article (b) above.
(d)
If two or more persons are registered as joint holders of any share, the vote of the senior who tenders a vote, in person or by proxy, shall be
accepted to the exclusion of the vote(s) of the other joint holder(s). For the purpose of this Article 32(d), seniority shall be determined by the
order of registration of the joint holders in the Register of Shareholder.
(e)
If a Shareholder is a minor, under protection, bankrupt or legally incompetent, or in the case of a corporation, is in receivership or
liquidation, such Shareholder may, subject to all other provisions of these Articles and any documents or records required to be provided
under these Articles, vote through his, her or its trustee, receiver, liquidator, natural guardian or another legal guardian, as the case may be,
and the persons listed above may vote in person or by proxy.
PROXIES
33.
INSTRUMENT OF APPOINTMENT.
(a)
An instrument appointing a proxy shall be in writing and shall be substantially in the following form:
“I
of
(Name of Shareholder)
(Address of Shareholder)
Being a shareholder of CYBERARK SOFTWARE LTD. hereby appoints
of
(Name of Proxy)
(Address of Proxy)
as my proxy to vote for me and on my behalf at the General Meeting of the Company to be held on the_______________day of ,
and at any adjournment(s) thereof.
Signed this__________day of , .
(Signature of Appointor)”
or in any usual or common form or in such other form as may be approved by the Board of Directors. Such proxy shall be duly signed
by the appointor of such person's duly authorized attorney, or, if such appointor is company or other corporate body, in the manner in
which it signs documents which binds it together with a certificate of an attorney with regard to the authority of the signatories.
(b)
Subject to the Companies Law, the original instrument appointing a proxy or a copy thereof certified by an attorney (and the power of
attorney or other authority, if any, under which such instrument has been signed) shall be delivered to the Company (at its Office, at its
principal place of business, or at the offices of its registrar or transfer agent, or at such place as notice of the meeting may specify) not less
than forty eight (48) hours (or such shorter period as the notice shall specify) before the time fixed for such meeting. Notwithstanding the
above, the Chairman shall have the right to waive the time requirement provided above with respect to all instruments of proxies and to
accept any and all instruments of proxy until the beginning of a General Meeting. A document appointing a proxy shall be valid for every
adjourned meeting of the General Meeting to which the document relates.
34.
EFFECT OF DEATH OF APPOINTOR OF TRANSFER OF SHARE AND OR REVOCATION OF APPOINTMENT.
(a)
A vote cast in accordance with an instrument appointing a proxy shall be valid notwithstanding the prior death or bankruptcy of the
appointing shareholder (or of his attorney-in-fact, if any, who signed such instrument), or the transfer of the share in respect of which the
vote is cast, unless written notice of such matters shall have been received by the Company or by the Chairman of such meeting prior to such
vote being cast.
(b)
Subject to the Companies Law, an instrument appointing a proxy shall be deemed revoked (i) upon receipt by the Company or the Chairman,
subsequent to receipt by the Company of such instrument, of written notice signed by the person signing such instrument or by the
Shareholder appointing such proxy canceling the appointment thereunder (or the authority pursuant to which such instrument was signed) or
of an instrument appointing a different proxy (and such other documents, if any, required under Article 33(b) for such new appointment),
provided such notice of cancellation or instrument appointing a different proxy were so received at the place and within the time for delivery
of the instrument revoked thereby as referred to in Article 33(b) hereof, or (ii) if the appointing shareholder is present in person at the
meeting for which such instrument of proxy was delivered, upon receipt by the Chairman of such meeting of written notice from such
shareholder of the revocation of such appointment, or if and when such shareholder votes at such meeting. A vote cast in accordance with an
instrument appointing a proxy shall be valid notwithstanding the revocation or purported cancellation of the appointment, or the presence in
person or vote of the appointing shareholder at a meeting for which it was rendered, unless such instrument of appointment was deemed
revoked in accordance with the foregoing provisions of this Article 34(b) at or prior to the time such vote was cast.
BOARD OF DIRECTORS
35.
POWERS OF BOARD OF DIRECTORS.
(a)
The Board of Directors may exercise all such powers and do all such acts and things as the Board of Directors is authorized by law or as the
Company is authorized to exercise and do and are not hereby or by law required to be exercised or done by the General Meeting. The
authority conferred on the Board of Directors by this Article 35 shall be subject to the provisions of the Companies Law, these Articles and
any regulation or resolution consistent with these Articles adopted from time to time at a General Meeting, provided, however, that no such
regulation or resolution shall invalidate any prior act done by or pursuant to a decision of the Board of Directors which would have been
valid if such regulation or resolution had not been adopted.
(b)
Without limiting the generality of the foregoing, the Board of Directors may, from time to time, set aside any amount(s) out of the profits of
the Company as a reserve or reserves for any purpose(s) which the Board of Directors, in its absolute discretion, shall deem fit, including
without limitation, capitalization and distribution of bonus shares, and may invest any sum so set aside in any manner and from time to time
deal with and vary such investments and dispose of all or any part thereof, and employ any such reserve or any part thereof in the business of
the Company without being bound to keep the same separate from other assets of the Company, and may subdivide or re-designate any
reserve or cancel the same or apply the funds therein for another purpose, all as the Board of Directors may from time to time think fit.
36.
EXERCISE OF POWERS OF BOARD OF DIRECTORS.
(a)
A meeting of the Board of Directors at which a quorum is present shall be competent to exercise all the authorities, powers and discretion
vested in or exercisable by the Board of Directors.
(b)
A resolution proposed at any meeting of the Board of Directors shall be deemed adopted if approved by a majority of the Directors present,
entitled to vote and voting thereon when such resolution is put to a vote.
(c)
The Board of Directors may adopt resolutions, without convening a meeting of the Board of Directors, in writing or in any other manner
permitted by the Companies Law.
(d)
The Board of Directors may hold meetings by use of any means of communication on the condition that all participating directors can hear
each other at the same time.
37.
DELEGATION OF POWERS.
(a)
The Board of Directors may, subject to the provisions of the Companies Law, delegate any or all of its powers to committees (in these
Articles referred to as a “Committee of the Board of Directors”, or “Committee”), each consisting of one or more persons (who may or
may not be Directors), and it may from time to time revoke such delegation or alter the composition of any such Committee. No regulation
imposed by the Board of Directors on any Committee and no resolution of the Board of Directors shall invalidate any prior act done or
pursuant to a resolution by the Committee which would have been valid if such regulation or resolution of the Board had not been adopted.
The meeting and proceedings of any such Committee of the Board of Directors shall, mutatis mutandis, be governed by the provisions herein
contained for regulating the meetings of the Board of Directors, so far as not superseded by any regulations adopted by the Board of
Directors. Unless otherwise expressly prohibited by the Board of Directors in delegating powers to a Committee of the Board of Directors,
such Committee shall be empowered to further delegate such powers.
(b)
Without derogating from the provisions of Article 49, the Board of Directors may from time to time appoint a Secretary to the Company, as
well as officers, agents, employees and independent contractors, as the Board of Directors deems fit, and may terminate the service of any
such person. The Board of Directors may, subject to the provisions of the Companies Law, determine the powers and duties, as well as the
salaries and compensation, of all such persons.
(c)
The Board of Directors may from time to time, by power of attorney or otherwise, appoint any person, company, firm or body of persons to
be the attorney or attorneys of the Company at law or in fact for such purposes(s) and with such powers, authorities and discretions, and for
such period and subject to such conditions, as it deems fit, and any such power of attorney or other appointment may contain such provisions
for the protection and convenience of persons dealing with any such attorney as the Board of Directors deems fit, and may also authorize any
such attorney to delegate all or any of the powers, authorities and discretions vested in him.
38.
NUMBER OF DIRECTORS.
(a)
The Board of Directors shall consist of such number of Directors (not less than four (4) nor more than 9 (nine), including the External
Directors, to the extent required by law) as may be fixed from time to time by the Board of Directors.
(b)
Notwithstanding anything to the contrary herein, this Article 38 may only be amended or replaced by a resolution adopted at a General
Meeting by a majority of 65% of the voting power represented at the General Meeting in person or by proxy and voting thereon,
disregarding abstentions from the count of the voting power present and voting.
39.
ELECTION AND REMOVAL OF DIRECTORS.
(a)
The Directors, excluding the External Directors, shall be classified, with respect to the term for which they each severally hold office, into
three classes, as nearly equal in number as practicable, hereby designated as Class I, Class II and Class III. The Board of Directors may
assign members of the Board of Directors already in office to such classes at the time such classification becomes effective.
(i)
The term of office of the initial Class I directors shall expire at the first Annual General Meeting to be held in 2015 and when their
successors are elected and qualified,
(ii)
The term of office of the initial Class II directors shall expire at the first Annual General Meeting following the Annual General
Meeting referred to in clause (i) above and when their successors are elected and qualified, and
(iii)
The term of office of the initial Class III directors shall expire at the first Annual General Meeting following the Annual General
Meeting referred to in clause (ii) above and when their successors are elected and qualified.
(b)
At each Annual General Meeting, commencing with the Annual General Meeting to be held in 2015, each of the successors elected to
replace the Directors of a Class whose term shall have expired at such Annual General Meeting shall be elected to hold office until the third
Annual General Meeting next succeeding his or her election and until his or her respective successor shall have been elected and qualified.
Notwithstanding anything to the contrary, each Director shall serve until his or her successor is elected and qualified or until such earlier
time as such Director's office is vacated.
(c)
If the number of Directors (excluding External Directors) that consists the Board of Directors is hereafter changed, any newly created
directorships or decrease in directorships shall be so apportioned by the Board of Directors among the classes as to make all classes as nearly
equal in number as is practicable, provided that no decrease in the number of Directors constituting the Board of Directors shall shorten the
term of any incumbent Director.
(d)
Prior to every General Meeting of the Company at which Directors are to be elected, and subject to clauses (a) and (h) of this Article, the
Board of Directors (or a Committee thereof) shall select, by a resolution adopted by a majority of the Board of Directors (or such
Committee), a number of Persons to be proposed to the Shareholders for election as Directors at such General Meeting (the “Nominees”).
