2018 Annual Report and Accounts

Cybersecurity made simple

A world leader in delivering innovative, simple and highly effective cybersecurity solutions

The Sophos Group is a leading global provider of cloud-enabled enduser and network security solutions, offering end-to-end protection against known and unknown IT security threats through products that are easy to install, configure, update and maintain. The Group has more than 30 years of experience in enterprise security and has built a portfolio of products that protect more than 300,000 organisations and more than 100 million end users in 150 countries across a variety of industries.

Highlights

Continued momentum in subscription billings drives improvement in revenue growth and cash flow

For more information www.sophos.com

Billings1: $769M (FY17: $632m)
Revenue: $641M (FY17: $530M)
Cash EBITDA1: $194M (FY17: $150M)
Loss Before Tax: $52M (FY17: $49M)
Unlevered Free Cash Flow1: $140M (FY17: $133M)
Net Cash Flow From Operating Activities: $148M (FY17: $119M)

1 Definitions and reconciliations of non-GAAP measures are included in note 4 of the financial statements and in the glossary

Business Highlights

• Customers now benefiting from deep learning capabilities, integrated within Intercept X
• Sophos Central enhanced with further integration of XG Firewall, Sophos Mobile and Phish Threat
• Enduser security a key driver of subscription billings and revenue
• 66,000 customers now using Sophos Central Platform
• Renewal rates continued to improve, demonstrating success of cross-selling strategy
• Recognised for leadership in technology and channel by independent industry analysts

Contents

Introduction
01 Highlights
02 At a Glance
10 Chairman’s Statement
12 Investment Proposition
14 Financial Stability and Visibility

Strategic Report
16 Our Markets
18 Our Business Model
20 Focus on Strategic Priorities
21 Key Performance Indicators
22 Chief Executive Officer’s Statement
26 Key Product and Technology Developments
28 Financial Review
34 Principal Risks and Risk Management
38 Corporate Responsibility Report

Governance
44 Board of Directors
46 Corporate Governance Statement
55 Nomination Committee Report
57 Audit and Risk Committee Report
62 Disclosure Committee Report
63 Annual Statement of the Remuneration Committee Chairman
64 Remuneration at a Glance
65 Directors’ Remuneration Policy
72 Annual Report on Remuneration
82 Directors’ Report

Financial Statements
88 Independent Auditor’s Report
94 Consolidated Financial Statements and Notes
140 Company Financial Statements and Notes
144 Glossary
145 Company Information

At a Glance

A global leader in Network and Enduser security

Synchronized Security

As the pioneer of synchronized security, Sophos continues to execute against its vision for a security system where products can directly share status and threat information, to automate and improve the time taken to respond to potential threats.

In 2017, Sophos introduced a synchronized security capability in the XG Firewall that is able to provide an unprecedented view into the source of network traffic. Before this breakthrough, less than 50 per cent of network traffic was identifiable, causing serious security challenges.

As Sophos has enabled more of its portfolio with the capability to share information directly, channel partners have embraced this innovation and see it as a unique market differentiator and a successful proposition for their customers.
Over 3,300 employees. Over 300,000 end user customers. Over 39,000 partners.

[Figure: Platform and Strategy. Sophos Central (in cloud) and Cloud Intelligence; Next-Gen Firewall, Wireless, Email, Web; Next-Gen Endpoint, Mobile, Server, Encryption.]

For more information go to www.sophos.com/central

Geographic Footprint

Sophos is a truly global company with more than 40 offices around the world, with major offices in the UK, USA, Canada, India and Germany.

[Charts: Billings by Type (Enduser, Network, Other); Billings by Geography (Americas, EMEA, APJ).]

Developments in Deep Learning

Deep learning is better suited to the massive amounts of cybersecurity data than ‘old school’ machine learning techniques

Deep learning has been proven to deliver better detection, fewer false-positives and has less of an impact on system resources. Today, deep learning has been included in the Group’s Intercept X endpoint protection product introducing ‘predictive security’ to organisations of all sizes. Sophos Sandstorm has been enhanced with deep learning-based technology and SophosLabs has recently accelerated its automated threat analysis systems by the adoption of this technology. Sophos plans to add the advantage of artificial intelligence to other appropriate areas of its portfolio in due course.

For more information go to www.sophos.com

Sophos has applied advanced deep learning neural network technology to the cybersecurity challenge

Delivering Financially

Billings and revenue both up over 20 per cent year-on-year driving strong cash flows

The year-ended 31 March 2018 saw a continuation of growth in billings, in line with the Group’s forecast to deliver annual billings of $1 billion in FY20. As the Group continues to leverage both sales and marketing and general finance and administration costs, cash EBITDA margin improved.
Revenue growth accelerated, as expected, as prior-period subscription billings were recognised as revenue in the current-year. Unlevered free cash flow, from a high prior-year base, also increased at the anticipated rate as cash flows from working capital normalised.

For more information see page 28

Financial strength through visibility of future revenue and cash flow

Trusted Partner

Sophos puts its partners first in everything it does, from sales to marketing to support

With no conflict in sales or marketing objectives, Sophos focuses 100 per cent of its resources on building products and programs that are designed with the needs of channel partners in mind. Sophos strives to be the security vendor of choice for endpoint and network security resellers worldwide and is unwavering in its commitment to be a trusted partner with the best products, support and programs that actively enable a reseller to grow with Sophos. Sophos continues to be recognised for this commitment by the industry and partners alike.

For more information go to www.sophos.com/partners

Sophos has one route to market, over 39,000 registered channel partners

Chairman’s Statement

Another successful year for Sophos

We continued the strong momentum in growth and innovation that have been the hallmarks of our business in recent years

We are pleased to report that we achieved another year of strong growth and that from a technology and competitive standpoint Sophos has never been in a stronger position than it is today. Our continued success reflects the significant investments we have made in recent years in our products, organisation, and people.
Against a strengthening demand backdrop, customer awareness of the need for effective cybersecurity was dramatically heightened in the first-half of our financial year by a number of high-profile ransomware attacks which made media headlines around the world. Consequently, we are reporting a strong year for our Enduser security business, but also broad-based growth across all key products and regions. As we entered the 2018 financial year, we made a number of commitments to stakeholders, particularly with respect to delivering on an ambitious pipeline of innovation, as well as the medium-term goals that we have set for our business. I am delighted to say that we achieved a successful financial result for the year, which clearly demonstrates that we are on track to meet our growth objectives. Our financial model is strong, as it is rooted in a large Software as a Service (“SaaS”) subscription base, which we have continued to grow in the past year. Indeed, as we enter the 2019 financial year the total subscription base has exceeded the $1 billion milestone, and we now have more than 300,000 end user customers around the world protecting their businesses with Sophos cybersecurity solutions. In October we launched a major upgrade to the Sophos XG Firewall with enhanced performance and compelling new synchronized security features. We were also able to rapidly integrate the advanced machine learning technology, known as “deep learning”, acquired with Invincea a year ago. In January 2018 we launched a dramatic upgrade to our already successful Intercept X next-generation endpoint offering, which now delivers unrivalled detection of unknown malware based on our advanced approach to the use of artificial intelligence in cybersecurity. 
Additionally, our customers and partners have benefited from a wide range of new product updates, features, and functions as well as further significant investment in our flagship cloud management platform, Sophos Central, which now offers even more effective and comprehensive security for customers, and greater cross-selling opportunities for partners.

End User Customers: 300K. Partner Growth: 30%.

We continued our commitment to support and invest in our partner channel and it is very encouraging to see that we added over 9,000 new partners in the year. We offer our partners the opportunity to build successful and profitable businesses with Sophos over the long term and we shall continue to invest in the tools, education, training, and support they require in order for them to become even more productive over time.

In summary, during the 2018 financial year, we believe we have demonstrated that our focused strategy continues to be effective, backed-up by tight operational and financial controls and significant investment for the future. As a result, we feel very encouraged about our ability to deliver against our medium and long-term objectives, and to achieve further growth and improvement in profitability in the current-year.

On behalf of our Board, I would like to thank our Sophos team members all around the world for their tireless dedication, expertise, and hard work. It is their commitment and their achievements that make it possible to deliver value to our customers and returns to our shareholders. I would also like to thank our customers and partners for the confidence they continue to place in Sophos, and you our investors for your continued confidence and support. We will continue to work hard to keep earning it.

Peter Gyenes
Non-Executive Chairman

Awards

• SC Awards Europe: Best UTM Solution – Sophos XG Firewall
• SC Awards Europe: Best Email Security Solution – Sophos Email on Sophos Central
• SC Awards Europe: Best Web Content Management Solution
• CRN Awards 2017: Winner – ARC Awards – Network Security; Winner – Tech Innovator Awards, Security Endpoint – Intercept X
• GEC Awards 2017: Top Vendor for Endpoint Security
• ARN ICT Industry Awards 2017: Security Vendor of the Year
• Computing Security Excellence Awards 2017: Security Innovation of the Year – Intercept X
• Channelnomics: Security Vendor of the Year
• eGovernment Computing: Winner – Platinum Award for Sophos Endpoint Protection
• VAR India: Best Security Company in India

Investment Proposition

High visibility with substantial opportunity for growth

1. Compelling industry fundamentals
A large, dynamic, growing market opportunity
• Security is consistently the top priority for corporate IT spend
• The total market is estimated to be worth around $46 billion, growing at around 8% per annum, within which the Group’s products address markets growing even faster
• The cybersecurity threat environment is constantly evolving in scale and sophistication, presenting new challenges at a rapid pace to organisations of all sizes
• Sophos is well-positioned to take advantage of opportunities as a leader in high growth areas, for example next-generation endpoint, cloud, network and synchronized security
See Markets on page 16 for further information

2. Differentiated strategy
A clear and compelling strategy
• Sophos is solely focused on cybersecurity and we strive to deliver industry-leading technology that is simple to deploy, use and manage
• We offer enterprise-grade technology, rated as amongst the best in the industry, to mid-market organisations
• Our sales strategy is 100% “channel first” and as a result of considerable investment we now have more than 39,000 global partners
See Strategic Priorities on page 20 for further information

3. Highly stable and predictable financial model
High recurring revenues and renewal rates
• We principally sell our Software as a Service (“SaaS”) via recurring, upfront subscriptions, which provides significant visibility and stability of future revenues and cash flows
• We have a proven ability to deliver consistent new customer growth and maintain strong renewal rates
• Our business generates substantial and growing cash flows which we reinvest in driving billings growth for the future, via innovation, building brand awareness and sensible acquisitions
• Our total renewal base has recently exceeded the $1 billion milestone
See Financial Review on page 28 for further information

4. The Sophos brand
Innovative, simple and highly effective security
• We are very proud of our brand and the ethos of simplicity that it represents – this spans all we do at Sophos
• We employ a highly creative digital marketing approach, utilising educational in-person events and social media outreach
• With one of the world’s leading threat intelligence operations, SophosLabs, and a reputation for excellence built over many years, Sophos is a trusted voice in the world of cybersecurity

5. Opportunities for growth
We expect to continue to outperform the IT security market
• Differentiation is a key driver of market share gains
• Innovation will remain a key growth driver, with internal investment supplemented by sensible, disciplined technology acquisitions
• Despite a broad international reach, we see opportunities for further regional expansion
• Our integrated product portfolio, delivered via the cloud in Sophos Central, provides significant cross-sell and upsell opportunities
• We are focused on continuing to build our partner network and increasing the productivity of our existing partners
See Markets on page 16 for further information

6. Experienced management team
Consistently delivering against strategic goals
• Strongly motivated team with the background and skills to deliver profitable growth over the long-term
• Extensive experience in running large technology businesses, typically with more than twenty years of experience in their respective fields
• Completely aligned in driving forward the Sophos vision and strategy of innovative, simple and highly effective security
See Board of Directors on page 44 for further information

Financial Stability and Visibility

Visibility is underpinned by a growing SaaS subscription business and best-in-class renewal rates

Strong growth in billings and revenue

Billings are closely aligned with cash flows and are an indicator of growth in the business. Subscription contracts represent approximately 84 per cent of total billings and around 76 per cent of total billings are derived from existing customers. The average subscription contract duration, consistent with the prior-year, is close to 28 months, resulting in the majority of the contract value being booked to deferred revenue to be recognised in the income statement over the term of the contract. This adds to the high levels of visibility of the renewal book, future revenues and profits. The growth in subscriptions over recent years is now feeding an acceleration in revenue growth.

New billings and hardware sales

Continued strong growth in new billings, +23 per cent in FY18 and c.40K net customers added. This is principally driven by a strong customer proposition, as well as the increasing productivity of our 39,000 strong partner channel of which over 7,000 are now “blue chip”; a designation given to the most productive partners. The hardware element of billings is associated with the network security business, and is generally 15–20 per cent of billings.

High levels of recurring subscriptions, plus strong growth in new business, underpins stability and visibility

The nature of our financial model, which is rooted in predictable subscription revenues, a growing renewal base, improving renewal rates and increasing productivity in our channel ecosystem, gives us strong visibility over future growth in revenue, profitability and cash flow.
Subscription billings drive growth
FY16: $535M (subscription billings 79%, hardware & other billings 21%)
FY17: $632M (subscription billings 81%, hardware & other billings 19%)
FY18: $769M (subscription billings 84%, hardware & other billings 16%)

A productive and growing partner ecosystem
FY16: 20K partners (4.7K blue chip partners, 15.3K other partners)
FY17: 30K partners (6.1K blue chip partners, 23.9K other partners)
FY18: 39K partners (7.0K blue chip partners, 32.0K other partners)

Due to a consistently strong billings performance in recent years, we have been able to grow our customer base and deferred revenue balance significantly. The improvements we have seen in retention and renewal rates reflect our success at cross-selling additional products to existing customers.

Deferred revenue
FY16: $499M; FY17: $581M; FY18: $756M

Number of customers
FY16: 220K; FY17: 260K; FY18: 300K

Retention and renewal rates
Renewal rate: FY16 109%; FY17 129%; FY18 140%
Retention rate: FY16 102%; FY17 106%; FY18 109%

Operating priorities
• Continue the significant pace of innovation across our product portfolio, enhancing capabilities, ease of use, protection and differentiation
• Continue our commitment to, and investment in, the cloud to deliver better security, manageability and scalability
• Advance our differentiated synchronized security strategy through further meaningful product integration
• Further improve the productivity of our channel partners, through investment in tools, training and education, and continue to grow our overall partner network
• Expand Sophos’ brand visibility and awareness

Our Markets

The demand for IT security continues to grow

Threat Landscape

Ransomware and high-profile data breaches continued to grab the headlines in 2017. According to SophosLabs researchers, ransomware ubiquitously attacked Windows, Android, Linux, and MacOS systems. The volume of attacks targeting Android platforms continued to grow rapidly and shows no sign of slowing in 2018.
Of all ransomware seen, just two strains, WannaCry and Cerber, were responsible for 90 per cent of all attacks intercepted by Sophos products deployed worldwide. WannaCry was the first high-profile attack to use EternalBlue, an exploit tool stolen from the NSA in 2016. Sophos expects more of these attack types to surface in the next 12 months.

Do-it-yourself exploit kits make it easy for threats like WannaCry to target Microsoft Office vulnerabilities. Meanwhile, Ransomware as a Service (“RaaS”) was big business on the dark web, where criminals sell kits that buyers can use to make and distribute their own ransomware. The commercialisation of cybercrime has continued to promote a new kind of cybercriminal, who can launch a ransomware campaign with little need for technical knowledge. The most successful of these include customer service guarantees and helpful “how to” videos with slick marketing.

The growth in cryptocurrency values has also spawned a new type of attack, cryptojacking, that involves the hijacking of CPUs on networked devices to generate coins. While some argue that this is no more than “borrowing” the unused processing power of a system, security experts believe the backdoors and exploits used to gain access to the computer carry a serious risk.

High-profile data breaches continued to keep pressure on organisations to review their security strategies. From Equifax to Uber, the industry saw large organisations admit to customer data breaches and suffer the economic consequences. Many organisations are no longer building strategies for “if” they suffer a breach but “when”.

[Figure: IT Security Market1 $46B. Labels: Expanding Attack Surface; Growing Awareness; Vanished Perimeter; Increased Attack Sophistication.]

Regulatory Environment

The EU General Data Protection Regulation (“GDPR”) will take effect on 25 May 2018.
GDPR imposes specific requirements on businesses that will continue to drive the review of data protection strategies and marketing tactics of all organisations wishing to conduct business in the EU. The Group does not expect Brexit to significantly impact the responsibilities of UK businesses under GDPR legislation as Sophos expects any subsequent UK legislation to remain largely in line with GDPR. Sophos anticipates clarification on domestic data protection legislation within the UK as Brexit negotiations continue.

The Investigatory Powers Act that was ratified by the UK Government in December 2016 has recently undergone a revision to clarify the circumstances under which a law enforcement or government agency may request access to an individual’s data records. Further scrutiny of that Act is expected to continue.

The Group also expects that regulations in other countries are to be reinforced and therefore drive IT security strategies in the private sector. The US Securities and Exchange Commission recently strengthened its guidelines on data breach reporting for US-listed companies. The update includes scrutiny of stock trades made by company executives at the time of a significant data breach.

Maintaining cybersecurity continues to be a priority for governments as they move to protect political elections and critical infrastructures. Organisations of every size must continue to invest resources to protect data and avoid both penalties and reputational damage.
[Figure: IT Security Market1 $46B, 7.9% CAGR. Cross-Sell Opportunity with Sophos Central: Corporate Endpoint Security2; UTM and Next-Gen Firewall5. Segment values shown: $11.3B (11.1% CAGR); $5.5B (6.3% CAGR). Additional Cross-Sell Opportunity Markets: Encryption3 $1.7B; Email Security1 $2.2B; Web Security1 $3.0B; Mobile Security4 $2.7B.]

1 Worldwide IT Security Products Forecast, 2017–2021: Comprehensive Security Products Forecast Review (February 2018, IDC #US43540817) and represents expected market size in 2018
2 Sophos estimate and represents expected market size in 2018
3 Worldwide Endpoint Encryption and Key Management Infrastructure Forecast 2016-2020 (August 2016, IDC #US41632016) and represents expected market size in 2018
4 Worldwide Enterprise Mobility Management Software Forecast 2017-2021 (July 2017, IDC #US41324617) and represents expected market size in 2018
5 Worldwide Network Security Forecast 2017-2021 (September 2017, IDC #US42049017) and represents expected market size in 2018

Our Business Model

Delivering innovative and highly effective cybersecurity, with a differentiated approach

What sets us apart / What drives our business

Significant innovation investment

Sophos aims to be the best in the world at delivering innovative, simple and highly-effective cybersecurity solutions to IT professionals and the channel that serves them

We have a track record for fast-paced innovation and continue to invest to ensure a strong future product pipeline

Sophos is independently recognised as a leader both by industry analysts and channel organisations

Focus on customers with fewer than 5,000 employees
These small and medium-sized enterprises (“SMEs”) face the same threats as large enterprises, but are understandably more resource-constrained

Sophos Central
The entire Sophos product portfolio can be managed through Sophos Central, our single integrated cloud platform, which provides significant cross-selling opportunities and enhances renewal rates

Synchronized security, made simple
Our industrial-strength cybersecurity products actively communicate with and enhance each other, spanning our entire product portfolio

SaaS subscription financial model
We have a large and growing SaaS subscription business, with best-in-class renewal rates

Founded more than 30 years ago, Sophos has significant experience in its markets and a track record of financial success and stability

Channel-first
We only sell to end users indirectly through partners, who we have made a major commitment to, and operate a 100% ‘channel-first’ sales strategy

• >60M SMEs estimated globally
• 29% of subscriptions are now in the cloud
• 24% customers with >1 Sophos product
• >$1BN total subscription renewal base
• >7K fast-growing and productive blue-chip partner base

How this creates value for our stakeholders

For shareholders
Strong growth in subscriptions allows for significant investment in our business and free cash flow generation
61% 12 month total shareholder return

For customers
Customers benefit from comprehensive, integrated, enterprise-grade security and our commitment to a strong future product pipeline
140% net renewal rate

For partners
We continue to make a significant investment in our partner network, providing tools, training and support to enable them to succeed
9,000 new Sophos channel partners in FY18

For employees
We are committed to enabling our employees to do the best work of their careers at Sophos, through active employee engagement
87% overall employee satisfaction

Focus on Strategic Priorities

Innovative, simple, highly-effective cybersecurity solutions, all managed in the cloud

Strategic Goals

Focus on cybersecurity
Sophos continues to prioritise its investment in research and development as it delivers innovative new capabilities and products at a rapid pace in order to maintain its leadership position. As the Group is committed to IT security, it believes it has an advantage over competitors who often seek to address disparate and unrelated areas of technology.

Innovative, simple and highly effective solutions
The Group’s industry-leading technologies are amongst the most innovative, advanced and effective available in the market, but are simple and easy to deploy, manage and use. Sophos believes that simple, integrated solutions deliver better security and are easier to manage for organisations of any size.

Comprehensive capabilities
Sophos offers comprehensive cybersecurity, and continues to make progress on its multi-year strategy to integrate these different products and enable a synchronized security approach for its customers. Synchronized security delivers added protection for customers in addition to enhanced automation.

Strategic commitment to the cloud
The Group’s customers derive significant benefits from Sophos Central, the single integrated cloud-based management and reporting platform. Cloud technology underpins the channel strategy and continues to enhance Sophos’ partner-centric management console. This enables partners to easily manage, update and configure the Sophos products, and to drive cross-sell and upsell opportunities.

100% channel focused
Sophos is committed to its channel-only sales strategy. The Group has grown its partner ecosystem to more than 39,000 partners during the course of the year. It is seeing considerable success in helping its partners to be more productive and to cross-sell and upsell to existing customers. Over 7,000 of Sophos’ partners are now blue-chip, demonstrating higher levels of activity. Sophos is also helping a growing number of partners as they develop Managed Service Provider (“MSP”) businesses, built around the Sophos product portfolio.
Key Performance Indicators

The Group makes use of a number of Key Performance Indicators (“KPIs”) to measure its performance against the Group’s strategy, as well as providing key inputs into modelling of future performance. Definitions of KPIs are included in the Glossary and further explanation and reconciliation of non-GAAP measures are included in Note 4 of the financial statements.

Billings
FY18: $768.6M; FY17: $632.1M; FY16: $534.9M
Billings represents the value of goods and services invoiced to customers and is a key leading indicator of future revenue performance.
Performance: Strong growth in all regions and products, partially aided by the high-profile global ransomware attacks.
See page 29 for a detailed review of billings.

Revenue
FY18: $640.7M; FY17: $529.7M; FY16: $478.2M
Revenue reflects the element of billings recognised in the period. The majority of billings are for subscription contracts that are recognised rateably over the contract term.
Performance: Growth has trended towards billings growth rates as prior-period subscription billings are now converting to revenue.
See page 31 for a detailed review of revenue.

Cash EBITDA
FY18: $193.7M; FY17: $150.1M; FY16: $120.9M
Cash EBITDA provides visibility of earnings from the period, even if the associated revenue for that period’s billings have not yet been recognised.
Performance: Continued billings growth and leverage of the cost base contributes to increase in cash EBITDA and cash EBITDA margin.

Unlevered Free Cash Flow
FY18: $139.6M; FY17: $133.4M; FY16: $46.4M
Unlevered free cash flow represents the amount of cash generated by operations after allowing for capital expenditure, taxation and working capital movements.
Performance: After a significant increase in FY17 unlevered free cash flow has further improved, in line with the Board’s expectations.
Retention Rate
FY18: 109%; FY17: 106%; FY16: 102%
Retention rate, after upsell and cross-sell, is a measure of long-term value of customer agreements and the Group’s ability to retain end users.
Performance: Growth in retention rate resulting from strong customer billings and an increase in cross-sell.

Renewal Rate
FY18: 140%; FY17: 129%; FY16: 109%
Renewal rate, including upsell and cross-sell, measures the ability of the Group to retain end users in period and expand the nature or volume of products used by them.
Performance: Increase in renewal rate as the Group has successfully renewed contracts with existing customers and further cross-sold other products.

Endpoint/UTM Cross-sell
FY18: 11.2%; FY17: 9.6%; FY16: 7.4%
The continued growth of the business partly depends on successfully selling additional products and services to existing customers.
Performance: Continued improvement in cross-sell rate as the Group has demonstrated the benefit of synergies in management, support and functionality, primarily through Sophos Central.

Weighted Average Contract Length
FY18: 27.6; FY17: 28.1; FY16: 27.8
The weighted average contract length, measured in months, gives the Group an indication of the period over which future revenue will be recognised.
Performance: Stable weighted average contract length, with small decrease due to a material contract previously disclosed in the prior-year.
Chief Executive Officer’s Statement

Our next-generation technology and competitive strength, position us well for FY19 and beyond

Cybersecurity has never been more important for enterprises of all sizes, and the demand environment for our solutions has never been stronger

Enduser Billings Growth: 32%. Cloud Subscriptions Growth: 112%. Total Subscription Base: >$1B.

Commitment to Cloud: 29% subscriptions in the cloud. Cloud Platform Success: 175% Sophos Central 3-year CAGR.

For the fiscal year 2018 Sophos delivered another successful result. Among the highlights, the Group delivered 22 per cent growth in billings, a 21 per cent increase in revenue, a 20 per cent increase in adjusted operating profit, a 25 per cent increase in cash flow, and a reduction in the operating loss. Loss before taxation increased to $52 million, despite the improvement in operating loss, largely a consequence of currency losses on debt revaluation.

A key driver of billings growth was Sophos Central, the company’s integrated cloud-based management platform, which grew 112 per cent to $186 million. Sophos Central has experienced dramatic growth from $1 million in FY14 through $9 million, $27 million, and $88 million, to be $186 million in FY18. We posted industry-leading retention rates and reached the significant milestone of our subscription renewal base now exceeding $1 billion. Sophos also saw healthy growth in new customers as well, with our total customer count now exceeding 300,000 customers, growing by approximately 10,000 net new customers per quarter.
Sophos is a recognised leader in the large and growing IT security market, where we continue to post billings and revenue growth rates that exceed the overall market growth rate. We have a highly differentiated strategy to deliver advanced, innovative, and highly-effective cybersecurity solutions that at the same time are simple and easy to manage by enterprises of any size, and entirely sold through our global ecosystem of channel partners.

The need for businesses to secure their IT infrastructure and data has never been greater, and the well-publicised cyber-attacks of the past twelve months have further raised awareness and strengthened demand. This was particularly notable in the first half of our fiscal year when the WannaCry and NotPetya attacks, among others, brought into sharp focus the significance of the threat posed to organisations by ransomware. Consequently, customers have become especially focused on securing their endpoints against these sorts of threats, and our Enduser security business and particularly our next-generation endpoint solution, Intercept X, have seen strong growth as a result.

Technology and Innovation

Our focus on innovation continues to fuel our growth and enabled us to deliver some of the most advanced cybersecurity technology available in the industry, consistent with our company mission statement: “To be the best in the world at delivering innovative, simple, and highly-effective cybersecurity solutions to IT professionals and the channel that serves them”. In particular, we focused on four key pillars that drive our billings performance and security effectiveness: endpoint, firewall, Sophos Central, and synchronized security.
“In FY18 we delivered another successful result, with 22 per cent growth in billings, a 21 per cent increase in revenue, a further improvement in both adjusted operating profit and cash flow, and a reduction in the operating loss.”

In FY18 we saw the first full-year contribution from Intercept X, our next-generation endpoint solution which is highly effective in protecting customers against ransomware, exploits, and zero-day threats. We recently integrated the deep-learning neural network technology that the Group gained as part of our acquisition of Invincea into the latest release of Intercept X, providing customers with advanced artificial intelligence for unmatched detection of previously unknown malware. Amongst next-generation endpoint vendors, Sophos is in a unique position to leverage industry-leading data science capabilities from Invincea with the expertise and knowledge built over decades within our SophosLabs threat research group, in order to deliver best-in-class detection rates combined with amongst the lowest false positive rates in the industry. As a result, we are positioned very attractively to be a leader in the dynamic and high-growth market for next-generation endpoint solutions.

In October 2017 we launched Sophos XG Firewall version 17, a major new release offering enhanced performance and usability and numerous new features and security improvements, including Synchronized App Control, an industry first that leverages the endpoint and firewall working together to dramatically improve network traffic visibility, reducing the security risks associated with unidentified traffic.

We continued to invest in Sophos Central, a highly differentiated platform that enables both more effective security while simplifying management for our partners as well as our end user customers.
Sophos Central allows individual Sophos security components including endpoint, mobile, server, encryption, firewall, web, email, and Wi-Fi to automatically communicate relevant information with each other to form the foundation of what we call synchronized security. Enhancements to Sophos Central during the period include: management of Intercept X; deeper integration of XG Firewall; management of Sophos Mobile, Phish Threat, and device encryption; role-based administration; improved integration with Microsoft Azure; and Security Heartbeat for Linux servers.

During the year, we saw further strong adoption of Sophos Central by both new and existing customers, with more than 66,000 customers using the platform today. Customers see immediate benefits from the ease of use and efficiency that Sophos Central brings, enabling them to seamlessly manage all of their Sophos products through a single cloud interface. Our channel partners leverage Sophos Central not only as a differentiated offering to attract brand new customers, but also to cross-sell and upsell existing customers. In addition, a growing number of partners are utilising the Sophos Central platform to offer managed security services.

Among other notable new products and features, we added CryptoGuard within Sophos Server Protection, enabling signature-less detection capabilities as another layer of protection to combat ransomware. Additionally, our synchronized security capabilities on Sophos Central Server Protection Advanced now enable IT administrators to leverage the Sophos XG Firewall to automatically isolate infected servers and endpoints and respond to potential compromises more rapidly.

Channel Progress

One of our continuing strategic priorities is to invest in developing and supporting our partner channel, building on our “Channel First” go-to-market strategy, which is a key differentiator compared to other IT security vendors that may have mixed, unclear, and conflicting routes to market.
Sophos sells entirely through our channel partners, which allows us to expand our reach and rapidly scale our business globally in a cost-effective manner. Our overriding commitment to our channel partners and their long-term success has been validated not just by our billings growth and our growth in our channel ecosystem, but also by numerous global awards, where Sophos is recognised as the premier channel-focused cybersecurity vendor. We successfully grew our overall number of partners to more than 39,000 partners, compared to 30,000 a year ago. Encouragingly, the number of “blue chip” Sophos partners, our most active and productive partners who conducted five or more transactions in the prior six months, rose to over 7,000, from 6,100 a year ago.

The success of our channel strategy is reflected in our rapid growth in new end user customers. Today, more than 300,000 organisations around the world are protected by Sophos cybersecurity solutions, compared to 260,000 at the end of March 2017. This impressive growth in our customer base is strategically important to our business over the longer term. When paired with our best-in-class renewal rates, this steadily growing group of new customers builds upon our future subscription renewal base and the deferred revenue on our balance sheet, increasing the visibility we have over billings and revenues. In turn, this also enables us to better plan our investment in innovation and expansion, while also improving margins.

We continue to make progress in our ongoing efforts to enhance cross-sell and upsell, while we in parallel add new customers.
We ended the year with more than 11 per cent of customers using both our UTM and Endpoint solutions, up from under 10 per cent a year ago; and today more than 24 per cent of our customers have more than one Sophos product, versus 21 per cent in FY17. Customers with more than one product benefit from Sophos synchronized security, which enables layers of protection and automation as Sophos products actively share real-time contextual information. The success of this strategy is also evident from our best-in-class renewal rates, including cross-sell and upsell, which rose to 140 per cent in the period, from 129 per cent in FY17.

Future Priorities

Sophos has grown rapidly in recent years, and we plan to continue prioritising investment in technology and innovation to deliver future expansion in line with our objectives. We have a robust pipeline of exciting new product innovation, especially in our strategic pillars of next-generation endpoint, next-generation firewall, Sophos Central, and synchronized security. Likewise, we continue to invest in our channel-driven go-to-market strategy, with new channel programs, systems, and marketing initiatives to enhance Sophos’ brand awareness and visibility. From an operational perspective, a key ongoing priority is to ensure that we efficiently scale our business as we continue to grow through appropriate investment in our people, products, and channel.

Outlook

FY18 was a strong year for Sophos. Cybersecurity has never been more important for enterprises of all sizes, and the demand environment for our solutions has never been stronger. We continue to take share in the market, as we execute a differentiated strategy of delivering advanced and highly-effective cybersecurity solutions designed to be simple to use, managed in the cloud, and sold 100 per cent through our channel partners. We have a massive market opportunity in front of us.
Our strong and growing subscription base, our growth in new customers, our next-generation technology in endpoint and firewall combined with our Sophos Central cloud platform position us well for FY19, and beyond. Our continued growth and success are only possible through the dedication and teamwork of our global team of employees and partners, who work tirelessly every day to support and protect our customers. Thank you for all you do to make the world a safer place.

Kris Hagerman
Chief Executive Officer
16 May 2018

Key Product and Technology Developments

For the first time ever, we can memorise the entire observable threat universe

Deep Learning

[Figure: Only Sophos has this critical combination of Labs Research and Data Science. Elements shown: Optimal Models; Bi-Directional Error Correction; Massive Data Sets; Accurate Labels]

Deep learning is the latest evolution of machine learning. It delivers a massively scalable detection model that is able to learn the entire observable threat landscape. With the ability to process hundreds of millions of samples, deep learning can make more accurate predictions at a faster rate with far fewer false-positives when compared to traditional machine learning. Deep learning has less impact to system performance and the capability to detect malware within 20 milliseconds.

Deep learning technology has been integrated into the SophosLabs threat analysis platform to further accelerate and automate the identification and remediation of threats. Sophos has also integrated the technology into the next-generation endpoint protection product Intercept X, and into Sophos Sandstorm, becoming the first security company to provide artificial intelligence in network security protection. The next-generation sandboxing solution delivers an extra layer of security against unknown malware and ransomware within email or file downloads.
Figure labels:
DATA SCIENCE: Create the most efficient algorithms for solving hard cybersecurity problems
DATA SCIENCE + LABS: Continuously incorporate feedback to improve system accuracy and predictive power
LABS: Use established Labs systems and processes to ensure labeling precision
LABS: Source 100s of millions of samples for the best possible predictions

Sophos Central

The integrated management platform of Sophos Central continues to support the Group’s synchronized security strategy and delivers the promise of security made simple. Customers and partners are able to seamlessly manage multiple combinations of critical security services from a single management screen. The further integration of Sophos XG Firewall in late 2017 has enabled an unmatched level of network traffic visibility when used with Sophos Endpoint Protection or Intercept X. Features added to Sophos Central include device encryption and role based administration. The following products are currently available through Sophos Central: Sophos Endpoint Security, Sophos Intercept X, Sophos XG Firewall, Sophos Mobile, Sophos Server Protection, Sophos Synchronized Encryption, Sophos Wireless, Sophos Email Security, Sophos Web Security, and Sophos Phish Threat.

Sophos XG Firewall

In October 2017, Sophos released the latest version of its XG Firewall with the industry’s first Synchronized App Control that enables it to identify all traffic on the network. Using synchronized security to obtain information from the endpoint, XG Firewall can identify, classify and allow the control of all previously unknown applications active on the network, including those without signatures or which are using generic HTTP or HTTPS connections. Synchronized App Control on XG Firewall is a significant breakthrough to reduce the security risks associated with unidentified traffic.
Sophos Intercept X

Within 12 months of the acquisition of Invincea, Sophos introduced the latest version of Intercept X. This next-generation endpoint security product now has malware detection powered by an advanced deep learning neural network. The further inclusion of new active-hacker mitigation, advanced application lockdown, and enhanced ransomware protection has boosted Intercept X to previously unseen levels of detection and prevention.

Sophos for Amazon and Azure

Sophos provides server and network security for hosted environments in Amazon Web Services and Microsoft Azure. This past year, Sophos added Sophos Server Protection for Azure. When used with Sophos XG Firewall on Azure, Sophos synchronized security technology will coordinate defences against cyber threats attacking multiple vectors, including Virtual Machines running in Azure.

Sophos Mobile

In February, Sophos announced that Sophos Mobile was now fully available through Sophos Central, and when used in conjunction with Sophos Endpoint Protection or Intercept X can provide IT administrators with a unified endpoint management capability for Android, iOS, Windows and Mac that standardises access and permissions, and updates management for employees, regardless of the device they choose to access the network.

Sophos Server Protection

Sophos closed a critical gap in network security by preventing ransomware attacks that could come in through rogue, guest or remote access users by adding CryptoGuard to Sophos Server Protection. Servers are high-value targets as they contain proprietary financials, personally identifiable information and other key data, and become vulnerable when compromised devices connect to the network.
Financial Review

Another strong performance across all key metrics

The table below presents the Group’s financial highlights on a reported currency basis:

                                          FY18 $M   FY17 $M   Change %
Billings                                    768.6     632.1       21.6
Revenue                                     640.7     529.7       21.0
Cash EBITDA                                 193.7     150.1       29.0
Loss before taxation                       (52.3)    (49.3)        6.1
Unlevered free cash flow                    139.6     133.4        4.6
Net cash flow from operating activities     147.7     118.5       24.6

Definitions and reconciliations of non-GAAP measures are included in note 4 of the financial statements and the glossary

Billings growth was strong in the financial year-ended 31 March 2018 (“FY18”), reflecting an acceleration in the first-half and a return to trend in the second-half of the year at constant currency

Revenue: $641M (FY17: $530M)
Loss After Taxation: $66M (FY17: $47M)
Net Cash Flow From Operating Activities: $148M (FY17: $119M)

Revenue growth accelerated, as expected, driven by deferred revenue as prior-period subscription billings were recognised as revenue. Cash generation remained strong, with cash flow from operations up 24.6 per cent for the year.

Billings at reported exchange rates increased by 21.6 per cent to $768.6 million, within which subscription billings grew 25.6 per cent to $644.2 million. Reported revenue grew 21.0 per cent with subscription revenue growing at 25.5 per cent.

The loss before taxation increased to $52.3 million, from $49.3 million in the prior-year, being particularly impacted by foreign exchange losses that amounted to $16.5 million, compared to a net gain in the prior-year of $3.0 million, resulting from the strengthening of both sterling and the Euro against the US Dollar. The Group’s loss for the year increased by $19.6 million to $66.3 million in the year-ended 31 March 2018 due to changes in both current and deferred tax, resulting in a net charge in the current-year as opposed to a net credit in the prior-year.
The deferred revenue balance at 31 March 2018 of $755.7 million compared to $581.0 million at the end of the prior-year, with the increase primarily reflecting growth in subscription billings as well as a foreign exchange benefit of $46.8 million, following the strengthening of sterling and the Euro against the US Dollar year-over-year. The growth in deferred revenue provides visibility over future revenues, with $423.9 million of the balance due to be recognised in less than one year, an increase of 28.2 per cent over the prior-year.

Billings

The Group’s reported billings increased by $136.5 million from $632.1 million in the year-ended 31 March 2017 to $768.6 million in the year-ended 31 March 2018, with continued growth in all regions and products, as detailed in the table below. This represented a 21.6 per cent reported growth rate or 18.5 per cent growth rate on a constant currency (“CC”) basis.

                         FY18 $M      FY17 $M      Growth %     Growth %
                         (Reported)   (Reported)   (Reported)   (CC)
Billings by Region:
– Americas                  270.0        217.6         24.1        24.0
– EMEA                      395.1        319.5         23.7        18.0
– APJ                       103.5         95.0          8.9         7.5
Total                       768.6        632.1         21.6        18.5
Billings by Product:
– Network                   353.4        311.5         13.5         9.8
– Enduser                   383.2        289.7         32.3        29.6
– Other                      32.0         30.9          3.6         2.3
Total                       768.6        632.1         21.6        18.5
Billings by Type:
– Subscription              644.2        513.1         25.6        22.5
– Hardware                  113.7        105.7          7.6         3.7
– Other                      10.7         13.3       (19.5)      (20.8)
Total                       768.6        632.1         21.6        18.5

Billings by Region

Americas

Americas billings increased by $52.4 million to $270.0 million in the year-ended 31 March 2018, representing 24.1 per cent growth on a reported basis and 24.0 per cent on a constant currency basis, driven by Enduser, including continued adoption of the Sophos Central platform.

EMEA

EMEA billings increased by $75.6 million to $395.1 million in the year-ended 31 March 2018, representing 23.7 per cent growth on a reported basis and 18.0 per cent growth on a constant currency basis.
We continued to see rapid adoption of the Sophos Central platform in the region and customer demand for next-generation endpoint was particularly strong which, along with growth in Network, contributed to the year-over-year increase.

APJ

APJ billings increased by $8.5 million to $103.5 million in the year-ended 31 March 2018, representing 8.9 per cent growth on a reported basis and 7.5 per cent growth on a constant currency basis, growth in the region being more balanced between Enduser and Network products.

Billings by Product

Network Products

The Group’s billings attributable to Network products increased by $41.9 million to $353.4 million in the year-ended 31 March 2018, representing 13.5 per cent growth on a reported basis and 9.8 per cent on a constant currency basis, driven by UTM and Wireless.

Enduser Products

The Group’s billings attributable to Enduser products increased by $93.5 million to $383.2 million in the year-ended 31 March 2018, representing 32.3 per cent growth on a reported basis and 29.6 per cent growth on a constant currency basis. The continued adoption of Intercept X, the Group’s next-generation endpoint solution, and the Sophos Central platform by new customers has supported the Enduser year-over-year billings growth, which benefited in the first half of the year from the worldwide impact of various high-profile ransomware attacks.

Billings by Type

Subscription billings increased by $131.1 million to $644.2 million in the year-ended 31 March 2018, representing a 25.6 per cent growth on a reported basis and 22.5 per cent growth on a constant currency basis. Sophos Central billings were a key driver for this growth with billings of $185.6 million, more than doubling on the prior-year, and increasing to 28.8 per cent of all subscription billings. Hardware billings increased by 7.6 per cent to $113.7 million and consequently, following the strong growth in subscription-billings, declined marginally as a proportion of total Group billings.
Key Billings Metrics

Billings from New Customers

Billings from new customers, excluding OEM, remained broadly consistent at 24 per cent of total billings (FY17: 25 per cent) with a growth of 23 per cent on a reported basis.

Retention and Renewal Rates

The Group’s net retention and renewal rates include the impact of cross-selling and upselling, which helps the Group evaluate the success of its strategy to broaden the sales of its product portfolio to existing customers. The Group’s net retention rate improved in the period from 106.3 per cent in the year-ended 31 March 2017 to 109.2 per cent in the year-ended 31 March 2018. The Group’s renewal rate increased to 139.7 per cent from 128.9 per cent, driven by Enduser products, and Intercept X cross-sell in particular, with demand further benefiting from high-profile ransomware attacks in the first half of the financial year.

Billings by Size

Sophos’ products are designed for the Group’s target market, specifically mid-market enterprises with fewer than 5,000 employees, although the products are frequently also bought by larger enterprises. In the current-year, the proportion of billings derived from the mid-market increased to 85 per cent from 83 per cent.

Billings by Length of Contract

Subscription agreements sold by the Group are of differing durations, with the majority of contracts typically of one to three years duration. The last twelve months weighted average contract length, which provides an indication of the period over which future revenue will be recognised, was 27.6 months for the year-ended 31 March 2018, a small decrease on the 28.1 months for the year-ended 31 March 2017. The reduction was principally due to a material longer-term contract with an existing customer reported in the prior-period.
The billings analysis of contracts by subscription length for each year was as follows:

Constant currency            FY18 %   FY17 %
Under one year                 34.4     34.3
One to two years                7.0      7.5
Two to three years             47.9     46.0
Greater than three years       10.7     12.2

Revenue Growth: +21.0%
Deferred Revenue Growth: +30.1%

Cross-Sell and Upsell Opportunities

As the threat landscape evolves, and the Group continues to innovate, there is an opportunity to cross-sell additional products and services, or to upsell enhanced versions of products or additional end user licences to existing customers. The Group saw a further improvement in the percentage of customers who own both a Sophos Endpoint and UTM product. At 31 March 2018, approximately 11.2 per cent of the Group’s more than 300,000 customers had both a UTM product and an Endpoint product; this compares to 9.6 per cent of the Group’s 260,000 customers at 31 March 2017, or around an additional 9,000 customers with both products in the year.

Revenue and Deferred Revenue

The Group’s revenue increased by $111.0 million, or 21.0 per cent, to $640.7 million in the year-ended 31 March 2018. In constant currency, revenue grew by 18.2 per cent, excluding the benefit derived from the strengthening of sterling and the Euro against the US Dollar in the year.

The majority of the Group’s billings relate to subscription products (FY18: 83.8 per cent; FY17: 81.2 per cent), with revenue deferred and recognised over the lifetime of the contract. Revenue in the period of $640.7 million comprised $341.5 million from the recognition of prior-period deferred revenues and $299.2 million from in-period billings.

The deferred revenue balance at the end of the year of $755.7 million increased by 30.1 per cent, or $174.7 million. This was due to a net deferral of billings over the year of $127.9 million and a net currency revaluation of $46.8 million, as a consequence of the strengthening of the Euro and sterling against the US Dollar.
Revenue in the Americas increased by 20.4 per cent to $225.1 million in the year-ended 31 March 2018 due to growth in Enduser, which has continued to benefit from the growth in the Sophos Central platform.

EMEA revenue increased by 23.3 per cent to $324.5 million in the year-ended 31 March 2018, with growth in both Enduser and Network revenue, the former particularly benefiting from uptake of the Sophos Central platform.

APJ revenue increased by 14.3 per cent to $91.1 million in the year-ended 31 March 2018, growth being balanced between both Enduser and Network products.

                         FY18 $M      FY17 $M      Growth %     Growth %
                         (Reported)   (Reported)   (Reported)   (CC)
Revenue by Region:
– Americas                  225.1        186.9         20.4        20.2
– EMEA                      324.5        263.1         23.3        18.2
– APJ                        91.1         79.7         14.3        13.3
Total                       640.7        529.7         21.0        18.2
Revenue by Product:
– Network                   315.6        271.2         16.4        12.9
– Enduser                   294.7        231.6         27.2        25.0
– Other                      30.4         26.9         13.0        12.3
Total                       640.7        529.7         21.0        18.2
Revenue by Type:
– Subscription              515.3        410.7         25.5        22.9
– Hardware                  114.2        106.7          7.0         3.2
– Other                      11.2         12.3        (8.9)      (10.7)
Total                       640.7        529.7         21.0        18.2

Cost of Sales

The Group’s cost of sales increased by $22.0 million, or 18.1 per cent, to $143.3 million in the year-ended 31 March 2018. Growth in cost of sales is substantially driven by growth in sales of Network products, which have a hardware component, and natural growth in other costs associated with supporting the Group’s products and services, which grow as the Group grows, albeit at a slower rate.

Sales and Marketing

The Group’s sales and marketing expenses increased by $38.4 million, or 18.2 per cent, to $249.0 million in the year-ended 31 March 2018. Sales and marketing expenses are targeted to increase at below the rate of billings growth to enable them to continue to support the business and channel whilst also allowing for growth in profitability as the Group continues to expand.
Research and Development

The Group’s research and development expenses increased by $28.0 million, or 23.8 per cent, to $145.8 million in the year-ended 31 March 2018. The Group continues to focus on enhancing its products to address the evolving threat landscape and the significant market opportunity that exists. This strategic focus is further supported by targeted technology acquisitions. Research and development expenditure is broadly expected to grow at the rate of billings.

General Finance and Administration

The Group’s general finance and administration expenses, excluding exceptional items, foreign exchange and the amortisation of intangible assets, increased by $17.4 million, or 24.2 per cent, to $89.2 million in the year-ended 31 March 2018. The increase was partially due to a higher share-based payment expense, which increased by $9.8 million to $42.3 million, as the run-rate continued to stabilise in the three-year period post the initial public offering of the Company’s shares and as a consequence of the impact on cash-settled schemes of a higher share price. The balance of the increase was due to underlying general finance and administration expenses which increased by 19.3 per cent to $46.9 million, marginally decreasing as a proportion of billings.

The Group’s exceptional items, included within general finance and administration expenses, decreased by $18.2 million to $13.2 million in the year-ended 31 March 2018. Current-year exceptional items relate primarily to restructuring and integration costs. Prior-year exceptional items predominantly related to expenses incurred in connection with the defence of certain claims brought against the Group in relation to the intellectual property litigation case brought by Finjan Inc.

Amortisation of Intangible Assets

The Group’s amortisation of intangible assets increased by $5.3 million, or 26.6 per cent, to $25.2 million in the year-ended 31 March 2018.
The increase was due to the amortisation of intangibles added as part of the acquisition of Invincea, Inc, which completed on 21 March 2017.

Currency Movements and Impact

The Group’s foreign exchange loss was $6.9 million in the year-ended 31 March 2018, compared with a loss of $1.2 million in the year-ended 31 March 2017. The loss was due to the strengthening of the Euro and sterling against the US Dollar.

Cash EBITDA

Cash EBITDA increased by 29.0 per cent to $193.7 million in the year-ended 31 March 2018. Cash EBITDA margins increased year-over-year to 25.2 per cent from 23.7 per cent in the prior-year due to both the growth of billings and the planned management of sales and marketing costs. The reconciliation of Cash EBITDA to operating loss is included in note 3 of the Financial Statements.

Adjusted Operating Profit

Adjusted operating profit increased by $7.8 million to $46.1 million in the year-ended 31 March 2018. The increase was driven by strong revenue growth, as prior-period billings were recognised as revenue and operating leverage as the business continues to scale. This was partially offset by a $5.7 million increase in the foreign exchange loss, reflecting the strengthening of sterling and Euro in the year. The reconciliation of adjusted operating profit to operating loss is included in note 3 of the Financial Statements.

Operating Loss

The Group’s operating loss improved to $31.9 million in the year-ended 31 March 2018, compared to a loss of $44.3 million in the prior-year. This improvement was achieved because of strong revenue growth, as noted above, and the decrease in exceptional costs being partly offset by increases in amortisation, share-based payment expenses, and foreign exchange.
Net Finance Costs

The Group’s net finance costs increased by $15.4 million to $20.4 million in the year due to foreign exchange losses on Euro denominated debt following the weakening of the US Dollar in the period, resulting in a $9.6 million loss compared to a $4.2 million gain in the prior-year. Underlying net interest charges increased to $8.7 million from $7.8 million in the prior-year, in part due to the increase in the drawn portion of the revolving credit facility entered into at the end of the prior-year, which has been fully repaid during the current-year.

Income Taxation

The Group’s tax charge for the year was $14.0 million (FY17: $2.6 million credit) with an effective taxation rate of -26.8 per cent (FY17: 5.3 per cent). The charge arises against a reported loss for the Group and includes $5.4 million arising on the enactment of the US Tax Cuts and Jobs Act rate change being applied to deferred tax assets on the balance sheet.

Change in Working Capital

Working capital is closely monitored by the Group, the year-on-year change results from timing of payment of payable balances offset by a decrease in debtor days outstanding to 41 days (FY17: 42 days), despite the growth in billings.

Loss Before Taxation and Loss for the Period

The loss before taxation increased to $52.3 million from $49.3 million in the prior-year, whilst the Group’s loss for the year increased by $19.6 million, from a loss of $46.7 million in the year-ended 31 March 2017, to a loss of $66.3 million in the year-ended 31 March 2018. This principally reflects the increase in net finance costs, operating foreign exchange differences and taxation charge noted above.

Cash Flow

Net cash flow from operating activities increased to $147.7 million from $118.5 million in the prior-year.
This strong performance benefited from a number of factors, including the growth in billings, planned cost control, a decrease in exceptional items and a continued focus on working capital management. Unlevered free cash flow increased modestly on the prior-year, in line with the Board’s expectation, as working capital levels normalised.

| | FY18 $M | FY17 $M |
|---|---|---|
| Cash EBITDA¹ | 193.7 | 150.1 |
| Net deferral of revenue | (127.9) | (102.4) |
| Foreign exchange | (8.1) | – |
| Depreciation | (11.6) | (9.4) |
| Adjusted operating profit | 46.1 | 38.3 |
| Net deferral of revenue | 127.9 | 102.4 |
| Exceptional items² | (13.0) | (31.4) |
| Depreciation | 11.6 | 9.4 |
| Foreign exchange | 8.1 | – |
| Change in working capital¹ | (10.9) | 19.0 |
| Corporation tax paid¹ | (22.1) | (19.2) |
| Net cash flow from operating activities | 147.7 | 118.5 |
| Exceptional items² | 13.0 | 31.4 |
| Net capital expenditure¹ | (21.1) | (16.5) |
| Unlevered free cash flow | 139.6 | 133.4 |

1 Unlevered free cash flow represented by the sum of the marked rows and has been presented to enhance understanding of the Group’s cash generation capability.
2 Excludes $0.2 million non-cash fair-value adjustment on contingent consideration.

Capital Expenditure
Capital expenditure primarily comprises property, plant and equipment as well as intangible assets. In the year-ended 31 March 2018, net capital expenditure increased by $4.6 million, mainly as a consequence of investment in the purchase of intellectual property to strengthen the Group’s network products.

Cash Taxation
Cash tax remains payable as a consequence of profits in local subsidiaries. Corporation tax paid of $22.1 million is higher than in the prior-year (FY17 $19.2 million) due to the increasing profits in local subsidiaries and in light of changes in the global tax environment. The Group receives the benefit of research and development expense credits of $5.1 million in the UK, US and Canada (FY17 $5.4 million).
Financing
In the prior-year the Group agreed an additional $40.0 million revolving credit facility with its existing lenders, which at the end of the prior-year was fully drawn along with $10.0 million from the original revolving credit facility. These drawings were made to partially finance the acquisition of Invincea, Inc. at the end of March 2017. During the current-year both revolving credit facilities have been fully repaid.

Dividends
The Directors propose to pay a final dividend in respect of the year-ended 31 March 2018 of 3.5 US Cents per share (FY17: 3.3 US Cents). This, combined with the interim dividend, gives a total dividend for the year of 4.9 US Cents (FY17: 4.6 US Cents). Subject to shareholder approval the final dividend will be paid on 12 October 2018 to all shareholders on the register on 21 September 2018.

Nick Bray
Chief Financial Officer
16 May 2018

Principal Risks and Risk Management

Principal risks are identified through a business wide risk assessment process

The risk review process encompasses the identification, management and monitoring of risks in each area of the business. This process includes an assessment of risks to determine the likelihood of occurrence, potential impact and the adequacy of the mitigation or controls already in place. A review is then undertaken by the Risk and Compliance Committee (“RCC”), which evaluates the principal risks of the Group with reference to its strategy and the operating environment. The Audit and Risk Committee monitors and challenges these processes, reviewing the Group’s Consolidated Risk Register and reporting material risks to the Board. There may be other risks or uncertainties that could emerge in the future; however, the Group’s ongoing commitment to risk management will seek to address and mitigate the future risks, as and when they become apparent.
[Figure: Structure of risk management. Labels: Sophos Group plc Board; Audit and Risk Committee; Risk and Compliance Committee; Internal Audit; Business Functions; Integrated Business Risk Management; Management Teams; Responsibility for risk management.]

The Directors consider the following matters to be the principal risks and uncertainties (in no specific order) affecting the Group:

Risk 1: Recruitment and retention of key personnel

How it impacts us
The ongoing success of Sophos is dependent on attracting and retaining global high-quality employees at all levels in the business who can effectively implement the Group’s strategy. Failure to attract, retain or develop high quality employees across the business could limit the Group’s ability to deliver its business plan.

What we are doing about it
Making Sophos a great place to work is central to the Group’s strategy. Sophos is increasing its commitment to diversity and inclusion by introducing new programs to attract and develop women in technology. Sophos is committed to strong recruitment processes supported by robust remuneration programs which are benchmarked appropriately. Additionally, Sophos has a commitment to all levels of training and development throughout the organisation. Reward schemes are continuously evaluated to drive and reward performance and ensure retention of key talent. Annual employee engagement surveys enable progress of the Group’s people actions to be monitored, areas of improvement identified, and necessary actions performed.

Risk 2: Defects or vulnerabilities in products or services

What we are doing about it
Sophos is committed to extensive test cycles and quality procedures which are subject to continuous improvement.
Sophos employs combinations of internal and external quality reviews and testing of products, including source code reviews, public and private 3rd party efficacy testing, automated code tests and various forms of penetration testing. The Group encourages a healthy collaboration with the security research community, as described in the Responsible Disclosure Policy: www.sophos.com/security. Sophos continues to run a Bug Bounty program to leverage the skills of thousands of individuals to help make its products and web properties more secure. The Group sees good activity from the research community, allowing it to resolve software defects before they can be exploited by attackers. This and other measures have allowed the Group to slightly reduce this risk. Further, Sophos protects the privacy and security of its customers worldwide through its pledge to never engineer backdoors into its products as described here: www.sophos.com/nobackdoors.

How it impacts us
The Group’s products and services are complex, and as such they have contained, and may in the future contain, design or manufacturing defects or errors that are not detected until after their commercial release and deployment by end customers. These defects could cause the Group’s products or services to be vulnerable to security attacks, cause them to fail to help secure networks, temporarily interrupt end customers’ networking traffic, and fail to prevent or detect viruses or similar threats. Further, due to the evolving nature of threats and the continual emergence of new threats, the Group may fail to identify and update its threat intelligence or other virus databases in time to protect its end customers’ networks and devices. As a result, actual or perceived defects or vulnerabilities in the Group’s products or services, or the failure of the Group’s products or services to prevent a security threat, could harm the Group’s reputation and divert the Group’s resources.
Risk 3: False detection of threats

What we are doing about it
Sophos strives for continuous improvement in its world class SophosLabs threat research operation. The Group invests in ongoing staff training and process optimisation, as well as enhancements to testing and quality systems and procedures. In 2017, Sophos developed and launched a new reputation-based false positive suppression system to complement the introduction of its “Deep Learning” artificial intelligence predictive modules in its products. Additionally, there is proactive focus on improvement of processes to enable early detection of a false positive event, as well as applying a ‘lessons learnt’ approach through root cause analysis. Sophos acknowledges the inherent risk associated with a false positive incident within the industry and is committed to ensuring there are mitigating processes in place to manage any incident, large or small, in order to minimise the impact on the Group’s customers.

How it impacts us
The Group’s products may falsely detect threats or malware that do not actually exist in applications or content based on the Group’s classification of application type, virus, malware, vulnerability exploits, data or URL categories (known as ‘false positives’). These false positives, while inherent in the Group’s industry, may impair the perceived reliability of the Group’s products and may therefore adversely impact market acceptance of the Group’s products. If the Group’s products restrict important files or applications based on falsely identifying them as malware or some other item that could be restricted, this could adversely affect end customers’ systems and cause material system failures.
Any such false identification of important files or applications could result in negative publicity, damage to the Group’s reputation, loss of end customers and sales, increased costs to remedy any problem and risk of litigation, any of which could materially adversely affect the Group’s financial condition and operating results.

Risk 4: IT security and cyber risk

What we are doing about it
Sophos has a dedicated cybersecurity team focused on identifying risks related to cyber-attack and planning appropriate protection, detection, response and recovery mechanisms. The Group is focused on day-to-day active monitoring and hunting for threats, improving response processes and implementing continual improvements to governance, technology and education and awareness programs. Sophos continues to increase its investment in cybersecurity.

How it impacts us
As a provider of IT security products, the Group is a natural cyber-attack target. The Group’s networks and products may have vulnerabilities that have from time to time been, and may in the future be, targeted by attacks specifically designed to disrupt the Group’s business and harm the Group’s reputation. If an actual or perceived breach of security occurs in the Group’s internal systems, it could adversely affect the market perception of the Group’s products. In addition, a security breach could affect the Group’s ability to operate its business, including the Group’s ability to provide support services to end customers.

Risk 5: Product portfolio management

How it impacts us
Sophos has an extensive number of products, enhanced further by acquired technologies. The extent of investment in each product needs to be managed and prioritised taking into account the expected future prospects.
Additionally, consideration must be given to the ability to be able to adequately support the entire product range. Failure to manage the product portfolio adequately could result in inappropriate investment focus in relation to research and product innovation. This could result in products that do not meet the requirements of customers or partners and the risk they will look to alternative solutions, resulting in the potential loss of both new and existing revenue streams. Failure to protect the Group’s intellectual property could adversely affect the ability of the Group to operate in its markets. Additionally, insufficient focus on key research and innovation projects may damage the long-term growth prospects of the Group.

What we are doing about it
Sophos continues to focus on and improve the interaction between Product Management, Product Development, Sales and Marketing and all Support functions in an integrated product development approach. Internal processes are run to identify opportunities for standardisation and consistency across product lines. This helps eliminate redundancies, reduce development and support costs, and improve partner and customer experiences through a more predictable and coherent product portfolio. Sophos is working to bring all products under a single cloud management platform to deliver a common management experience for the portfolio and a comprehensive solution that will encourage existing customers using on premise products to migrate to cloud management. The Group is also working on the portability of the cloud infrastructure in order to address any privacy or data sovereignty issues that its customers/partners might face. Additionally, during the current financial year, Sophos has consolidated the Network Security Group (NSG), Enduser Security Group (ESG) and the Central Platform Group (CPG) under single leadership in order to improve synchronized security, cross business unit interlock and investment efficiencies.
The Group takes all appropriate opportunities to protect its intellectual property and brands. Sophos customer and partner communities continue to be invaluable resources in guiding portfolio management decisions. They provide immediate and constant feedback on how well Sophos is meeting its requirements, improvements that Sophos can make to its current offerings and opportunities for portfolio consolidation or expansion.

Risk 6: Disruption to day-to-day Group operations

How it impacts us
Sophos is at risk of disruption to its day-to-day operations from a disaster incident which may seriously impact IT systems or access to office space. A failure in the operation of the Group’s key systems or infrastructure on which the Group relies could cause a failure of service to its customers and negatively impact the Sophos brand.

What we are doing about it
Incident management procedures and escalation processes are in place as well as maintaining security, business continuity and disaster recovery plans. Whilst Sophos continues to make significant investments in the technology and infrastructure of the Group, the risk has increased due to the growing demand and reliance on cloud delivery for the Group’s products.

In concluding on the risks and uncertainties that are considered to be significant for the Group the Directors assess a wide range of issues, which included the following that are not considered to be principal risks:

Brexit
Following the decision by the UK population to exit, in due course, from the European Union (“Brexit”), the Directors have continued to keep under consideration the expected impact of Brexit on the Group. The Group operates internationally with a diverse geographic spread which results in only 12 per cent of the Group’s revenue being sourced from the UK.
Whilst the fluctuations in the sterling exchange rate impact on those UK revenues, these are, to a degree, balanced with sterling denominated costs which mitigates the impact on the US Dollar functional currency of the Group. The exact nature of the trading arrangements between the UK and the EU subsequent to the UK’s exit from the EU currently remains uncertain and as a consequence the Directors have considered a number of scenarios and the Group’s potential responses to them. This scenario planning has included anticipating changes to the operations of the Group and its supply chain, which are not considered to be significant or posing a heightened risk to the Group. The impact of Brexit on the current and future employees has also been considered and while there may be some disruption or changes in the UK, these are not currently anticipated to materially affect one of the Group’s principal risks, the ‘Recruitment and retention of key personnel’.

Patent Infringement
In addition, the Directors consider the risk of claims of patent infringement against the Group’s products, which is considered to be a software industry-wide risk. The risk is not considered to be a standalone principal risk and is instead factored into the Directors’ consideration of ‘Product portfolio management’, which is a principal risk.

Corporate Responsibility Report

Sophos is committed to defending its customers against criminal activity and acting as a responsible business

Approach
With over 300,000 customers around the world, Sophos recognises the responsibility it holds in providing the right tools to protect its clients and educate them on the importance of digital security. The Group’s business model is built on securing its customers from the risks of cybercrime by offering innovative, simple and highly effective cybersecurity solutions.
Beyond the impact of Sophos’ own products and services, the Group recognises the duty it has in conducting its business activities in a responsible way. With over 3,300 employees across more than 40 offices, it is vital that the Group maintains the highest standards of conduct. To achieve this, Sophos focuses on operating openly and transparently, treating its people fairly, creating a diverse culture and reducing its environmental impacts. In the year, the Group further enhanced its commitment to Corporate Responsibility (“CR”) by undertaking a detailed materiality assessment. Over the coming year, work will continue on further establishing the Group’s CR strategy and improving measurement across key areas of focus.

Identifying Priorities
In 2018, Sophos worked with a third party to undertake a desk-based materiality exercise. The objective of the assessment was to rank and prioritise CR issues from the perspective of business impact and stakeholder interest, to better understand the areas where the Group can make a positive difference. Guided by the Global Reporting Initiative (“GRI”) Standards and Accountability’s Five-Part Materiality test, the approach undertaken involved ranking and assessing a broad range of CR issues before selecting 20 material topics. These topics form the basis of the Group’s approach to corporate responsibility reporting and four pillar CR framework. Work will continue into 2018 to develop the Group’s overall CR strategy and focus areas.

[Figure: Sophos CR Framework. Pillars: Securing customers; Engaging people; Enhancing communities; Protecting the environment. Underpinned by our values: Simplicity, Empowerment, Passion, Innovation, Authenticity.]

Managing Corporate Responsibility
Ultimate responsibility for Sophos CR activities lies with the Senior Management Team (“SMT”) who set the Group’s strategic approach, develop key policies and coordinate activities.
The SMT is comprised of the Chief Executive Officer, Chief Financial Officer and other individuals who head up key Group functions. The Group’s functional heads take leading roles in key strategic CR areas such as Gender, HR and Environmental Management. The SMT are also responsible for ensuring global compliance with key internal and external policies including:
• Anti-human trafficking and slavery policy
• Diversity policy
• Anti-corruption and bribery policy
• Whistleblowing policy
• UK modern slavery act

The SMT support the Audit and Risk Committee and the Risk and Compliance Committee (“RCC”) in ensuring compliance with the Code of Conduct, as well as financial compliance and global risk management (see page 34). Moving forward the Group aims to implement a CR Steering Committee to reinforce commitment to corporate responsibility and promote strategic action across the organisation.

Engaging with Key Stakeholders
Communicating with key stakeholders is vital in helping to better understand their needs and requirements. The Group conducted several engagement activities throughout 2017, to encourage two-way dialogue with key stakeholder groups. Local offices also play a significant role in forming lasting relationships with local stakeholders, including community members.
All of the above policies can be found at: www.sophos.com

Key Stakeholders Channel Partners Engagement Channels Key Activities in the Year • Channel-best commitment to have channel- • Partner conferences for Americas, EMEA and APJ excellence and industry-best at the Group’s core with CEO and SMT speakers • Industry-leading partner program • Launch of regional partner programs tailored to • Partner conferences and global events • Dedicated partner portal • Partner advisory councils • Webinars and live online events including product and threat landscape training MEA, and Eastern Europe partners • Partner advisory meetings in key markets End Customers • Community and support forums • “Man from Sophos” roadshow in Australia • Social media engagement • Customer events across all major US, EMEA and APJ • Dedicated and targeted product communications markets • VIP Newsletter and Sophos News updates • Daily industry news service – NakedSecurity • Tour across Central Europe with Sophos truck • Sophos Home Premium launched • Free tools for home use (Sophos Home, XG Firewall, Sophos Mobile) • Enduser events in key markets • Webinars and live online events Employees • Intranet site “Sophos Hub” for collaboration, communication and information • Annual employee survey • Access to online training tools and instructor-led training • Investor roadshows Investors and Analysts • Annual kick-off led by CEO • Quarterly business updates • Local kick-off events • Social events run locally • Capital markets day • Results presentations and webcasts • Analyst and investor visits to Abingdon • Conference calls • AGM headquarters • Participation in investor conferences in US and • Investor and analyst 1:1 meetings Europe Community • Employee driven charity and community actions • Sponsorship of the UK National Computing Museum in local offices, supported by SMT and local management • Charitable and community activities undertaken around the world supporting a wide range of causes
Securing Customers
Sophos’ mission is to be the best in the world at delivering innovative, simple and highly-effective cybersecurity solutions. With more than 100 million users across 150 countries and 300,000 businesses relying on Sophos to protect them against complex threats and data loss, the Group has a significant duty to protect and secure its customers 24/7.