(e)
Any Proposing Shareholder requesting to include on the agenda of a General Meeting a nomination of a Person to be proposed to the
Shareholders for election as Director (such person, an “Alternate Nominee”), may so request provided that it complies with this Article
39(e) and Article 25 and applicable law. Unless otherwise determined by the Board, a Proposal Request relating to Alternate Nominee is
deemed to be a matter that is appropriate to be considered only in an Annual General Meeting. In addition to any information required to be
included in accordance with applicable law, such a Proposal Request shall include information required pursuant to Article 25, and shall also
set forth: (i) the name, address, telephone number, fax number and email address of the Alternate Nominee and all citizenships and
residencies of the Alternate Nominee; (ii) a description of all arrangements, relations or understandings between the Proposing
Shareholder(s) or any of its affiliates and each Alternate Nominee; (iii) a declaration signed by the Alternate Nominee that he consents to be
named in the Company’s notices and proxy materials relating to the General Meeting, if provided or published, and, if elected, to serve on
the Board of Directors and to be named in the Company’s disclosures and filings, (iv) a declaration signed by each Alternate Nominee as
required under the Companies Law and any other applicable law and stock exchange rules and regulations for the appointment of such an
Alternate Nominee and an undertaking that all of the information that is required under law and stock exchange rules and regulations to be
provided to the Company in connection with such an appointment has been provided (including, information in respect of the Alternate
Nominee as would be provided in response to the applicable disclosure requirements under Form 20-F or any other applicable form
prescribed by the U.S. Securities and Exchange Commission); (v) a declaration made by the Alternate Nominee of whether he meets the
criteria for an independent director and/or External Director of the Company under the Companies Law and/or under any applicable law,
regulation or stock exchange rules, and if not, then an explanation of why not; and (vi) any other information required at the time of
submission of the Proposal Request by applicable law, regulations or stock exchange rules. In addition, the Proposing Shareholder shall
promptly provide any other information reasonably requested by the Company. The Board of Directors may refuse to acknowledge the
nomination of any person not made in compliance with the foregoing. The Company shall be entitled to publish any information provided by
a Proposing Shareholder pursuant to this Article 39(e) and Article 25, and the Proposing Shareholder shall be responsible for the accuracy
and completeness thereof.
(c)
The Nominees or Alternate Nominees shall be elected by a resolution adopted at the General Meeting at which they are subject to election.
(f)
Notwithstanding anything to the contrary herein, this Article 39 and Article 42(e) may only be amended, replaced or suspended by a
resolution adopted at a General Meeting by a majority of 65% of the voting power represented at the General Meeting in person or by proxy
and voting thereon, disregarding abstentions from the count of the voting power present and voting.
(g)
Notwithstanding anything to the contrary in these Articles, the election, qualification, removal or dismissal of External Directors shall be
only in accordance with the applicable provisions set forth in the Companies Law.
40.
COMMENCEMENT OF DIRECTORSHIP.
Without derogating from Article 39, the term of office of a Director shall commence as of the date of his appointment or election, or on a later
date if so specified in his appointment or election.
41.
CONTINUING DIRECTORS IN THE EVENT OF VACANCIES.
The Board may at any time and from time to time appoint any person as a Director to fill a vacancy (whether such vacancy is due to a Director
no longer serving or due to the number of Directors serving being less than the maximum number stated in Article 38 hereof). In the event of one
or more such vacancies in the Board of Directors, the continuing Directors may continue to act in every matter, provided, however, that if they
number less than the minimum number provided for pursuant to Article 38 hereof, they may only act in an emergency or to fill the office of
director which has become vacant up to a number equal to the minimum number provided for pursuant to Article 38 hereof, or in order to call a
General Meeting of the Company for the purpose of electing Directors to fill any or all vacancies. The office of a Director that was appointed by
the Board of Directors to fill any vacancy shall only be for the remaining period of time during which the Director whose service has ended was
filled would have held office, or in case of a vacancy due to the number of Directors serving being less than the maximum number stated in
Article 38 hereof the Board shall determine at the time of appointment the class pursuant to Article 39 to which the additional Director shall be
assigned.
42.
VACATION OF OFFICE.
The office of a Director shall be vacated and he shall be dismissed or removed:
(a)
ipso facto, upon his death;
(b)
if he is prevented by applicable law from serving as a Director;
(c)
if the Board determines that due to his mental or physical state he is unable to serve as a director;
(d)
if his directorship expires pursuant to these Articles and/or applicable law;
(e)
by a resolution adopted at a General Meeting by a majority of 65% of the voting power represented at the General Meeting in person or by
proxy and voting thereon, disregarding abstentions from the count of the voting power present and voting. Such removal shall become
effective on the date fixed in such resolution;
(f)
by his written resignation, such resignation becoming effective on the date fixed therein, or upon the delivery thereof to the Company,
whichever is later; or
(g)
with respect to an External Director, and notwithstanding anything to the contrary herein, only pursuant to applicable law.
43.
CONFLICT OF INTERESTS; APPROVAL OF RELATED PARTY TRANSACTIONS.
(a)
Subject to the provisions of the Companies Law and these Articles, no Director shall be disqualified by virtue of his office from holding any
office or place of profit in the Company or in any company in which the Company shall be a shareholder or otherwise interested, or from
contracting with the Company as vendor, purchaser or otherwise, nor shall any such contract, or any contract or arrangement entered into by
or on behalf of the Company in which any Director shall be in any way interested, be avoided, nor, other than as required under the
Companies Law, shall any Director be liable to account to the Company for any profit arising from any such office or place of profit or
realized by any such contract or arrangement by reason only of such Director's holding that office or of the fiduciary relations thereby
established, but the nature of his interest, as well as any material fact or document, must be disclosed by him at the meeting of the Board of
Directors at which the contract or arrangement is first considered, if his interest then exists, or, in any other case, at no later than the first
meeting of the Board of Directors after the acquisition of his interest.
44.
ALTERNATE DIRECTORS.
(a)
Subject to the provisions of the Companies Law, a Director may, by written notice to the Company, appoint, remove or replace any person as
an alternate for himself; provided that the appointment of such person shall have effect only upon and subject to its being approved by the
Board (in these Articles, an "Alternate Director"). Unless the appointing Director, by the instrument appointing an Alternate Director or by
written notice to the Company, limits such appointment to a specified period of time or restricts it to a specified meeting or action of the
Board of Directors, or otherwise restricts its scope, the appointment shall be for all purposes, and for a period of time concurrent with the
term of the appointing Director.
(b)
Any notice to the Company pursuant to Article 44(a) shall be given in person to, or by sending the same by mail to the attention of the
Chairman of the Board of Directors at the principal office of the Company or to such other person or place as the Board of Directors shall
have determined for such purpose, and shall become effective on the date fixed therein, upon the receipt thereof by the Company (at the
place as aforesaid) or upon the approval of the appointment by the Board, whichever is later.
(c)
An Alternate Director shall have all the rights and obligations of the Director who appointed him, provided however, that (i) he may not in
turn appoint an alternate for himself (unless the instrument appointing him otherwise expressly provides), and (ii) an Alternate Director shall
have no standing at any meeting of the Board of Directors or any Committee thereof while the Director who appointed him is present.
(d)
Any individual, who qualifies to be a member of the Board of Directors, may act as an Alternate Director. One person may not act as
Alternate Director for several directors or if he is serving as a Director.
(e)
The office of an Alternate Director shall be vacated under the circumstances, mutatis mutandis, set forth in Article 42, and such office shall
ipso facto be vacated if the office of the Director who appointed such Alternate Director is vacated, for any reason.
PROCEEDINGS OF THE BOARD OF DIRECTORS
45.
MEETINGS.
(a)
The Board of Directors may meet and adjourn its meetings and otherwise regulate such meetings and proceedings as the Directors think fit.
(b)
Any Director may at any time, and the Secretary, upon the request of such Director, shall, convene a meeting of the Board of Directors, but
not less than five (5) days' notice shall be given of any meeting so convened, unless such notice is waived in writing by all of the Directors as
to a particular meeting or unless the matters to be discussed at such meeting are of such urgency and importance that notice ought reasonably
to be waived under the circumstances.
(c)
Notice of any such meeting shall be given in writing.
(d)
Notwithstanding anything to the contrary herein, failure to deliver notice to a director of any such meeting in the manner required hereby
may be waived by such Director, and a meeting shall be deemed to have been duly convened notwithstanding such defective notice if such
failure or defect is waived prior to action being taken at such meeting, by all Directors entitled to participate at such meeting to whom notice
was not duly given as aforesaid. Without derogating from the foregoing, no Director present at any time during a meeting of the Board of
Directors shall be entitled to seek the cancellation or invalidation of any proceedings or resolutions adopted at such meeting on account of
any defect in the notice of such meeting relating to the date, time or the place thereof or the convening of the meeting.
46.
QUORUM.
Until otherwise unanimously decided by the Board of Directors, a quorum at a meeting of the Board of Directors shall be constituted by the
presence in person or by any means of communication of a majority of the Directors then in office who are lawfully entitled to participate and
vote in the meeting. No business shall be transacted at a meeting of the Board of Directors unless the requisite quorum is present (in person or by
any means of communication) when the meeting proceeds to business.
47.
CHAIRMAN OF THE BOARD OF DIRECTORS.
The Board of Directors shall, from time to time, elect one of its members to be the Chairman of the Board of Directors, remove such Chairman
from office and appoint in his place. The Chairman of the Board of Directors shall preside at every meeting of the Board of Directors, but if
there is no such Chairman, or if at any meeting he is not present within fifteen (15) minutes of the time fixed for the meeting or if he is unwilling
to take the chair, the Directors present shall choose one of the Directors present at the meeting to be the Chairman of such meeting. The office of
Chairman of the Board of Directors shall not, by itself, entitle the holder to a second or casting vote.
48.
VALIDITY OF ACTS DESPITE DEFECTS.
All acts done or transacted at any meeting of the Board of Directors, or of a Committee of the Board of Directors, or by any person(s) acting as
Director(s), shall, notwithstanding that it may afterwards be discovered that there was some defect in the appointment of the participants in such
meeting or any of them or any person(s) acting as aforesaid, or that they or any of them were disqualified, be as valid as if there were no such
defect or disqualification.
CHIEF EXECUTIVE OFFICER
49.