The issues surrounding digital security and ransomware continued to be a major challenge across the globe in 2017. In a survey conducted in late 2017, 54 per cent of mid-sized organisations across five continents were hit by a ransomware attack in the last year, with a further 31 per cent expecting to be victims of an attack in the future*. The cost of a ransomware attack extends beyond any ransom paid and includes downtime, work hours, device costs, network costs and lost opportunities, with the survey finding the median total cost of an attack to be nearly $133,000.

To tackle these complex challenges, Sophos continued to deploy product updates and introduce best-practice innovations to existing products in 2017. The Group’s suite of encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs – a global network of threat intelligence centres. In 2017, deep learning technology was successfully integrated and deployed to significantly increase the efficiency of the SophosLabs automated processes. As a result, SophosLabs now intelligently processes over 400,000 files, 150,000 suspicious URLs, 30,000 malware samples and more than five million spam messages across 20 countries every day.
* The State of Endpoint Security Today, Study, 2017: www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/endpoint-survey-report.pdf

Additional updates to products and services in 2017 included:
• The launch of Sophos Home Premium, an enterprise-grade product for home users that goes beyond traditional antivirus to deliver advanced, real-time protection from the latest ransomware, malicious software, and hacking attempts.
• The introduction of market-leading network traffic visibility in the XG Firewall. The ability of the XG Firewall to identify all traffic on the network is enabled through synchronized security.
• The addition of artificial intelligence capacity into its next-generation endpoint protection product, Intercept X. The deep learning technology implemented creates a smarter, more scalable security solution for Sophos customers.

Helping customers secure their networks
The Roman Catholic Diocese of Brooklyn serves more than 1.5 million people living in Brooklyn and Queens in New York, USA, within 187 parishes and 90 schools. This complex organisation turned to Sophos to unify and simplify its endpoint, firewall, and cloud security; improve system and network performance; meet compliance requirements; and provide a wider array of network services to protect its users. The IT team had previously managed multiple products, and it often fell on the shoulders of Security and Information Officer, Gus Garcia, to handle the more complicated tasks. “Now, it’s simple. Our systems run faster, and we have excellent visibility into endpoint and network activity. I can just log into my Sophos Central account and easily see which computers are lacking up-to-date security and modify them quickly and painlessly,” says Garcia. “In the past 12 to 18 months, we have not experienced any serious incidents or outages.
Our users stay productive, and I no longer have to send technicians out to clear up systems when something bad happens.”

Engaging People
Guided by the Group’s core values of simplicity, empowerment, passion, innovation and authenticity, the Group seeks to promote a culture where its people can thrive. For Sophos, this means promoting strong business ethics and putting in place policies and programs to build trust with employees.

Creating an Ethical Culture
As a first priority, Sophos seeks to uphold individual human rights in its operations, and expects the same from all partners. The Group’s policies outline the behaviours expected from employees and suppliers at all times, and set out the Group’s zero tolerance approach towards any form of modern slavery, discrimination or unethical behaviour relating to bribery, corruption or business conduct. To support its people, the Group makes development opportunities available to all employees through access to one of the largest online libraries of e-learning courses in the world for technical, personal and leadership skills development, as well as role-specific training and access to Instructor-Led Training. This training is aligned to personal development initiatives such as quarterly manager ‘check ins’ and real-time coaching.

Promoting Diversity
The Sophos diversity policy outlines the Group’s commitment to building an inclusive culture, where people feel able to be their best at work, irrespective of age, race, sexual orientation, religion, national origin or gender. Sophos is passionate about creating a workplace that promotes equal opportunities and prides itself on recognising and rewarding team members based on merit above anything else. At the end of the financial year, the gender breakdown of employees and Directors was as follows:

In 2017, the UK government introduced new legislation requiring companies with 250 or more employees to publish their gender pay gap.
Sophos’ median gender pay gap in the 12 months to April 2017 was 23.4 per cent, which is higher than the UK average pay gap of 18.4 per cent. Despite this, Sophos is ahead of industry peers in the UK high-tech sector, who have an average pay gap of 25 per cent. The Group believes its current pay gap is due to lower female representation at the higher levels of the organisation, and a high percentage of men in specialist positions carrying a higher market premium. Moving forward, Sophos will continue to enhance gender diversity and ensure equitable pay for all genders throughout their careers. In line with this commitment, Sophos continued to promote gender diversity in FY18 through its actions and activities, which included:
• Becoming one of the founding organisations of the PWC “Tech She Can” initiative.
• Supporting the “Women of Silicon Roundabout” project which enables people and organisations to connect, learn and take action on gender diversity and inclusion.
• Introducing a new apprenticeship scheme to provide a route for women to pursue technical careers at Sophos.
• Rolling out unconscious bias training to managers and setting a target to expand this to all employees in 2018.

Gender breakdown of employees and Directors:

| | 31 March 2018 Female | 31 March 2018 Male | 31 March 2017 Female | 31 March 2017 Male |
|---|---|---|---|---|
| Executive & Non-Executive Directors | 2 | 7 | 2 | 8 |
| Senior Managers* | 18 | 75 | 17 | 79 |
| Employees | 760 | 2,500 | 692 | 2,495 |

* The Group has defined senior managers as members of the SMT and their direct reports (excluding executive Directors separately reported) as is set out in Sophos’ diversity policy.

Sophos Women in Technology
The Sophos Women in Technology forum was launched in late 2017 to promote gender diversity in the technology industry. There are now dedicated groups running in the UK and Canada, with the U.S. and India set to follow suit in 2018. The purpose of the initiative is to make Sophos a great place to work for women in the technology industry – spanning technical and non-technical roles.
The focus of the group is to help women develop the skills they need, and create a supportive environment where they can progress in the business and enhance their career development at Sophos.

Enhancing Communities
Sophos is committed to helping others and using its resources, expertise and insights to make a positive difference to the communities where it operates. The Group encourages local offices around the world to support community projects and initiatives relevant to them, and participated in many local initiatives to enhance communities in FY18.

UK
The Group became a corporate foundation sponsor at the National Museum of Computing in Bletchley in 2017, where the history of computing and security can be seen in action with the world’s largest collection of functioning historical computers. Sophos has committed to sponsor the museum until 2020 and will provide expertise and insight to support the museum’s ongoing development of exhibition space and visitor experiences.

Canada
Every December for the past several years, Sophos Canada employees have raised funds for YWCA’s “Presents of Peace”. This local initiative focuses on assisting families in need so that they may have a special Christmas. In 2017, employees were matched with two families for whom funds were raised through activities such as bake sales, raffles, auctions and sporting competitions. In the end, a total of CAD $3,650 was raised and divided up between the families, with the excess funds donated back to YWCA.

Over £33,500 was raised by Sophos employees in the UK to donate to spinal injury charity Aspire.

India
Sophos India focuses its community engagement efforts on improving the infrastructure of a local village near to its offices. Ropda was selected by employees after extensive community engagement and recognition of a local need.
With the aim of enhancing the quality of life for people living in the village, the team identified four key focus areas to target:
• Education: Despite there only being one school in the village, the attendance rate was just 25 per cent when Sophos employees arrived in Ropda. To address this, a campaign was launched to encourage parents to enrol their children into school to improve literacy rates. As a result, the attendance rate increased from 25 per cent to 85 per cent by the end of the year, including 100 per cent attendance for exams. A water purification plant was also built at the school, as well as a meal shed to encourage better health and hygiene.
• Sanitation: As is common in many Indian rural villages, there was no central sanitation facility or drainage system in the village. Toilets were built in over 20 houses, and a drainage system was installed throughout the village to ensure effective waste management and cleanliness.
• Infrastructure: 60 solar street lights were installed to reduce the financial burden of villagers and promote renewable energy. Beyond this, a new road was constructed to better connect the village to the surrounding community.
• Health and fitness: Half-yearly health check-ups were introduced and villagers were put in contact with local hospitals where they are now able to seek treatment at a subsidised cost.

Sophos staff pedal their way to fundraising goal
Sophos cycling colleagues, the “Sophos Interceptors”, hit the road to ride 100 miles in a single day at the end of July to raise money for Aspire, a charity helping those with spinal cord injuries live full and healthy lives. More than two dozen Sophos employees joined the CEO and CFO in flying the company colours for the cause. After a successful 100 mile ride to the finish line, the final amount raised for the charity was over £33,500. The Sophos Interceptors also hosted “Wellfest”, a day of fun and fitness to help raise additional funding for Aspire.
Sophos staff got involved by pedalling on a “smoothie bike” to blend their own smoothies and taking the “watt challenge” by cycling to create electricity. Employees were also encouraged to team up to challenge themselves with cycle sprints or spin bike and rowing challenges, all in the name of the cause.

Protecting the Environment

As an office-based organisation, Sophos is an environmentally low-impact business. The Group has therefore not adopted a formal environmental policy. Despite this, the Group recognises the responsibility it has in managing its environmental performance and conducting local initiatives to reduce its overall carbon footprint, waste profile and water impact.

Greenhouse Gas Emissions

In line with the Companies Act 2006, Sophos is required to measure and report on its Greenhouse Gas (“GHG”) emissions disclosures. These have been calculated for the year-ending 31 March 2018, in line with the Group’s financial year. The calculation of the disclosures has been performed in accordance with Greenhouse Gas Protocol Corporate Standard and using the UK government’s conversion factor guidance for the year reported. The Group’s operations that primarily release GHG include usage of electricity and gas of owned and leased offices, business travel and usage of vehicles. The Group keeps its data capture process under review, seeking to extend the availability of direct information wherever possible. Where direct information for certain sites is not available, estimates have been developed that enable reporting for them. These estimates are revised if new or improved data is obtained. The Group will continue to build its GHG reporting capabilities. The Group’s chosen intensity ratio is ‘tonnes of CO2 equivalent per million US dollars of billings’ as it aligns with Sophos’ strategic growth ambitions.
Creating an environmentally friendly HQ

In 2017, the Group conducted a greening study at its global headquarters in Abingdon, Oxfordshire. The purpose of the study was to benchmark the current environmental, health and wellbeing performance of the building against current best-practice and Sophos’ peers. The topics assessed included everything from indoor air and water quality through to connection with nature, nourishment and comfort. The outcomes of the study will set the direction for achieving best practice in environmental sustainability as well as health and wellbeing at the Group’s headquarters and global offices.

Source | Year-ended 31 March 2018 tCO2e | Year-ended 31 March 2017 tCO2e | Year-ended 31 March 2016 tCO2e
Scope 1 (Combustion of natural gas and operation of owned vehicles) | 320.0 | 251.8 | 207.2
Scope 2 (Electricity consumption in offices) | 4,457.3 | 4,681.9 | 4,819.7
Scope 3 (Business travel (air and car)) | 5,117.4 | 4,510.9 | 4,025.2
Total | 9,894.7 | 9,444.6 | 9,052.1
Intensity ratio tCO2e per $M of billings | 12.9 | 14.9 | 16.9

Strategic report approval

The strategic report on pages 16 to 43 was approved by the Board on 16 May 2018 and signed on its behalf by:
Kris Hagerman
Chief Executive Officer
16 May 2018

Board of Directors

PETER GYENES, Non-Executive Chairman. First Election Date: 14 September 2016
KRIS HAGERMAN, Chief Executive Officer. First Election Date: 14 September 2016
NICK BRAY, Chief Financial Officer. First Election Date: 14 September 2016
SANDRA BERGERON, Independent Non-Executive Director. First Election Date: 14 September 2016
ROY MACKENZIE, Non-Executive Director. First Election Date: 14 September 2016

Experience

Peter joined the Sophos Board in 2006, bringing experience with corporate growth and value creation to the Group’s vision for integrated threat management leadership.
He has four decades of experience in technical, sales, marketing and general management positions within the computer systems and software industry globally, and was most recently the Chairman and CEO of Ascential Software Corporation. He has also served on the boards of Applix Inc., BladeLogic Software, Epicor Software Corporation, Lawson Software, EnerNOC Inc., Cimpress NV, Intralinks Holdings, Inc. and webMethods.
Qualifications: BA in Mathematics and an MBA, Columbia University, New York

Kris joined Sophos in 2012 as Chief Executive Officer. Kris was most recently CEO of Corel Corporation, and prior to that, group president, data centre management at Symantec, where he led a business of more than $1.5 billion that represented nearly 30 per cent of Symantec’s global revenue. Prior to Symantec, Kris was EVP and GM, storage and server management at Veritas Software where, during his tenure, the company’s revenue more than doubled, before its acquisition by Symantec. Earlier in his career, Kris was founder and CEO of BigBook and prior to that, Affinia. Kris also held positions at Silicon Graphics and McKinsey & Company.

Nick joined Sophos in 2010 as Chief Financial Officer, bringing more than 20 years’ experience in the technology sector, extensive international operational skills and significant public company experience on both the London Stock Exchange and Nasdaq. Nick was most recently CFO at Micro Focus International plc, where he was instrumental in the company tripling revenue and increasing market capitalisation from circa £200 million to in excess of £1 billion. He has also held Group CFO roles at Fibernet Group plc and Gentia Software plc, as well as senior financial positions at Comshare Inc. and Lotus Software.

Sandra joined the Sophos Board in 2010.
She has more than 20 years’ security, operations and board advisory expertise having previously served on the boards of TraceSecurity Inc., Tipping Point, Netegrity, Nuance Communications, TriCipher Inc., and ArcSight Inc. Earlier in her career Sandra spent 10 years at McAfee, Inc. holding a number of key executive positions.

Roy joined the Sophos Board in 2010. He is a partner of Apax Partners’ technology and telecoms team. He joined Apax Partners in 2003 and has been involved in a variety of technology focussed investments including Epicor Software Corporation, NXP Semiconductors, and King Digital Entertainment plc. Previously, Roy worked at McKinsey & Company, Inc., focusing on consulting clients in the high technology sector and also held product management positions at Psion Computers.

Qualifications
Kris Hagerman: BA in Russian and Economics, Dartmouth College, an M.Phil. in International Relations, Cambridge University, and an MBA, Stanford Graduate School of Business
Nick Bray: First class BA in Civil Engineering, Aston University, and a qualified Chartered Accountant
Sandra Bergeron: MBA from Xavier University, Cincinnati, Ohio and a BA in Business Administration (Cum Laude), Georgia State University
Roy Mackenzie: MBA, Stanford Graduate School of Business and an MA in Engineering, Imperial College, London

Key External Appointments
Peter Gyenes: Director of Carbonite Inc., Information Builders, Inc., Pegasystems Inc., RealPage, Inc. and is trustee emeritus of the Massachusetts Technology Leadership Council
Kris Hagerman: None
Nick Bray: Non-Executive Director of De La Rue plc
Sandra Bergeron: Director of F5 Networks, Inc. and Qualys Inc
Roy Mackenzie: Director of Duck Creek Software, Inc. and Exact Holdings NV

ELEANOR LACEY, Chief Legal Officer

Experience

Eleanor joined Sophos in 2016 as SVP General Counsel and Company Secretary. Most recently, Eleanor had been SVP, General Counsel and Corporate Secretary at SurveyMonkey Inc.
Prior to SurveyMonkey she has held the roles of General Counsel and VP of Business Development at Corel Corporation, VP of Corporate Development at SupportSoft, Inc. and VP and General Counsel at Niku Corporation, prior to its acquisition by Computer Associates.
Qualifications: J.D., Yale Law School and BA in History and English, University of Massachusetts at Amherst
Key External Appointments: None

RICK MEDLOCK, Independent Non-Executive Director. First Election Date: 7 September 2017
STEVE MUNFORD, Non-Executive Director. First Election Date: 14 September 2016
VIN MURRIA OBE, Independent Non-Executive Director. First Election Date: 7 September 2017
PAUL WALKER, Senior Independent Director. First Election Date: 14 September 2016

Experience

Rick joined the Sophos Board in April 2017. Rick has 30 years of experience in the financial management of large international technology companies. Most recently Rick was CFO at Worldpay until the completion of its merger with Vantiv in February 2018 prior to which, Rick was CFO of Misys until December 2013. Before joining Misys, Rick had spent nine years as CFO of Inmarsat plc and seven years as CFO and company secretary of NDS Group plc. He was also a non-executive director and chairman of the audit committee of Edwards Vacuum (Edwards Group Ltd). He spent the early part of his career in a variety of roles as CFO of a number of private equity backed technology companies in the UK and the US.

Paul joined the Sophos Board in 2015. Paul brings more than 30 years of technology and senior leadership experience, having served for 16 years as CEO of Sage Group plc. Paul has previously served on the boards of WANdisco plc, Diageo plc, and My Travel Group plc.

Steve served as Sophos’ CEO from 2006 to 2012 prior to which he had been COO, as well as president of Sophos, North America. Steve led the company through a period of dramatic growth, more than tripling billings.
Previously, he was President of ActiveState before its acquisition by Sophos.

Vin joined the Sophos Board in January 2017. She was founder and CEO at Advanced Computer Software and CEO of Computer Software Group. Previously, Vin was also a non-executive director of Chime Communications, Greenko Group and Concateno. Vin was named Cisco’s Woman of the Year and Tech Entrepreneur of the Year in 2012 and in addition, Advanced Computer Software was named Tech Company of the Year in 2014. Vin received an OBE for services to the Digital Economy and the Empowerment of Women in Software and Technology in the 2018 New Year’s Honours list.

Qualifications
Rick Medlock: MA in Economics, University of Cambridge and a qualified Chartered Accountant
Steve Munford: BA in Economics, University of Western Ontario and MBA from Queen’s University, Ontario
Vin Murria: BSc (Hons), an MBA, and a Doctorate business administration (Honorary), Edinburgh Napier University
Paul Walker: BA in Economics, York University, and a qualified Chartered Accountant having trained at Ernst & Young

Key External Appointments
Rick Medlock: None
Steve Munford: Chairman of Carbonite, Inc. and Elastic Path Software, Inc., interim CEO of Absolute Software Corporation, and serves on the boards of Actenum Corporation, Alert Logic, Inc., Apica, Inc., NetMotion, Inc, QuickMobile Inc. and Teradici Corporation
Vin Murria: Independent Non-Executive Director at Softcat plc and Zoopla Property Group plc, Senior Advisor - Rothschild Global Advisory team, and a partner at Elderstreet Investments
Paul Walker: Non-executive chairman of Halma plc and Perform Group Ltd, and a Non-Executive Director of Experian plc

Key to Committee Membership: Audit and Risk Committee; Nominations Committee; Remuneration Committee; Disclosure Committee

BOARD INFORMATION (charts): Independence (excluding Chairman): Independent, Non-Independent. Board Nationality: British, Canadian, American. Board Diversity by Gender: 22% female.

CHLOE BARRY, Group Company Secretary

Experience

Chloe joined Sophos in 2016 as Deputy Company Secretary.
Most recently, Chloe had been Group Secretariat Manager at BG Group plc for four years until its acquisition by Royal Dutch Shell plc in February 2016. Prior to BG Group, Chloe has held roles at a number of UK listed companies, including Centrica plc, InterContinental Hotels Group plc and Electrocomponents plc.
Qualifications: Associate, Institute of Chartered Secretaries and Administrators
Key External Appointments: None

Corporate Governance – Chairman’s Introduction

Dear Shareholder,

With the full support of the Board, I am committed to maintaining a robust governance structure to ensure that we discharge our duties responsibly in setting our strategy and long-term objectives, monitoring and providing oversight to the performance of management and progress of our business, managing our risks, and carrying out our business with integrity. Good corporate governance is critical in helping to build a successful business that is sustainable over the longer term, in the dynamic, fast-paced markets in which we operate. To support fulfilling these responsibilities, the Board hold formal quarterly meetings with management to review operating performance and strategic progress, and hold additional periodic updates and reviews, as well as an annual comprehensive strategy and objectives review, discussion and confirmation with the full Senior Management Team (“SMT”).

Corporate Governance Code Compliance

This report aims to provide shareholders and other stakeholders with an understanding of how Sophos is managed and the governance and control framework within which we operate.
The Board and I take seriously our commitment to maintain the highest standards of corporate governance and this report sets out on pages 50 to 54 how during the year, we have continued to apply the principles and provisions of the UK Corporate Governance Code 2016 (the “Code”). The Board considers it has complied fully with the Code throughout FY18, with the exception of the three-month period following the retirement of Ed Gillis in September 2017, during which time, the Board comprised 44 per cent independent Non-Executive Directors, excluding the Chairman. Since the departure of Apax’s Salim Nathoo from the Board in November 2017, and until the date of this report, the Board has comprised 50 per cent independent Non-Executive Directors, excluding the Chairman.

UK Corporate Governance Code Compliance

This report, which is available on the Company’s website, explains the key features of the Company’s governance structure to provide a greater understanding of how the main principles of the UK Corporate Governance Code (“the Code”) have been applied and to highlight areas of focus during the year. The Code can be found on the FRC’s website at www.frc.org.uk. During the year, the Company complied with all the principles and provisions of the Code, except for Code provision B.1.2 which recommends that at least half of the Board of Directors of a UK-listed company, excluding the Chairman, should comprise independent Non-Executive Directors. For the period from 8 September until 28 November 2017 the Board comprised 44 per cent independent Non-Executive Directors after which, and to the date of this report, it has comprised 50 per cent independent Non-Executive Directors. The Board is confident that the balance of independence weighed against the strong judgement and considerable knowledge that each Non-Executive Director individually brings, is right and appropriate for Sophos.
Full details of the Board’s independence are set out on page 52. Throughout the year, the Nominations Committee kept the composition of the Board and its Committees, including the chairmanship of each Committee, under close review; and taking account of the balance of skills, knowledge, experience, and diversity of our Board, continue to believe our Board composition is strongly appropriate to our responsibilities and to the Sophos mission.

Board Composition

As disclosed in the FY17 Annual Report, the Board welcomed Rick Medlock as a new independent Non-Executive Director on 3 April 2017. Rick has extensive experience and a deep understanding, and knowledge of financial management in the technology industry, and with global businesses listed in both the UK and the US. Rick also assumed the role of chairman of the Audit and Risk Committee following Ed Gillis’s retirement as an independent Non-Executive Director and chairman of our Audit and Risk Committee at the conclusion of the Company’s 2017 Annual General Meeting (“AGM”). Rick and Vin Murria, who joined the Board as an independent Non-Executive Director in January 2017, have already brought their considerable experience to bear through their valuable contributions at Board and Committee meetings. Salim Nathoo stepped down as a Non-Executive Director on 28 November 2017, in accordance with the terms of the Relationship Agreement between the Company and Apax, which agreement regulates their ongoing relationship, in accordance with the Listing Rules. Salim had been a member of the Board for seven years and had provided invaluable support to Sophos through its Initial Public Offering (“IPO”) and during the critical early years of its listing. Further details regarding the Relationship Agreement are set out on page 83. The Board also welcomed the promotion of Chloe Barry from Deputy Company Secretary to Company Secretary, with effect from 1 April 2018.
Eleanor Lacey, our previous Company Secretary, continues in her capacity as Chief Legal Officer. Board Evaluation In accordance with current best practice and the Code, the Board undertakes an annual formal evaluation of its performance and effectiveness and that of each Director and its Committees. As Chairman, I value this annual evaluation opportunity and consider that key to my role in creating an effective Board, is the effective assimilation of feedback received, and the development and effective application of germane recommendations. In March 2018, the Chairman, with the support of the Company Secretary, facilitated the FY18 evaluation. As disclosed in the FY17 Annual Report, the FY17 evaluation was undertaken by Duncan Reed of Condign Board Consulting Limited. The Board continued to consider the agreed recommendations for improvement during FY18 and reviewed and measured progress, as they were implemented. The reviews are discussed in more detail on pages 49 and 50. Shareholder Engagement The Board looks to encourage and maintain an active dialogue with shareholders throughout the year, listens to the views of representatives of investors and financial institutions, and regularly monitors and considers shareholder sentiment and feedback. We believe that the design and operation of a robust, yet evolving governance structure, appropriate for a group of the scale and ambition of Sophos, remain critical to meeting the needs of our shareholders. We welcome all opportunities to meet and answer shareholders’ questions. Conclusion Our Board and I continue our commitment to strong governance as a matter of both strategy and culture. We work together with our management team to reflect integrity, excellence, and transparency throughout our global leadership and operations. We believe this has contributed to our growth and shareholder value this past year and will continue to do so going forward. 
Peter Gyenes
Non-Executive Chairman

Corporate Governance Statement

Corporate Governance Structure

The Company’s governance is structured through the Board and a number of committees that support the effective discharge of its duties, as illustrated below.

BOARD OF DIRECTORS
Audit and Risk Committee (Report on pages 57 to 61)
Nominations Committee (Report on pages 55 and 56)
Remuneration Committee (Report on pages 63 to 81)
Disclosure Committee (Report on page 62)
Risk and Compliance Committee
Senior Management Team

The various committee reports can be found on pages 55 to 81 of this Report and each committee’s full terms of reference are available on the Company’s website at: investors.sophos.com.

The Senior Management Team (“SMT”) is comprised of the Chief Executive Officer, Chief Financial Officer and nine individuals who head up the key Group functions and each report to the Chief Executive Officer, supporting him in the leadership of the business, and responsible for the day to day management of the Group’s operations.

Attendance at scheduled meetings of the Board and Committees held during the year: Peter Gyenes1 Kris Hagerman Nick Bray Sandra Bergeron Edwin Gillis (resigned on 7 September 2017) Salim Nathoo (resigned on 28 November 2017) Roy Mackenzie Rick Medlock2 Steve Munford Paul Walker3 Vin Murria 100% 100% 100% 100% 67% 50% 100% 100% 100% 83% 100% 100% 100% 100% 67% 100% 100% 100% 67% 100% 100% 100% 100% 100% 100% 100% 100% 100% Board Audit and Risk Committee Remuneration Committee Nominations Committee

Directors who are unable to attend scheduled meetings due to competing engagements or unforeseen circumstances are encouraged to input offline and ideally, ahead of the meeting.
1 Peter Gyenes is Chairman of the Board and of the Nominations Committee
2 Rick Medlock was appointed Chairman of the Audit and Risk Committee, effective from Edwin Gillis’s resignation on 7 September 2017
3 Paul Walker is Chairman of the Remuneration Committee

Board Focus During FY18

• provided strong oversight of the Group’s strategy and growth plans, and considered the key risks;
• discussed potential future acquisition opportunities in support of the Company’s strategy;
• retained focus on the performance of the Company’s existing portfolio of products, key risks to delivery for the portfolio, together with the ongoing portfolio management strategy and different portfolio scenarios;
• reviewed the Company’s operating results and financial statements with management and the Company’s external auditor. The Board also reviewed and approved the operating plan for the fiscal year;
• reviewed the Annual Report including detailed consideration of the identified principal risks and their continued effective management to achieve the Group’s strategic objectives, the ongoing appropriateness of the adoption of the going concern basis of accounting, the appropriateness of the Viability Statement disclosure; and ensured that the Annual Report was fair, balanced and understandable and it provided the information necessary to assess the Group’s position and performance, business model and strategy;
• retained focus on risk, and in particular cybersecurity;
• oversaw the adoption of new articles of association;
• reviewed the changing corporate governance landscape and kept under review the Group’s own corporate governance arrangements including GDPR preparedness, internal policies relating to share dealing, inside information and disclosure, whistle blowing, and publication of the FY17 Modern Slavery Act Transparency Statement;
• undertook a shareholder engagement programme with key shareholders;
• retained focus on those areas recommended for
improvement during the FY17 Board evaluation process and implemented change accordingly; and • undertook an internal evaluation of its performance and effectiveness, and that of each Director and its Committees. Full biographical details of the SMT can be found on the Company’s website at www.sophos.com. Board Evaluation In accordance with current best practice and the Code, the Board undertakes an annual formal evaluation of its performance and effectiveness and that of each Director and its Committees. It is the Board’s policy to invite external evaluation every three years. External evaluation last took place in FY17 and was facilitated by Duncan Reed of Condign Board Consulting Limited. Duncan Reed is independent, his only connection with Sophos is his work on the Board evaluation. The Board continued to consider the agreed recommendations for improvement during FY18 and reviewed and measured progress, as they were implemented. The FY18 evaluation process was facilitated by the Chairman with the support of the Company Secretary, and was undertaken in March 2018. The final evaluation report and suggested priorities were discussed by the Board and each Committee at their respective meetings in May 2018. The FY18 evaluation focused on a number of areas, including: performance against the FY17 evaluation recommendations, the Board and Committees’ structure, composition, and their operations, the chairmen, induction and training, and strategy, risk management and internal control. Following the results of the FY18 evaluation, the Board is content that it remains committed, effective and purposeful in seeking to deliver value to shareholders. The Directors are individual experts in their field, and work well together with a mutual respect, transparency and authenticity. In addition, the Board remains confident in the committee structure in place, and level of specialist support and assurance it affords. 
Corporate Governance Statement continued

A review of progress against the FY17 recommendations adopted by the Board for improvement in FY18, together with an outline of the proposed FY19 initiatives as a result of this year’s FY18 internal evaluation, is set out below:

Actions taken in FY18 following the FY17 Evaluation

The role of the Board: During the year, the Directors and Company Secretary evaluated existing Board operations, including the format, tone and detail of Board materials, and the schedule for their dissemination. The Board adopted a number of enhancements that have improved the information quality and flow, and the allocation of the Board’s time. The Company Secretary has implemented a review process to facilitate ongoing refinement of these processes.

Focused debate at the Board: The Board also introduced an annual strategic agenda and adopted a revised pattern of Board and Committee meetings. Together with the adoption of a consistent approach to Board materials, this has enhanced agenda planning, facilitated better use of the Board’s time and expertise, and ultimately improved the quality of Board discussion.

Support Board and Committee rotation: The Nominations Committee held detailed discussions throughout the year concerning planning for future Board and Committee rotation. Following changes during the year, the Board’s composition is compliant with the Code’s provisions for independence. The Board is confident that it has in place the appropriate range of value accretive skills, experience and knowledge relevant to each forum, yet it recognises that this is an ongoing process and is committed to ensuring the Board and its Committees remain appropriately constituted.

Ensure understanding of wider shareholder sentiment on Company matters: The Executive Directors met regularly with shareholders throughout the year and the Board received frequent updates concerning shareholder sentiment and the view of analysts on Company matters, including its products and performance. In addition, a number of Directors attended and met with analysts at a Capital Markets Day held in September 2017. The Board will invite external advisers or the Company’s brokers to attend certain meetings to provide an independent view. Additionally, the Remuneration Committee Chairman speaks directly with major shareholders and shareholder advisory groups on executive compensation matters.

Recommendations for FY19 following the FY18 Evaluation

Board agenda: The Board will continue to shape the annual strategic agenda and further develop the relevance of items, and the breadth of subject matter, including incorporating appropriate external parties each year to facilitate additional in-depth discussion of the factors affecting the Company’s opportunities.

Board succession: As the majority of our Non-Executive Directors enter their second three-year term in June 2018, the Board will further support the Nominations Committee to focus on succession planning and ensure at all times that the Sophos Board operates effectively and retains membership that consistently combines a detailed knowledge of: the Group’s operations and history; the technology industry in which the Group operates; leadership of a global business; and, being listed on the London Stock Exchange.

Board development: The Board will introduce a Non-Executive Director training and development programme which will bring together a variety of informal briefings, technical updates and further interaction with the SMT.

Developing stakeholder engagement: While the Board believes its current plans for ongoing stakeholder engagement are appropriate and effective, in light of planned revisions to the Code, the Board will also spend time considering its communication with employees, channel partners and wider stakeholders on an ongoing basis, to ensure the appropriate alignment.

Corporate Governance Report

The Company is committed to maintaining a high standard of corporate governance. This report, which is available on the Company’s website, including the Audit and Risk Committee Report, Directors’ Remuneration Report, the Nominations Committee Report and the Disclosure Committee Report, details how the Company has applied the main principles and provisions of the UK Corporate Governance Code (the Code): leadership, effectiveness, accountability, remuneration and relations with shareholders. A copy of the Code is available on the Financial Reporting Council’s website www.frc.org.uk. The Company’s business model is explained in the Strategic Report. It is the Board’s view that it has been fully compliant with the Code throughout the financial year, except for the period 7 September to 28 November 2017 during which time membership excluding the Chairman, comprised 44 per cent independent Non-Executive Directors. Full details of the Board’s independence are set out on page 52.

A: Leadership

A.1 The role of the Board

The Board is collectively responsible to Sophos shareholders for promoting the long-term success of the Company and the operation of effective governance arrangements. The steps the Board takes to facilitate this are set out on pages 46 to 87. The Board provides leadership and sets the Company’s strategic long-term objectives.
A formal schedule of matters reserved for the Board is published on the Company’s website, which includes:
• overall management of the Group, its strategy and long-term objectives;
• ensuring that necessary resources and the appropriate risk management controls, processes and culture are in place to deliver its strategy and long-term objectives;
• approval of all material corporate transactions;
• approval of the Group’s annual and half-year results, dividend policy and shareholder distributions;
• succession to the Board and senior management team;
• approval of all material policies including Diversity, Anti-Bribery and Corruption, Modern Slavery, Share Dealing and Whistle Blowing;
• corporate governance arrangements and Board evaluation; and
• determining the remuneration policy for the Directors and the SMT.

The Board held six scheduled Board meetings during the year and holds additional meetings, as required. All Directors are expected, wherever possible, to attend all Board and relevant Committee meetings in addition to general meetings of the Company, including the AGM. Details of Board and Committee attendance for the year are set out on page 48. All Directors are covered by the Company’s Directors’ and Officers’ liability insurance. The Board has a number of committees that support the effective discharge of its duties. The various committee reports can be found on pages 55 to 81 of this Report and each committee’s full terms of reference are available on the Company’s website at: investors.sophos.com.

A.2 Division of responsibilities

The division of responsibilities between the Chairman and Chief Executive Officer, and the role of the Senior Independent Director, are clearly defined and are available on the Company’s website at: investors.sophos.com. The Board supports the separation of these roles and the partnership between Peter Gyenes and Kris Hagerman is constructive and based on mutual trust.
The separation of authority enhances independent oversight of the executive management by the Board and helps to ensure that no one individual has unfettered authority.

A.3 The Chairman

The Chairman leads the Board and is responsible for its effective operation, for overseeing strategy and for ensuring each Director contributes to effective decision-making. The Chief Executive Officer is expected to lead the business, to develop and deliver the strategy to enable the Company to achieve its strategic long-term objectives and to develop the Senior Management Team. With the Company Secretary, the Chairman sets the Board’s agenda for the year and ensures sufficient time is available for the discussion of all items. At at least one meeting each year, strategic issues are considered in depth with members of the SMT invited to attend, where appropriate. In accordance with the Code, the Chairman was independent on appointment.

A.4 Non-Executive Directors

Paul Walker was Senior Independent Director for the duration of the year. The responsibilities of the Senior Independent Director include meeting with shareholders as an alternative contact to the Chairman, Chief Executive Officer or Chief Financial Officer and working closely with the Chairman, acting as a sounding board and providing support. The Senior Independent Director is expected to commit six days per year to the role and will commit significantly more in exceptional years. This is in addition to the expected time commitment of a Non-Executive Director. In accordance with the Code, the Non-Executive Directors are encouraged to challenge constructively and to help develop proposals on strategy, scrutinise the performance of management in meeting agreed goals and objectives, and monitor the reporting of performance. They should satisfy themselves on the integrity of financial information and that financial controls and systems of risk management are robust and defensible.
As part of the FY18 Board Evaluation, Paul Walker and the Non-Executive Directors considered, without the Chairman present, the Chairman’s performance. The next performance evaluation will take place during the FY19 Board Evaluation process. The Chairman meets with the Non-Executive Directors without the Executive Directors present after each physical Board meeting, and individually with each Non-Executive Director at least once a year. During the year, the Directors had no unresolved concerns about the running of the Company or any proposed action. It is Company policy that any such unresolved concern must be recorded in the Board minutes.

B: Effectiveness

B.1 Board composition

At the date of publication, there are seven Non-Executive Directors, including the Non-Executive Chairman (who, for the purposes of the Code, was independent on appointment), on the Board and two Executive Directors. The Board composition is compliant with B.1.2 of the Code, as at least half of the Board, excluding the Chairman, comprises independent Non-Executive Directors.

Independence

During the year, the Board kept under review the overall balance of skills, experience, independence and knowledge of Board and Committee members and their diversity, including gender, and weighed carefully its overall size and ability to meet the requirements of the business. It is the Board’s view that its current members have a wide range of value accretive skills and experience. The Board believes that, to lead the Company successfully, it requires a membership that combines detailed knowledge of: the Group’s operations and history; the technology industry in which the Group operates; leadership of a global business; and, being listed on the London Stock Exchange.
The Board is confident that the balance of independence weighed against the strong judgement and considerable knowledge that each Non-Executive Director brings, is right and appropriate for Sophos. However, the Board recognises that this is an ongoing process and is committed to ensuring the Board and its Committees remain appropriately constituted. In the spirit of the Code, it is the Board’s intention to continue to consider candidates as they may be identified, and the Nominations Committee has identified a number of technical and personal capabilities which the Board would value in any new Non-Executive Director. In accordance with the Code, the Board undertakes an annual review of the independence of its Non-Executive Directors taking into account each individual’s professional characteristics, behaviour and their contribution to unbiased and independent debate. The Board considers that the Non-Executive Directors, led by the Senior Independent Director Paul Walker, have the skills, experience and knowledge of the Group, and the markets in which we operate to enable them to discharge their respective duties and responsibilities effectively. Each Non-Executive Director is prepared to question and to challenge management. The Board considers four of its Non-Executive Directors to be independent for the purposes of the Code; Steve Munford and Roy Mackenzie are not considered independent. The Board recognises that Sandra Bergeron’s overall length of service will be more than eight years after the 2018 AGM which may lead some investors to question her independence. The Board considered this issue and agreed that Sandra continues to maintain and contribute an independent view in all Board deliberations and brings invaluable security, operations and board advisory expertise spanning more than 20 years. In addition, at the 2018 AGM Sandra will have served on the Board for two years from the date of her first election, in line with the Code. 
Comments have been made regarding Paul Walker’s past participation in a restricted share arrangement, as noted in the annual report on Directors’ Remuneration on page 81, which may have led some investors to question his independence. The Board are agreed that since his appointment as Senior Independent Director, Paul, whose technology and senior leadership experience spans more than 30 years, has been independent in character and judgement and remains an active and committed Board member and Chairman of the Remuneration Committee. Finally, the Board recognises that Peter Gyenes, the Chairman, is also a Director of Carbonite Inc. on whose board Steve Munford is chairman. The Board consider that Peter was independent upon appointment and continues to maintain and contribute an independent view notwithstanding this cross-directorship. Peter brings valued leadership to the Board and unwavering commitment to supporting the Company to achieve its long term strategic objectives. Conflicts of Interest The Company has established procedures whereby actual and potential conflicts of interest arising from current and proposed roles to be undertaken by Directors of the Board with other organisations are regularly reviewed in respect of both the nature of those roles, and their time commitment, and for proper authorisation to be sought prior to the appointment of any new Director. The Board consider these procedures to be working effectively. Directors are required to notify Sophos when they become aware of any actual or potential conflict of interest. The Board deals with each notified conflict of interest, or potential conflict of interest, on its individual merit and takes into consideration all the circumstances. The following conflicts of interest have been authorised by the Board for the relevant period. • Salim Nathoo was a partner of Apax Partners, LLP and Roy Mackenzie is a partner at Apax Partners, LP. 
Apax Partners, LP is a wholly owned subsidiary of Apax Partners, LLP. Both Apax Partners, LP and Apax Partners, LLP are advisors of the Apax Funds, which wholly own Pentagon Lock Sarl, Pentagon Lock 6-A Sarl, Pentagon Lock 7-A Sarl and Pentagon Lock US Sarl, and shares a common owner with Apax Global Alpha Limited (collectively “Apax”). It was noted that:
  • following the admission of the Company’s shares to the London Stock Exchange in 2015, Apax controlled 35.2 per cent of the voting rights in the Company and at 31 March 2018, controlled 11.09 per cent of the voting rights in the Company; and
  • Apax is a shareholder of Global Logic, with whom the Company maintains an ongoing supplier relationship, and on whose board Salim Nathoo was also a director.
• Steve Munford is chairman, and Peter Gyenes is a director of, Carbonite, Inc. which supplies cloud and hybrid data protection solutions. Steve is also interim chief executive of Absolute Software Corporation which supplies endpoint visibility and data protection solutions, and sits on the board of Alert Logic, Inc. which supplies security and compliance solutions.
• Sandra Bergeron sits on the boards of F5 Networks and Qualys, Inc., suppliers of application delivery networking and cloud security and compliance management solutions, respectively.
• Vin Murria is a non-executive director of Softcat plc, with whom the Company maintains an ongoing customer relationship.

B.2 Appointments to the board

Following the appointment of Rick Medlock as a Non-Executive Director with effect from 3 April 2017, there were no further appointments to the Board during the year. The succession and appointment process is led by the Nominations Committee with strong oversight from the Board. Further details concerning the succession and appointment process, and the Company’s policy on diversity are set out in the Nominations Committee report on pages 55 and 56.
All Non-Executive Directors serve on the basis of letters of appointment which are available for inspection upon request. The letters of appointment set out the expected time commitment of Non-Executive Directors who, on appointment, undertake that they will have sufficient time to meet what is expected of them. Non-Executive Directors are appointed for an initial three-year term and the continuation of their appointment is conditional on satisfactory performance and subject to annual re-election at the Company’s annual general meetings. Executive Directors serve on the basis of service agreements which are also available for inspection upon request. Further details on the Executive Directors’ service agreements are included in the Directors’ Remuneration Policy, on page 70.

B.3 Commitment

During the year, the Board considered the external commitments of its Chairman, Senior Independent and other Non-Executive Directors and is satisfied that these do not conflict with their duties and time commitments as Directors of the Company. Executive Directors may accept external appointments with the prior approval of the Chairman, provided that such appointments do not prejudice the executive’s ability to fulfil their duties for the Group.

B.4 Development

The Chairman, with the support of the Company Secretary, is responsible for the induction of new Directors, and the ongoing development of all Directors. An induction programme is provided to all Directors on joining the Board, designed to provide an understanding of the Group’s business, governance and key stakeholders. The induction process continues to evolve and currently includes the provision of an induction pack and past Board materials, meetings with key individuals and the Company’s advisors, and briefings on the Company’s products, as well as key business, legal and regulatory issues facing the Group.
As the business environment changes, it is important to ensure the Directors’ skills and knowledge are refreshed and updated regularly. Accordingly, the Company Secretary ensures that updates on corporate governance, regulatory and technical matters are published to Directors at Board meetings and by means of communications between meetings. The Board’s approach to training and development opportunities continues to develop and the Company Secretary (in consultation with the Chairman) works closely with Directors to ascertain their training and development needs. Through this process, the Board’s approach continues to be tailored to address the identified areas for focus as well as topical corporate governance, regulatory and technical matters. Each year the Directors are invited to attend the annual Partner Conferences to support their familiarity with the Group’s products and operations. B.5 Information and support The Directors have full access to the Chief Legal Officer and Company Secretary, who each advise the Board and the Board Committees on relevant matters, including compliance with the Company’s policies and procedures, relevant legislation and regulation, including the Listing Rules and the Code and other governance standards. The Chief Legal Officer and Company Secretary are each available to provide guidance to the Board and individual Directors regarding their duties, responsibilities and powers and the Company Secretary ensures the proper administration of the proceedings and matters relating to the Board. The Chief Executive Officer and the Company Secretary work together to ensure that Board papers are clear, accurate, delivered in a timely and secure manner to Directors, and are of sufficient quality to enable the Board to discharge its duties effectively. Directors may obtain independent professional advice at the Company’s expense in the furtherance of their duties, where considered necessary or advisable. 
All Directors have access to an online portal to which Board materials are published and Board resources, including information about the Company and helpful guidance documents for their reference as Directors of a UK listed company, are available. B.6 Evaluation In FY18, performance evaluations of the Board, its Committees and individual Directors were carried out internally. External evaluation last took place in FY17 and will take place again in FY20. The FY18 evaluation considered performance against the FY17 evaluation recommendations, the Board and Committees’ structure, composition, and their operations, the chairmen, induction and training, and strategy, risk management and internal control. Further details of the evaluation, together with recommendations for FY19, can be found on pages 49 to 50. As part of the internal evaluation, the Non-Executive Directors evaluated the performance of the Chairman. Following the evaluation, the Board is satisfied that it remains committed, effective and purposeful in seeking to deliver value to shareholders. In addition, the Board remains confident in the committee structure in place, and level of specialist support and assurance it affords. B.7 Election and re-election In accordance with the Company’s Articles of Association (the “Articles”) and the Code, each Director is subject to election at the first AGM following their appointment, and re-election at each subsequent AGM. The Directors unanimously recommend the re-election of all other members of the Board. Full biographical details for all Directors can be found on pages 44 and 45, and summarised in the Notice of AGM. 
C: Accountability

C.1 Financial and business reporting

A statement of the Directors’ responsibilities regarding the Financial Statements, including the status of the Group as a going concern, is set out on page 86, with an explanation of the Group’s strategy and business model, together with relevant risks and performance metrics, which are set out in the Strategic Report on pages 16 to 43. A further statement is set out on page 87, confirming that the Board considers that the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Company’s position, performance, business model and strategy.

C.2 Risk management and internal controls

The Board has carried out a robust assessment of the principal risks facing the Company, including those that would threaten its business model, future performance, solvency or liquidity. Further details concerning how they are being managed or mitigated can be found on pages 34 to 37. The Audit and Risk Committee report explains the process carried out for the ongoing assessment of the effectiveness of the Company’s risk management and internal control systems on pages 57 to 61. The Board’s assessment of the prospects of the Company, its expectation that the Company will be able to continue in operation, and meet its liabilities as they fall due (the viability statement) is set out on page 86.

C.3 Audit Committee and Auditors

The Audit and Risk Committee report on pages 57 to 61 sets out the details of the composition of the Committee, including the expertise of its members, and outlines how the Committee has discharged its responsibilities in FY18. The Board has delegated a number of responsibilities to the Audit and Risk Committee, including: oversight of the Group’s financial reporting processes; management of the external auditor; and, management of the internal risk management processes. Full details are set out in the terms of reference for the Committee published at investors.sophos.com. KPMG LLP have expressed their willingness to continue as the Company’s auditor. Resolutions proposing their reappointment and to authorise the Committee to determine their remuneration will be proposed at the 2018 AGM.

D: Remuneration

D.1 Level and components of remuneration

The annual report on Directors’ Remuneration on pages 72 to 81 outlines the activities of the Committee during FY18. The Company’s Directors’ Remuneration Policy, including relevant remuneration components and how they support the achievement of the strategic long-term objectives of the Company are set out on pages 65 to 71. The annual report on Directors’ Remuneration sets out the implementation of remuneration during FY18, including salary, bonus and share awards, and payments for loss of office paid to Directors. The Board believes that the Company’s current Remuneration Policy, as approved by shareholders at the 2016 AGM, remains appropriate and fit for purpose.

D.2 Procedure

The Board has delegated a number of responsibilities to the Remuneration Committee, including the setting of the Group’s overall remuneration policy and strategy, as well as the remuneration arrangements for the Executive Directors and SMT and their direct reports. Full details are set out in the terms of reference for the Committee published at investors.sophos.com. During FY18, no individual was present when their own remuneration was being discussed.

E: Relations with Shareholders

E.1 Dialogue with Shareholders

The Board recognises that meaningful engagement with its shareholders is integral to the continued success of the Group. Throughout FY18, members of the Board have sought to actively engage with shareholders on a number of occasions, through meetings, presentations and roadshows. Non-Executive Directors are kept informed of the views of the shareholders through periodic reports from the Chief Executive Officer and the Chief Financial Officer, including inputs from the corporate brokers with whom they are in regular contact. The Non-Executive Directors are invited to attend meetings in the investor relations programme, including the Capital Markets Day, and welcome the opportunity to meet with our major shareholders.

Annual General Meeting

The AGM will be held on 30 August 2018 at the Company’s registered office. All shareholders have the opportunity to attend and vote, in person or by proxy. The Notice of AGM is sent to all shareholders who have requested to receive hard copy documentation and can also be found on our website at investors.sophos.com. The Notice of AGM sets out the business of the meeting and explanatory notes on all proposed resolutions. Separate resolutions are proposed in respect of each substantive issue. The AGM is the Company’s principal forum for communication with private shareholders.

By order of the Board
Chloe Barry
Company Secretary
16 May 2018

Nomination Committee Report

Dear Shareholder,

The Committee met three times during the year and ensures that Board and Committee composition is appropriate for a company of Sophos’ scale and ambition. The key aspects of the Committee’s role, together with the main areas of consideration and the activities undertaken during the year are set out in this report.

During the year, particular time was taken to:
• review the composition of the Board and its Committees;
• consider the implications for Board composition of the results of the FY18 Board evaluation process and the retirement of Edwin Gillis, and resignation of Salim Nathoo, respectively;
• consider succession plans for SMT, Board, and Committee appointments;
• identify a number of technical and personal capabilities which the Board would value in any new Non-Executive Director;
• review the Company’s Diversity Policy and consider the Company’s objectives to deliver against its commitments;
• monitor external commitments of the Board, as they relate to their time commitments to the Company and potential conflicts of interest; and,
• review and recommend the election and re-election of Directors at the Company’s 2017 AGM.

Committee Composition and Meeting Attendance

As disclosed in our last report to Shareholders, the Committee welcomed Rick Medlock as a new member during the year and said farewell to Edwin Gillis following his retirement in September 2017. The composition of the Committee is compliant with the Code, which provides that a majority of its members should be independent Non-Executive Directors. The Committee is chaired by the Chairman of the Board. The Company Secretary is secretary to the Committee and attends all meetings. Other attendees at Committee meetings may differ from time to time and, upon invitation from the Committee, include the Chief Executive Officer and other members of the SMT.

Attended of those eligible:
Peter Gyenes (Chairman): 100%
Sandra Bergeron: 100%
Roy Mackenzie: 67%
Rick Medlock: 100%
Vin Murria: 100%
Paul Walker: 100%
All appointments as at 31 March 2018.

Role and Responsibilities

The Committee is responsible for regularly evaluating the balance of skills, knowledge, experience and diversity of the Board and its Committees, as well as the size, structure and composition of each.
It is also responsible for periodically reviewing the Board, Committees’ and senior management structure, succession plans, and identifying, with management, the priorities for succession planning in respect of each position. On an annual basis, the Committee considers the re-election of Directors prior to their recommended approval by shareholders. The full terms of reference of the Committee can be found on the Company’s website at: investors.sophos.com.

Main Activities

The Committee has an annual forward agenda developed from its terms of reference with standing items that the Committee considers at each meeting, in addition to any specific matters arising, and topical business or governance items on which the Committee has chosen to focus.

Board Composition and Independence

Following the resignation of Salim Nathoo on 28 November 2017, the Board, excluding the Chairman, comprises 50 per cent independent Non-Executive Directors (FY17: 44 per cent). The Board believes that, to lead the Company successfully, it requires a membership that combines detailed knowledge of: the Group’s operations and history; the technology industry in which the Group operates; leadership of a global business; and, being listed on the London Stock Exchange. The Board is confident that the balance of independence, weighed against the strong judgement and considerable knowledge that each Non-Executive Director brings, is right and appropriate for Sophos. However, the Board recognises that this is an ongoing process and in the spirit of the current Code, and cognisant of the provisions of the proposed new UK Corporate Governance Code relating to directors’ independence, the Board is committed to ensuring the Board and its Committees remain appropriately constituted.

Process for Board Appointments

The Committee leads the Board appointment process and makes recommendations to the Board, as appropriate.
During May 2016, the Company engaged Heidrick & Struggles, independent executive search consultants, with whom the Company has no other connection, to assist with Board searches, when required. Heidrick & Struggles is a signatory to, and abides by, the voluntary Code of Conduct on gender diversity and best practice.

The Company’s current process in relation to Board appointments is set out below:

Non-Executive Director
The Committee Chairman and consultants submit a short-list of candidates to the Committee and Chief Executive Officer for review and inclusion of additional candidates. The Committee Chairman, Senior Independent Director, Chief Executive Officer and Chief Financial Officer each meet selected candidates. Successful candidates go on to meet each Board member. After all Board members have met the candidate, the Committee make their recommendation to the Board.

Executive Director
The Committee Chairman and the Chief Executive Officer or, if engaged, search consultants, submit a short-list of candidates to the Committee. The Committee Chairman, Senior Independent Director, Chief Executive Officer and Chief Financial Officer each meet the selected candidates. Successful candidates go on to meet some or all of the Committee members. The Committee’s assessment is reviewed with the Chairman of the Board and the Chief Executive Officer and the Committee make their recommendation to the Board.

Succession

During the year, the Committee conducted a review of succession to SMT roles and those individuals who had been identified internally who would be suited to take on each role, as appropriate. Internal successors were categorised by their relative readiness to assume any such role and where it was not possible to identify a suitable internal successor, an external successor would be identified, as and when appropriate.
Management would look at the implementation of development plans to address any internal successors’ relative readiness to assume any such role. The Committee have kept a watching brief on succession to Board roles during the year, and would continue to do so during FY19.

Diversity

At 31 March 2018, the proportion of women on the Board was 22 per cent (FY17: 20 per cent). The Company’s Diversity Policy is published on its website at: investors.sophos.com. The Company recognises the benefits of diversity in its broadest sense, including gender and ethnicity, and will continue to ensure that all forms of diversity are actively considered when contemplating future appointments to the Board, and recruitment and promotion to the SMT, and their direct reports. As set out in the Company’s Diversity Policy, it is the Board’s intention to be mindful of the recommendations of the Davies and Hampton-Alexander reviews on Women on Boards and FTSE Women leaders respectively, when considering the composition of the Board, SMT and their direct reports. Details of a number of diversity initiatives introduced across the Group during the year are set out in the Corporate Responsibility Report on page 41, together with details of diversity within our workforce, including at Board and senior management level. The Board’s objectives for achieving diversity on the Board are set out below:
• all Board appointments will be made on merit, in the context of the skills, knowledge and experience that are needed for the Board to be effective;
• ensure long lists of potential Non-Executive Directors include diverse candidates of appropriate merit;
• encourage the emergence of female candidates and candidates of diverse backgrounds among the senior management talent pool; and,
• only engage executive search firms who have signed up to the voluntary Code of Conduct on gender diversity and best practice.
In addition to taking into account gender, ethnicity and other forms of diversity, the Committee seeks to achieve the optimal balance of skills, experience, independence and knowledge of Sophos and the industry as a whole amongst the Board and SMT, and their direct reports in order to support the Company’s long-term strategic objectives. The Committee will continue to keep these measurable objectives under review and will make recommendations to the Board for their revision, as appropriate. The Committee is pleased with the Group’s performance against these objectives to date, but acknowledges that this is an ongoing process.

Performance Evaluation

The Nominations Committee’s performance was assessed as part of the Board’s annual effectiveness review. It was concluded that the Committee operated effectively in FY18. In response to findings of the review, Committee members will continue to focus on succession planning as a number of Non-Executive Directors enter their second three-year term in June 2018. In addition, the Committee will remain available to the Company Secretary in relation to the introduction of a Non-Executive Director training and development programme. The Committee also undertakes a review of its terms of reference and composition each year. Following the most recent review in January 2018, no changes were proposed. The full terms of reference of the Committee can be found on the Company’s website, at: investors.sophos.com.

Peter Gyenes
Chairman of the Nominations Committee
16 May 2018

Audit and Risk Committee Report

Dear Shareholder,

The Committee met five times during the year and welcomed Rick Medlock as its Chairman in September 2017 and Vin Murria as a new Committee member in January 2018. Edwin Gillis stepped down as Chairman after the 2017 AGM.
Rick Medlock has a deep understanding and knowledge of financial management in the technology industry and extensive experience with globally-oriented UK-listed companies. Set out here are the key aspects of the Committee’s role in more detail, together with the main activities it has undertaken and the significant issues it has considered during the year.

Committee Composition and Meeting Attendance

Attended of those eligible:
Rick Medlock (Chairman): 100%
Sandra Bergeron: 100%
Vin Murria: 100%
Paul Walker: 100%
All appointments stated are as at 31 March 2018.

The composition of the Committee is compliant with the Principles of the Code, which provides that all members should be independent Non-Executive Directors. In line with the requirements of the Code and the FRC’s Guidance on Audit Committees, Rick Medlock, the Committee Chairman, has recent and relevant financial experience through his previous employment in senior financial positions at large companies, including until February 2018, as CFO of Worldpay Group plc, a UK listed company, and is a qualified Chartered Accountant. The Board is also satisfied that all members of the Committee have extensive experience of the technology industry in which we operate, sufficient to enable the Committee to exercise its duties effectively. Full biographical details are set out on pages 44 and 45. The Company Secretary is secretary to the Committee and attends all meetings. Other attendees at Committee meetings may differ from time to time and, upon invitation from the Committee, include the Chairman, the Chief Executive Officer, the Chief Financial Officer, Chief Information Officer and other members of the SMT. The Committee will also invite representatives from the internal auditor (Ernst & Young LLP (“EY”)) and the external auditor (KPMG LLP (“KPMG”)), as required.
Role and Responsibilities

The Committee has a fundamental role to play in reviewing, monitoring and challenging the integrity and effectiveness of the Company’s financial reporting and internal control processes. The Committee also oversees the relationship between the Group and its external auditor and makes recommendations to the Board on their appointment. In addition, the Committee monitors and reviews the external auditor’s independence, objectivity and the effectiveness of the audit process, taking into account relevant legal, professional and regulatory requirements. The full terms of reference of the Committee can be found on the Company’s website, at: investors.sophos.com.

Main Activities

The Committee has an annual forward agenda, developed from its terms of reference, with standing items that the Committee considers at each meeting, in addition to any specific matters arising, and topical business or financial items on which the Committee has chosen to focus. The Chairman and the Company Secretary have worked together to review and, where appropriate, refresh the annual forward agenda to bring into greater focus areas of importance for the Committee, and the Company. Such revisions have included the introduction of updates from the Chief Legal Officer and Head of Internal Audit at each meeting.
During the year, the work of the Committee fell into three main areas as follows:

Accounting, tax and financial reporting

The Committee has:
• reviewed and approved the quarterly trading updates, half-year and annual financial statements, the attendant significant financial reporting judgements and disclosures, and investor presentations;
• reviewed and approved the going concern and viability assessment, and the annual external statement thereon;
• reviewed updates on accounting matters, including consideration of relevant accounting standards and underlying assumptions, and in particular: the review and the use of constant currency comparators applied by the Company and the impact of changing accounting standards, most notably covering revenue recognition and leases; and,
• reviewed and approved the interim and full-year dividend proposals and adjudged them to be in line with the Company’s Dividend policy.

Risk management and internal controls

The Committee has:
• reviewed and approved the internal audit plan for the year as well as longer-term objectives and reports and updates of the work performed by the in-house internal audit team and EY, as the outsourced internal audit providers appointed by the Committee in 2015;
• reviewed and approved the risk assessment process and, in particular the identification and assessment of the Company’s principal risks and the attendant disclosures;
• received and noted regular updates from the Risk and Compliance Committee (“RCC”), a management committee that has a direct reporting line to the Committee, to provide an additional level of assurance to the Committee; and,
• received and noted regular updates from the Chief Legal Officer concerning pending or ongoing litigation, and statutory or regulatory risks, including General Data Protection Regulation preparedness and consideration of the HMRC Corporate Criminal Offence.
External Auditor

The Committee has:
• supported the new lead audit partner during his first year working with the Company;
• met with the external auditor, KPMG, to review the annual audit plan and receive their findings and reports on the annual audit and interim review; and,
• reviewed and approved the external auditor evaluation paper prepared by management covering the external auditor’s independence and objectivity, and evaluation of the effectiveness of the audit process, together with the attendant recommendation for reappointment.

Key matters covered by the Committee are reported to the subsequent meeting of the Board, which also receives copies of the minutes of each meeting.

Performance Evaluation

The Audit and Risk Committee’s performance was assessed as part of the Board’s annual effectiveness review. It was concluded that the Committee operated effectively in FY18. In response to findings of the review, Committee members will continue to work closely with management to consider the Group’s risk profile and review and challenge the Company’s systems for risk management and internal control as the Company grows and evolves. The Committee also undertakes a review of its terms of reference and composition each year.

Significant Issues

The issues considered by the Committee that are deemed to be significant to the Group are set out below:

Revenue Recognition

The Group generates revenue from sales of products through subscriptions, hardware and the rendering of enhanced support or professional services. There is a risk that revenue is inappropriately recognised if revenue is incorrectly apportioned to a product or service or if the recognition criteria of the product is not correct. The Group has a revenue recognition policy in place that details the application of relevant standards to the products and services sold by the Group.
The policy includes rules for applying fair value to components of multiple element arrangements and timing of recognition dependent upon the individual nature of the goods or services sold. At half-year and year-end management provide to the Committee an accounting paper on revenue recognition, any changes arising from updated standards and a commentary on the revenue recognised. The Group’s external auditors have reported to the Committee that they have reviewed the revenue recognition policy and processes as well as performing detailed testing of revenue recognition across the year and found revenue to be appropriately accounted for. This review last took place in March 2018, and the full terms of reference of the Committee are on the Company’s website, at: investors.sophos.com. Having provided appropriate challenge to management and the external auditors, the Committee has concluded that revenue recognition for the Group is appropriate. Reporting Requirements and Presentation The Group makes use of certain non-GAAP measures and discloses certain items separately within the consolidated statement of profit or loss as exceptional items which, in the opinion of the Directors, enables an enhanced understanding of the performance of the Group. The use of these measures and disclosures is judgemental in nature. The use of non-GAAP measures and the classification of certain income statement items as exceptional by the Group have been reviewed by the Committee during the year with reference to authoritative guidance and regulations as well as through discussions with management and external advisors. The Committee is satisfied that the use of such measures is appropriate and enhances the understanding of the Group’s financial performance and its prospects. 
The Committee has also reviewed the disclosures made in this Annual Report and has discussed them with the external auditors, so as to ensure that it is comfortable with the content and presentation made in the Annual Report.

Internal Controls and Risk Management

During the year, the Committee has received and reviewed reports regarding progress on risk management and the principal risks identified across the Group. The Committee was satisfied with the risk management process and with the relevance of the risks identified. It was also satisfied with the level of assurance provided by the Group’s Internal Audit and Risk Management function, which is supported by EY. The Committee has concluded that sound risk management and internal control systems have been maintained throughout the year.

Whilst the Board is ultimately responsible for the Group’s systems of risk management and internal control, each of the individual functional leaders is recognised as a key driver of the process through which risks and uncertainties are identified. The Board recognises that rigorous internal control systems are critical to managing risks and fundamental to the achievement of its strategic objectives. The Board further acknowledges that these systems are designed to manage rather than eliminate risk in the Group.

The formal process for identifying, evaluating and managing significant risks faced by the Group is overseen by the RCC in association with the work performed by the Internal Audit and Risk Management function. The RCC has designed the risk framework in order to capture and evaluate control weaknesses and risks facing the business. Where the Board defines an identified risk as significant, procedures are established to ensure that necessary action is taken to rectify or mitigate as appropriate.
These aforementioned functions provide additional assurance to the Committee who have ultimate responsibility for the oversight and review of the adequacy and effectiveness of the Group’s systems of internal controls. The external auditors provide a supplementary, independent and autonomous perspective on those areas of the internal control system which they assess in the course of their work. Their findings are regularly reported to both the Committee and the Board. Key elements of the control environment are: • annual budgets and strategic plans performed for all business units and the Group as a whole • monitoring of performance against budget and subsequent forecast with reporting to the Board on a regular basis • monthly review of detailed key performance indicators • all contracts are reviewed at a level of detail appropriate to the size and complexity of the contract • timely reconciliations are performed for all significant balance sheet accounts • clearly defined organisational structure and authorisation lines • the RCC that oversees the risk management process • the Committee, which approves audit plans and assesses the overall appropriateness of the Group’s internal control environment. The preparation and issue of financial reports is managed by the Group’s finance department, as delegated by the Board. The Group’s financial reporting process is controlled using the Group accounting policies and reporting systems. The Group’s finance department supports all reporting entities with guidance on the preparation of financial information. Each legal entity has a Finance Director or Controller who has responsibility and accountability for providing information which is in accordance with agreed policies. The financial information for each entity is subject to a review at reporting entity and Group level by the Chief Financial Officer alongside the Vice President of Finance. 
The Annual Report is reviewed by the Committee in advance of presentation to the Board for approval. Additionally, the Finance Director or Controller of each significant reporting entity completes a self-certified quarterly Financial Reporting Review Questionnaire which is used to identify control strengths and weaknesses across all financial areas, with any weaknesses being subsequently addressed.

The Group also maintains a consolidated Risk Register which sets out the nature and extent of the significant risks facing the Group. Each of the risks is prioritised according to likelihood of occurrence and potential impact to the Group and the register ensures that all risks are identified, measured, mitigated, and managed by the appropriate owner.

The Directors, through the use of appropriate procedures, systems and the employment of competent personnel, have ensured that measures are in place to secure compliance with the Company’s obligation to keep adequate accounting records. The accounting records are kept at the registered office of the Company.

How We Manage Risk

The Sophos Board is ultimately responsible for ensuring effective identification, assessment and management of risk across the Group. Central to the risk management process is the Group’s culture of openness, transparency and accountability. The Internal Audit and Risk Management function manages and drives the risk management framework and operates on an independent basis providing further assurance to the Committee and the Board. The risk management framework enables a robust assessment process to identify risks in line with the overall achievement of the business strategy. This function also ensures that all relevant and significant risks identified across the business are mapped to the Internal Audit plan for the year. In addition, the Group’s annual planning and quarterly forecasting cycles include discussions around business risks identified to ensure appropriate investment by the Group.
On a quarterly basis, the RCC reviews the status of risk exposures and risk management throughout the business as managed by the Internal Audit and Risk Management function. The RCC is a committee of senior leaders authorised by the Board to provide an additional level of assurance to the Committee in overseeing risk management and internal control activities. On behalf of the Board, the Committee reviews and challenges the effectiveness of the risk management process.

Whistleblowing

A whistleblowing policy is in place in the Group enabling employees to confidentially report matters of concern directly to Non-Executive Directors. The Committee receives details of any matters raised.

[Figure: Risk Management Process cycle: Identify; Analyse & Evaluate; Develop & Implement Risk Management Plan; Re-evaluate]

The Group takes a two-pronged approach to identifying risks:
1) A bottom-up approach at the business function level where these risks are managed at the operational level with an appropriately defined escalation process in place for those risks rated as high.
2) A top-down approach at the senior leadership team level which are the principal risks which could have a serious impact on the strategic business plan of the Group and may encompass several of the risks identified in the bottom-up approach.

A series of risk identification approaches are used, such as risk identification and horizon scanning workshops, interviews, and inclusion of risk discussions in team meetings. Risk registers are fully owned at the business function level and registers are maintained and reviewed on a quarterly basis. All identified risks are assessed against a pre-defined scoring matrix and prioritised accordingly. Any risks identified in the bottom-up approach deemed to be rated as higher risk are escalated in line with pre-defined escalation procedures for further evaluation.
Following the identification of risks, a risk management plan is developed and implemented. This is managed by the assigned risk owner with regular feedback to the RCC. Regular reporting of risk management ensures each risk is re-evaluated on a timely basis to ensure that all relevant risks are identified and managed appropriately and that the Board is focused on the principal risks identified.

Internal Audit

EY continue to support the Sophos Internal Audit and Risk Management function. The Group’s Chief Financial Officer provides oversight and co-ordination of Internal Audit with support from the RCC. In order to ensure independence, the Internal Audit function has a direct reporting line to the Committee and its Chairman.

The nature and scope of the Internal Audit plan, using a risk-based approach, was approved by the Committee, with any subsequent changes to the plan requiring further approval. The results of the audits were assessed alongside responses from management. Any outcomes graded as requiring improvement were considered in detail by the Committee along with the appropriateness of mitigation plans to resolve the issues identified. At each meeting, the Committee received audit reports and updates from the Internal Auditors, in order to ascertain progress in completing the Internal Audit plan and to review results of the audits.