CHIEF EXECUTIVE OFFICER.
(a)
The Board of Directors shall from time to time appoint one or more persons, whether or not Directors, as Chief Executive Officer of the
Company and may confer upon such person(s), and from time to time modify or revoke, such titles and such duties and authorities of the
Board of Directors as the Board of Directors may deem fit, subject to such limitations and restrictions as the Board of Directors may from
time to time prescribe. Such appointment(s) may be either for a fixed term or without any limitation of time, and the Board of Directors may
from time to time (subject to any additional approvals required under, and the provisions of, the Companies Law and of any contract between
any such person and the Company) fix their salaries and compensation, remove or dismiss them from office and appoint another or others in
his or their place or places.
(b)
Unless otherwise determined by the Board of Directors, the Chief Executive Officer shall have authority with respect of the management and
operations of the Company in the ordinary course of business.
MINUTES
50.
MINUTES.
Any minutes of the General Meeting or the Board of Directors or any committee thereof, if purporting to be signed by the Chairman of the
General Meeting, the Board or a committee thereof, as the case may be, or by the Chairman of the next succeeding General Meeting, meeting of
the Board or meeting of a committee thereof, as the case may be, shall constitute prima facie evidence of the matters recorded therein.
DIVIDENDS
51.
DECLARATION OF DIVIDENDS.
The Board of Directors may from time declare, and cause the Company to pay, such dividend as may appear to the Board of Directors to be
justified by the profits of the Company and as permitted by the Companies Law. The Board of Directors shall determine the time for payment of
such dividends and the record date for determining the shareholders entitled thereto.
52.
AMOUNT PAYABLE BY WAY OF DIVIDENDS.
(a)
Subject to the provisions of these Articles and subject to the rights or conditions attached at that time to any share in the capital of the
Company granting preferential, special or deferred rights or not granting any rights with respect to dividends, any dividend paid by the
Company shall be allocated among the shareholders (not in default in payment of any sum referred to in Article 13 hereof) entitled thereto in
proportion to their respective holdings of the shares in respect of which such dividends are being paid.
(b)
Whenever the rights attached to any shares or the terms of issue of the shares do not provide otherwise, shares which are fully paid up or
which are credited as fully or partly paid within any period which in respect thereof dividends are paid shall entitle the holders thereof to a
dividend in proportion to the amount paid up or credited as paid up in respect of the nominal value of such shares and to the date of payment
thereof (pro rata temporis).
53.
INTEREST.
No dividend shall carry interest as against the Company.
54.
PAYMENT IN SPECIE.
Upon the Board of Directors may determine that the Company (i) may cause any moneys, investments, or other assets forming part of the
undivided profits of the Company, standing to the credit of a reserve fund, or to the credit of a reserve fund for the redemption of capital, or in
the hands of the Company and available for dividends, or representing premiums received on the issuance of shares and standing to the credit of
the share premium account, to be capitalized and distributed among such of the shareholders as would be entitled to receive the same if
distributed by way of dividend and in the same proportion, on the footing that they become entitled thereto as capital, or may cause any part of
such capitalized fund to be applied on behalf of such shareholders in paying up in full, either at par or at such premium as the resolution may
provide, any unissued shares or debentures or debenture stock of the Company which shall be distributed accordingly, in payment, in full or in
part, of the uncalled liability on any issued shares or debentures or debenture stock; and (ii) may cause such distribution or payment to be
accepted by such shareholders in full satisfaction of their interest in the said capitalized sum.
55.
IMPLEMENTATION OF POWERS.
For the purpose of giving full effect to any resolution under Article 54, and without derogating from the provisions of Article 56 hereof, the
Board of Directors may settle any difficulty which may arise in regard to the distribution as it thinks expedient, and, in particular, may fix the
value for distribution of any specific assets and may determine that cash payments shall be made to any shareholders upon the footing of the
value so fixed, or that fractions of less value than a certain determined value may be disregarded in order to adjust the rights of all parties, and
may vest any such cash, shares, debentures, debenture stock or specific assets in trustees upon such trusts for the persons entitled to the dividend
or capitalized fund as may seem expedient to the Board of Directors. Where requisite, a proper contract shall be filed in accordance with Section
291 of the Companies Law, and the Board of Directors may appoint any person to sign such contract on behalf of the persons entitled to the
dividend or capitalized fund.
56.
DEDUCTIONS FROM DIVIDENDS.
The Board of Directors may deduct from any dividend or other moneys payable to any Shareholder in respect of a share any and all sums of
money then payable by him to the Company on account of calls or otherwise in respect of shares of the Company and/or on account of any other
matter of transaction whatsoever.
57.
RETENTION OF DIVIDENDS.
(a)
The Board of Directors may retain any dividend or other moneys payable or property distributable in respect of a share on which the
Company has a lien, and may apply the same in or toward satisfaction of the debts, liabilities, or engagements in respect of which the lien
exists.
(b)
The Board of Directors may retain any dividend or other moneys payable or property distributable in respect of a share in respect of which
any person is, under Articles 21 or 22, entitled to become a Shareholder, or which any person is, under said Articles, entitled to transfer, until
such person shall become a Shareholder in respect of such share or shall transfer the same.
58.
UNCLAIMED DIVIDENDS.
All unclaimed dividends or other moneys payable in respect of a share may be invested or otherwise made use of by the Board of Directors for
the benefit of the Company until claimed. The payment by the Directors of any unclaimed dividend or such other moneys into a separate account
shall not constitute the Company a trustee in respect thereof, and any dividend unclaimed after a period of seven (7) years from the date of
declaration of such dividend, and any such other moneys unclaimed after a like period from the date the same were payable, shall be forfeited
and shall revert to the Company, provided, however, that the Board of Directors may, at its discretion, cause the Company to pay any such
dividend or such other moneys, or any part thereof, to a person who would have been entitled thereto had the same not reverted to the Company.
The principal (and only the principal) of any unclaimed dividend of such other moneys shall be if claimed, paid to a person entitled thereto.
59.
MECHANICS OF PAYMENT.
Any dividend or other moneys payable in cash in respect of a share may be paid by check or warrant sent through the post to, or left at, the
registered address of the person entitled thereto or by transfer to a bank account specified by such person (or, if two or more persons are
registered as joint holders of such share or are entitled jointly thereto in consequence of the death or bankruptcy of the holder or otherwise, to the
joint holder whose name is registered first in the Register of Shareholders or his bank account or the person who the Company may then
recognize as the owner thereof or entitled thereto under Article 21 or 22hereof, as applicable, or such person's bank account), or to such person
and at such other address as the person entitled thereto may by writing direct, or in any other manner the Board deems appropriate. Every such
check or warrant or other method of payment shall be made payable to the order of the person to whom it is sent, or to such person as the person
entitled thereto as aforesaid may direct, and payment of the check or warrant by the banker upon whom it is drawn shall be a good discharge to
the Company.
60.
RECEIPT FROM A JOINT HOLDER.
If two or more persons are registered as joint holders of any share, or are entitled jointly thereto in consequence of the death or bankruptcy of the
holder or otherwise, any one of them may give effectual receipts for any dividend or other moneys payable or property distributable in respect of
such share.
ACCOUNTS
61.
BOOKS OF ACCOUNT.
The Company's books of account shall be kept at the Office of the Company, or at such other place or places as the Board of Directors may think
fit, and they shall always be open to inspection by all Directors. No shareholder, not being a Director, shall have any right to inspect any account
or book or other similar document of the Company, except as conferred by law or authorized by the Board of Directors. The Company shall
make copies of its annual financial statements available for inspection by the shareholders at the principal offices of the Company. The Company
shall not be required to send copies of its annual financial statements to shareholders.
62.
AUDITORS.
The appointment, authorities, rights and duties of the auditor(s) of the Company, shall be regulated by applicable law, provided, however, that in
exercising its authority to fix the remuneration of the auditor(s), the shareholders in General Meeting may act (and in the absence of any action
in connection therewith shall be deemed to have so acted) to authorize the Board of Directors (with right of delegation to management) to fix
such remuneration subject to such criteria or standards, and if no such criteria or standards are so provided, such remuneration shall be fixed in
an amount commensurate with the volume and nature of the services rendered by such auditor(s).
SUPPLEMENTARY REGISTERS
63.
SUPPLEMENTARY REGISTERS.
Subject to and in accordance with the provisions of Sections 138 and 139 of the Companies Law, the Company may cause supplementary
registers to be kept in any place outside Israel as the Board of Directors may think fit, and, subject to all applicable requirements of law, the
Board of Directors may from time to time adopt such rules and procedures as it may think fit in connection with the keeping of such branch
registers.
EXEMPTION, INDEMNITY AND INSURANCE
64.
INSURANCE.
Subject to the provisions of the Companies Law with regard to such matters, the Company may enter into a contract for the insurance of the
liability, in whole or in part, of any of its Office Holders imposed on such Office Holder due to an act performed by the Office Holder in the
Office Holder’s capacity as an Office Holder of the Company arising from any matter permitted by law, including the following:
(a)
a breach of duty of care to the Company or to any other person;
(b)
a breach of his fiduciary duty to the Company, provided that the Office Holder acted in good faith and had reasonable grounds to assume that
act that resulted in such breach would not prejudice the interests of the Company;
(c)
a financial liability imposed on such Office Holder in favor of any other person; and
(d)
any other event, occurrence, matters or circumstances under any law with respect to which the Company may, or will be able to, insure an
Office Holder, and to the extent such law requires the inclusion of a provision permitting such insurance in these Articles, then such
provision is deemed to be included and incorporated herein by reference (including, without limitation, in accordance with Section 56h(b)(1)
of the Securities Law, if and to the extent applicable, and Section 50P of the RTP Law).
65.
INDEMNITY.
(a)
Subject to the provisions of the Companies Law, the Company may retroactively indemnify an Office Holder of the Company with respect to
the following liabilities and expenses, provided that such liabilities or expenses were imposed on such Office Holder or incurred by such
Office Holder due to an act performed by the Office Holder in such Office Holder's capacity as an Office Holder of the Company:
(i)
a financial liability imposed on an Office Holder in favor of another person by any court judgment, including a judgment given as a
result of a settlement or an arbitrator’s award which has been confirmed by a court in respect of an act performed by the Office
Holder;
(ii)
reasonable litigation expenses, including attorneys’ fees, expended by the Office Holder as a result of an investigation or
proceeding instituted against him or her by an authority authorized to conduct such investigation or proceeding, or in connection
with a financial sanction, provided that (1) no indictment (as defined in the Companies Law) was filed against such office holder
as a result of such investigation or proceeding; and (2) no financial liability in lieu of a criminal proceeding (as defined in the
Companies Law) was imposed upon him or her as a result of such investigation or proceeding or if such financial liability was
imposed, it was imposed with respect to an offence that does not require proof of criminal intent;
(i)
reasonable litigation costs, including attorney’s fees, expended by an Office Holder or which were imposed on an Office Holder by
a court in proceedings filed against the Office Holder by the Company or in its name or by any other person or in a criminal charge
in respect of which the Office Holder was acquitted or in a criminal charge in respect of which the Office Holder was convicted for
an offence which did not require proof of criminal intent; and
(i)
any other event, occurrence, matter or circumstances under any law with respect to which the Company may, or will be able to,
indemnify an Office Holder, and to the extent such law requires the inclusion of a provision permitting such indemnity in these
Articles, then such provision is deemed to be included and incorporated herein by reference (including, without limitation, in
accordance with Section 56h(b)(1) of the Israeli Securities Law, if and to the extent applicable, and Section 50P(b)(2) of the RTP
Law).
(b)
Subject to the provisions of the Companies Law, the Company may undertake to indemnify an Office Holder, in advance, with respect to
those liabilities and expenses described in the following Articles:
(i)
Sub-Article 65(a)(ii) to 65(a)(iv); and
(ii)
Sub-Article 65(a)(i), provided that:
(1) the undertaking to indemnify is limited to such events which the Directors shall deem to be likely to occur in light of the
operations of the Company at the time that the undertaking to indemnify is made and for such amounts or criterion which the
Directors may, at the time of the giving of such undertaking to indemnify, deem to be reasonable under the circumstances; and
(2) the undertaking to indemnify shall set forth such events which the Directors shall deem to be likely to occur in light of the
operations of the Company at the time that the undertaking to indemnify is made, and the amounts and/or criterion which the
Directors may, at the time of the giving of such undertaking to indemnify, deem to be reasonable under the circumstances.
66.
EXEMPTION.
Subject to the provisions of the Companies Law, the Company may exempt and release, in advance, any Office Holder from any liability for
damages arising out of a breach of a duty of care towards the Company.
67.
GENERAL.
(a)
Any amendment to the Companies Law adversely affecting the right of any Office Holder to be indemnified or insured pursuant to Articles
64 to 66 and any amendments to Articles 64 to 66 shall be prospective in effect, and shall not affect the Company’s obligation or ability to
indemnify or insure an Office Holder for any act or omission occurring prior to such amendment, unless otherwise provided by applicable
law.
(b)
The provisions of Articles 64 to 66 (i) shall apply to the maximum extent permitted by law (including, the Companies Law, the Securities
Law and the RTP Law); and (ii) are not intended, and shall not be interpreted so as to restrict the Company, in any manner, in respect of the
procurement of insurance and/or in respect of indemnification (whether in advance or retroactively) and/or exemption, in favor of any person
who is not an Office Holder, including, without limitation, any employee, agent, consultant or contractor of the Company who is not an
Office Holder; and/or any Office Holder to the extent that such insurance and/or indemnification is not specifically prohibited under law.
WINDING UP
68.
WINDING UP.
If the Company is wound up, then, subject to applicable law and to the rights of the holders of shares with special rights upon winding up, the
assets of the Company available for distribution among the shareholders shall be distributed to them in proportion to the nominal value of their
respective holdings of the shares in respect of which such distribution is being made.
NOTICES
69.
NOTICES.
(a)
Any written notice or other document may be served by the Company upon any shareholder either personally, by facsimile, email or other
electronic transmission, or by sending it by prepaid mail (airmail if sent internationally) addressed to such shareholder at his address as
described in the Register of Shareholders or such other address as he may have designated in writing for the receipt of notices and other
documents.
(b)
Any written notice or other document may be served by any shareholder upon the Company by tendering the same in person to the Secretary
or the Chief Executive Officer of the Company at the principal office of the Company, by facsimile transmission, or by sending it by prepaid
registered mail (airmail if posted outside Israel) to the Company at its Office.
(c)
Any such notice or other document shall be deemed to have been served:
(i)
in the case of mailing, forty-eight (48) hours after it has been posted, or when actually received by the addressee if sooner than
forty-eight hours after it has been posted, or
(ii)
in the case of overnight air courier, on the next business day following the day sent, with receipt confirmed by the courier, or when
actually received by the addressee if sooner than three business days after it has been sent;
(iii)
in the case of personal delivery, when actually tendered in person, to such addressee.
(iv)
in the case of facsimile, email or other electronic transmission, the on the first business day (during normal business hours in place
of addressee) on which the sender receives automatic electronic confirmation by the addressee’s facsimile machine that such notice
was received by the addressee or delivery confirmation from the addressee’s email or other communication server.
(d)
If a notice is, in fact, received by the addressee, it shall be deemed to have been duly served, when received, notwithstanding that it was
defectively addressed or failed, in some other respect, to comply with the provisions of this Article 69.
(e)
All notices to be given to the shareholders shall, with respect to any share to which persons are jointly entitled, be given to whichever of such
persons is named first in the Register of Shareholders, and any notice so given shall be sufficient notice to the holders of such share.
(f)
Any shareholder whose address is not described in the Register of Shareholders, and who shall not have designated in writing an address for
the receipt of notices, shall not be entitled to receive any notice from the Company.
(g)
Notwithstanding anything to the contrary contained herein, notice by the Company of a General Meeting, containing the information
required by applicable law and these Articles to be set forth therein, which is published, within the time otherwise required for giving notice
of such meeting, in:
(i)
at least two daily newspapers in the State of Israel shall be deemed to be notice of such meeting duly given, for the purposes of
these Articles, to any shareholder whose address as registered in the Register of Shareholders (or as designated in writing for the
receipt of notices and other documents) is located in the State of Israel; and
(ii)
one daily newspaper in the City of New York and in one international wire service shall be deemed to be notice of such meeting
duly given, for the purposes of these Articles, to any shareholder whose address as registered in the Register of Shareholders (or as
designated in writing for the receipt of notices and other documents) is located outside the State of Israel.
(h)
The mailing or publication date and the date of the meeting shall be counted as part of the days comprising any notice period.
FORUM FOR ADJUDICATION OF DISPUTES
70.
FORUM FOR ADJUDICATION OF DISPUTES
(a)
Unless the Company consents in writing to the selection of an alternative forum, the federal district courts of the United States, shall be the
exclusive forum for the resolution of any complaint asserting a cause or causes of action arising under the U.S. Securities Act of 1933, as
amended, including all causes of action asserted against any defendant to such complaint. For the avoidance of doubt, this provision is
intended to benefit and may be enforced by the Company, its officers and directors, the underwriters to any offering giving rise to such
complaint, and any other professional or entity whose profession gives authority to a statement made by that person or entity and who has
prepared or certified any part of the documents underlying the offering. The foregoing provisions of this Article 70 shall not apply to causes
of action arising under the U.S. Securities Exchange Act of 1934, as amended.
(b)
Unless the Company consents in writing to the selection of an alternative forum, the competent courts in Tel Aviv, Israel shall be the
exclusive forum for (i) any derivative action or proceeding brought on behalf of the Company, (ii) any action asserting a claim of breach of a
fiduciary duty owed by any director, officer or other employee of the Company to the Company or the Company’s shareholders, or (iii) any
action asserting a claim arising pursuant to any provision of the Companies Law or the Securities Law.
(c)
Any person or entity purchasing or otherwise acquiring or holding any interest in shares of the Company shall be deemed to have notice of
and consented to the provisions of this Article.
Exhibit 2.4
Description of Securities
CyberArk Software Ltd., an Israeli corporation (the “Company,” “we” or “our”), currently has one class of securities registered under Section 12 of the
Securities Exchange Act of 1934, as amended, the Company’s ordinary shares, par value NIS 0.01 per share. The following is a summary of some of the terms
of our ordinary shares based on our articles of association, as may be amended and restated from time to time, and Israeli law.
The following summary is not complete and is subject to, and is qualified in its entirety by reference to, the provisions of our articles of association and Israeli
law.
Name of exchange on which registered: Our ordinary shares have been quoted on Nasdaq under the symbol “CYBR” since September 24, 2014. Prior to that
date, there was no public trading market for our ordinary shares. Our IPO was priced at $16.00 per share on September 24, 2014.
Registration Number and Purposes of the Company. Our registration number with the Israeli Registrar of Companies is 51-229164-2. Our purpose, as set forth
in article 3 of our articles of association, is to engage in any lawful activity.
Share Capital. Our authorized share capital consists of 250,000,000 ordinary shares, par value NIS 0.01 per share. All of our issued and outstanding ordinary
shares are validly issued, fully paid and non-assessable. Our ordinary shares are not redeemable and do not have any preemptive rights.
Restrictions on Securities. The ownership or voting of ordinary shares by non-residents of Israel is not restricted in any way by our articles of association or the
laws of the State of Israel, except for citizens of countries which are, or have been in a state of war with Israel or under anti-terror legislation.
Transfer of Shares. Our fully paid ordinary shares are issued in registered form and may be freely transferred under our articles of association, unless the transfer
is restricted or prohibited by another instrument, applicable law or the rules of a stock exchange on which the shares are listed for trade.
Election of Directors. Our ordinary shares do not have cumulative voting rights for the election of directors. As a result, the holders of a majority of the voting
power represented at a shareholders meeting have the power to elect all of our directors.