The Internal Audit plan continues to be developed through a review of formal risk assessments, together with consideration of the Group’s key business processes and functions that could be subject to audit. The Committee monitored and reviewed the scope and results of the Internal Auditors’ activities as well as the effectiveness of Internal Audit during the financial year.

Review of Effectiveness

The Board, through the Committee, has reviewed and considered the effectiveness of the risk management and system of internal controls in operation across the Group.
The main objectives of the Group’s internal control systems are:
• to ensure its aims and objectives are met;
• to ensure adherence to management policies;
• to ensure compliance with statutory requirements;
• to safeguard assets; and
• to ensure the relevance, reliability and integrity of information, so ensuring as far as possible the completeness and accuracy of records.

Any system of control can only ever provide reasonable and not absolute assurance that control weaknesses or irregularities do not exist, or that there is no risk of material errors, losses, fraud, or breaches of laws or regulations. Accordingly, the Group is continually seeking to improve the effectiveness of its systems of internal control.

The Committee has concluded that the Group’s risk management and system of internal controls is deemed effective. This is informed by a number of sources:
• the audit work undertaken by the Internal Audit function;
• risk management procedures managed and overseen by the RCC; and
• reports issued by the Group’s external auditors.

A detailed review of the Group’s management of each principal risk or uncertainty is explained on pages 34 to 37.

External Auditor

The Committee reviews and makes recommendations with regard to the appointment and reappointment of the external auditors. In making these recommendations, consideration is given to auditor effectiveness and independence, partner rotation and any other factors that may impact the reappointment of the external auditors. There are no contractual restrictions on the choice of external auditors and the Committee considers on an annual basis the need for a formal tender process in accordance with the provisions of the UK Corporate Governance Code.

The Group’s auditors, KPMG LLP, were appointed for the year-ended 31 March 2001 with the audit engagement partner rotation last occurring for the current year-end.

The external auditors may perform certain non-audit services for the Group, though above a certain level of materiality, any such non-audit services require pre-approval by the Audit and Risk Committee and are only permitted to the extent allowed by relevant laws and regulations.

Non-audit fees for the year ended 31 March 2018 were nil; in the year-ended 31 March 2017 the non-audit fees were 33 per cent of the audit and audit-related fees. During the year-ended 31 March 2017 the non-audit services provided by KPMG related primarily to tax compliance activities. Full details of auditor remuneration are shown in note 9 to the Financial Statements.

Review of Effectiveness of External Auditor

An important role of the Committee is to assess the effectiveness of the external audit process. In performing this assessment, the Committee:
• reviewed the annual audit plan and considered the auditor’s performance against that plan along with any variations to it;
• met with the audit engagement partner to review the audit findings and responses received to questions raised by the Committee;
• held regular meetings with the audit engagement partner, including in the absence of executive management;
• considered their length of tenure;
• reviewed the nature and magnitude of non-audit services provided; and
• reviewed the external auditor’s own independence confirmation presented to the Committee.

Based on the assessment performed, the Committee has recommended to the Board that a resolution to reappoint KPMG LLP be proposed at the 2018 AGM.

Rick Medlock
Chairman of the Audit and Risk Committee
16 May 2018

Disclosure Committee Report

At each Board and SMT meeting, transactions or events are considered against the disclosure obligations of the Company and whether any matter is considered to be price sensitive.

Main Activities

Key issues reviewed by the Disclosure Committee during the year included:
• the trading update for the three-months, and full-year, ended 31 March 2017;
• the preliminary results announcement;
• the trading update for the three-months ended 30 June 2017;
• the Capital Markets Day and trading update on 6 September 2017;
• the proposed final dividend;
• the announcement in respect of the interim results for the six-months ended 30 September 2017;
• the interim dividend; and
• the trading update for the three-months ended 31 December 2017.

Committee Composition

Kris Hagerman (Chairman)
Nick Bray
Eleanor Lacey

All appointments stated are as at 31 March 2018.

The Committee comprises the Chief Executive Officer, Chief Financial Officer and Chief Legal Officer, and is chaired by Kris Hagerman, the Chief Executive Officer. A quorum of two members, including at least one Executive Director is required for the transaction of business. The Company Secretary is secretary to the Committee.
Role and Responsibilities

The Committee is responsible for the implementation and monitoring of systems and controls in respect of the identification, management and disclosure of inside information and for ensuring that regulatory announcements, shareholder circulars, prospectuses and other documents issued by the Company comply with applicable legal or regulatory requirements.

The primary responsibilities of the Committee include:
• review of the preliminary results announcement, the interim management statements, the half-year results and any other trading statements, and investor presentations;
• review of information provided to the Committee, consideration of its potential categorisation as inside information and determination of the date and time at which that inside information first existed within the Company;
• determination of whether any identified inside information gives rise to an immediate disclosure obligation, or whether it is permissible to delay disclosure; and,
• review and approval of announcements in respect of disclosable projects.

Annual Statement of the Remuneration Committee Chairman

Dear Shareholder,

As Chairman of Sophos’ Remuneration Committee, I am pleased to present the FY18 Directors’ Remuneration Report which has been prepared by the Committee and approved by the Board.
In line with the UK reporting regulations, this report is divided into three sections: • the Annual Statement of the Remuneration Committee Chairman, which this year includes a ‘Remuneration at a Glance’ section on page 64; • the Directors’ Remuneration Policy, which was approved by shareholders at the 2016 AGM and details Sophos’ remuneration policies and their link to Group strategy, as well as projected pay outcomes under various performance scenarios, set out on pages 65 to 71; and, • the Annual Report on Remuneration, which focuses on our remuneration arrangements and incentive outcomes for the year under review and how the Committee intends to implement the Remuneration Policy in FY19, set out on pages 72 to 81. The Annual Report on Remuneration will be put to an advisory vote at the AGM on 30 August 2018. The Context for Executive Remuneration at Sophos The IT security market is global, as is the market in which Sophos competes for high calibre executive talent. In order for Sophos to be able to attract and retain executives in the relevant geographies with the right skills and experience to drive the long-term success of the Group, the Committee believes that remuneration packages need to be appropriately calibrated to be competitive globally, including in the UK, where Nick Bray our Chief Financial Officer is located, and on the US West Coast, where Kris Hagerman our Chief Executive Officer, and many of the Group’s executives, are located. At the 2016 AGM, the Committee implemented a remuneration policy that was designed to balance this need, to be competitive globally with accepted UK market and best practice, and to measure and reward the performance of the Group’s executives against the best measures of the Group’s performance given its current size and stage of growth. 
As the ‘Remuneration at a Glance’ section overleaf demonstrates, strong billings and cash EBITDA performance over the last three years has contributed to the Group’s significant growth in share price (92 per cent since Listing) and TSR outperformance of the FTSE250 index. The Committee is comfortable that pay outcomes are appropriately aligned with Group performance against its strategic objectives and longer-term shareholder value creation. The Committee is further confident that the linkage of executive incentives to the Company’s overall growth targets for billings and cash EBITDA, remains appropriate for focusing the Group’s executives on growing the business and establishing a strong customer base from which to build on. However, we are cognisant that a number of features of our remuneration policy continue to differ from typical UK market practice and further, that this may have informed how those shareholders who voted in opposition to our Annual Report on Remuneration at the 2017 AGM, elected to cast their votes. In line with the reporting Regulations, we are required to resubmit the remuneration policy to a binding shareholder vote at the 2019 AGM. In the intervening period, the Committee will consider what changes may be appropriate as Sophos matures as a business and market practice develops apace. We look forward to a constructive two-way consultation with our major shareholders on the evolution of our remuneration policy. Remuneration Decisions in FY18 Sophos achieved strong results in the year-ended 31 March 2018, with billings of $768.6 million and cash EBITDA of $193.7 million at actual rates, against stretching targets. As a result, Kris Hagerman and Nick Bray will receive bonuses of 88 per cent and 71 per cent of salary respectively. During the year, Kris Hagerman and Nick Bray were granted awards of 497 and 388 per cent of salary, respectively, under the Sophos Group Long-Term Incentive Plan 2015 (“LTIP”). 
Performance share units (comprising 75 per cent of the awards) vest over three years subject to achievement of annual billings and cash EBITDA targets, and restricted share units (25 per cent of the awards) vest over four years subject to continued employment only. Although no performance share units were due to vest in the year under review, the awards granted in August 2015 will vest in August 2018 based on performance over the three-year period that ended on 31 March 2018 (see page 75 for details). Remuneration for FY19 Following a review of Group performance and their personal contribution, the salaries of the Executive Directors will be increased by 2.6 and 2.4 per cent respectively, effective from 1 July 2018. This compares to the average increase expected for the wider employee population of c.4 per cent. The Committee will operate the annual bonus on the same basis as in FY18, and billings and EBITDA targets have been set by the Committee to require significant stretch performance to achieve full payout. The bonus will continue to be paid in cash. In FY19, the Committee intends to grant long-term incentive awards to Executive Directors in line with the stated remuneration policy and using the same measures as were used in FY18 (billings and cash EBITDA). Awards will be made over performance share units (at least 75 per cent of the total award) and restricted shares, within the normal policy limits. The Committee welcomes feedback from our shareholders as we remain committed to an open and transparent dialogue, and hope to receive your support at the forthcoming AGM. 
On behalf of the Remuneration Committee:

Paul Walker
Chairman of the Remuneration Committee
16 May 2018

This report, prepared by the Remuneration Committee (‘the Committee’) on behalf of the Board, takes account of the UK Corporate Governance Code and the latest Investment Association, ISS and PLSA guidelines, and has been prepared in accordance with the provisions of the Act, the Listing Rules of the Financial Conduct Authority and the Large and Medium-Sized Companies and Groups (Accounts and Reports) (Amendment) Regulations 2013. The Act requires the Auditor to report to the Company’s Shareholders on the audited information within this report and to state whether in their opinion those parts of the report have been prepared in accordance with the Act. The Auditor’s opinion is set out on pages 88 to 93 and those aspects of the report that have been subject to audit are clearly marked.

Remuneration at a Glance

KPI – Performance snapshot

Measure | FY16 | FY17 | FY18
Billings | $534.9M | $632.1M (+18.2%) | $768.6M (+21.6%)
Cash EBITDA | $120.9M | $150.1M (+24.2%) | $193.7M (+29.0%)

How is performance reflected in our incentives?

Billings: Used as a measure in the annual bonus and PSU. Billings is an important measure that represents the value of products and services invoiced to customers. Cash is received at the start of a subscription period and consequently billings are a key forward indicator of future performance.

Cash EBITDA: Used as a measure in the annual bonus and PSU. EBITDA (as defined in the scheme rules) provides visibility of cash earnings during the period, even if the associated revenue for that period’s billings has not yet been recognised.

TSR since IPO

[Chart: value of £100 invested on Sophos’ IPO, Sophos against the FTSE250, 25.06.15 to 31.03.18]

Close alignment through significant stock ownership: TSR is a key measure of shareholder value creation. Although not incorporated as a standalone measure of performance in the LTIP, the interests of our Executive Directors are aligned closely with those of shareholders through their share ownership, as well as through the denomination of LTIP awards in stock units.

Executive Director remuneration in FY18

Element | Kris Hagerman ($000) | Nick Bray (£000)
Salary | 716 | 291
Taxable benefits | 3 | 16
Pension | 8 | 15
Single-year variable | 638 | 207
Restricted stock units | 877 | 283
Performance stock units | 6,458 | 2,186
All employee schemes | 4 | –
Total | 8,704 | 2,998

Executive Director shareholdings

Kris Hagerman: $11.7m (1,623% of salary)
Nick Bray: £0.3m (101% of salary)

Implementation of Policy in FY19

Salary: Increased by 2.6 and 2.4 per cent respectively, c.1 per cent lower than increases for the wider workforce. From 1 July 2018, salaries will be $740,000 for Kris Hagerman and £300,000 for Nick Bray.

Annual bonus: Opportunities are unchanged from FY18 at 200 per cent and 160 per cent of salary for Kris Hagerman and Nick Bray, respectively. Payout will be based 80 per cent on billings and EBITDA, and 20 per cent on personal performance. Payable 100 per cent in cash.

LTIP: FY19 awards to be made over performance share units (at least 75 per cent of the total award) and restricted shares, within normal policy limits. PSU awards will vest based on billings and cash EBITDA performance in FY19, FY20 and FY21. RSU awards vest over four years from grant.

Benefits: Unchanged from FY18.

Directors’ Remuneration Policy

This section describes the Group’s remuneration policy for Directors which applies for up to three years from approval at the Annual General Meeting on 14 September 2016.
The only amendments to this Policy Report from the version approved by shareholders in 2016 are to update: (i) the data used in the pay-for-performance scenarios; (ii) references to financial years; (iii) page references; and (iv) the details of the Non-Executive Directors’ appointment letters. The overarching principles of the remuneration policy are to provide a competitive package of fixed and variable pay that will enable the Group to ensure it has executives with the right skills and experience to drive the success of the Company, and that their remuneration is linked to shareholder interests and the Company’s long-term success. The remuneration philosophy is: • to promote the long-term success of the Company, with stretching performance targets which are rigorously applied; • to provide appropriate alignment between the Company’s strategic goals, shareholder returns and executive reward; and, • to have a competitive mix of base salary and short and long-term incentives, with an appropriate proportion of the package determined by stretching targets linked to the Company’s performance. Executive Directors’ fixed and variable remuneration arrangements have been determined taking into account: • the role, experience in the role, and performance of the Executive Director; • the location in which the Executive Director is working; • remuneration arrangements at UK listed companies of a similar size and complexity; • remuneration arrangements at US high-technology companies of a similar size and complexity, including companies with which the Company competes for talent; and, • best practice guidelines for UK listed companies set by institutional investor bodies. Purpose and link to strategy Fixed pay: Base salary To attract and retain talent of the right calibre and with the ability to contribute to strategy, by ensuring base salaries are competitive in the relevant talent market. 
Fixed pay: Pension Provide post-retirement benefits for participants in a cost-efficient manner. Operation Maximum opportunity Performance metrics Base salaries are reviewed annually, with reference to individual performance, Group performance, market competitiveness, salary increases across the Group and the position holder’s experience, competence and criticality to the business. Any increases are generally effective from 1 July. Pension contributions are provided, with a choice of funding vehicles: US 401(k) savings plan for all US employees or group personal pension scheme. Individual and Group performance is taken into account when determining appropriate salary levels. Executive Directors’ salary increases will normally be in-line with those for the wider employee population. However, higher salary increases may be made where there is a change in role or responsibilities or a significant market misalignment. None. The CEO currently receives a matching contribution of up to 3 per cent of salary under his US 401(k) savings plan, subject to the applicable maximum contribution (US$24,500 for FY18). The CFO receives up to 5 per cent of salary as a contribution to a group personal pension scheme. Other than in exceptional cases (such as to replace existing arrangements for new recruits) the Committee does not anticipate pension benefits as being at a cost to the Company that would exceed 20 per cent of base salary. Purpose and link to strategy Fixed pay: Benefits To provide competitive benefits for each role. Operation Maximum opportunity Performance metrics Benefits currently include the provision of medical and dental insurance, life and disability insurance, travel insurance, personal tax return preparation, and car allowance.
Reasonable relocation, travel and subsistence allowances (and, in certain circumstances, cash allowances in respect of the associated tax charge) and other benefits may be provided based on individual circumstances. There is no overall maximum value set out for benefits. None. They are set at a level that is comparable to market practice and appropriate for individual and Company circumstances. The Committee retains the discretion to amend benefits in exceptional circumstances or in circumstances where factors outside of the Group’s control have materially changed (e.g. increases in insurance premiums). Variable pay: Annual bonus Aims to focus executives on achieving stretching financial targets relevant to the business priorities for the financial period. Performance measures and targets are set prior to or shortly after the start of the relevant financial period. The maximum bonus opportunity for Executive Directors will be up to 200 per cent of salary. At the end of the financial period, the Remuneration Committee will determine the extent to which the targets have been achieved. Up to 50 per cent of maximum will vest for target performance. The Committee may award up to 12.5 per cent of maximum for threshold performance. Awards are typically delivered in cash, however the Committee has discretion to defer awards in cash or in shares. The Committee has discretion to reduce the bonus in the event of serious financial misstatement or misconduct. In extreme cases of misconduct, the Committee may claw back annual bonus payments previously made. The annual bonus will be based on achievement of stretching financial targets (e.g. billings, EBITDA) and personal performance. Personal performance will have a weighting of no more than a third. Details of the measures used during the period under review are set out on pages 73 to 74. 
The Committee has discretion to adjust the formulaic bonus outcome downwards (or upwards with shareholder consultation) within the limits of the plan, to ensure alignment of pay with the underlying performance of the business. Purpose and link to strategy Operation Maximum opportunity Performance metrics Variable pay: Long-term incentive plan (“LTIP”) Aligns the interests of executives with shareholders in growing the value of the business over the long-term. The plan provides for annual awards of restricted shares, options and performance shares to eligible participants. Other than for restricted shares, vesting is based on three-year performance. The Committee has discretion to reduce any unvested long-term incentive awards, or to vary the opportunities for future awards, in the case of serious financial misstatement or misconduct. In extreme cases of misconduct, the Committee may claw back vested long-term incentive awards. Participants are eligible to receive cash or shares equal to the value of dividends that would have been paid over the vesting period on shares that vest. Awards may be made up to a maximum of 500 per cent of salary in normal circumstances and up to 750 per cent in exceptional circumstances (including, but not limited to, recruiting an individual). The award size is reviewed in advance of grant. No performance-based awards will vest below threshold. Up to 25 per cent of each element will vest for achievement of threshold performance under each metric, then increase on a straight-line basis to full vesting for achieving stretch performance. It is anticipated that no more than 25 per cent of aggregate awards in any one year will be over restricted shares or options. Performance-based awards will vest on achievement of financial performance measures, measured over a three-year performance period, which may include profit measures and billings.
Performance-based awards: profit will receive a weighting of at least 50 per cent. Other measures may be considered in future years to help capture the strategic goals of the business and may be used in conjunction with these metrics. Time-based awards: restricted shares will begin vesting after one year, and thereafter vest in equal instalments on a quarterly basis until the fourth anniversary of grant based on continued employment only. The Committee has discretion to adjust the formulaic LTIP award downwards (or upwards with shareholder consultation), within the limits of the plan, to ensure alignment of pay with the underlying performance of the business. n/a n/a Other arrangements: Shareholding guidelines To align Directors’ interests with the long-term interests of shareholders. Executive Directors are required to retain a minimum shareholding in the Company, and are required to retain at least 50 per cent of shares vesting (after tax) under the LTIP until the shareholding guideline has been met. Further details of the level of shareholding guideline currently in operation are set out on page 80. Other arrangements: All-employee schemes To encourage share ownership across the workforce. SAYE and ESPP schemes are operated by the Company for eligible employees, in which Executive Directors may participate on the same terms. None. Participation is capped at the prevailing approved limit at the time eligible employees are invited to participate, or such lower limit as determined by the Remuneration Committee. Purpose and link to strategy Operation Maximum opportunity Performance metrics Other arrangements: Non-Executive Directors’ fees To reflect the time commitment in preparing for and attending meetings, the duties and responsibilities of the role and the contribution expected from the Non-Executive Directors.
None Any increases to Non-Executive Director fees will be considered as a result of the outcome of a review process and taking into account wider market factors, e.g. inflation. There is no prescribed individual maximum fee. Further details are set out on page 78. Annual base fee for Chairman. Annual base fee for Non-Executive Directors. Additional fees paid to the chairmen of Board Committees. Additional fees may be paid if there is a material increase in time commitment required. Non-Executive Directors do not participate in any incentive schemes, nor do they receive any pension or benefits (other than nominal travel expenses and, in certain circumstances, cash allowances in respect of the associated tax charge).
Notes to the Policy Table This policy is unchanged in substance since approval at the AGM on 14 September 2016. Other than minor text changes to ensure this policy remains clear for the reader, a few other minor changes have been made to provide additional clarity, including updated scenario charts shown below.
Performance measure selection and approach to target setting Billings and EBITDA are considered to be the best measures of the Group’s annual performance given the current size and stage of growth, and will continue to determine annual bonus vesting. The Committee will keep this under review, and may select alternative measures as the Group evolves and strategic priorities change. Annual bonus targets will be set prior to, or shortly after, the start of the financial period. Financial targets will be calibrated with reference to the Group’s budget for the upcoming financial period and the Group’s performance over the prior financial period. Threshold and stretch performance levels for performance-based awards under the LTIP will be set at the start of the three-year performance period.
The Committee aims to set stretching but achievable targets, taking account of a range of reference points, including market consensus and the Group’s strategic plan.
Differences in remuneration policy operated for other employees Other employee remuneration has the same components as set out in the policy, being base salary, annual bonus, long-term incentive participation, pension, life assurance and benefit provision. Annual bonus and long-term incentive arrangements share a similar structure and pay-out arrangement, although the mix between performance-based and time-based awards, and the maximum award, varies by seniority and role.
Other In addition to the above elements of remuneration, any commitment made prior to, but due to be fulfilled after, the approval and implementation of the policy detailed in this report will be honoured; this includes awards made to Directors (both Executive and Non-Executive) prior to IPO.
Performance scenarios The graphs below provide estimates of the potential future reward opportunities for Executive Directors, and the potential split between the different elements of remuneration under three different performance scenarios: ‘Minimum’, ‘Mid’ and ‘Maximum’.
Performance scenario charts (split between Fixed, Annual incentive and LTI, with total):
Chief Executive Officer ($000): Maximum: Fixed 11%, Annual incentive 22%, LTI 67%, total 6,455. Mid: Fixed 24%, Annual incentive 24%, LTI 52%, total 3,030. Minimum: Fixed 45%, LTI 55%, total 1,633.
Chief Financial Officer (£000): Maximum: Fixed 15%, Annual incentive 22%, LTI 63%, total 2,149. Mid: Fixed 31%, Annual incentive 22%, LTI 47%, total 1,058. Minimum: Fixed 53%, LTI 47%, total 609.
The potential reward opportunities illustrated are based on the policy approved at the AGM on 14 September 2016, applied to the base salaries in force at 1 April 2018. The projected value of LTIP amounts excludes the impact of share price movement or dividend accrual.
The assumptions made in illustrating potential reward opportunities are shown in the table below:
Performance scenario | Minimum | Mid | Maximum
Fixed pay (all scenarios) | Salary as at most recent review date; Benefits and pension value as for the most recent financial period
Annual bonus | No annual bonus payable | On target annual bonus payable | Maximum annual bonus payable
LTIP (performance-based awards) | Threshold not achieved | Performance warrants threshold vesting | Performance warrants full vesting
LTIP (time-based awards) (all scenarios) | Full vesting
Approach to Remuneration for New Executive Director Appointments In the cases of hiring or appointing a new Executive Director, the Remuneration Committee may make use of all the existing components of remuneration, as follows: Component Base salary Pension Benefits Annual bonus LTIP Approach Maximum opportunity The base salaries of new appointees will be determined based on the experience and skills of the individual, relevant market data and their current basic salary. n/a Membership of pension scheme or salary supplement on a similar basis to other executives, as described in the policy table. Other than in exceptional cases (such as to replace existing arrangements for new recruits) the Committee does not anticipate pension benefits as being at a cost to the Company that would exceed 20 per cent of base salary. In line with Policy Table New appointees will be eligible to receive benefits in line with the policy which may include (but are not limited to) car allowance, medical insurance and life insurance. n/a The structure described in the policy table will apply to new appointees with the relevant maximum being pro-rated to reflect the proportion of employment over the year. 200 per cent of base salary New appointees will be granted awards under the LTIP on similar terms as other executives, as described in the Policy Table.
Up to 750 per cent of base salary All-employee schemes New appointees may be eligible to participate in all-employee schemes on the same basis as other employees. In line with Policy Table In determining appropriate remuneration for a new Executive Director, the Committee will take into consideration all relevant factors to ensure that arrangements are in the best interests of the Group and its shareholders. In addition to the remuneration arrangements set out above, the Committee may make an award in respect of a new appointment to ‘buy out’ incentive arrangements forfeited on leaving a previous employer, using Listing Rule 9.4.2 R if necessary. In doing so, the Committee will take account of relevant factors including any performance conditions attached to these awards, the likelihood of those conditions being met, and the proportion of the vesting period remaining. The fair value of any buy out will not exceed that of the award being foregone. In cases of appointing a new Executive Director by way of internal promotion, the approach will be consistent with the policy for external appointees detailed above. Where an individual has contractual commitments made prior to their promotion to Board level, the Group will continue to honour these arrangements. Incentive opportunities for below Board employees are no higher than for Executive Directors, but measures may vary. In recruiting a new Non-Executive Director, the Committee will use the policy as set out in the table on page 68. Service Contracts and Exit Payment Policy Non-Executive Directors The appointments of each of the Chairman and the Non-Executive Directors are for a fixed term of three years and subject to annual re-election by the Company at the AGM. Their letters of appointment set out the terms of their appointment and are available for inspection upon request.
They are not eligible to participate in the annual bonus, nor do they receive any additional pension or benefits (other than nominal travel expenses) on top of the fees disclosed on page 78. Non-Executive Directors’ appointments may be terminated at any time upon written notice or in accordance with the Articles and receive no compensation on termination.
Non-Executive Director | Role | Appointment date | Term of appointment
Peter Gyenes | Chairman | 11 June 2015 (1) | Three years
Paul Walker | Senior Independent Director | 11 June 2015 (1) | Three years
Steve Munford | Non-Executive Director | 11 June 2015 (1) | Three years
Sandra Bergeron | Independent Non-Executive Director | 11 June 2015 (1) | Three years
Roy Mackenzie | Non-Executive Director | 11 June 2015 (1) | Three years
Vin Murria | Independent Non-Executive Director | 3 January 2017 | Three years
Rick Medlock | Independent Non-Executive Director | 3 April 2017 | Three years
1. At the May 2018 meeting of the Board, Directors approved a second term of appointment in respect of those Directors whose first terms end on 10 June 2018.
Executive Directors On 11 June 2015, each of the Executive Directors entered into a service agreement with the Company, which are available for inspection upon request.
Executive Director | Role | Appointment date | Term of appointment
Kris Hagerman | Chief Executive Officer | 11 June 2015 | 12 months
Nick Bray | Chief Financial Officer | 11 June 2015 | 12 months
The Employer is entitled to terminate an Executive Director’s employment by payment of a cash sum in lieu of notice, equal to (i) the basic salary that would have been payable, and (ii) the cost that would have been incurred in providing the Executive Director with medical insurance benefits for any unexpired portion of the notice period (the ‘‘Payment in Lieu’’). The Company can alternatively choose to continue providing the medical insurance benefits under item (ii) instead of paying a cash sum representing their cost. The Payment in Lieu will be paid in monthly instalments over the notice period.
In specified circumstances (not involving a change of control, in which case the severance payment applicable is as described below), each Executive Director is entitled to terminate his employment without notice and receive a severance payment. The severance payment will be equal to the Payment in Lieu and paid in a single lump sum. The specified circumstances are where either: (a) the employer terminates or gives notice to terminate the Executive Director’s employment without cause; or (b) the Executive Director terminates his employment in response to: a material diminution of his authority, duties, responsibilities or status in a manner inconsistent with his service agreement; a breach of a fundamental term of his service agreement; a material reduction in his annual basic salary or target bonus opportunity; or being required to relocate his place of work beyond a specified distance (each a ‘‘Good Leaver Reason’’). Each Executive Director is entitled to a severance payment, paid in a single lump sum, in the event of a termination of his employment by his Employer without cause or by the Executive Director for a Good Leaver Reason at any time during a period ending 18 months after any change of control of the Company (whether by way of a general offer or a scheme of arrangement or compromise) and beginning three months prior to the announcement of such general offer or scheme of arrangement or compromise. The severance payment will be equal to the sum of: (i) 150 per cent of the Executive Director’s annual basic salary; (ii) 150 per cent of the Executive Director’s target bonus for the Company’s financial year in which the termination occurs; and (iii) the total cost of providing the Executive Director with the benefits (including pension contributions) to which he is entitled under his service agreement for a period of 12 months. 
The Group’s change of control provisions are standard practice in the US (where many of the SMT, including the CEO, are located) and to renegotiate contracts would likely represent an increased cost for the Company (where this provision may never be triggered). For future hires, the Committee will consider the appropriateness of the contractual provisions at that time, taking into account prevailing market practice in the geography in which the executive is located. The Company’s policy on termination payments is to consider the circumstances on a case-by-case basis, taking into account the executive’s contractual terms, the circumstances of termination and any duty to mitigate. The table below summarises how incentives are typically treated in different circumstances:
Reason for leaving: Treatment
Bonus
Summary dismissal, resignation: Awards lapse.
Good leaver: Eligible for an award to the extent that performance conditions have been satisfied, pro-rated for the proportion of the financial year served, with Committee discretion to treat otherwise.
Change of control: Eligible for an award to the extent that performance conditions have been satisfied up to the change of control, pro-rated for the proportion of the financial year served, with Committee discretion to treat otherwise. Executives may be eligible for an enhanced bonus payment in the case of termination of employment within 18 months of a change of control, as described above.
Long-term incentives
Summary dismissal, resignation: Awards lapse.
Good leaver: Outstanding awards will normally be pro-rated to the date of leaving, with Committee discretion to treat otherwise and with discretion to either test at the end of relevant performance periods, or immediately assess, whether or not relevant performance criteria have been met.
Change of control:
Outstanding awards will normally vest and be tested for performance over the period to change of control, and be pro-rated for time based on the proportion of the period served, with Committee discretion to treat otherwise. Executives may be eligible for additional vesting in the case of termination of employment within 18 months of a change of control. All-employee schemes Treated in line with applicable scheme rules External appointments of Executive Directors Executive Directors may accept external appointments with the prior approval of the Chairman, provided that such appointments do not prejudice the executive’s ability to fulfil their duties for the Group. Any fees for outside appointments would normally be retained by the Director. Consideration of employment conditions elsewhere in Group The Committee takes into account the general basic salary increase being offered to employees elsewhere in the Group when annually reviewing the salary increases and remuneration for the Executive Directors. Employees have not been consulted in respect of the design of the Group’s senior executive remuneration policy. Consideration of shareholder views The Committee takes shareholder feedback into careful consideration when reviewing remuneration and regularly reviews the Remuneration policy in the context of key institutional shareholder guidelines and best practice. It is the Committee’s policy to consult with major shareholders prior to making any major changes to its executive remuneration structure.
Annual Report on Remuneration
Main Activities The Committee has an annual forward agenda, developed from its terms of reference, with standing items that the Committee considers at each meeting, in addition to any specific matters arising, and topical business or governance items on which the Committee has chosen to focus. The work of the Committee undertaken during the year is summarised throughout this report.
External Advisers Mercer Kepler, independent remuneration consultants appointed by the Committee in FY16 after consultation with the Board, continued to act as the remuneration adviser to the Committee during the year. Mercer Kepler reports directly to the Committee Chairman and is a signatory to and abides by the Code of Conduct for Remuneration Consultants (which can be found at www.remunerationconsultantsgroup.com). The fees paid to Mercer Kepler in respect of work carried out for the Remuneration Committee in FY18 totalled £52,168 (FY17: £41,621). In addition, a separate and distinct department of Mercer (also part of the MMC Group of companies), provided independent verification and consultation services to Sophos during FY18 in relation to the Company’s UK Gender Pay Gap and Pay Programme analysis, and reported directly to the Chief Human Resources Officer. The Committee Chairman undertook due diligence to ensure that Mercer Kepler remains independent of the Company and that the advice provided is impartial and objective. The Committee is satisfied that the advice provided by Mercer Kepler is independent, and will continue to undertake such due diligence periodically. Performance Evaluation The Remuneration Committee’s performance was assessed as part of the Board’s annual effectiveness review. It was concluded that the Committee operated effectively in FY18. In response to findings of the review, Committee members will continue to give significant weight to shareholder sentiment whilst balancing this with the recruitment and retention needs of the business and in particular, in their consideration of the Company’s remuneration policy as it is reviewed for renewed shareholder vote at the 2019 AGM. The Committee also undertakes a review of its terms of reference and composition each year. Following the most recent review in January 2018, no changes were proposed. 
The full terms of reference of the Committee can be found on the Company’s website, at: investors.sophos.com. The following section provides details of remuneration outcomes for the financial year ended 31 March 2018 for Directors who served on the Board during the year, and how the Remuneration policy will be implemented in FY19. The Remuneration Committee The Committee met three times during the year. Committee composition and meeting attendance Paul Walker (Chairman) Sandra Bergeron Peter Gyenes Rick Medlock Vin Murria 100% 100% 100% 100% 100% 100% Attended of those eligible All appointments stated are as at 31 March 2018 Committee Composition and Meeting Attendance The composition of the Committee is compliant with the Provisions of the Code, which provides that its members should comprise at least three independent Non-Executive Directors and that the Chairman of the Group may be a member, but not chair, of the Committee due to his independence at the time of his appointment. The Committee is chaired by Paul Walker, the Senior Independent Director. The Company Secretary is secretary to the Committee and attends all meetings. Other attendees at Committee meetings may differ from time to time and, upon invitation from the Committee, include the Chief Executive Officer, Chief Human Resources Officer and other senior executives, but they are not present when their own remuneration is set. Role and Responsibilities The Committee is responsible for overseeing the Group’s Remuneration policy and practices having regard for relevant legal and regulatory requirements, the provisions and recommendations of the Code and associated guidance. 
The key responsibilities of the Committee include, to: • determine and monitor the remuneration policy for the Chairman, Executive Directors and the senior management team it is designated to consider; • ensure that the remuneration policy and reward decisions support the Sophos business strategy and sustainable long-term performance; • set specific remuneration packages which include salary, annual bonus, share incentives, pension and benefits; • review the Executive Directors’ service contracts; • review remuneration trends across the Group and in the market in which Sophos operates; and, • approve employee share-based incentive plans and associated performance conditions and targets.
Single Total Figure of Remuneration for Executive Directors (Audited) The table below sets out the total single figure of remuneration received by each Executive Director who served during the year ended 31 March 2018 and the prior year:
Component | Kris Hagerman ($000) FY18 | Kris Hagerman ($000) FY17 | Nick Bray (£000) FY18 | Nick Bray (£000) FY17
Salary (1) | 716 | 695 | 291 | 282
Taxable benefits (2) | 3 | 3 | 16 | 12
Pension (3) | 8 | 8 | 15 | 14
Single-year variable (4) | 638 | 772 | 207 | 250
Restricted stock units (5) | 877 | 842 | 283 | 267
Performance stock units (6) | 6,458 | n/a | 2,186 | n/a
All employee schemes | 4 | 2 | – | 4
Total | 8,704 | 2,322 | 2,998 | 829
1 Amount earned in respect of the year.
2 Taxable benefits include: Kris Hagerman: medical and dental, life and disability insurance and reimbursement of up to $10,000 per annum for the preparation of his tax returns; Nick Bray: Car allowance (FY18: £14K, FY17: £10K), life, private medical and critical illness insurances, travel and personal accident insurances, and employee assistance programme arrangements.
3 The Company’s pension contributions during the year of up to 3 per cent and 5 per cent of salary for Kris Hagerman and Nick Bray, respectively.
4 Bonus payment for performance during the year.
5 RSUs: The face value at grant, using market price on day of issue, of time-based RSUs.
6 PSUs: The estimated value at vesting of PSUs for which the performance period ends at the end of the relevant financial year. For FY18, reflects the number of FY16 PSUs vesting in FY19 subject to performance over the 3-year period ended 31 March 2018, valued using the average middle market quotation of the shares on the main market of the London Stock Exchange (“MMQ”) over the three-months to 31 March 2018 (converted at daily US Dollar rates for Kris Hagerman), and including the estimated value of dividends accruing over the vesting period on this award.
Base Salary During FY18, the Remuneration Committee reviewed the salaries of Kris Hagerman and Nick Bray, who were each awarded an increase of 2.6 per cent and 2.4 per cent respectively, effective 1 July 2018, as follows:
Executive Director | 1 July 2018 | 1 July 2017 | Increase %
Kris Hagerman | $740,000 | $721,000 | 2.6
Nick Bray | £300,000 | £293,000 | 2.4
Pension and Benefits Kris Hagerman receives medical and dental insurance, travel insurance, life and disability insurance, a reimbursement of up to $10,000 per annum for the preparation of his tax returns and, under his employer’s standard US 401(k) savings plan for all US employees, is entitled to receive a matching contribution of up to three per cent of his salary, subject to any annual maximum contribution applicable to US 401(k) savings plans from time to time. For 2018, this annual maximum is $24,500. Nick Bray is entitled to receive up to five per cent of his base salary as a contribution to a group personal pension scheme. In FY18 he also received an annual car allowance of £14,000 (paid monthly), life insurance, private medical and critical illness insurance, travel insurance, personal accident insurance and employee assistance programme arrangements.
Incentive Outcomes for FY18 Annual bonus The Group operates an annual performance-related bonus scheme for a number of senior executives including Executive Directors.
Bonus opportunities for FY18 were 200 per cent of salary for Kris Hagerman and 160 per cent of salary for Nick Bray. Target bonus was 50 per cent of the maximum opportunity. The level of annual bonus earned in any one year is based on Group performance against predetermined financial targets for the year and personal performance. In FY18, the bonus was based 80 per cent on billings and EBITDA, as defined by the scheme rules, with 12.5 per cent of maximum vesting for threshold performance and 50 per cent for target performance. The remaining 20 per cent of the bonus opportunity is based on personal performance. No bonus is awarded for performance below the threshold. The financial element payout is based on the lower of the implied payouts for billings and EBITDA, so to achieve any vesting of this element, executives were required to perform on both billings and EBITDA.
Financial performance The financial targets for the FY18 annual bonus are no longer considered commercially sensitive, and are disclosed in full, alongside performance against these targets, below:
Performance measure | Threshold (12.5% payout) | Target (50% payout) | Stretch (100% payout) | Achievement | Implied vesting (% of element)
Billings | $686M | $750M | $899M | $738M | 43%
EBITDA | $172M | $188M | $226M | $185M | 43%
Performance was measured using constant currency exchange rates. For levels of performance between the points set out in the table above, bonus payout was determined on a straight-line, pro-rata basis. The overall bonus payout was based on the lower of the implied payouts for billings and EBITDA, and was therefore 43 per cent of maximum for the financial element.
Personal performance Following the end of FY18, the Committee assessed each Executive Director’s performance against personal objectives set at the start of the year.
Performance of the Executive Directors in respect of FY18 was assessed to warrant a payout of 48 per cent for the personal element. An overview of the FY18 objectives, and each Director’s performance against these, is set out below:
Kris Hagerman FY18 objectives In support of the continued effective execution of the Group’s long-term strategic objectives, the Chief Executive Officer:
• Delivered strong performance against the Group’s FY18 Plan
• Led a detailed Group strategic review by the SMT, established a five-year financial plan, and defined a clear company strategy to support it
• Led the evolution of product-specific strategies, including the potential role for M&A, each in support of the five-year financial plan
• Continued to build a high-quality, high-performing organisation through key appointments and strong employee engagement results
Weighting: 20%. Outcome warranted by performance (% of element): 48%.
Nick Bray FY18 objectives In support of the continued effective execution of the Group’s long-term strategic objectives, the Chief Financial Officer:
• Delivered strong performance against the Group’s FY18 Plan
• Established a five-year financial plan, including appropriate targets for the Group, and continued to align cost growth with billings growth and ensure an efficient capital structure
• Continued to build new, and strengthen existing, relationships with the Group’s investors
• Led key programs relating to the Group’s business continuity planning, and systems implementation and improvement
• Continued to strengthen financial controls, processes, risk identification and mitigation across the Group
Weighting: 20%. Outcome warranted by performance (% of element): 48%.
Annual bonus outcomes Based on the above assessments of performance during FY18, Kris Hagerman and Nick Bray will receive bonuses of 88 per cent and 71 per cent of salary, respectively. The entire bonus in respect of FY18 will be paid in cash.
The bonus calculations for FY18 are illustrated below:

Executive Director | Kris Hagerman | Nick Bray
Maximum bonus opportunity (% of salary) | 200% | 160%
Weighting on financial performance (% of bonus) | 80% | 80%
Weighting on personal performance (% of bonus) | 20% | 20%
Financial measure outcome (% of element) | 43% | 43%
Personal performance outcome (% of element) | 48% | 48%
Overall bonus vesting (% of maximum) | 44% | 44%
FY18 bonus award (000) | $638 | £207

Long-Term Incentive Plan

FY16 PSU awards vesting (audited)

PSU awards were granted to Kris Hagerman and Nick Bray in FY16 (calendar year 2015), shortly after Listing (and before our remuneration policy took effect after the 2016 AGM). These awards are subject to performance against annual billings and cash EBITDA targets set for each of the financial years FY16, FY17 and FY18. Performance against each of these measures over the completed performance period is summarised in the table below:

Performance period | Weighting (of max.) | Performance measure | Initial Vesting: Threshold (25% vesting) | Initial Vesting: Stretch (100% vesting) | Accelerator Vesting: Super Stretch (1 x multiplier) | Accelerator Vesting: Maximum (1.25 x multiplier) | Financial year outcome | Vesting outcome (out of 125%)
FY16 | One-third | Billings | $448M | $498M | $519M | $560M | $535M | 110%
FY16 | One-third | Cash EBITDA | $99M | $110M | $118M | $127M | $121M | 108%
FY17 | One-third | Billings | $508M | $565M | $597M | $644M | $632M | 119%
FY17 | One-third | Cash EBITDA | $114M | $127M | $143M | $155M | $150M | 115%
FY18 | One-third | Billings | $577M | $641M | $687M | $741M | $769M | 125%
FY18 | One-third | Cash EBITDA | $133M | $147M | $172M | $185M | $194M | 125%

Overall vesting (based on the aggregate of the lowest vesting outcome for each performance period): average of the lowest vesting outcomes in FY16, FY17 and FY18: 116.11%

For each performance year, the vesting outcome is based on the lower of that warranted by billings performance and cash EBITDA performance. Based on the performance outcomes set out above, 116.11 per cent of the FY16 PSU awards will vest, representing 92.88 per cent of the maximum opportunity.
Details of the awards vesting to Executive Directors are set out in the table below:

Executive Director | Interests held | % vesting | Interests vesting | Date of vesting | Share price at vesting¹ | Value (£000)
Kris Hagerman | 716,292 | 116.11% | 831,687 | 7 Aug 2018 | 552.6p | 4,596
Nick Bray | 337,079 | 116.11% | 391,382 | 7 Aug 2018 | 552.6p | 2,163

¹ The estimated value of vested awards is calculated using the MMQ over the three months to 31 March 2018.

The estimated values of dividends accruing over the vesting period on these awards for Kris Hagerman and Nick Bray are $65K (£49K) and £23K respectively, and will be paid in cash.

LTIP awards granted in FY18 (audited)

On 16 June 2017, Kris Hagerman and Nick Bray were granted awards under the LTIP in the form of RSUs and PSUs. Details are provided in the table below:

Executive Director | Date of award | Type of award | Awards made during the year | Reference price of award¹ | Face value of award (£000) | Face value of award² (% of salary)
Kris Hagerman | 16 June 2017 | RSU | 159,424 | 436.94p | 697 | 124
Kris Hagerman | 16 June 2017 | PSU | 478,272 | 436.94p | 2,090 | 373
Nick Bray | 16 June 2017 | RSU | 64,995 | 436.94p | 284 | 97
Nick Bray | 16 June 2017 | PSU | 194,985 | 436.94p | 852 | 291

¹ The MMQ between 14 June 2017 and 16 June 2017.
² Based on salary as at 1 July 2017.

The RSU awards are not subject to future performance conditions, and will vest over four years, subject to continued employment, with 25 per cent of the awards vesting on 1 June 2018 and the remainder vesting on a quarterly basis thereafter until 1 June 2021. The PSU awards vest subject to the vesting outcome implied by performance against annual targets over the three years to the financial year ending 31 March 2020, with the award vesting (to the extent that targets are met) on the third anniversary of grant. Targets for the three years are set at the start of the performance period.
Vesting is based on the lower of the implied payouts for billings and cash EBITDA, with 25 per cent vesting for threshold performance, 100 per cent for stretch performance, and 125 per cent vesting for maximum performance. The table on page 75 sets out the face value of awards granted in FY18 which can vest, subject to performance set out above, and in the table below. No awards will vest for performance below the threshold.

Performance Targets for Outstanding PSU Awards

The Committee believes that disclosing the individual annual financial performance targets for FY19 and FY20 in this report would put the Company at a competitive disadvantage to its international and privately held competitors that are not subject to similar disclosure requirements. However, the Committee remains committed to disclosing (on a retrospective basis) the annual financial targets attaching to outstanding PSU awards, and performance against these.

FY17 PSU awards

Performance period | Weighting (of max.) | Performance measure | Initial Vesting: Threshold (25% vesting) | Initial Vesting: Stretch (100% vesting) | Accelerator Vesting: Super Stretch (1 x multiplier) | Accelerator Vesting: Maximum (1.25 x multiplier) | Two-year performance to 31 March 2018 | Vesting outcome (out of 125%)
FY17 | One-third | Billings | $554M | $615M | $655M | $706M | $632M | 100%
FY17 | One-third | Cash EBITDA | $127M | $142M | $157M | $169M | $150M | 100%
FY18 | One-third | Billings | $637M | $707M | $766M | $826M | $769M | 101%
FY18 | One-third | Cash EBITDA | $150M | $166M | $189M | $204M | $194M | 107%
FY19 | One-third | Billings, Cash EBITDA | To be disclosed in the FY19 Annual Report on Remuneration

Note: actual vesting is dependent on the performance against targets for each of the financial years FY17 to FY19 and is based on the lower of the implied payouts for billings and cash EBITDA (i.e. the measures are equally weighted); sliding scale vesting applies between threshold and stretch, and super stretch and maximum. The final total vesting percentage will not be known until the end of the three-year performance period.
FY18 PSU awards

Performance period | Weighting (of max.) | Performance measure | Initial Vesting: Threshold (25% vesting) | Initial Vesting: Stretch (100% vesting) | Accelerator Vesting: Maximum (1.25 x multiplier) | One-year performance to 31 March 2018 | Vesting outcome (out of 125%)
FY18 | One-third | Billings | $663M | $736M | $825M | $769M | 109%
FY18 | One-third | Cash EBITDA | $164M | $182M | $204M | $194M | 113%
FY19 | One-third | Billings, Cash EBITDA | To be disclosed in the FY19 Annual Report on Remuneration
FY20 | One-third | Billings, Cash EBITDA | To be disclosed in the FY20 Annual Report on Remuneration

Note: Following the publication of the Company’s external billings targets during the year, the structure for the LTIP PSU awards’ performance conditions has been simplified. The gap between the previous Stretch and Super Stretch targets has been removed for all PSU awards made from FY18 onwards. Actual vesting is dependent on the performance against targets for each of the financial years FY18 to FY20 and is based on the lower of the implied payouts for billings and cash EBITDA (i.e. the measures are equally weighted). Vesting on a sliding scale between 25 and 100 per cent applies between threshold and stretch, and a 1.25 multiplier applies up to the maximum 125 per cent vesting for performance above stretch. The final total vesting percentage will not be known until the end of the three-year performance period.

Dilution Limits

Sophos will continue to manage dilution within the context of maintaining award levels within a 10 per cent limit over five years, the limit that has applied since the equity incentive plans were approved at IPO. The Committee is aware that this is higher than the limit adopted by many UK companies and preferred by many institutional investors of 5 per cent over 10 years in respect of discretionary awards and 10 per cent over 10 years in respect of all schemes.
The Committee believes the higher limit we operate is necessary in part because of the broad-based nature of our equity incentive plans, under which shares are provided to a large proportion of our employees (including SAYE and ESPP schemes open to most employees). The equity incentive plans are a key part of the Group’s employee compensation package, and reflect the need to be able to compete with other US and international companies for the high-calibre employees and executives required to secure Sophos’ future success. At 31 March 2018, dilution under all our incentive schemes was c.6.7 per cent, and continues to reflect the front-loaded approach to equity incentive grants following the IPO.

Single Total Figure Of Remuneration For Non-Executive Directors (Audited)

The table below sets out the total single figure of remuneration received by each Non-Executive Director who served during the year-ended 31 March 2018 and the prior-year:

Director | Base fee ($000) FY18 | Base fee ($000) FY17 | Additional fees¹ ($000) FY18 | Additional fees¹ ($000) FY17 | Other ($000) FY18 | Other ($000) FY17 | Total ($000) FY18 | Total ($000) FY17
Peter Gyenes | 250 | 250 | 5 | 5 | – | – | 255 | 255
Sandra Bergeron | 150 | 150 | – | – | – | – | 150 | 150
Edwin Gillis² | 66 | 150 | 7 | 15 | – | – | 73 | 165
Roy Mackenzie | – | – | – | – | – | – | – | –
Rick Medlock³ | 150 | – | 8 | – | – | – | 158 | –
Steve Munford | 150 | 150 | – | – | – | – | 150 | 150
Vin Murria | 150 | 37 | – | – | – | – | 150 | 37
Salim Nathoo⁴ | – | – | – | – | – | – | – | –
Paul Walker | 150 | 150 | 25 | 25 | – | – | 175 | 175

¹ Additional fees relate to fees for chairing Board Committees.
² Edwin Gillis retired on 7 September 2017. His fees for 2017 reflect the period from 1 April 2017 to this date.
³ Rick Medlock joined the Board on 3 April 2017, and additional fees relate to his appointment as Chairman of the Audit and Risk Committee from 8 September 2017.
⁴ Salim Nathoo resigned on 28 November 2017.

Exit Payments Made In Year (Audited)

No exit payments were made to Directors in FY18.

Payments To Past Directors (Audited)

No payments were made to past Directors in FY18.
External Directorships

In FY18 Nick Bray received £57.8K as a Non-Executive Director of De La Rue plc (FY17: £39.5K).

Remuneration for FY19

Base salary

Salaries for Kris Hagerman and Nick Bray, effective from 1 July 2018, will be $740,000 and £300,000, respectively. This equates to increases of 2.6 and 2.4 per cent respectively, which is approximately 1.5 per cent lower than increases awarded to the broader employee population of c.4 per cent.

Pension and benefits

In line with the Remuneration Policy, the Executive Directors will continue to receive pension contributions of 3 to 5 per cent of salary. They will also continue to receive benefits in line with the policy.

Annual bonus

For the year ending 31 March 2019, the Committee will operate the annual bonus using the same framework and measures as used in FY18. Billings and EBITDA targets have been set by the Committee and will require Executive Directors to deliver significant stretch performance to achieve full payout. Given the close link between these targets and Sophos’ competitive strategy, these financial targets are considered commercially sensitive and will not be disclosed in advance, but will be disclosed on a retrospective basis in next year’s Annual Report on Remuneration to the extent that the Committee determines that the targets are no longer commercially sensitive. All of the bonus will be paid in cash. Bonus payments are subject to malus and clawback provisions.

Long-Term Incentive Plan

In FY19, the Committee intends to grant long-term incentive awards to Executive Directors in line with the stated remuneration policy and using the same measures as were used in FY18. Awards will be made over performance share units (at least 75 per cent of the total award) and restricted shares, within the normal policy limits.
Full details of the awards will be set out in the Annual Report for the year ending 31 March 2019. LTIP awards are subject to malus and clawback provisions.

Non-Executive Director Fees (Including The Chairman)

With effect from IPO, the fees payable to the Chairman of the Board and other Non-Executive Directors (“NEDs”) are as follows:

Role | Fee p.a.
Chairman of the Board | $250,000
NED base fee | $150,000
Additional fees: |
Audit and Risk Committee Chairman | $15,000
Remuneration Committee Chairman | $10,000
Nominations Committee Chairman | $5,000
Senior Independent Director | $15,000

There will be no change to the NED fee policy set out above for FY19.

Percentage Change in CEO Remuneration

The table below shows the percentage change in the CEO’s remuneration from the prior-year compared to the average percentage change in remuneration for all other employees. To provide a meaningful comparison, the analysis is based on a consistent set of employees, i.e. the same individuals appear in the FY17 and FY18 populations.

% change FY17 to FY18 | CEO | Other employees
Base salary | 3% | 5%
Taxable benefits | – | –
Single-year variable | -17% | -2%

Relative Importance of Spend on Pay

The following table shows, for FY18 and FY17, the actual expenditure and percentage change in total employee costs and percentage change in distributions to shareholders.

Item | FY18 $M | FY17 $M | Change %
Shareholder distributions – dividends¹ | 21.8 | 10.9 | 100%
Total employee expenditure² | 370.9 | 304.6 | 22%

¹ Represents dividends paid in each financial year.
² Total employee expenditure includes wages and salaries, social security costs, pension and other costs and share-based payments, see note 10 of the financial statements.
Pay for Performance

In line with the reporting regulations, Sophos is required to provide a graph showing the Company’s Total Shareholder Return (“TSR”) performance (share price plus dividends paid) compared with the performance of a relevant comparator group since IPO, assuming a nominal £100 investment in both the Company and the comparator group at the start of the timeframe. Companies are also required to show the CEO’s single figure of remuneration and actual variable pay outcomes over the same period. Sophos has chosen to compare its performance against the FTSE250 Index, as the Company became a constituent of the index on IPO. The table below details the Chief Executive’s single figure of remuneration and actual variable pay outcomes over the same period. As Sophos completed its IPO in July 2015, TSR data and pay disclosure are available from this date to 31 March 2018 only.

[Chart: £100 Invested on Sophos’ IPO, Sophos compared with FTSE250, 25.06.15 to 31.03.18]

Year | FY16 | FY17 | FY18
Incumbent | Kris Hagerman | Kris Hagerman | Kris Hagerman
CEO single figure of remuneration ($000) | $18,627 | $2,322 | $8,704
Annual bonus outcomes (% of maximum) | 59% | 55% | 44%
PSU vesting outcome (% of maximum) | n/a | n/a | 93%

Statement of Shareholder Voting

The following table shows the result of the advisory vote on the 2017 Annual Report on Remuneration at the 2017 AGM, and the binding vote on the Remuneration Policy at the 2016 AGM.

Resolution | For (number) | For (%) | Against (number) | Against (%) | Withheld (number)
Remuneration Policy (2016 AGM) | 279,603,831 | 72.15% | 107,903,661 | 27.85% | 4,904,177
2017 Annual Report on Remuneration | 271,042,033 | 70.18% | 115,160,183 | 29.82% | 2,602,369

We are aware that a number of features of our remuneration policy continue to differ from typical UK market practice and further, that this may have informed how those shareholders who voted in opposition to our Annual Report on Remuneration at the 2017 AGM elected to cast their votes.
During FY18 the Company published an interim statement in response to notification of its inclusion in the Investment Association’s Public Register of listed companies who received opposition of more than 20 per cent on any resolution in a General Meeting (the ‘2017 Interim Statement’). It is the Committee’s belief that the Group’s remuneration policy (the ‘Policy’) measures and rewards the performance of the Group’s executives against the best measures of the Group’s performance given its current size and stage of growth, and further that these metrics are appropriate now for focusing the Group’s executives on growing the business and establishing a strong customer base from which to build. However, as already noted, the Committee is committed to keeping this under review and recognises that as Sophos matures as a business, it may become appropriate to look at a different, possibly broader, selection of metrics with which to focus the Group’s executives on delivering in additional areas. The Policy is next due for shareholder approval in 2019 and the Committee will continue to review developments in market practice in advance of its renewal.

See the Annual Statement of the Remuneration Committee Chairman on page 63 for further details on the Committee’s response to the vote on the Annual Report on Remuneration at the 2017 AGM. The 2017 Interim Statement is available at: investors.sophos.com

Directors’ Share Ownership (Audited)

The table below shows the shareholding of each Director against their respective shareholding requirement as at 31 March 2018.
Director | Beneficially owned | Share and option awards: Subject to performance | Share and option awards: Subject to continued employment only | Share and option awards: Vested but not yet exercised | Shareholding required (% of salary) | Current shareholding (% of salary) | Requirement met
Kris Hagerman | 1,927,330 | 1,471,875 | 2,270,267 | 4,408,352 | 200 | 1,623 | Yes
Nick Bray¹ | 68,497 | 642,729 | 1,019,107 | – | 200 | 101 | No
Peter Gyenes | 286,631 | – | – | – | | |
Sandra Bergeron | 214,974 | – | – | – | | |
Roy Mackenzie | – | – | – | – | | |
Rick Medlock | – | – | – | – | | |
Steve Munford | 1,986,059 | – | – | – | | |
Vin Murria | 307,272 | – | – | – | | |
Paul Walker | 127,129 | – | 63,565 | – | | |

¹ Awards will vest on 21 May 2018, and Nick Bray’s beneficially owned shareholding will be 125,547 shares, equivalent to 237 per cent of salary based on the MMQ over the three months to 31 March 2018.

There have been no changes to shareholdings between 1 April 2018 and 16 May 2018. None of the Directors had an interest in the shares of any subsidiary undertaking of the Company or in any significant contracts of the Group, with the exception of Vin Murria who is also a Non-Executive Director of Softcat plc, with whom the Company maintains an ongoing customer relationship.

Summary of Outstanding Share Awards

The interests of the Directors in the Company’s share schemes as at 31 March 2018 are summarised in the table below.
Director / award | Date of award | Awards held at 1 Apr 17 | Granted during the year | Exercised during the year | Forfeited during the year | Awards held at 31 Mar 18 | Exercise price | Market price at grant | Performance period | Vesting period/date | Expiry date
Kris Hagerman | | | | | | | | | | |
Pre-IPO Options | 10 Oct 12 | 2,312,285 | – | (162,053) | – | 2,150,232 | $0.598 | $0.598 | n/a | 1 Aug 13 – 1 Aug 17 | 10 Oct 22
Pre-IPO Options | 10 Oct 12 | 2,420,174 | – | (162,054) | – | 2,258,120 | $0.598 | $0.598 | Exit event | 1 Jul 15 | 10 Oct 22
LTIP – RSU | 7 Aug 15 | 1,376,405 | – | (294,944) | – | 1,081,461 | – | 265p | n/a | 7 Aug 16 – 7 Aug 20 | 6 Aug 25
LTIP – RSU | 7 Aug 15 | 149,228 | – | (44,768) | – | 104,460 | – | 265p | n/a | 7 Aug 16 – 7 Aug 19 | 6 Aug 25
LTIP – PSU | 7 Aug 15 | 716,292 | – | – | – | 716,292 | – | 265p | 1 Apr 15 – 31 Mar 18 | 7 Aug 18 | 6 Aug 25
LTIP – RSU | 14 Jun 16 | 331,201 | – | (124,200) | – | 207,001 | – | 179p | n/a | 14 Jun 17 – 14 Jun 20 | 13 Jun 26
LTIP – PSU | 14 Jun 16 | 993,603 | – | – | – | 993,603 | – | 179p | 1 Apr 16 – 31 Mar 19 | 14 Jun 19 | 13 Jun 26
LTIP – RSU | 16 Jun 17 | – | 159,424 | – | – | 159,424 | – | 436p | n/a | 16 Jun 18 – 16 Jun 21 | 15 Jun 27
LTIP – PSU | 16 Jun 17 | – | 478,272 | – | – | 478,272 | – | 436p | 1 Apr 17 – 31 Mar 20 | 16 Jun 20 | 15 Jun 27
ESPP | 1 Jan 17 | 1,574 | – | (1,497) | (77) | – | 223p | 262p | n/a | 30 Jun 17 | 30 Jun 17
ESPP | 1 Jul 17 | – | 2,176 | (2,087) | (89) | – | 376p | 442p | n/a | 31 Dec 17 | 31 Dec 17
ESPP | 1 Jan 18 | – | 1,629 | – | – | 1,629 | TBD* | 567p | n/a | 30 Jun 18 | 30 Jun 18
Nick Bray | | | | | | | | | | |
LTIP – RSU | 7 Aug 15 | 589,888 | – | (126,404) | – | 463,484 | – | 265p | n/a | 7 Aug 16 – 7 Aug 20 | 6 Aug 25
LTIP – RSU | 7 Aug 15 | 70,225 | – | (21,067) | – | 49,158 | – | 265p | n/a | 7 Aug 16 – 7 Aug 19 | 6 Aug 25
LTIP – PSU | 7 Aug 15 | 337,079 | – | – | – | 337,079 | – | 265p | 1 Apr 15 – 31 Mar 18 | 7 Aug 18 | 6 Aug 25
LTIP – RSU | 14 Jun 16 | 149,248 | – | (55,968) | – | 93,280 | – | 179p | n/a | 14 Jun 17 – 14 Jun 20 | 13 Jun 26
LTIP – PSU | 14 Jun 16 | 447,744 | – | – | – | 447,744 | – | 179p | 1 Apr 16 – 31 Mar 19 | 14 Jun 19 | 13 Jun 26
LTIP – RSU | 16 Jun 17 | – | 64,995 | – | – | 64,995 | – | 436p | n/a | 16 Jun 18 – 16 Jun 21 | 15 Jun 27
LTIP – PSU | 16 Jun 17 | – | 194,985 | – | – | 194,985 | – | 436p | 1 Apr 17 – 31 Mar 20 | 16 Jun 20 | 15 Jun 27
SAYE | 24 Jun 16 | 11,111 | – | – | – | 11,111 | 162p | 202p | n/a | 8 Aug 19 | 8 Feb 20
Steve Munford | | | | | | | | | | |
Pre-IPO Options | 22 Oct 10 | 153,457 | – | (153,437) | – | – | $0.019 | $0.476 | n/a | 22 Oct 10 | 22 Oct 20

* Under Group scheme rules exercise price is to be not less than 85 per cent of the lesser of market value on date of grant and market value on date of exercise.

As outlined in the IPO prospectus, Kris Hagerman continues to hold share options granted under the Pentagon Holdings Management Equity Plan (“MEP”) that were issued prior to IPO. Nick Bray’s (until exercised under the JOE agreement in FY16) and Steve Munford’s (until exercised under the JOE agreement in FY17) MEP options (a “Linked Option”) were linked to a parallel award under a JOE Agreement. Awards under a JOE agreement entitle the participant to call for the transfer to him by the Trustee of the JOE agreement of that part of the beneficial interest in any jointly owned shares which vest, upon payment by the participant of a price specified in the JOE Agreement. Rights under a JOE Agreement may only be exercised to the extent that a Linked Option has not been exercised and vice versa.

The rules of the MEP provide that 50 per cent of a MEP option is subject to time vesting and 50 per cent is subject to performance vesting. On Admission, 66.2 per cent of the awards subject to performance vested. Depending on the length of service of a MEP participant, the Company may require that a portion of an option which is vested as to performance may only be exercised at a later date. Steve Munford additionally held vested share options granted under an option deed with Pentagon Holdings SARL on 22 October 2010 until exercised in FY18.
The interests of the Directors in pre-IPO restricted shares as at 31 March 2018 are summarised in the table below:

Director / award | Date of award | Restricted awards held at 1 Apr 17 | Restriction lifted during year | Restricted awards held at 31 Mar 18 | Exercise price | Market price at grant date | Performance period | Vesting period/date | Expiry date
Paul Walker | | | | | | | | |
Pre-IPO Restricted Shares | 27 Mar 15 | 127,129 | (63,564) | 63,565 | – | $1.5575 | n/a | 27 Mar 16 – 27 Mar 18 | n/a

As outlined in the IPO prospectus certain of the Non-Executive Directors held Restricted Shares, the majority of which have now vested. Paul Walker entered into a restricted share agreement on 27 March 2015 (the “Acquisition Date”) pursuant to which he acquired 300,000 A shares in Pentagon Holdings SARL. The Restricted Shares shall vest in three equal tranches on the first, second and third anniversaries of the Acquisition Date or as soon as reasonably practicable thereafter, in accordance with the provisions of the EU Market Abuse Regulation (596/2014), subject to Paul Walker remaining a Director until that date. All Restricted Shares in Pentagon Holdings SARL were exchanged for new shares in Sophos Group plc as part of the reorganisation of the Group immediately prior to the IPO.

On behalf of the Board:
Paul Walker
Chairman of the Remuneration Committee
16 May 2018

Directors’ Report

The Directors of Sophos Group plc (the “Company”) present their Annual Report on the affairs of the Group, together with the Consolidated Financial Statements and Auditor’s Report on the Group for the year-ended 31 March 2018. There are a number of legal and regulatory requirements with which the Company must comply, such as the Companies Act 2006 (the “Act”), the Listing Rules and the Disclosure Guidance and Transparency Rules (the “DTRs”), which are addressed in this section.
Strategic Report

The Strategic Report, which forms part of this report and is presented on pages 16 to 43 of this Annual Report, includes a fair review of the business, a description of the principal risks and uncertainties facing the Group and an indication of likely future developments.

Corporate Governance

The Corporate Governance Statement set out on pages 46 to 54 and Committee Reports on pages 55 to 81 have been incorporated into the Directors’ Report by cross-reference. The majority of the disclosures required under LR 9.8.4 R are not applicable to the Group. The table below sets out the location of the disclosures for those requirements that are applicable:

Applicable sub-paragraph | Disclosure provided
Publication of unaudited financial information | Financial Review
Details of long-term incentive schemes | Annual Report on Remuneration
Allotment of equity securities | Note 28 to the Financial Statements
Contracts of significance | Directors’ Report
Agreements with controlling shareholders | Directors’ Report

Articles of Association and Constitution

Sophos Group plc is domiciled in England and incorporated in England and Wales under Company Number 09608658. The Articles of Association of the Company (the “Articles”) may only be amended by a special resolution at a meeting of the shareholders. The current Articles can be found on the Group’s website at investors.sophos.com.
Directors and Directors’ Interests

The Directors who held office during the year and up to the date of the signing of this report:

Peter Gyenes | Non-Executive Director and Chairman
Kris Hagerman | Chief Executive Officer
Nick Bray | Chief Financial Officer
Sandra Bergeron | Non-Executive Director
Edwin Gillis | Non-Executive Director (retired 7 September 2017)
Roy Mackenzie | Non-Executive Director
Rick Medlock | Non-Executive Director (appointed 3 April 2017)
Steve Munford | Non-Executive Director
Vin Murria | Non-Executive Director
Salim Nathoo | Non-Executive Director (resigned 28 November 2017)
Paul Walker | Non-Executive Director

A summary of the Directors’ remuneration, employment contracts and interests in the shares of the Company is set out in the Remuneration Report. None of the Directors had an interest in any significant contracts of the Group or its subsidiaries, with the following exceptions: (i) Vin Murria is also a Non-Executive Director of Softcat plc, with whom the Company maintains an ongoing customer relationship; and (ii) Salim Nathoo is also a Non-Executive Director of Global Logic, with whom the Company maintains an ongoing supplier relationship.

Directors’ Indemnity and Insurance

Throughout the year, the Company has purchased and maintained Directors’ and Officers’ liability insurance in respect of itself and its Directors, and the Directors of Group subsidiary companies. The Directors also have the benefit of the indemnity provision contained in the Articles. The Company has entered into qualifying third-party indemnity arrangements for the benefit of all its Directors in a form and scope which comply with the requirements of the Companies Act 2006 and which were in force throughout the year and remain in force.
Relationship Agreement

Pentagon Lock Sarl, Pentagon Lock 6-A Sarl, Pentagon Lock 7-A Sarl and Pentagon Lock US Sarl (collectively “Apax”) previously held more than 30 per cent of the issued ordinary share capital of the Company and still hold more than 10 per cent of the issued ordinary share capital as at 31 March 2018. On 26 June 2015, the Company and Apax entered into a Relationship Agreement which regulates the ongoing relationship between the Company and Apax (as the “controlling shareholder”) in accordance with the Listing Rules. The Board can confirm that throughout the period:
• the Company has complied with the agreement’s independence provisions;
• as far as the Company is aware, the controlling shareholder and its associates have complied with the agreement’s independence provisions; and,
• as far as the Company is aware, the controlling shareholder has procured the compliance of non-signing controlling shareholders with the agreement’s independence provisions.