Under our articles of association, our board of directors must consist of not less than four but no more than nine directors, as may be fixed from time to time by
our board of directors. Pursuant to our articles of association, the vote required to appoint a director is a simple majority vote of holders of our voting shares,
participating and voting at the relevant meeting. In addition, our directors are divided into three classes that are each elected at the third annual general meeting
of our shareholders, in a staggered fashion (such that one class is elected each annual general meeting), and serve on our board of directors unless they are
removed by a vote of 65% of the total voting power of our shareholders at a general meeting of our shareholders or upon the occurrence of certain events, in
accordance with Israeli Companies Law 5759,1999 (the “Companies Law”) and our articles of association. In addition, our articles of association allow our
board of directors to fill vacancies on the board of directors or to appoint new directors up to the maximum number of directors permitted under our articles of
association. Such directors serve for a term of office equal to the remaining period of the term of office of the directors(s) whose office(s) have been vacated or
in the case of new directors, for a term of office according to the class to which such director was assigned upon appointment.
Dividend and Liquidation Rights. We may declare a dividend to be paid to the holders of our ordinary shares in proportion to their respective shareholdings.
Under the Companies Law, dividend distributions are determined by the board of directors and do not require the approval of the shareholders of a company
unless the company’s articles of association provide otherwise. Our articles of association do not require shareholder approval of a dividend distribution and
provide that dividend distributions may be determined by our board of directors.
Pursuant to the Companies Law, the distribution amount is limited to the greater of retained earnings or earnings generated over the previous two years,
according to our then last reviewed or audited financial statements, provided that the date of the financial statements is not more than six months prior to the
date of the distribution. In the event that we do not have retained earnings or earnings generated over the two most recent years, we may seek the approval of the
Israeli court in order to distribute a dividend; as a company listed on an exchange outside of Israel, however, court approval is not required if the proposed
distribution is in the form of an equity repurchase, provided that we notify our creditors of the proposed equity repurchase and allow such creditors an
opportunity to initiate a court proceeding to review the repurchase. If within 30 days such creditors do not file an objection, then we may proceed with the
repurchase without obtaining court approval. In each case, we are only permitted to distribute a dividend if our board of directors and the court, if applicable,
determines that there is no reasonable concern that payment of the dividend will prevent us from satisfying our existing and foreseeable obligations as they
become due.
In the event of our liquidation, after satisfaction of liabilities to creditors, our assets will be distributed to the holders of our ordinary shares in proportion to their
shareholdings. This right, as well as the right to receive dividends, may be affected by the grant of preferential dividend or distribution rights to the holders of a
class of shares with preferential rights that may be authorized in the future.
Exchange Controls. There are currently no Israeli currency control restrictions on remittances of dividends on our ordinary shares, proceeds from the sale of the
shares or interest or other payments to non-residents of Israel, except for shareholders who are subjects of countries that are, or have been, in a state of war with
Israel.
Shareholder Meetings. Under Israeli law, we are required to hold an annual general meeting of our shareholders once every calendar year that must be held no
later than 15 months after the date of the previous annual general meeting. All meetings other than the annual general meeting of shareholders are referred to in
our articles of association as special general meetings. Our board of directors may call special general meetings whenever it sees fit, at such time and place,
within or outside of Israel, as it may determine. In addition, the Companies Law provides that our board of directors is required to convene a special general
meeting upon the written request of (i) any two of our directors or one-quarter of the members of our board of directors or (ii) as a company listed on an
exchange in the U.S., one or more shareholders holding, in the aggregate, either (a) 10% or more of our outstanding issued shares and 1% or more of our
outstanding voting power or (b) 10% or more of our outstanding voting power.
Under Israeli law, one or more shareholders holding at least 1% of the voting rights at the general meeting of the shareholders may request that the board of
directors include a matter in the agenda of a general meeting of the shareholders to be convened in the future, provided that it is appropriate to discuss such a
matter at the general meeting. Notwithstanding the foregoing, as a company listed on an exchange outside of Israel, a matter relating to the appointment or
removal of a director may only be requested by one or more shareholders holding at least 5% of the voting rights at the general meeting of the shareholders. Our
articles of association contain procedural guidelines and disclosure items with respect to the submission of shareholder proposals for general meetings.
Subject to the provisions of the Companies Law and the regulations promulgated thereunder, shareholders entitled to participate and vote at general meetings of
shareholders are the shareholders of record on a date to be decided by the board of directors, which, as a company listed on an exchange outside Israel, may be
between four and 60 days prior to the date of the meeting. Furthermore, the Companies Law requires that resolutions regarding the following matters must be
passed at a general meeting of our shareholders:
•
amendments to our articles of association;
•
appointment or termination of our auditors;
•
approval of certain related party transactions;
•
increases or reductions of our authorized share capital;
•
certain merger transactions; and
•
the exercise of our board of director’s powers by a general meeting, if our board of directors is unable to exercise its powers and the exercise of
any of its powers is required for our proper management.
The Companies Law requires that notice of any annual general meeting or special general meeting be provided to shareholders at least 21 days prior to the
meeting and if the agenda of the meeting includes the appointment or removal of directors, the approval of transactions with office holders or interested or
related parties, or an approval of a merger, notice must be provided at least 35 days prior to the meeting.
Under the Companies Law, shareholders of a public company are not permitted to take action via written consent in lieu of a meeting.
Voting Rights
Voting Rights and Conversion. All ordinary shares have identical voting and other rights in all respects.
Quorum requirements. Pursuant to our articles of association, holders of our ordinary shares have one vote for each ordinary share held on all matters submitted
to a vote before the shareholders at a general meeting. The quorum required for our general meetings of shareholders consists of at least two shareholders
present in person or by proxy who hold or represent between them at least 33⅓% of the total outstanding voting rights, provided, however, that with respect to
any general meeting that was convened pursuant to a resolution adopted by the board of directors and which at the time of such general meeting we qualify to
use the forms and rules of a “foreign private issuer,” the requisite quorum shall consist of two or more shareholders present in person or by proxy who hold or
represent between them at least 25% of the total outstanding voting rights. The requisite quorum shall be present within half an hour of the time fixed for the
commencement of the general meeting. A general meeting adjourned for lack of a quorum shall be adjourned either to the same day in the next week, at the
same time and place, to such day and at such time and place as indicated in the notice to such meeting, or to such day and at such time and place as the
chairperson of the meeting shall determine. At the reconvened meeting, any number of shareholders present in person or by proxy shall constitute a quorum,
unless a meeting was called pursuant to a request by our shareholders, in which case the quorum required is one or more shareholders, present in person or by
proxy and holding the number of shares required to call the meeting as described above.
Vote Requirements. Our articles of association provide that all resolutions of our shareholders require a simple majority vote, unless otherwise required by the
Companies Law or by our articles of association. Under our articles of association, the alteration of the rights, privileges, preferences or obligations of any class
of our shares requires the ordinary majority vote of all classes of shares voting together as a single class at a shareholder meeting. Our articles of association
also require that the removal of any director from office (other than external directors, if applicable) or the amendment of the provisions of our articles of
association relating to our staggered board requires the vote of 65% of the total voting power of our shareholders. Another exception to the simple majority vote
requirement is a resolution for the voluntary winding up, or an approval of a scheme of arrangement or reorganization, of the company pursuant to Section 350
of the Companies Law, which requires the approval of holders of 75% of the voting rights represented at the meeting, in person, by proxy or by voting deed and
voting on the resolution.
Access to Corporate Records. Under the Companies Law, shareholders are provided access to: minutes of our general meetings; our shareholders register and
principal shareholders register, articles of association and annual financial statements, certain other documents as provided in the Companies Law, and any
document that we are required by law to file publicly with the Israeli Companies Registrar or the Israel Securities Authority. In addition, shareholders may
request to be provided with any document related to an action or transaction requiring shareholder approval under the related party transaction provisions of the
Companies Law. We may deny this request if we believe it has not been made in good faith or if such denial is necessary to protect our interest or protect a trade
secret or patent.
Acquisitions under Israeli Law
Full Tender Offer. A person wishing to acquire shares of an Israeli public company and who would as a result hold over 90% of the target company’s issued and
outstanding share capital or that of a certain class of shares is required by the Companies Law to make a tender offer to all of the company’s shareholders or the
shareholders who hold shares of the relevant class for the purchase of all of the issued and outstanding shares of the company or of the same class, as applicable.
If the shareholders who do not accept the offer hold less than 5% of the issued and outstanding share capital of the company or of the applicable class of shares,
and more than half of the shareholders who do not have a personal interest in the offer accept the offer, all of the shares that the acquirer offered to purchase will
be transferred to the acquirer by operation of law. However, a tender offer will also be accepted if the shareholders who do not accept the offer hold less than 2%
of the issued and outstanding share capital of the company or of the applicable class of shares.
If the tender offer was not accepted, the acquirer may not acquire shares of the company that will increase its holdings to more than 90% of the company’s
issued and outstanding share capital or of the applicable class from shareholders who accepted the tender offer.
Special Tender Offer. The Companies Law provides that an acquisition of shares of an Israeli public company must be made by means of a special tender offer if
as a result of the acquisition the purchaser would become a holder of 25% or more of the voting rights in the company. This requirement does not apply if there
is already another holder of at least 25% of the voting rights in the company. Similarly, the Companies Law provides that an acquisition of shares in a public
company must be made by means of a special tender offer if as a result of the acquisition the purchaser would become a holder of more than 45% of the voting
rights in the company, if there is no other shareholder of the company who holds more than 45% of the voting rights in the company, subject to certain
exceptions. These requirements do not apply if the acquisition occurs in the context of a private placement approved by the general meeting as a private offering
whose purpose is to give the acquirer at least 25% or 45% or more, as the case may be.
A special tender offer may be consummated only if (i) at least 5% of the voting power attached to the company’s outstanding shares will be acquired by the
offeror and (ii) the special tender offer is accepted by a majority of the votes of those offerees who gave notice of their position in respect of the offer; in
counting the votes of offerees, the votes of a holder of control in the offeror, a person who has personal interest in acceptance of the special tender offer, holders
of 25% or more of the voting rights in the company or anyone on their behalf, including their relatives and entities controlled by them, will not be taken into
account.
Merger. The Companies Law permits merger transactions if approved by each party’s board of directors and, unless certain requirements described under the
Companies Law are met, by a majority vote of each party’s shareholders.
For purposes of the shareholder vote, unless a court rules otherwise, the merger will not be deemed approved if a majority of the votes of shares represented at
the shareholders meeting that are held by parties other than the other party to the merger, or by any person (or group of persons acting in concert) who holds (or
hold, as the case may be) 25% or more of the voting rights or the right to appoint 25% or more of the directors of the other party, vote against the merger. If,
however, the merger involves a merger with a company’s own controlling shareholder or if the controlling shareholder has a personal interest in the merger, then
the merger is instead subject to the same special majority approval that governs all extraordinary transactions with controlling shareholders (as described under
“Directors, Senior Management and Employees—Board Practices—Approval of Related Party Transactions under Israeli Law—Disclosure of Personal Interests
of Controlling Shareholders and Approval of Certain Transactions” in our most recently filed Annual Report on Form 20-F).
If the transaction would have been approved by the shareholders of a merging company but for the separate approval of each class or the exclusion of the votes
of certain shareholders as provided above, a court may still approve the merger upon the request of holders of at least 25% of the voting rights of a company, if
the court holds that the merger is fair and reasonable, taking into account the value of the parties to the merger and the consideration offered to the shareholders
of the company.
Upon the request of a creditor of either party to the proposed merger, the court may delay or prevent the merger if it concludes that there exists a reasonable
concern that, as a result of the merger, the surviving company will be unable to satisfy the obligations of the merging entities, and may further give instructions
to secure the rights of creditors.
In addition, a merger may not be consummated unless at least 50 days have passed from the date on which a proposal for approval of the merger was filed by
each party with the Israeli Registrar of Companies and at least 30 days have passed from the date on which the merger was approved by the shareholders of each
party.
Anti-takeover Measures under Israeli Law and our Articles of Association
The Companies Law allows us to create and issue shares having rights different from those attached to our ordinary shares, including shares providing certain
preferred rights with respect to voting, distributions or other matters and shares having preemptive rights. No preferred shares are authorized under our articles
of association. In the future, if we do authorize, create and issue a specific class of preferred shares, such class of shares, depending on the specific rights that
may be attached to it, may have the ability to frustrate or prevent a takeover or otherwise prevent our shareholders from realizing a potential premium over the
market value of their ordinary shares. The authorization and designation of a class of preferred shares will require an amendment to our articles of association,
which requires the prior approval of the holders of a majority of the voting power attaching to our issued and outstanding shares at a general meeting. The
convening of the meeting, the shareholders entitled to participate and the majority vote required to be obtained at such a meeting will be subject to the
requirements set forth in the Companies Law as described above in “—Voting Rights.”
Furthermore, in accordance with our articles of association and the Companies Law, our directors are divided into three classes such that each class is elected at
the third annual general meeting of our shareholders, in a staggered fashion, and serve on our board of directors unless they are removed by a vote of 65% of the
total voting power of our shareholders at a general meeting of our shareholders or upon the occurrence of certain events, in accordance with the Companies Law
and our articles of association. See further discussion above in “—Election of Directors.”
Changes to Share Capital
The Company may, from time to time, by a resolution of our shareholders, increase its authorized share capital by the creation of new shares. Any such increase
shall be in such amount and shall be divided into shares of such nominal amounts, and such shares shall confer such rights and preferences, and shall be subject
to such restrictions, as such resolution shall provide. Except to the extent otherwise provided in such resolution, any new shares included in the authorized share
capital increased as aforesaid shall be subject to all the provisions of our articles of association which are applicable to shares of such class included in the
existing share capital without regard to class (and, if such new shares are of the same class as a class of shares included in the existing share capital, to all of the
provisions which are applicable to shares of such class included in the existing share capital).
The Company may, from time to time, by a resolution of our shareholders, provide for shares with such preferred or deferred rights or other special rights and/or
such restrictions, whether in regard to dividends, voting, repayment of share capital or otherwise, as may be stipulated in such resolution.
If at any time our share capital is divided into different classes of shares, the rights attached to any such class, unless otherwise provided by our articles of
association, may be modified or cancelled by the Company by a resolution of a general meeting of the shareholders holding all shares as one class, without any
required separate resolution of any class of shares.
The Company may, by or pursuant to an authorization of a resolution of our shareholders:
•
consolidate all or any part of our issued or unissued authorized share capital into shares of a per share nominal value which is larger, equal to or
smaller than the per share nominal value of its existing shares;
•
divide or sub-divide our shares (issued or unissued) or any of them, into shares of smaller or the same nominal value, and the resolution whereby
any share is divided may determine that, as among the holders of the shares resulting from such subdivision, one or more of the shares may, in
contrast to others, have any such preferred or deferred rights or rights of redemption or other special rights, or be subject to any such restrictions,
as we may attach to unissued or new shares;
•
cancel any shares which, at the date of the adoption of such resolution, have not been taken or agreed to be taken by any person, and reduce the
amount of its share capital by the amount of the shares so canceled; or
•
reduce our share capital in any manner.
Exclusive Forum
Our articles of association provide that unless we consent in writing to the selection of an alternative forum, the federal district courts of the United States of
America shall be the exclusive forum for the resolution of any complaint asserting a cause of action arising under the U.S. Securities Act of 1933, as amended;
and, for the avoidance of any doubt, such provision does not apply to any claim asserting a cause of action arising under the U.S. Securities Exchange Act of
1934, as amended. Our articles of association also provide that unless we consent in writing to the selection of an alternative forum, the competent courts in Tel
Aviv, Israel shall be the exclusive forum for any derivative action or proceeding brought on behalf of the Company, any action asserting a breach of a fiduciary
duty owed by any of our directors, officers or other employees to the Company or our shareholders or any action asserting a claim arising pursuant to any
provision of the Companies Law or the Israeli Securities Law 5728-1968.
Transfer Agent and Registrar
The transfer agent and registrar for our ordinary shares is American Stock Transfer & Trust Company, LLC. Its address is 6201 15th Avenue, Brooklyn, New
York 11219, and its telephone number is (800) 937-5449.
Exhibit 8.1
List of Subsidiaries of CyberArk Software Ltd.
Name of Subsidiary
Place of Incorporation
CyberArk Software, Inc.
Delaware, United States
Cyber-Ark Software (UK) Limited
United Kingdom
CyberArk Software (Singapore) Pte. Ltd.
Singapore
CyberArk Software (DACH) GmbH
Germany
CyberArk Software Italy S.r.l.
Italy
CyberArk Software (France) SARL
France
CyberArk Software (Netherlands) B.V.
Netherlands
CyberArk Software (Australia) Pty Ltd.
CyberArk Software (Japan) K.K.
CyberArk Software Canada Inc.
CyberArk USA Engineering GP, LLC
Australia
Japan
Canada
Delaware, United States
CyberArk Software (Spain), S.L.
Spain
CyberArk Software (India) Private Limited
India
C3M India Private Limited
CyberArk Turkey Siber Güvenlik Yazılımı Anonim Şirketi
India
Turkey
Venafi, Inc.
Delaware, United States
Venafi Ltd.
United Kingdom
Venafi EOOD
Bulgaria
Zilla Security, Inc.
Delaware, United States
Exhibit 11.1
INSIDER TRADING PREVENTION POLICY
As a publicly traded company, it is critical to our success that everyone read and follow CyberArk’s Insider Trading Prevention Policy. Insider trading is against
the law, and all CyberArk persons have an obligation to refrain from trading in CyberArk’s and other public companies’ Securities when in possession of
Material, Non-Public Information. This Policy covers your responsibilities and the preventive mechanisms that CyberArk, including any company within
the CyberArk Software Ltd. group (CyberArk or we), has set in place to support them, such as Quarterly and Designated Blackout Periods, and ensuring that
our Associates also comply with this Policy.
Keeping Informed
Questions? Contact our
Chief Legal Officer &
Compliance Officer or
our Corporate Secretary
As with all our actions,
we strive for Continous
Improvement and revisit
this Policy periodically
Substantive updates and
changes to this Policy
will be communicated
via email
All documents
mentioned in this Policy
are available on the
Legal Portal
Overview
Doing What’s Best for CyberArk includes promoting the trust that our customers, investors and the public have placed in us as a public company traded on
the Nasdaq Stock Market. Insider trading is illegal and can result in severe penalties for both the individuals engaging in the activity and the companies at
which they work.
CyberArk has adopted this Insider Trading Prevention Policy (the Policy) to prevent insider trading, which is prohibited under U.S. federal securities laws.
Generally, insider trading occurs when someone has access to Material Non-Public Information and uses that information to trade Securities to their own (or
others’) advantage.
This Policy covers the following:
•
You are responsible for complying with insider trading laws at all times
•
The Policy applies not only to you, but to your Associates (such as family members)
•
You are prohibited from trading in CyberArk’s Securities while you have Material Non-Public Information about CyberArk, providing that information
to others or making trade recommendations to others
•
You are prohibited from trading in Securities of any other company about which you have Material Non-Public Information that you obtained in
connection with your employment by or service to CyberArk, providing that information to others or making trade recommendations to others
CyberArk Legal Portal — Insider Trading Prevention
•
You are prohibited from trading in CyberArk Securities during Quarterly Blackout Periods or Designated Blackout Periods
•
You must adhere to other restrictions on your trades in CyberArk Securities
Because the consequences of non-compliance are so severe, this Policy is designed to prevent even the appearance of improper conduct. Accusations of
impropriety, even if unfounded, can damage CyberArk’s reputation, give rise to enforcement actions and lawsuits, result in lost business opportunities and
negatively impact our value. All CyberArk persons must review this Policy carefully and comply with it. Non-compliance is grounds for disciplinary action,
including and up to immediate termination.
Consequences of Insider Trading
You or your Associates could face:
•
Criminal penalties of up to $5 million
•
Imprisonment for up to 20 years
•
Civil fines or damages for up to three times the profit gained, or the loss avoided
•
Debarment from serving as a director or officer of a public company
You can be held personally liable for insider trading regardless of the size of the transaction and even if you have lost money. Anyone scrutinizing your
transaction, including enforcement authorities, will do so after the fact with the benefit of hindsight.
Scope
This Policy applies globally to all of the following:
•
CyberArk directors, officers, employees (including part-time or temporary employees), contractors or consultants who devote all or substantially all of
their time to CyberArk and other part-time or temporary personnel (CyberArk persons or you). Directors and officers of CyberArk should be
particularly careful before engaging in any transaction.