Significant Agreements

The following significant agreements are in place as at 31 March 2018, which include provisions that would enable the counterparties to alter or terminate the agreements upon a change of control of the Company following a takeover bid:
• a syndicated secured term loan (“Facility A”) of $235.0 million entered into on 1 July 2015;
• a syndicated secured term loan (“Facility B”) of €60.0 million entered into on 1 July 2015;
• a revolving credit facility agreement (“RCF 1”) of $30.0 million entered into on 1 July 2015; and,
• a revolving credit facility agreement (“RCF 2”) of $40.0 million entered into on 6 February 2017.

Further details of financing agreements in place are included in note 23 of the Financial Statements.

Share Capital and Substantial Shareholders

The share capital of the Company is set out in note 26 of the Financial Statements; ordinary shares of three pence each are the only class of share in issue.
As at 31 March 2018 and 16 May 2018 the Company was notified under DTR 5 of the following significant holdings of voting rights in its shares set out in the table below. No change in voting interests in the ordinary share capital of the Company, disclosable under the DTRs, has been notified to the Company between 31 March 2018 and 16 May 2018.

As at 31 March 2018:

Name | Ordinary shares held | Percentage of total ordinary shares
Apax | 51,936,344 | 11.09
Jan Hruska | 42,543,360 | 9.08
Peter Lammer | 42,543,360 | 9.08
Franklin Templeton Institutional, LLC | 23,376,977 | 4.99
Standard Life Investments (Holdings) Limited | 22,724,690 | 4.85
Old Mutual plc | 19,821,783 | 4.23
ODDO Meriten Asset Management | 13,633,922 | 2.91

Voting Rights

All of the issued and outstanding ordinary shares of the Company have equal voting rights, with one vote per share. There are no special control rights attaching to them.

Transfer of Shares

The transfer of shares is governed by the Articles, which allow any member to transfer certificated shares in any usual form or in any other form which the Board may approve. The Board may, in its absolute discretion, refuse to register a transfer of a certificated share that is not fully paid, provided that the refusal does not prevent dealings in the Company from taking place on an open and proper basis. The Board may also refuse to register the transfer of a certificated share unless the instrument of transfer is (i) lodged, duly stamped (if stampable), at the office or at another place appointed by the Board, accompanied by the certificate for the shares to which it relates and such other evidence as the Board may reasonably require to show the right of the transferor to make the transfer; (ii) in respect of only one class of shares; and (iii) in favour of not more than four transferees.
Appointment and Retirement of Directors

Unless otherwise determined by ordinary resolution, the number of Directors shall be no less than three but is not subject to any maximum number. The Board may appoint a person who is willing to act to be a Director, either to fill a vacancy or as an additional Director and in either case whether or not for a fixed term. At every AGM all the Directors at the date of the notice convening the AGM shall retire from office. If the Company does not fill the vacancy at the meeting, the retiring Director shall, if willing to act, be deemed to have been re-appointed unless at the meeting it is resolved not to fill the vacancy or unless a resolution for the re-appointment of the Director is put to the meeting and lost.

A person ceases to be a Director as soon as:
(i) notification is received by the Company from the Director that they are resigning or retiring from office;
(ii) that person has been absent for more than six consecutive months without permission of the Board and the Board resolves that their office be vacated;
(iii) the person has become physically or mentally incapable of acting as a Director and may remain so for more than three months;
(iv) a bankruptcy order is made against that person;
(v) a composition is made with that person’s creditors generally in satisfaction of that person’s debts;
(vi) that person ceases to be a Director by virtue of any provision of the Act or is prohibited from being a Director by law; or,
(vii) that person is removed from office pursuant to the Articles.

Powers of the Board

Subject to provisions of the Companies Act 2006, the Articles, and to any directions given by special resolution, the business of the Company shall be managed by the Board who may exercise all the powers of the Company.

Dividends

The Directors have recommended that the Company pay a final dividend in relation to the year-ended 31 March 2018 of 3.5 US Cents per share.
Subject to shareholder approval, combined with the interim dividend announced of 1.4 US Cents per share, this gives a total dividend for the year of 4.9 US Cents per share. The Directors continue to adopt a progressive dividend policy targeting approximately mid-single digit per cent growth per annum, reflecting the cash-generative nature of the Group.
Sophos Group plc is the parent company of the Group and is a non-trading investment company for the Group, holding investments in subsidiaries financed by Group companies. Sophos Group plc has retained earnings of $946.1 million, which approximates the distributable reserves. At the end of the prior year Sophos Group plc had retained earnings of $977.1 million, after paying dividends in that year totalling $10.9 million, the distributable reserves thereby having significant cover for the dividends being proposed. The Group is strongly cash generative with trading activities continuing to support the dividends made and proposed; details of cash on hand are included in note 20 of the Financial Statements.
The dividend policy and availability of distributable reserves or cash to make future dividend payments is influenced by the principal risks, and their mitigations, discussed on pages 34 to 37 which are factored into the Group’s viability review and statement disclosed on page 86. Prior to the proposal of a dividend the Directors review both the distributable reserves and cash available on hand as well as the impact of the proposed dividend on each of them in light of other cash commitments and investment intentions. On the basis of the latest review the Directors consider the current dividend policy to be appropriate and sustainable.

Annual General Meeting
The notice of the Annual General Meeting (“AGM”) which sets out the resolutions to be proposed at the 2018 AGM accompanies this Annual Report and Accounts. The 2018 AGM will be held at 3.00pm on 30 August 2018 at: The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP.

Share Option Plans
The Group operates a number of share option plans to motivate and retain staff and align their interests with shareholders. Details of these schemes are set out in note 28 to the Financial Statements.

Branches
The Group, through various subsidiaries, has established branches in a number of different countries in which the business operates.

Financial Instruments
Details of the Group’s financial risk management policies and risks are set out in note 25 to the Financial Statements.

Authority to Issue Shares and Authority to Purchase Own Shares
The Company was authorised by shareholders at the 2017 AGM to allot shares and also to make market purchases of up to 10 per cent of the Company’s issued share capital, as permitted under the Company’s Articles. The Company did not repurchase shares during the year or make any shares the subject of a charge. The Company will seek to renew these authorities at the 2018 AGM, within the limits set out in the AGM Notice.

Shares Held in the Employee Benefit Trust
The Trustees of the Employee Benefit Trust will abstain from voting or exercising any other rights in respect of any shares held by them and in which no beneficial interest is held by any beneficiary unless otherwise directed by the Company.

Greenhouse Gas Emissions
The Greenhouse Gas Emissions (“GHG”) disclosures for the Group, as well as environmental considerations, have been included in the Corporate Responsibility Report; see page 43.

Employees
The Group continues to invest to drive future growth. A key objective of the Group is to achieve a shared commitment by all employees to the success of the business. Throughout the Group, there is consultation between employees and management on matters of mutual interest and information is disseminated through team and Company briefings.
Updates on the operations of the Group and its performance are shared with all employees via quarterly all-hands which are led by the CEO and SMT and are recorded and made available on the Group’s intranet site. Employees are encouraged to promote and participate in the progress and profitability of the Group through the share option plans and other incentive schemes.
The Group provides full consideration to applications for employment from disabled persons where the requirements of the role can be adequately fulfilled by a disabled person. Where existing employees become disabled it is the Group’s policy, wherever practicable, to provide continuing employment under normal terms and conditions and to provide training and career development to disabled employees wherever appropriate.

Research and Development
The Group continues to undertake research and development activity relating to its principal activities. In the year-ended 31 March 2018, the Group spent 19.0 per cent of its billings on research and development (FY17: 18.6 per cent). Development expenditure is capitalised if the requirements of IAS 38 have been met; further details are included in note 3 of the Financial Statements.

Political Donations
The Group’s policy is not to make any political donations. Accordingly, no political donations were made in the year-ended 31 March 2018 (FY17: no political donations were made).

Post Balance Sheet Events
There have been no material events from 31 March 2018 to the date of this report.

Auditors
KPMG LLP has expressed their willingness to continue in office as auditors of the Company and accordingly a resolution for the re-appointment of KPMG LLP as auditors of the Company is to be proposed to the shareholders at the 2018 AGM.

Disclosure of Information to Auditors
The Directors who held office at the date of approval of this Directors’ Report confirm that, so far as they are each aware, there is no relevant audit information of which the Company’s auditors are unaware and each Director has taken all the steps that he or she ought to have taken as a Director to make them aware of any relevant audit information.

Statement of Directors’ Responsibilities in Respect of the Annual Report and the Financial Statements
The Directors are responsible for preparing the Annual Report and the Group and parent Company financial statements in accordance with applicable law and regulations.
Company law requires the Directors to prepare Group and parent company financial statements for each financial year. Under that law they are required to prepare the Group financial statements in accordance with International Financial Reporting Standards as adopted by the European Union (IFRSs as adopted by the EU) and applicable law. As explained in note 3 to the Group financial statements, the Group, in addition to complying with its legal obligation to apply IFRSs as adopted by the EU, has also applied IFRSs as issued by the International Accounting Standards Board (“IASB”). Under company law the Directors have elected to prepare the parent company financial statements in accordance with UK accounting standards, including FRS 102 The Financial Reporting Standard applicable in the UK and Republic of Ireland.

Going Concern
Having made appropriate enquiries and considered the Group’s forecasts, the Directors consider that the Group has sufficient resources to continue for the foreseeable future. Accordingly, they continue to adopt the going concern basis in preparing the Financial Statements. Further details regarding the adoption of the going concern basis can be found in the viability statement below.

Viability Statement
The Directors have assessed the viability of the Group over a three-year period, taking into account the Group’s current position and the potential impacts of the principal risks documented on pages 34 to 37 of the Annual Report. Based on this assessment, the Directors confirm that they have a reasonable expectation that the Company will be able to continue to operate and to meet its liabilities as they fall due over the three years to 31 March 2021.
The Group prepares annually, and on a rolling basis, a strategic plan, which is predicated on a detailed year one budget and higher-level forecasts thereafter. The output of this plan is used to perform debt and associated covenant headroom profile analysis, which includes sensitivity to business as usual risks such as billings and EBITDA impacts. A bottom-up operating plan is prepared on an annual basis for presentation to the Board.
Following assessment of the planning process, the Directors have determined that a three-year period is an appropriate period over which to assess the Group’s viability. Whilst the Directors have no reason to believe that the Group will not be viable over a longer period, the period of three years has been chosen as this matches the term of the majority of the Group’s sales (typically one to three years in duration, with a weighted average contract life of around twenty-eight months) which therefore aids the accuracy of forecasting with a single renewal cycle, thereby providing a greater degree of certainty and, in the view of the Directors, still provides an appropriate long-term outlook.
In making this viability statement, the Board carried out a robust assessment of the principal risks facing the Group, including those that would threaten its business model, future performance, solvency or liquidity. Where individual principal risks did not impact the future viability of the Group, consideration was given to potential principal risk combinations.
The process of identifying, assessing and managing principal risks is set out in the Audit and Risk Committee Report on pages 57 to 61.

Responsibility Statement of the Directors in Respect of the Annual Financial Report
We confirm that to the best of our knowledge:
• the financial statements, prepared in accordance with the applicable set of accounting standards, give a true and fair view of the assets, liabilities, financial position and profit or loss of the company and the undertakings included in the consolidation taken as a whole; and
• the strategic report includes a fair review of the development and performance of the business and the position of the issuer and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that they face.
We consider the annual report and accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group’s position and performance, business model and strategy.

By order of the Board
Chloe Barry
Company Secretary
16 May 2018

Under company law the Directors must not approve the financial statements unless they are satisfied that they give a true and fair view of the state of affairs of the Group and parent company and of their profit or loss for that period.
In preparing each of the Group and parent company financial statements, the Directors are required to:
• select suitable accounting policies and then apply them consistently;
• make judgements and estimates that are reasonable, relevant, reliable and prudent;
• for the Group financial statements, state whether they have been prepared in accordance with IFRSs as adopted by the EU;
• for the parent company financial statements, state whether applicable UK accounting standards have been followed, subject to any material departures disclosed and explained in the parent company financial statements;
• assess the Group and parent company’s ability to continue as a going concern, disclosing, as applicable, matters related to going concern; and
• use the going concern basis of accounting unless they either intend to liquidate the Group or the parent company or to cease operations, or have no realistic alternative but to do so.
The Directors are responsible for keeping adequate accounting records that are sufficient to show and explain the parent company’s transactions and disclose with reasonable accuracy at any time the financial position of the parent company and enable them to ensure that its financial statements comply with the Companies Act 2006. They are responsible for such internal control as they determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error, and have general responsibility for taking such steps as are reasonably open to them to safeguard the assets of the Group and to prevent and detect fraud and other irregularities.
Under applicable law and regulations, the Directors are also responsible for preparing a Strategic Report, Directors’ Report, Directors’ Remuneration Report and Corporate Governance Statement that complies with that law and those regulations.
The Directors are responsible for the maintenance and integrity of the corporate and financial information included on the company’s website. Legislation in the UK governing the preparation and dissemination of financial statements may differ from legislation in other jurisdictions.

Independent Auditor’s Report to the members of Sophos Group plc only

1. Our opinion is unmodified
We have audited the financial statements of Sophos Group plc (“the Company”) for the year ended 31 March 2018 which comprise the Consolidated Statements of Profit and Loss, Comprehensive Income, Financial Position, Changes in Equity, and Cash Flows, and the Company Only Statements of Financial Position and Changes in Equity and the related notes, including the accounting policies in note 3.
In our opinion:
• the financial statements give a true and fair view of the state of the Group’s and of the parent Company’s affairs as at 31 March 2018 and of the Group’s loss for the year then ended;
• the Consolidated financial statements have been properly prepared in accordance with International Financial Reporting Standards as adopted by the European Union (IFRSs as adopted by the EU);
• the parent Company financial statements have been properly prepared in accordance with UK accounting standards, including FRS 102 The Financial Reporting Standard applicable in the UK and Republic of Ireland; and
• the financial statements have been prepared in accordance with the requirements of the Companies Act 2006 and, as regards the Consolidated financial statements, Article 4 of the IAS Regulation.

Additional opinion in relation to IFRSs as issued by the IASB
As explained in note 3 to the Consolidated financial statements, the Group, in addition to complying with its legal obligation to apply IFRSs as adopted by the EU, has also applied IFRSs as issued by the International Accounting Standards Board (IASB).
In our opinion the Consolidated financial statements have been properly prepared in accordance with IFRSs as issued by the IASB.

Basis for opinion
We conducted our audit in accordance with International Standards on Auditing (UK) (“ISAs (UK)”) and applicable law. Our responsibilities are described below. We believe that the audit evidence we have obtained is a sufficient and appropriate basis for our opinion. Our audit opinion is consistent with our report to the audit committee.
We were appointed as auditor on 25 January 2001. The period of total uninterrupted engagement is for the 18 financial years ended 31 March 2018. We have fulfilled our ethical responsibilities under, and we remain independent of the Group in accordance with, UK ethical requirements including the FRC Ethical Standard as applied to listed public interest entities. No non-audit services prohibited by that standard were provided.

Overview
Materiality, Consolidated financial statements as a whole: $6.3m (2017: $5.5m); 1% (2017: 1%) of group revenue
Coverage: 99% (2017: 98%) of group revenue
Risks of material misstatement (vs 2017), recurring risks:
• Revenue recognition
• Exceptional items & alternative performance measures
• Recoverability of parent company’s investment in subsidiaries

2. Key audit matters: our assessment of risks of material misstatement
Key audit matters are those matters that, in our professional judgement, were of most significance in the audit of the financial statements and include the most significant assessed risks of material misstatement (whether or not due to fraud) identified by us, including those which had the greatest effect on: the overall audit strategy; the allocation of resources in the audit; and directing the efforts of the engagement team.
We summarise below the key audit matters in decreasing order of audit significance, in arriving at our audit opinion above, together with our key audit procedures to address those matters and, as required for public interest entities, our results from those procedures. These matters were addressed, and our results are based on procedures undertaken, in the context of, and solely for the purpose of, our audit of the financial statements as a whole, and in forming our opinion thereon, and consequently are incidental to that opinion, and we do not provide a separate opinion on these matters:

Revenue recognition ($640.7m; 2017: $529.7m)
Refer to page 58 (Audit Committee Report), page 102 (accounting policy) and page 114 (financial disclosures).

The risk
Accounting treatment: As the Group expands and product portfolios evolve, there is considerable risk associated with recognising revenue on contracts containing multiple elements. Judgement is required in determining each element of the arrangement and estimating their respective fair values. The Group makes reference to the list prices of individual elements and discounts given on the total contract. This judgement could materially affect the timing and quantum of revenue recognised in each period.

Our response
Our procedures included:
• Controls design: We evaluated the design and implementation of the control ensuring review and approval of non standard contract terms which may impact revenue recognition;
• Control operation: We evaluated the operating effectiveness of IT controls over the establishment of list prices in the sales order system which directly impact the fair value calculation;
• Tests of details: We selected a sample of Group billings from throughout the year and with reference to list prices and discounts given, we recalculated the relative fair values of each element to assess whether the determination of relative fair values of each separable element was in line with Group Policy.
We also reviewed a sample of contracts in the year, assessing the impact of contract terms on revenue recognition;
• Accounting analysis: We assessed the Group’s policy in respect of fair value allocation and revenue recognition against relevant accounting standards; and
• Assessing transparency: We assessed the adequacy of the Group’s disclosure regarding the determination of fair values of multiple element arrangements.

Our results
• We found the amount of revenue recognised in the year as at 31 March 2018 to be acceptable (2017: acceptable).

Exceptional items & alternative performance measures
Exceptional items: ($13.2m; 2017: $31.4m). Billings $768.6m (2017: $632.1m), Cash EBITDA $193.7m (2017: $150.1m), Adjusted operating profit $46.1m (2017: $38.3m), Unlevered Free Cash Flow $139.6m (2017: $133.4m)
Refer to page 58 (Audit Committee Report), page 109 (accounting policy) and pages 109-111 (financial disclosures).

The risk
Presentation appropriateness: The Group presents Alternative Performance Measures (APMs) to operating loss for the period within the consolidated income statement and throughout the Annual Report. The Directors believe that the separate identification of exceptional items and the presentation of specified APMs provides clear and useful information on the Group’s underlying trading performance. However, when improperly used and presented, these kinds of measures might prevent the Annual Report from being fair and balanced by focusing on only part of the performance. The determination of whether an item should be separately disclosed as an exceptional item requires judgement on its nature and incidence, and its use along with presentation of APMs requires judgement as to whether they provide a better understanding of the Group’s underlying trading performance.

Our response
Our procedures included:
• Assessing principles: We assessed the accounting policy to determine whether, in judging what to include in exceptional items, the Directors took appropriate regard to guidance issued by the Financial Reporting Council on the reporting of exceptional items and the requirement to separately disclose material or unusual transactions under relevant accounting standards;
• Assessing application: We assessed whether the application of the accounting policy was consistent, including whether it was applied to both gains and losses; whether the same category of material items are treated consistently each year; and whether the tax effects of exceptional items are explained, by using our knowledge of the Group’s transactions throughout the audit;
• Assessing balance: We assessed whether the disclosure of APMs and related commentary of exceptional items and APMs placed disproportionate emphasis on those measures over the related GAAP measure; whether the APMs were given meaningful labels that are not GAAP terms; whether they were clearly described and explained; whether the APMs provided meaningful measures of trading performance; whether their presentation is in line with guidance issued by the FRC and European Securities and Markets Authority with respect to APMs; and whether the underlying financial information is otherwise misleading; and
• Assessing transparency: We also assessed the adequacy of the disclosure of the definition and composition of APMs and exceptional items, including whether APMs were appropriately reconciled to GAAP terms with sufficient prominence given to that reconciliation.

Our results
• We found the presentation of exceptional items and APMs to be acceptable (2017: acceptable).

Recoverability of parent company’s investment in subsidiaries ($1,099.1m; 2017: $1,068.4m)
Refer to page 59 (Audit Committee Report), page 142 (accounting policy) and page 143 (financial disclosures).

Forecast based valuation: The carrying amount of the parent company’s investments in subsidiaries is significantly in excess of the net assets of the Group as a whole, and is assessed for recoverability using a discounted cash flow model to calculate value in use (“VIU”). Due to the inherent uncertainty involved in forecasting and discounting future cash flows for a VIU model, this is one of the key judgemental areas that our audit concentrates on.

Our procedures included:
• Our sector experience: Challenging the assumptions used in the cash flows included in the discounted cash flow model by using our sector experience through evaluating the current level of trading, including identifying any indications of a downturn in activity, by examining the post year end management accounts and considering our knowledge of the Group and the market;
• Benchmarking assumptions: Assessing the reasonableness of key external inputs, such as projected long term economic growth and discount rates, by benchmarking these against those used by comparable listed companies;
• Historical comparison: Assessing the reasonableness of the budgets by considering the historical accuracy of the previous forecasts; and
• Comparing valuations: Comparing the sum of the discounted cash flows to the Group’s market capitalisation to assess the reasonableness of those cash flows.

Our results
• We found the resulting estimate of the recoverability of the carrying amount of the parent company’s investment in subsidiaries to be acceptable (2017: acceptable).

3. Our application of materiality and an overview of the scope of our audit
Group Revenue: $640.7m (2017: $529.7m). Group Materiality: $6.3m (2017: $5.5m).
Materiality for the Consolidated financial statements as a whole was $6.3m (2017: $5.5m), determined with reference to a benchmark of Group revenue of which it represents 1% (2017: 1%).
We consider Group revenue to be the most appropriate benchmark as it provides a more stable measure year on year than Group loss before tax.
Materiality for the parent company financial statements as a whole was set at $5.9m (2017: $3.9m) determined with reference to a benchmark of total assets of which it represents 0.6% (2017: 0.3%).
We agreed to report to the Audit Committee all corrected or uncorrected misstatements exceeding $0.31m (2017: $0.25m), in addition to other identified misstatements that warranted reporting on qualitative grounds.
Of the Group’s 27 (2017: 28) reporting components, we subjected 7 (2017: 10) to audits for Group reporting purposes and 2 (2017: 2) to specified risk-focused audit procedures over tax. The latter were not individually significant enough to require an audit for Group reporting purposes, but did present specific individual risks that needed to be addressed.
The components within the scope of our work accounted for the percentages illustrated opposite. For the residual components, we performed our analysis at an aggregated Group level to re-examine our assessment that there were no significant risks of material misstatement within these.
The Group team instructed component auditors as to the significant areas to be covered, including the relevant risks detailed above and the information to be reported back. The Group team approved the component materialities, which ranged from $4.4m to $5.9m having regard to the mix of size and risk profile of the Group across the components. The work on 5 of the 7 components (2017: 6 of the 10 components) was performed by component auditors and the rest, including the audit of the parent company, was performed by the Group team.
The Group team visited 2 (2017: 1) component locations in Germany and India (2017: Germany) to assess the audit risk and strategy.
Video and telephone conference meetings were also held with these component auditors and the majority of the others that were not physically visited. At these visits and meetings, the findings reported to the Group team were discussed in more detail, and any further work required by the Group team was then performed by the component auditor.

Materiality summary: whole financial statements materiality $6.3m (2017: $5.5m); range of materiality at 9 components $4.4m-$5.9m (2017: $1m to $3.9m at 12 components); misstatements reported to the audit committee $0.31m (2017: $0.25m).
Charts: share of Group revenue, Group billings, Group total assets and Group loss before tax covered by full scope for group audit purposes, specified risk-focused audit procedures and residual components, 2018 against 2017.

4. We have nothing to report on going concern
We are required to report to you if:
• we have anything material to add or draw attention to in relation to the Directors’ statement in note 3.2 to the financial statements on the use of the going concern basis of accounting with no material uncertainties that may cast significant doubt over the Group and Company’s use of that basis for a period of at least twelve months from the date of approval of the financial statements; or
• the related statement under the Listing Rules set out on page 86 is materially inconsistent with our audit knowledge.
We have nothing to report in these respects.

5. We have nothing to report on the other information in the Annual Report
The Directors are responsible for the other information presented in the Annual Report together with the financial statements. Our opinion on the financial statements does not cover the other information and, accordingly, we do not express an audit opinion or, except as explicitly stated below, any form of assurance conclusion thereon.
Our responsibility is to read the other information and, in doing so, consider whether, based on our financial statements audit work, the information therein is materially misstated or inconsistent with the financial statements or our audit knowledge. Based solely on that work we have not identified material misstatements in the other information.

Strategic report and Directors’ report
Based solely on our work on the other information:
• we have not identified material misstatements in the strategic report and the Directors’ report;
• in our opinion the information given in those reports for the financial year is consistent with the financial statements; and
• in our opinion those reports have been prepared in accordance with the Companies Act 2006.

Directors’ remuneration report
In our opinion the part of the Directors’ Remuneration Report to be audited has been properly prepared in accordance with the Companies Act 2006.

Disclosures of principal risks and longer-term viability
Based on the knowledge we acquired during our financial statements audit, we have nothing material to add or draw attention to in relation to:
• the Directors’ confirmation within the Directors’ Viability Statement (page 86) that they have carried out a robust assessment of the principal risks facing the Group, including those that would threaten its business model, future performance, solvency and liquidity;
• the Principal Risks disclosures describing these risks and explaining how they are being managed and mitigated; and
• the Directors’ explanation in the Directors’ Viability Statement of how they have assessed the prospects of the Group, over what period they have done so and why they considered that period to be appropriate, and their statement as to whether they have a reasonable expectation that the Group will be able to continue in operation and meet its liabilities as they fall due over the period of their assessment, including any related disclosures drawing attention to any necessary qualifications or assumptions.
Under the Listing Rules we are required to review the Directors’ Viability Statement. We have nothing to report in this respect.
Corporate governance disclosures
We are required to report to you if:
• we have identified material inconsistencies between the knowledge we acquired during our financial statements audit and the Directors’ statement that they consider that the annual report and financial statements taken as a whole is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group’s position and performance, business model and strategy; or
• the section of the annual report describing the work of the Audit Committee does not appropriately address matters communicated by us to the Audit Committee.
We are required to report to you if the Corporate Governance Statement does not properly disclose a departure from the eleven provisions of the UK Corporate Governance Code specified by the Listing Rules for our review.
We have nothing to report in these respects.
6. We have nothing to report on the other matters on which we are required to report by exception
Under the Companies Act 2006, we are required to report to you if, in our opinion:
• adequate accounting records have not been kept by the parent Company, or returns adequate for our audit have not been received from branches not visited by us; or
• the parent Company financial statements and the part of the Directors’ Remuneration Report to be audited are not in agreement with the accounting records and returns; or
• certain disclosures of Directors’ remuneration specified by law are not made; or
• we have not received all the information and explanations we require for our audit.
We have nothing to report in these respects.
7. Respective responsibilities
Directors’ responsibilities
As explained more fully in their statement set out on page 86, the Directors are responsible for: the preparation of the financial statements including being satisfied that they give a true and fair view; such internal control as they determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error; assessing the Group and parent Company’s ability to continue as a going concern, disclosing, as applicable, matters related to going concern; and using the going concern basis of accounting unless they either intend to liquidate the Group or the parent Company or to cease operations, or have no realistic alternative but to do so.
Auditor’s responsibilities
Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or other irregularities (see below), or error, and to issue our opinion in an auditor’s report. Reasonable assurance is a high level of assurance, but does not guarantee that an audit conducted in accordance with ISAs (UK) will always detect a material misstatement when it exists. Misstatements can arise from fraud, other irregularities or error and are considered material if, individually or in aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements. A fuller description of our responsibilities is provided on the FRC’s website at www.frc.org.uk/auditorsresponsibilities.
Irregularities – ability to detect
We identified areas of laws and regulations that could reasonably be expected to have a material effect on the financial statements from our sector experience, and through discussion with the Directors (as required by auditing standards).
We had regard to laws and regulations in areas that directly affect the financial statements including financial reporting (including related company legislation) and taxation legislation. We considered the extent of compliance with those laws and regulations as part of our procedures on the related financial statement items. We communicated identified laws and regulations throughout our team and remained alert to any indications of non-compliance throughout the audit. This included communication from the Group to component audit teams of relevant laws and regulations identified at Group level, with a request to report on any indications of potential existence of non-compliance with relevant laws and regulations (irregularities) in these areas, or other areas directly identified by the component team. As with any audit, there remained a higher risk of non-detection of non-compliance with relevant laws and regulations (irregularities)/ irregularities, as these may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal controls.
8. The purpose of our audit work and to whom we owe our responsibilities
This report is made solely to the Company’s members, as a body, in accordance with Chapter 3 of Part 16 of the Companies Act 2006 and the terms of our engagement by the company. Our audit work has been undertaken so that we might state to the Company’s members those matters we are required to state to them in an auditor’s report, and the further matters we are required to state to them in accordance with the terms agreed with the company, and for no other purpose. To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the Company and the Company’s members, as a body, for our audit work, for this report, or for the opinions we have formed.
Robert Seale (Senior Statutory Auditor)
for and on behalf of KPMG LLP, Statutory Auditor
Chartered Accountants
15 Canada Square
London E14 5GL
16 May 2018

Consolidated Statement of Profit or Loss
For the year-ended 31 March 2018

Line item | Note | Year-ended 31 March 2018 $M | Year-ended 31 March 2017 $M
Revenue | 6 | 640.7 | 529.7
Cost of sales | | (143.3) | (121.3)
Gross profit | | 497.4 | 408.4
Sales and marketing | | (249.0) | (210.6)
Research and development | | (145.8) | (117.8)
General finance and administration: | | (134.5) | (124.3)
– Underlying | | (46.9) | (39.3)
– Share-based payments | | (42.3) | (32.5)
– Exceptional items | 7 | (13.2) | (31.4)
– Amortisation of intangible assets | | (25.2) | (19.9)
– Foreign exchange loss | | (6.9) | (1.2)
Operating loss | | (31.9) | (44.3)
Finance income | 12 | 0.3 | 0.1
Finance expense | 12 | (20.7) | (5.1)
Loss before taxation | | (52.3) | (49.3)
Income tax (charge) / credit | 13 | (14.0) | 2.6
Loss for the year | | (66.3) | (46.7)
Earnings per share ($ cents) | | |
Basic and diluted EPS | 14 | (14.4) | (10.3)
Adjusted operating EPS | 14 | 10.0 | 8.5
Diluted adjusted operating EPS | 14 | 9.5 | 8.1

All of the loss for the year is attributable to equity holders of the parent company.
The notes on pages 99 to 139 form an integral part of these financial statements

Consolidated Statement of Comprehensive Income
For the year-ended 31 March 2018

Line item | Year-ended 31 March 2018 $M | Year-ended 31 March 2017 $M
Loss for the period | (66.3) | (46.7)
Other comprehensive gains / (losses): | |
Items that will not be reclassified subsequently to profit or loss: | – | –
Items that may be reclassified subsequently to profit or loss: | |
- Exchange differences arising on translation of foreign operations | (4.0) | 2.8
Total other comprehensive (losses) / gains | (4.0) | 2.8
Comprehensive loss for the year | (70.3) | (43.9)

All of the comprehensive loss for the year is attributable to equity holders of the parent company.
Consolidated Statement of Financial Position
At 31 March 2018
Company registered number: 09608658

Line item | Note | 31 March 2018 $M | 31 March 2017 $M
Non-current assets | | |
Intangible assets | 15 | 869.9 | 856.0
Property, plant and equipment | 17 | 25.4 | 23.4
Deferred tax asset | 13 | 125.8 | 105.3
Other receivables | 19 | 1.3 | 1.3
 | | 1,022.4 | 986.0
Current assets | | |
Tax assets | | 8.2 | 7.7
Inventories | 18 | 16.0 | 16.2
Trade and other receivables | 19 | 177.8 | 145.2
Cash and cash equivalents | 20 | 120.0 | 68.1
 | | 322.0 | 237.2
Total assets | | 1,344.4 | 1,223.2
Current liabilities | | |
Trade and other payables | 21 | 134.1 | 107.3
Deferred revenue | 22 | 423.9 | 330.6
Tax liabilities | | 23.0 | 21.0
Financial liabilities | 23 | 17.4 | 71.1
Provisions | 24 | – | 0.4
 | | 598.4 | 530.4
Non-current liabilities | | |
Trade and other payables | 21 | 8.2 | 3.9
Deferred revenue | 22 | 331.8 | 250.4
Financial liabilities | 23 | 306.8 | 296.3
Provisions | 24 | 1.4 | 1.1
Deferred tax liabilities | 13 | 6.0 | 14.4
 | | 654.2 | 566.1
Total liabilities | | 1,252.6 | 1,096.5
Net assets | | 91.8 | 126.7
Represented by: | | |
Share capital | 26 | 22.0 | 21.6
Share premium | | 122.3 | 118.4
Merger reserve | | (200.9) | (200.9)
Retained earnings | | 60.0 | 148.1
Share-based payment reserve | | 121.8 | 68.9
Translation reserve | | (33.4) | (29.4)
Total equity | | 91.8 | 126.7

These Consolidated Financial Statements were approved by the Board of Directors on 16 May 2018 and were signed on its behalf by:
Nick Bray
Chief Financial Officer

Consolidated Statement of Changes in Equity
For the year-ended 31 March 2018

Line item | Share Capital $M | Share Premium $M | Merger Reserve $M | Other Reserves1 $M | Retained Earnings $M | Share-Based Payment Reserve $M | Translation Reserve $M | Total $M
At 31 March 2016 | 21.3 | 115.9 | (200.9) | (0.1) | 205.7 | 36.2 | (32.2) | 145.9
Loss for the period: | – | – | – | – | (46.7) | – | – | (46.7)
Other comprehensive profit or loss: | – | – | – | – | – | – | 2.8 | 2.8
Total comprehensive loss | – | – | – | – | (46.7) | – | 2.8 | (43.9)
Share options exercised | 0.3 | 2.5 | – | – | – | – | – | 2.8
Disposal of EBT treasury shares | – | – | – | 0.1 | – | – | – | 0.1
Share-based payments expense | – | – | – | – | – | 31.3 | – | 31.3
Share-based payments deferred tax | – | – | – | – | – | 1.4 | – | 1.4
Cash dividend (note 27) | – | – | – | – | (10.9) | – | – | (10.9)
At 31 March 2017 | 21.6 | 118.4 | (200.9) | – | 148.1 | 68.9 | (29.4) | 126.7
Loss for the period: | – | – | – | – | (66.3) | – | – | (66.3)
Other comprehensive profit or loss: | – | – | – | – | – | – | (4.0) | (4.0)
Total comprehensive loss | – | – | – | – | (66.3) | – | (4.0) | (70.3)
Share options exercised | 0.4 | 3.9 | – | – | – | – | – | 4.3
Share-based payments expense | – | – | – | – | – | 39.6 | – | 39.6
Share-based payments taxation | – | – | – | – | – | 13.3 | – | 13.3
Cash dividends (note 27) | – | – | – | – | (21.8) | – | – | (21.8)
At 31 March 2018 | 22.0 | 122.3 | (200.9) | – | 60.0 | 121.8 | (33.4) | 91.8