•
All of your Associates. An Associate is anyone who resides in your household (whether or not they are related to you) and any family member whose
Securities transactions you control, direct or influence (whether or not they reside in your household). An Associate is also any entity that you may
control, including a corporation, partnership or trust, unless the Compliance Officer or Corporate Secretary has reviewed that entity’s insider trading
policies and procedures and confirmed in advance in writing that they are satisfactory.
2
•
Any other individual or entity, other than CyberArk persons, that the Compliance Officer has determined is subject to this Policy and who has been
notified of such in writing.
For the purposes of this Policy, the Compliance Officer is CyberArk’s Chief Legal Officer & Compliance Officer (if the Chief Legal Officer is unavailable or
personally involved in the transaction at issue, the Compliance Officer will be the Chief Financial Officer).
All directors and officers of CyberArk and their Associates, and any other individual designated by the Compliance Officer in writing, are subject to additional
insider trading prevention measures detailed in this Policy’s Addendum for Directors, Officers and Certain Designated Employees.
Ownership
Compliance Is a Team Sport
CyberArk’s Board of Directors, specifically its Audit Committee, oversees
CyberArk’s compliance program and receives periodic updates. The Board of
Directors has adopted this Policy.
Management is responsible for setting the “tone from the top,” which includes
setting a personal example, ensuring the compliance program has adequate
resources and championing its success.
The Compliance Officer and Corporate Secretary are responsible for the day
to-
day management of this Policy, including issuing internal guidelines and
periodic updates.
Each of us is personally responsible for conducting ourselves in a way that
aligns with CyberArk’s values, adheres to our written policies, and follows
applicable laws. This includes speaking up when we have questions or
concerns.
Prohibition on Trading When You Possess Material Non-Public Information
What Is Insider Trading?
Insider trading occurs when someone has access to Material Non-Public Information obtained through their employment or other professional involvement with
a company and uses that information to trade Securities to their own advantage or in a manner that violates a duty owed to the source of the information.
If you have knowledge of Material Non-Public Information about a company that you obtained in connection with your employment by or service to CyberArk,
you are prohibited under this Policy—and the law—from:
•
Purchasing, selling, gifting or otherwise transferring that company’s Securities
3
•
Advising others to trade or to refrain from trading in that company’s Securities (tipping)
•
Disclosing the Material Non-Public Information to any other person for the purpose of enabling such person to trade or to refrain from trading in that
company’s Securities
Even if you were planning to buy or sell Securities before you became aware of Material Non-Public Information, or if you might suffer a significant financial
loss by not trading – you must still not trade the Securities at that time.
Tipping: Providing Material Non-Public Information to another person who may trade or advising others to trade, on the basis of that information is known as
“tipping” and is illegal. Anyone who “tips” or receives a “tip” can be held criminally and civilly liable under insider trading laws.
The best way to avoid “tipping” is to always maintain your duty of confidentiality to CyberArk, as required in our Code of Conduct and, if applicable, your
agreement with CyberArk. As a reminder, any confidential information that you learn during your service at CyberArk, including Material Non-Public
Information, should be protected and handled according to CyberArk’s policies and procedures.
What Is Non-Public Information?
Non-Public Information is information that has not been publicly disclosed.
Public disclosure of the information must occur in one or more of the following ways:
•
In a filing with the SEC, such as CyberArk’s current reports on Form 6-K or annual report on Form 20-F
•
In a press release issued by CyberArk
•
In a conference call open to the public with advance notice provided
•
Through some other broad release into the marketplace such as a report in a widely read website or on a widely available television program
Public disclosure does not occur when there is a limited announcement of information, such as an internal company communication, or an unauthorized
announcement, such as an employee making an unauthorized comment on a social media platform.
One Day Rule. This Policy requires you to wait one full trading day after the disclosure of Material Non-Public Information about CyberArk before trading in
CyberArk Securities in order to allow the securities markets an opportunity to digest the news.
4
What Is Material Information?
Information about a company is considered to be Material Information if a reasonable investor would consider it important when making a decision to buy,
hold or sell that company’s Securities.
Examples of information that is commonly regarded as Material Information include:
Financial forecasts or earnings estimates, whether or not consistent with the
consensus expectations of the investment community
Significant changes to previously filed financial statements
Unanticipated and significant changes in the level of sales, earnings or
expenses
Significant borrowing or financing developments, including equity or debt
offerings, tender offers or disposition transactions, impending bankruptcy, the
existence of severe liquidity problems or credit rating changes
Examples of information that could be regarded as Material Information, depending on their potential impact or expected likelihood, include:
Significant mergers and acquisitions,
Important business developments, such as significant contract awards or
cancellations, or loss of a significant supplier
A significant cybersecurity, data security or privacy incident
Key management or control changes
Important product developments, such as launch of a new line of business, or a
product failure
Significant litigation or regulatory rulings or the launch of a material
government investigation or enforcement action
These are only examples, and as you can see, the context matters in certain circumstances, as insider trading is an area that often requires specialized judgment.
Better Be Safe Than Sorry
You should consider any information that is likely to affect the price of a company’s stock or Securities, whether positive or negative, to be Material
Information. Reach out to the Compliance Officer or Corporate Secretary for guidance on information you suspect to be material before you trade.
What Are Securities?
Securities are tradable financial assets and include:
•
A public company’s stock
5
•
A company’s traded bonds, notes, debentures, options, warrants and other convertible securities
•
Any derivative instrument of the above, meaning a financial asset that derives its value from the price of a company’s securities, whether or not issued
by that company, including puts, calls or swaps
Note that this Policy does not apply the purchase, sale or holding of an interest in any publicly traded mutual fund.
Remember: All provisions of this Policy apply to CyberArk Securities.
The provisions generally prohibiting insider trading also apply to Securities of any other company, worldwide, about which you learn Material Non-Public
Information in the course of performing your duties at CyberArk (for example, a customer data breach).
Prohibition on Trading in CyberArk Securities During Blackout Periods
What Are Blackout Periods?
A Blackout Period is a period of time during which you and your Associates are strictly prohibited from trading in CyberArk Securities, regardless of whether
you personally possess Material Non-Public Information.
Blackout periods are frequently used by publicly traded companies as a means to reduce the risk of personnel violating insider trading laws. For example,
imposing a blackout period is advisable during the time before the end of a quarter through the public release of a company’s financial results because many
company insiders are in possession of Material Non-Public Information about the actual financial results.
Quarterly Blackout Periods
You and your Associates are prohibited from trading in any CyberArk Securities during our Quarterly Blackout Periods:
Quarter
Start Date and Time
(Eastern Time Zone)
End Date
(Eastern Time Zone)
Q1
March 20 at 12:01 a.m.
11:59 p.m. on the first full trading day following CyberArk’s release of quarterly
financial results, which are furnished with the SEC on Form 6-K (according to
CyberArk’s One Day Rule above).
Q2
June 20 at 12:01 a.m.
Q3
September 20 at 12:01 a.m.
Q4
December 20 at 12:01 a.m.
You will receive a reminder email prior to the start of each Quarterly Blackout Period (typically from CyberArk’s Corporate Secretary). Quarterly Blackout
Period dates are also posted on the Equity Portal.
6
It is your responsibility to check to make sure that you are not subject to a Quarterly Blackout Period prior to trading in CyberArk Securities.
Designated Blackout Periods
Throughout the course of your work with CyberArk, you may be involved in or have knowledge of Material Non-Public Information that is highly sensitive,
such as an upcoming acquisition or the launch of an innovative new product. During these events, the Compliance Officer may inform you that you are subject
to a Designated Blackout Period. Like the Quarterly Blackout Periods, during this time period, you and your Associates are prohibited from trading in
CyberArk Securities until the Designated Blackout Period has expired or you receive further written notice from the Compliance Officer. The existence of a
Designated Blackout Period will not be announced to CyberArk as a whole and should not be communicated to any other person, except that, if necessary, you
may tell your Associates that they must not trade in CyberArk Securities.
Remember: Even if you are not subject to any Blackout Period, you and your Associates are prohibited from trading CyberArk Securities whenever you
believe you have Material Non-Public Information. If you are not sure whether the information you have is Material Non-Public Information, contact the
Compliance Officer as soon as possible for guidance.
Application of This Policy to Specific Transactions in CyberArk Securities
Equity Incentive Plans
The Policy does not apply to:
•
The grant of equity awards under CyberArk’s equity incentive plans, or Equity Plans
•
The cash exercise of share options granted under the Equity Plans
•
The delivery of shares to any entity administrating the Equity Plans on behalf of CyberArk (for example, upon exercise of share options or vesting of
restricted stock units)
•
The sale or forfeit of Equity Plan participants’ CyberArk Securities by CyberArk (or a broker/administrator acting on CyberArk’s behalf) to satisfy tax
withholding obligations in a consistent manner (meaning, a CyberArk initiated “sell-to-cover” practice where relevant)
All other transactions in CyberArk ordinary shares that were obtained from an Equity Plan are subject to the restrictions in this Policy.
7
Employee Share Purchase Plan
This Policy does not apply to:
•
Entering into the Employee Share Purchase Plan, or the ESPP, and making elections under the ESPP
•
Making modifications to ESPP elections consistent with the terms of the ESPP
•
CyberArk’s purchase and/or delivery of ordinary shares to the participants in the ESPP at the end of the purchase period
•
Terminating participation in the ESPP consistent with the terms of the ESPP
•
The sale or forfeit of ESPP participants’ CyberArk Securities by CyberArk (or a broker/administrator acting on CyberArk’s behalf) to satisfy tax
withholding obligations in a consistent manner (meaning, a CyberArk initiated “sell-to-cover” practice where relevant)
All other transactions in CyberArk shares that were obtained from the ESPP are subject to the restrictions in this Policy.
Gifts
This Policy does not apply to gift transactions for family or estate planning purposes, where CyberArk Securities are gifted to your associates.
Limitations on Post-Termination Transactions
If your employment or engagement with CyberArk ends during a Blackout Period (Quarterly or Designated), you and your Associates continue to be subject to
the Blackout Period restrictions until it ends. Similarly, if your employment or engagement ends while you are aware of Material Non-Public Information, the
prohibitions and restrictions in this Policy continue to apply to you and your Associates until that information becomes public or non-material.
Prohibition on Certain Transactions in CyberArk Securities
CyberArk considers it improper and inappropriate for you or your Associates to engage in certain transactions in CyberArk Securities. Among the reasons we
prohibit the transactions listed below is that the trade could be inadvertently executed during a Blackout Period, or when you hold Material Non-Public
Information, or that individuals who engage in these types of transactions may create a conflict of interest between the individual and CyberArk or its other
shareholders.
The following types of transactions in CyberArk Securities are prohibited under this Policy:
•
Hedging transactions, including, but not limited to, short sales, puts, calls, collars, prepaid variable forward contracts and exchange funds
•
Transactions in derivatives of CyberArk Securities (such as puts, calls or other traded options)
8
•
Entering into, or maintaining, a standing order to sell or purchase CyberArk Securities at a specified price is prohibited during a Blackout Period. All
standing orders must be cancelled as soon as a Blackout Period begins or is imposed on you
•
Holding CyberArk Securities in a margin account or pledging CyberArk Securities as collateral
•
Any other transactions that are speculative or short-term in nature, create an actual or perceived conflict of interest or bet against CyberArk’s future
performance or short-term prospects, or could lead to a sale of CyberArk Securities while in possession of Material Non-Public Information
Interpretation and Enforcement
The Compliance Officer shall have the authority to interpret or update this Policy and all related policies and procedures (subject to the Board approving
material revisions of the Policy). In particular, such interpretations or updates of the Policy as authorized by the Compliance Officer may include departures
from the terms of this Policy to the extent consistent with the general purpose of this Policy and applicable securities laws.
Under certain, limited circumstances, an exception to this Policy may be granted by the Compliance Officer. If you wish to seek an exception, you must submit
a request for prior written approval to the Compliance Officer detailing the circumstances and reasoning for your request. The Compliance Office has full
discretion whether to grant an exception – any decision made by the Compliance Officer pursuant to this Policy shall be considered final, and the basis for a
particular decision may not necessarily be disclosed by the Compliance Officer. Approval, if granted, must be in writing and in advance of the transaction’s
execution.
This Policy is designed to help you comply with insider trading laws, but you are ultimately responsible for following applicable laws and regulations. The
implementation and enforcement of this Policy, including any approved written exceptions, do not constitute legal advice and do not insulate anyone from
penalties for violating insider trading laws.
Questions? Just Ask!
Any questions about this Policy and its requirements should be directed to CyberArk’s Compliance Officer and Corporate Secretary
(Donna.Rahav@CyberArk.com and Meital.Koren@CyberArk.com).
Document Management
Document Type
Global Policy
Name
Insider Trading Prevention Policy
Owner – Department, Function
Legal, Compliance Officer
Last Reviewed/Updated
November 5, 2024
9
Exhibit 12.1
CERTIFICATION OF PRINCIPAL EXECUTIVE OFFICER PURSUANT TO
EXCHANGE ACT RULE 13A-14(A)/15D-14(A)
AS ADOPTED PURSUANT TO SECTION 302
OF THE SARBANES-OXLEY ACT OF 2002
I, Matthew Cohen, certify that:
1.
I have reviewed this Annual Report on Form 20-F of CyberArk Software Ltd. (the “company”);
2.
Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the
statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
3.
Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial
condition, results of operations and cash flows of the company as of, and for, the periods presented in this report;
4.
The company’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange
Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the
company and have:
a.
Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to
ensure that material information relating to the company, including its consolidated subsidiaries, is made known to us by others within those
entities, particularly during the period in which this report is being prepared;
b.
Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our
supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for
external purposes in accordance with generally accepted accounting principles;
c.
Evaluated the effectiveness of the company’s disclosure controls and procedures and presented in this report our conclusions about the
effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
d.
Disclosed in this report any change in the company’s internal control over financial reporting that occurred during the period covered by the
annual report that has materially affected, or is reasonably likely to materially affect, the company’s internal control over financial reporting;
and
5.
The company’s other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the
company’s auditors and the audit committee of the company’s board of directors (or persons performing the equivalent functions):
a.
All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are
reasonably likely to adversely affect the company’s ability to record, process, summarize and report financial information; and
b.
Any fraud, whether or not material, that involves management or other employees who have a significant role in the company’s internal
control over financial reporting.
/s/ Matthew Cohen
Matthew Cohen
Chief Executive Officer
Date: March 12, 2025
Exhibit 12.2
CERTIFICATION OF PRINCIPAL FINANCIAL OFFICER PURSUANT TO
EXCHANGE ACT RULE 13A-14(A)/15D-14(A)
AS ADOPTED PURSUANT TO SECTION 302
OF THE SARBANES-OXLEY ACT OF 2002
I, Erica Smith, certify that:
1.
I have reviewed this Annual Report on Form 20-F of CyberArk Software Ltd. (the “company”);
2.
Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the
statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
3.
Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial
condition, results of operations and cash flows of the company as of, and for, the periods presented in this report;
4.
The company’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange
Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the
company and have:
a.
Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to
ensure that material information relating to the company, including its consolidated subsidiaries, is made known to us by others within those
entities, particularly during the period in which this report is being prepared;
b.
Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our
supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for
external purposes in accordance with generally accepted accounting principles;
c.
Evaluated the effectiveness of the company’s disclosure controls and procedures and presented in this report our conclusions about the
effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
d.
Disclosed in this report any change in the company’s internal control over financial reporting that occurred during the period covered by the
annual report that has materially affected, or is reasonably likely to materially affect, the company’s internal control over financial reporting;
and
5.
The company’s other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the
company’s auditors and the audit committee of the company’s board of directors (or persons performing the equivalent functions):
a.
All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are
reasonably likely to adversely affect the company’s ability to record, process, summarize and report financial information; and
b.
Any fraud, whether or not material, that involves management or other employees who have a significant role in the company’s internal
control over financial reporting.
/s/ Erica Smith
Erica Smith
Chief Financial Officer
Date: March 12, 2025
Exhibit 13.1
CERTIFICATION OF PRINCIPAL EXECUTIVE OFFICER PURSUANT TO
18 U.S.C. SECTION 1350
AS ADOPTED PURSUANT TO SECTION 906
OF THE SARBANES-OXLEY ACT OF 2002
In connection with the Annual Report of CyberArk Software Ltd. (the “Company”) on Form 20-F for the fiscal year ended December 31, 2024 as filed with the
Securities and Exchange Commission on the date hereof (the “Report”), I, Matthew Cohen, do certify, pursuant to 18 U.S.C. § 1350, as adopted pursuant to
Section 906 of the Sarbanes-Oxley Act of 2002, that to my knowledge:
(1) The Report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and
(2) The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of the Company.
/s/ Matthew Cohen
Matthew Cohen
Chief Executive Officer
Date: March 12, 2025
Exhibit 13.2
CERTIFICATION OF PRINCIPAL FINANCIAL OFFICER PURSUANT TO
18 U.S.C. SECTION 1350
AS ADOPTED PURSUANT TO SECTION 906
OF THE SARBANES-OXLEY ACT OF 2002
In connection with the Annual Report of CyberArk Software Ltd. (the “Company”) on Form 20-F for the fiscal year ended December 31, 2024 as filed with the
Securities and Exchange Commission on the date hereof (the “Report”), I, Erica Smith, do certify, pursuant to 18 U.S.C. § 1350, as adopted pursuant to
Section 906 of the Sarbanes-Oxley Act of 2002, that to my knowledge:
(1) The Report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and
(2) The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of the Company.
/s/ Erica Smith
Erica Smith
Chief Financial Officer
Date: March 12, 2025
Exhibit 15.1
CONSENT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM
We consent to the incorporation by reference in the following Registration Statements:
(1)
Registration Statement (Form F-3 No. 333-282772) of CyberArk Software Ltd.,
(2)
Registration Statement (Form S-8 No. 333-280349) pertaining to the 2024 Share Incentive Plan of CyberArk Software Ltd.,
(3)
Registration Statement (Form S-8 No. 333-277932) pertaining to the 2020 Employee Share Purchase Plan of CyberArk Software Ltd.,
(4)
Registration Statement (Form S-8 No. 333-270223) pertaining to the 2014 Share Incentive Plan of CyberArk Software Ltd.,
(5)
Registration Statement (Form S-8 No. 333-270222) pertaining to the 2020 Employee Share Purchase Plan CyberArk Software Ltd.,
(6)
Registration Statement (Form S-8 No. 333-263436) pertaining to the 2014 Share Incentive Plan of CyberArk Software Ltd.,
(7)
Registration Statement (Form S-8 No. 333-254154) pertaining to the 2014 Share Incentive Plan of CyberArk Software Ltd.,
(8)
Registration Statement (Form S-8 No. 333-254152) pertaining to the 2020 Employee Share Purchase Plan CyberArk Software Ltd.,
(9)
Registration Statement (Form S-8 No. 333-236909) pertaining to the 2014 Share Incentive Plan of CyberArk Software Ltd.,
(10)
Registration Statement (Form S-8 No. 333-230269) pertaining to the 2014 Share Incentive Plan of CyberArk Software Ltd.,
(11)
Registration Statement (Form S-8 No. 333-223729) pertaining to the 2014 Share Incentive Plan of CyberArk Software Ltd.,
(12)
Registration Statement (Form S-8 No. 333-216755) pertaining to the 2014 Share Incentive Plan of CyberArk Software Ltd.,
(13)
Registration Statement (Form S-8 No. 333-202850) pertaining to the 2014 Share Incentive Plan of CyberArk Software Ltd., and
(14)
Registration Statement (Form S-8 No. 333-200367) pertaining to the 2001 Stock Option Plan, 2001 Section 102 Stock Option Plan, 2011 Share Option
Plan and 2014 Share Incentive Plan of CyberArk Software Ltd.
of our reports dated March 12, 2025, with respect to the consolidated financial statements of CyberArk Software Ltd. and the effectiveness of internal control
over financial reporting of CyberArk Software Ltd. included in this Annual Report (Form 20-F) of CyberArk Software Ltd. for the year ended December 31,
2024.
Tel Aviv, Israel
/s/ KOST FORER GABBAY AND KASIERER
March 12, 2025
A member of EY Global