1 At 31 March 2018 other reserves comprise an insignificant number of own shares held in an Employment Benefit Trust.

Consolidated Statement of Cash Flows
For the year-ended 31 March 2018

Line item | Year-ended 31 March 2018 $M | Year-ended 31 March 2017 $M
Loss for the year | (66.3) | (46.7)
Adjusted for: | |
Depreciation | 11.6 | 9.4
Amortisation of intangible assets | 25.2 | 19.9
Amortisation of fair value adjustment on deferred income | 1.0 | (1.0)
Fair value adjustment on contingent consideration | 0.2 | –
Foreign exchange expense | 8.1 | –
Share-based payments expense | 39.6 | 31.3
Finance income | (0.3) | (0.1)
Finance expense | 20.7 | 5.1
Income tax charge / (credit) | 14.0 | (2.6)
 | 53.8 | 15.3
Decrease in inventories | 1.7 | 1.1
Increase in trade and other receivables | (22.9) | (20.5)
Increase in trade and other payables | 10.4 | 37.1
Increase in deferred revenue | 127.0 | 104.4
(Decrease) / Increase in provisions | (0.2) | 0.3
Cash generated from continuing operations | 169.8 | 137.7
Income taxes paid | (22.1) | (19.2)
Net cash flow from operating activities | 147.7 | 118.5
Investing activities | |
Purchase of property, plant and equipment | (10.0) | (11.4)
Acquisition of subsidiaries net of cash acquired | (4.9) | (101.7)
Purchase of intangible assets | (11.1) | (5.1)
Finance income | 0.3 | 0.1
Net cash flow from investing activities | (25.7) | (118.1)
Financing activities | |
Proceeds from issue of shares | 4.2 | 2.8
Transaction costs related to the issue of shares | – | –
Dividends paid | (21.8) | (10.9)
Proceeds from borrowings | – | 50.0
Repayment of borrowings | (50.0) | (25.0)
Transaction costs related to borrowings | (0.1) | (0.9)
Finance lease payments | (0.1) | (0.1)
Finance costs | (9.1) | (8.8)
Net cash flow from financing activities | (76.9) | 7.1
Increase in cash and cash equivalents | 45.1 | 7.5
Net foreign exchange differences | 6.8 | (6.2)
Cash and cash equivalents at the start of the period | 68.1 | 66.8
Cash and cash equivalents at the end of the period | 120.0 | 68.1

Note column as printed (row alignment not recoverable): 28 12 12 17 32 15 12 32 32 32 20

Notes to the Consolidated Financial Statements
For the year-ended 31 March 2018
1 General Information
Reporting Entity
Sophos Group plc (“the Company”) is a company domiciled in the United Kingdom. The Company’s registered office is Sophos Group plc, The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP, United Kingdom. The Consolidated Financial Statements of the Company as at and for the year-ended 31 March 2018 comprise the Company and its subsidiaries (together referred to as “the Group”). The Group is a leading provider of cloud-enabled enduser and network security solutions.
2 Application of New and Revised International Financial Reporting Standards (“IFRSs”)
The Group has not applied the following new and revised IFRSs that have been issued but are not yet effective.
Other than as set out below, the Directors do not anticipate that the IFRSs will have a significant effect on the Group’s consolidated financial information:
Effective for annual periods beginning on or after January 2018:
• IFRS 9 – Financial Instruments;
• IFRIC 22 – Foreign Currency Transactions and Advance Consideration;
• Amendments to IFRS 2 – Share-based Payment Transactions;
• Amendments to IFRS 4 – Insurance Contracts;
• Amendments to IAS 40 – Investment Property;
• Amendments to IFRS 1 – First time adoption of IFRS; and,
• Amendments to IAS 28 – Investments in Associates and Joint Ventures
Effective for annual periods beginning on or after January 2019:
• IFRIC 23 – Uncertainty over Income Tax Treatments
Effective for annual periods beginning on or after January 2021:
• IFRS 17 – Insurance Contracts
IFRS 15 – Revenue from Contracts with Customers
IFRS 15 “Revenue from contracts with customers” is effective for annual periods beginning on or after 1 January 2018 and will therefore be adopted by the Group in the year-ending 31 March 2019. The review of IFRS 15 is ongoing and the Group is cognisant of industry practice, which is constantly evolving, that could impact the Group in its implementation; however, based on the current position the Directors have updated their assessment of the impact of the standard on the Group based on the issued version of the standard and the latest authoritative guidance and have confirmed that there will be a material impact on the Group’s consolidated financial information.
This will primarily be as a result of a) the earlier recognition of revenue on certain software products where they are adjudged to have a distinct performance obligation element that transfers the benefit of ownership at the point of sale rather than entirely over the life of the licence; b) the deferral of commissions and other direct costs in line with the recognition of revenue and c) an immaterial impact of recognising rebates in line with the recognition of revenue over an average term of the licences sold. The estimate of this impact on results, had it been effective for the reported periods, is a decrease in revenue in FY18 of $1.8 million as a consequence of more revenue being recognised in earlier periods than would be recognised in FY18 from the deferred revenue balance at the start of the period (FY17: $3.1 million increase, benefiting from the earlier recognition of deferred revenue outweighing the amount now recognised in earlier periods). In addition operating expenses would decrease by $9.1 million (FY17: $3.0 million) both as a consequence of the net recognition in later periods. Other receivables are estimated to increase by $45.7 million (FY17: 36.6 million) while deferred revenue would decrease by $27.1 million (FY17: $27.2 million). The estimated tax impact of IFRS 15, had it been effective for FY18 and earlier periods, is a decrease in the recognised deferred tax asset at 31 March 2018 of $13.6 million with a corresponding total increase in the deferred tax charge over the periods. The development of these estimates has been performed outside of the Group’s underlying financial systems, to avoid the need of running parallel systems. As a result, on full transition in the year-ending 31 March 2019 the actual impact may differ from the amounts disclosed once individual transactions have been processed, though this impact is not expected to be material. 
The Group’s underlying financial systems have already been updated to ensure that they will recognise transactions in accordance with IFRS 15 from 1 April 2018. The Directors will continue to monitor industry practice and experience of implementation and update their assessment of the impact for the Group as appropriate.
In implementing IFRS 15, the Directors intend to apply the retrospective approach such that in the accounts for the year-ended 31 March 2019 the comparatives (for the year-ended 31 March 2018) will be restated on an IFRS 15 compliant basis. In applying this approach, the Directors will make use of certain practical expedients, primarily that contracts that have completed as of the start of the earliest period presented will not be restated as they have no impact upon the results presented.
IFRS 16 – Leases
IFRS 16 – Leases, which was issued in January 2016 and becomes effective for reporting periods beginning on or after 1 January 2019, will become effective for the Group for the year-ending 31 March 2020. IFRS 16 replaces existing guidance on leases, including IAS 17 Leases, IFRIC 4 – Determining whether an Arrangement contains a Lease, SIC-15 Operating Leases – Incentives and SIC-27 Evaluating the Substance of Transactions Involving the Legal Form of a Lease. IFRS 16 introduces a single, on-balance sheet lease accounting model whereby the lessee recognises a right-of-use (“ROU”) asset and a corresponding financial liability to the lessor, representing the obligation to make lease payments. The standard includes two recognition exemptions for lessees: “low value assets” (e.g. personal computers) and short-term leases with a term of less than 12 months.
The Directors have completed an initial assessment of the potential impact on the Group’s Consolidated Financial Statements, but have not yet completed a detailed assessment of the numerical impact of IFRS 16, which will depend on future economic conditions including the Group’s borrowing rate on 1 April 2019 and the extent to which the Directors choose to use the available practical expedients and recognition exemptions. It is currently anticipated that the most significant impact will be that the Group will recognise ROU assets and liabilities for its operating leases of offices and certain plant and equipment items. As at 31 March 2018, the Group’s future minimum lease payments under non-cancellable operating leases amounted to $68.5M on an undiscounted basis. See note 33.
In the Consolidated Statement of Profit or Loss, the operating lease expenditure will be replaced by depreciation of the ROU asset together with a finance expense. Alternative performance measures which exclude depreciation will benefit from the adoption of IFRS 16 through the removal of the operating lease charge. In the Consolidated Statement of Cash Flows, “Net cash flow from operating activities” will see an improvement because of the depreciation adjustment, with a corresponding increased outflow in “Net cash flow from financing activities”.
The adoption of IFRS 16 is not expected to have an impact on the Group’s ability to comply with loan covenants under the Senior Facilities Agreement dated 6 February 2017, as that agreement is drafted on a “frozen GAAP” basis.
3 Significant Accounting Policies
3.1 Statement of Compliance
The Consolidated Financial Statements have been prepared using International Financial Reporting Standards as adopted by the European Union (“EU”) as they apply to the Group. In addition to complying with its legal obligation to apply IFRSs as adopted by the EU, the Group has also applied IFRSs as issued by the International Accounting Standards Board; collectively “IFRS”.
3.2 Going Concern
The Group has considerable financial resources together with contracts with a large number of customers and across different geographic areas and industries. As a consequence, the Directors believe that the Group is well placed to manage its business risks successfully. After excluding short-term deferred revenue from current liabilities, the Group has net current assets including significant cash balances and despite the loss making position, given the cash generative nature of the Group’s operations and the visibility of future renewals, the Directors have a reasonable expectation that the Group has adequate resources to continue in operational existence for the foreseeable future. Accordingly, the Directors continue to adopt the going concern basis in preparing the annual Consolidated Financial Statements.
Further information regarding the Group’s business activities, together with the factors likely to affect its future development, performance and position is set out in the Strategic Report on pages 16 to 43. Further information regarding the financial position of the Group, its cash flows, liquidity position and borrowing facilities are described in the Strategic Report and the notes to the Consolidated Financial Statements. In addition, note 25 to the Consolidated Financial Statements includes the Group’s objectives, policies and processes for managing its capital, its financial risk management objectives, and its exposures to credit risk and liquidity risk.
3.3 Basis of Consolidation
The consolidated historical financial information has been prepared under the historical cost convention and is presented in US Dollars. All values are rounded to the nearest 0.1 million ($M) unless otherwise indicated. The functional currency of Sophos Group plc is US Dollars.
The Group uses US Dollars as its presentation currency to aid comparability of its financial information with that of its peers and the industry, whose information is generally presented in US Dollars.
The accounting policies used in preparing the consolidated historical financial information for the year-ended 31 March 2018 have been consistently applied to all years presented and are set out below.
The historical financial information consolidates the financial information of Sophos Group plc and the entities it controls (its subsidiaries) at 31 March 2018. Control is achieved where the Company has the power to govern the financial and operating policies of an investee entity so as to obtain benefits from its activities. The financial information of the subsidiaries is prepared for the same reporting period as the parent Company, using consistent accounting policies.
Subsidiaries are fully consolidated from the date of acquisition, being the date on which the Group obtains control, and continue to be consolidated until the date that such control ceases. All intra-group balances, transactions, income and expenses and profits and losses resulting from intra-group transactions that are recognised in the statement of financial position of the individual reporting entities, are eliminated in full on consolidation.
3.4 Foreign Currency Translation
The individual historical financial information of each Group company is prepared in the currency of the primary economic environment in which it operates (its functional currency). Each entity in the Group determines its own functional currency and items included in the historical financial information of each entity are measured using that functional currency. In preparing the financial information of the individual companies, transactions in foreign currencies are recorded at the rate of exchange prevailing at the date of the transaction.
Monetary assets and liabilities in foreign currencies are translated at the exchange rate prevailing at the reporting date. All exchange differences are taken to the Consolidated Statement of Profit or Loss, except for differences on monetary assets and liabilities that form part of the Group’s net investment in a foreign operation. These are taken directly to equity until the disposal of the net investment, at which time they are recognised in the Consolidated Statement of Profit or Loss. Tax charges and credits attributable to exchange differences on those borrowings are also dealt with in equity.
Non-monetary items that are measured in terms of historical cost in a foreign currency are translated using the exchange rates as at the dates of the initial transactions. Any goodwill arising on the acquisition of a foreign operation and any fair value adjustments to the carrying amounts of assets and liabilities arising on the acquisition are treated as assets and liabilities of the foreign operation and translated at the closing rate.
On consolidation, assets and liabilities of foreign subsidiaries are translated into the presentation currency (US Dollars) at the exchange rate prevailing at the reporting date. Income and expense items are translated into US Dollars at the prior-month closing rate to that in which the transaction took place because they approximate the rate of exchange at the transaction dates. Exchange differences arising on the translation of opening net assets of entities whose functional currency is not US Dollars, together with differences arising from the translation of the net results at average or actual rates to the exchange rate prevailing at the reporting date, are taken to equity. On disposal of a foreign entity, the deferred accumulated amount recognised in equity relating to that particular foreign operation is recognised in the Consolidated Statement of Profit or Loss.
3.5 Critical Accounting Judgments and Key Sources of Estimation Uncertainty
The preparation of Consolidated Financial Statements requires Directors to make estimates and assumptions that affect the amounts reported for assets and liabilities as at the reporting date and the amounts reported for revenues and expenses during the period.
Judgments
In the process of applying the Group’s accounting policies described in this note, Directors have made the following judgments that have a significant effect on the amounts recognised in the historical financial information.
Revenue
The Group sells software products under fixed term contracts and perpetual licences. Where there is a multi-element arrangement, the consideration receivable is allocated to each element of the arrangement and this is done on the basis of an estimate of their respective fair values. In determining the relative fair values of each element, Directors make reference to current prices of individual elements and adjust this by its relative share of discounts applied to the entire sale, regardless of any separate prices stated within the contract. See note 6.
Classification of exceptional items and presentation of non-GAAP measures
Directors exercise their judgement in the classification of certain items as exceptional and outside of the Group’s underlying results. The determination of whether an item should be separately disclosed as an exceptional item or other adjustments requires judgement on its materiality, nature and incidence, as well as whether it provides clarity on the Group’s underlying trading performance.
In exercising this judgement, Directors take appropriate regard of IAS 1 “Presentation of financial statements” as well as guidance issued by the Financial Reporting Council and the European Securities and Markets Authority on the reporting of exceptional items and alternative performance measures. The overall goal of the Directors is to present the Group’s underlying performance without distortion from one-off or non-trading events regardless of whether they be favourable or unfavourable to the underlying result. Further details of the individual exceptional items, and the reasons for their disclosure treatment, are set out in note 7.
Research and development costs
Development costs will be capitalised in accordance with the accounting policy set out in this note. Determining the amounts to be capitalised requires the Directors to make assumptions regarding the capitalisation criteria requirements of IAS 38 – Intangible assets. See note 15.
Legal proceedings
The Directors, at the reporting date, form a judgement in relation to the probable outcome of ongoing litigation against the Group. These judgements take account of available information, historical experience and the likelihood of different possible outcomes. See note 33.
Estimates
The key assumptions concerning the future, and other key sources of estimation uncertainty at the reporting date, that have a significant risk of causing a material adjustment to the carrying amounts of assets and liabilities within the next financial year, are discussed below. The nature of estimation means that actual outcomes could differ from those estimates:
Business combinations
Where a business combination includes a contingent consideration, the Directors are required to make an assessment at the time of the acquisition of the most likely amount required to be settled. This will include estimates of the outcome of future performance measures as agreed between the parties.
Note 23 sets out the financial liability at the end of the period and details the method of calculation as estimated at the balance sheet date.
Income tax
The liability for income taxes at the balance sheet date includes the Directors’ estimates of the amount of tax payable on open tax computations where the liabilities remain to be agreed with the tax authorities. These estimates may differ from the actual outcome and are further discussed in 3.16 and note 13 below.
3.6 Revenue Recognition
The Group operates exclusively through a channel distribution model using a two-tier channel distribution structure around the world, with the exception of the UK where it operates a one-tier structure. Under the two-tier arrangement, the Group will contract with and invoice distributors, who will in turn transact with partners, who will ultimately transact with the end user. Under the one-tier arrangement the Group will transact with the partner who will transact with the ultimate end user. Sales contracts are therefore not with the end user. In both scenarios, the accounting treatment of sales contracts is the same. In cases where support has been purchased, the responsibility for providing that support, and for all products providing maintenance and definition updates, remains with the Group rather than with channel partners and distributors.
Software licences sold by the Group provide security protection, amongst other things, against ransomware, malware and malicious viruses.
The vast majority of the Group’s software licences include rights to support and frequent product updates, the access to which is granted at the point a licence is provided to the customer and continues through the term of the licence to which the customer has subscribed, resulting in the software licence service being performed over a period of time.
As a result, billings occur on day one whilst revenue is recognised over time, because of the ongoing obligations to provide updates over the term of the licence.
Standard sales contracts do not include return rights; and in accordance with industry practice, customers only have a right of refund for undelivered product on the hardware or software licences that they have purchased. In a minority of cases, agreements do allow for some limited returns. These very limited return rights are taken into account when considering the recognition of revenue. The Group does not recognise billings nor revenue until the criteria requiring delivery of hardware or software licences to be completed have been met.
Revenue is therefore recognised to the extent that it is probable that the economic benefits will flow to the Group and the revenue can be reliably measured. Revenue is measured at the fair value of the consideration received, after discounts and rebates but excluding VAT and other sales taxes or duty. The following specific recognition criteria must also be met before revenue is recognised:
Where there is a multi-element arrangement, the consideration receivable is allocated to each element of the arrangement and this is done on the basis of an estimate of their respective fair values. In determining the relative fair values of each element, Directors make reference to current prices of individual elements and adjust this by its relative share of discounts applied to the entire sale, regardless of any separate prices stated within the contract.
Revenue from software licences and service contracts
The Group sells software products under fixed-term contracts and under perpetual licences. Revenue on software licences and service contracts is recognised when the Group has met its obligation in relation to the product or services, which is on delivery of all relevant components for perpetual licences and over the life of the agreed licence for termed products.

Fixed-term contracts

Customers who receive software products at the start of the contract under a fixed-term licence are entitled to receive regular updates and upgrades for the duration of the licence term which runs for periods ranging up to five years. Revenue for these fixed-term contracts is recognised rateably over the period that the contractual obligation exists. Accrued and deferred revenue arising on long-term contracts is included in receivables as accrued income and payables as deferred revenue, as appropriate. Where the Group contracts with an original equipment manufacturer (OEM) or a service provider, rather than an end user, it mirrors the above policy and recognises the revenue in line with the contractual terms granted to the end user.

Perpetual licences

Revenue is recognised immediately where customers purchase software products under a perpetual licence. Revenue in respect of support and maintenance contracts associated with perpetual licences is recognised rateably over the life of the support / maintenance contract.

Sale of goods

Where software licences and hardware are sold together, if the software is not essential to the functionality of the tangible product, then the revenue from the sale of goods is recognised immediately. However, where the software is essential to the functionality of the tangible product and the hardware cannot function without the software, revenue from the sale of goods is recognised rateably over the period of the associated software licence contract.

Interest income

Interest income is recognised as interest accrues.

3.7 Property, Plant and Equipment

Property, plant and equipment is stated at cost less accumulated depreciation and accumulated impairment losses.
Cost comprises the aggregate amount paid and the fair value of any other consideration given to acquire the asset and includes costs directly attributable to making the asset capable of operating as intended. Except for freehold land, depreciation is provided to write off the cost less the estimated residual values of all property, plant and equipment on a straight-line basis over their estimated useful life as follows:

Freehold buildings: 25 years
Leasehold improvements: Over the lease period
Computer equipment: 3 – 5 years
Other plant and equipment: 5 years
Motor vehicles: 4 years
Fixtures and fittings: 6 – 10 years

The carrying values of property, plant and equipment are reviewed for impairment if events or changes in circumstances indicate the carrying value may not be recoverable and are written down immediately to their recoverable amount. An item of property, plant and equipment is de-recognised upon disposal or when no future economic benefits are expected to arise from the continued use of the asset. Any gain or loss arising on de-recognition of the asset is included in the Consolidated Statement of Profit or Loss in the period of de-recognition. The residual values, useful lives and methods of depreciation of the assets are reviewed, and adjusted if appropriate, at each financial year-end.

3.8 Business Combinations and Goodwill

Business combinations are accounted for using the acquisition accounting method. This involves recognising identifiable assets (including previously unrecognised intangible assets) and liabilities (including contingent liabilities and excluding future restructuring) of the acquired business at fair value. Business combinations on or after 1 April 2004 are accounted for under IFRS 3.
Any excess of the cost of the business combination over the Group’s interest in the net fair value of the identifiable assets, liabilities and contingent liabilities is recognised in the Consolidated Statement of Financial Position as goodwill and is not amortised. To the extent that the net fair value of the acquired entity’s identifiable assets, liabilities and contingent liabilities is greater than the cost of the investment, a gain is recognised immediately in the Consolidated Statement of Profit or Loss. Goodwill recognised as an asset as at 31 March 2004 is recorded at its previous carrying amount under UK GAAP and is not amortised. After initial recognition, goodwill is stated at cost less any accumulated impairment losses, with the carrying value being reviewed for impairment, at least annually and whenever events or changes in circumstances indicate that the carrying value may be impaired. Goodwill assets considered significant in comparison to the Company’s total carrying amount of such assets have been allocated to cash-generating units or groups of cash-generating units. Where the recoverable amount of the cash-generating unit is less than its carrying amount including goodwill, an impairment loss is recognised in the Consolidated Statement of Profit or Loss. The carrying amount of goodwill allocated to a cash-generating unit is taken into account when determining the gain or loss on disposal of the unit, or of an operation within it.

3.9 Intangible Assets

Intangible assets are carried at cost less accumulated amortisation and accumulated impairment losses. Intangible assets acquired separately from a business are carried initially at cost. An intangible asset acquired as part of a business combination is recognised outside goodwill if the asset is separable or arises from contractual or other legal rights and its fair value can be measured reliably.
Expenditure on internally developed intangible assets is taken to the Consolidated Statement of Profit or Loss in the period in which it is incurred to the extent that the expenditure does not qualify for capitalisation under research and development costs. Where computer software is not an integral part of a related item of computer hardware, the software is classified as an intangible asset. The capitalised costs of software for internal use include external direct costs of materials and services consumed in developing or obtaining the software, and incremental payroll and payroll-related costs arising from the assignment of employees to implementation projects. Capitalisation of these costs ceases no later than the point at which the software is substantially complete and ready for its intended internal use.

Intangible assets with a finite life have no residual value and are amortised over their expected useful lives as follows:

Intangible assets arising on acquisition of subsidiaries
Intellectual property: 5 – 15 years reducing balance basis
Brand names: 15 – 20 years reducing balance basis
Customer base: 6 – 14 years reducing balance basis

Other purchased intangible assets
Software: 3 years straight-line basis

The amortisation expense on intangible assets with finite lives is recognised in the Consolidated Statement of Profit or Loss as a general finance and administration cost. The amortisation period and the amortisation method for an intangible asset with a finite useful life are reviewed at least annually. The carrying value of intangible assets is reviewed for impairment whenever events or changes in circumstances indicate the carrying value may not be recoverable. Intangible assets with indefinite useful lives are tested for impairment annually either individually or at the cash-generating unit level.
Such intangibles are not amortised. The term of their useful life is reviewed annually to determine whether indefinite life assessment continues to be appropriate.

3.10 Research and Development Costs

Expenditure on research activities is expensed as incurred. Development expenditure is recognised as an intangible asset when its future recoverability can reasonably be regarded as assured and technical feasibility and commercial viability can be demonstrated. During the period of development, the asset is tested for impairment annually. Following the initial recognition of the development expenditure, the cost model is applied requiring the asset to be carried at cost less any accumulated amortisation and accumulated impairment losses. Amortisation of the asset begins when development is complete and the asset is available for use. It is amortised over the period of expected future sales. Development expenditure incurred on minor or major upgrades, or other changes in software functionalities does not satisfy the criteria, as the product is not substantially new in its design or functional characteristics. Such expenditure is therefore recognised as an expense in the Consolidated Statement of Profit or Loss as incurred.

3.11 Impairment of Assets

At least annually, or when otherwise required, Directors review the carrying amounts of the Group’s tangible and intangible assets to determine whether there is any indication that those assets have suffered an impairment loss. If any such indication exists, the recoverable amount or value in use of the asset is estimated in order to determine the extent of any impairment loss. Where the asset does not generate cash flows that are independent from other assets, the Group estimates the recoverable amount of the cash-generating unit to which the asset belongs. The recoverable amount is the higher of fair value less costs to sell and value in use.
In assessing value in use, the estimated future cash flows are discounted to their present value using a pre-tax discount rate that reflects current market assessments of the time value of money as well as risks specific to the asset for which the estimates of future cash flows have not been adjusted. If the recoverable amount of an asset or cash-generating unit is estimated to be less than its carrying amount, the carrying amount of the asset or cash-generating unit is reduced to its recoverable amount. An impairment loss is recognised as an expense immediately in the Consolidated Statement of Profit or Loss. Where an impairment loss subsequently reverses, the carrying amount of the asset is increased to the revised estimate of its recoverable amount, but not beyond the carrying amount that would have been determined had no impairment loss been recognised for the asset in prior years. A reversal of an impairment loss is recognised immediately as income in the Consolidated Statement of Profit or Loss, although impairment losses relating to goodwill may not be reversed.

3.12 Inventories

Inventories are stated at the lower of cost and net realisable value. Cost includes all costs incurred in bringing each product to its present location and condition. The cost of raw materials, consumables and goods for resale is based on the purchase cost and is determined on a first-in, first-out basis. Net realisable value is based on estimated selling price less any further costs expected to be incurred to completion and disposal.

3.13 Financial Instruments

Financial assets and liabilities are recognised in the Group’s statement of financial position when the Group becomes party to the contractual provisions of the instrument.
When financial instruments are recognised initially they are measured at fair value, being the transaction price plus, in the case of financial assets and financial liabilities not at fair value through profit or loss, directly attributable transaction costs.

Trade receivables

Trade receivables, which generally have 30-90 day payment terms mainly depending on the jurisdiction, are carried at original invoice amount, including value added tax and other sales taxes, less an estimate made for doubtful receivables based on a review of any outstanding amounts at the period-end and on historical performance. Provision for bad debts is made in the period in which they are identified.

Cash and cash equivalents

Cash and cash equivalents comprise cash in hand and bank deposits repayable in 90 days or less. For the purpose of the Consolidated Statement of Cash Flows, cash and cash equivalents consist of cash in hand and bank deposits net of outstanding bank overdrafts.

Trade payables

Trade payables are recognised at cost, which is deemed to be materially the same as the fair value.

Classification of equity instruments as debt or equity

Financial liabilities and equity instruments are classified according to the substance of the contractual arrangements entered into. An equity instrument is any contract that evidences a residual interest in the assets of the Group after deducting all of its liabilities. When equity instruments are issued, any component that creates a financial liability of the Group is presented as a liability in the Consolidated Statement of Financial Position; measured initially at fair value net of transaction costs and thereafter at amortised cost until extinguished on conversion or redemption. The corresponding dividends relating to the liability component are charged as interest expense in the Consolidated Statement of Profit or Loss. Equity instruments issued by the Company are recorded as the proceeds received, net of direct issue costs.
Equity instruments are classified according to the substance of the contractual arrangements entered into.

Interest bearing loans and borrowings

Obligations for loans and borrowings are recognised when the Group becomes party to the related contracts and are measured initially at fair value less directly attributable transaction costs. After initial recognition, interest bearing loans and borrowings are subsequently measured at amortised cost using the effective interest method. Gains and losses arising on the re-purchase, settlement or other cancellation of liabilities are recognised respectively in finance income and finance expense.

Derivative financial instruments

The Group sometimes uses derivative financial instruments, principally forward foreign currency contracts to reduce its exposure to exchange rate movements and interest rate caps to reduce its exposure to fluctuating interest rates. The Group does not hold or issue derivatives for speculative or trading purposes. Derivative financial instruments are recognised as assets and liabilities measured at their fair values at the reporting date. Changes in the fair values are recognised in the Consolidated Statement of Profit or Loss and this is likely to cause volatility in situations where the carrying value of the hedged item is either not adjusted to reflect fair value changes arising from the hedged risk or is so adjusted but that adjustment is not recognised in the Consolidated Statement of Profit or Loss. Provided the conditions specified by IAS 39 — Financial Instruments are met, hedge accounting may be used to mitigate this volatility.

3.14 Leases

Leases are classified as finance leases whenever the terms of the lease transfer substantially all the risks and rewards of ownership to the lessee. All other leases are classified as operating leases.
Rentals payable under operating leases are charged to income on a straight-line basis over the term of the relevant lease. Benefits received and receivable as an incentive to enter into an operating lease are also spread on a straight-line basis over the lease term.

3.15 Provisions

A provision is recognised when the Group has a legal or constructive obligation as a result of a past event and it is probable that an outflow of economic benefits will be required to settle the obligation and a reliable estimate can be made of the amount of the obligation. If the effect is material, expected future cash flows are discounted using a current pre-tax rate that reflects, where appropriate, the risks specific to the liability. Where the Group expects some or all of a provision to be reimbursed, for example under an insurance policy, the reimbursement is recognised as a separate asset but only when recovery is virtually certain. The expense relating to any provision is presented in the Consolidated Statement of Profit or Loss net of any reimbursement. Where discounting is used, the increase in the provision due to unwinding the discount is recognised as a finance expense.

3.16 Taxation

The income tax charge represents the sum of the current and deferred taxes. Current tax payable or recoverable is based on the taxable profit for the period. Taxable profit differs from profit reported in the Consolidated Statement of Profit or Loss because some items of income or expense are taxable in different periods or may never be taxable or deductible. The Group’s liability for current tax is calculated using UK and foreign rates and laws that have been enacted or substantively enacted by the reporting period date. A current tax provision is recognised when the Group has a present obligation as a result of a past event and it is probable that the Group will be required to settle that obligation.
Tax liabilities are recognised when it is considered probable that there will be a future outflow of funds to a taxing authority. They are measured using one of the following methods, depending on which of the methods management expects will better reflect the amount it will pay over to the tax authority:

• The single best estimate method is used where there is a single outcome that is more likely than not to occur. This will happen, for example, where the tax outcome is binary or the range of possible outcomes is limited. The most likely outcome may be that no tax is expected to be payable, in which case the provision is nil; or
• A probability weighted expected value is used where, on the balance of probabilities, something will be paid to the tax authority but the possible outcomes are widely dispersed with low individual probabilities (i.e. there is no single outcome more likely than not to occur). In this case, the provision is the sum of the probability-weighted amounts in the range.

In assessing provisions against uncertain tax positions, management uses in-house tax experts, professional firms and previous experience of the taxing authority to evaluate the risk. However, it remains possible that uncertainties will ultimately be resolved at amounts greater or smaller than the liabilities provided. The Group’s current tax provision relates to the management’s estimate of the amount of tax payable on open tax computations where the liabilities remain to be agreed with authorities. The uncertain tax items for which provision is made (see note 13), relate to the interpretation of tax legislation impacting arrangements entered into in the ordinary course of business. Due to the uncertainty associated with such items, it is possible that at a future date, on conclusion of open tax matters, the final outcome may vary. We report cross-border transactions undertaken between Group subsidiaries on an arm’s-length basis in tax returns in accordance with OECD guidelines.
However, transfer pricing relies on the making of estimates and it is frequently possible for there to be a range of legitimate and reasonable views. This means that it is impossible to be certain that the tax returns basis will be sustained on examination. Discussions with tax authorities relating to cross-border transactions and other matters are ongoing in several of the Group’s major trading jurisdictions. Although the timing and amount of final resolution of these uncertain tax positions cannot be reliably predicted, no significant impact on the profitability of the Group is expected to result.

Deferred tax is the tax expected to be payable or recoverable in the future arising from temporary differences between the carrying amounts of assets and liabilities in the Consolidated Financial Statements and the corresponding tax bases used in the computation of taxable profit. It is accounted for using the balance sheet liability method. Deferred tax liabilities are generally recognised for all taxable temporary differences and deferred tax assets are recognised to the extent that it is probable that taxable profits will be available against which deductible temporary differences can be utilised. Such assets and liabilities are not recognised if the temporary difference arises from the initial recognition of goodwill or from the initial recognition (other than in a business combination) of other assets and liabilities in a transaction that affects neither the tax profit nor the accounting profit. Deferred tax liabilities are recognised for taxable temporary differences arising on investments in subsidiaries, except where the Group is able to control the reversal of the temporary difference and it is probable that the temporary difference will not reverse in the foreseeable future.
The carrying amount of deferred tax assets is reviewed at each reporting date and reduced to the extent that it is no longer probable that sufficient taxable profits will be available to allow all or part of the asset to be recovered. Deferred tax is calculated at the tax rates that are expected to apply in the period when the liability is settled or the asset is realised. The rate is based on tax rates that have been enacted or substantively enacted by the reporting period date. Deferred tax is charged or credited in the Consolidated Statement of Profit or Loss, except when it relates to items charged or credited to other comprehensive income or directly to equity, in which case the deferred tax is dealt with in other comprehensive income or in equity. Deferred tax assets and deferred tax liabilities are offset if a legally enforceable right exists to set off current tax assets against current tax liabilities and the deferred taxes relate to the income taxes levied in the same taxation authority on either the same entity or on different taxable entities which intend to settle the current tax assets and liabilities on a net basis. Disclosures relating to tax are set out in note 13.

3.17 Pensions and Other Post-Retirement Benefits

The Group operates defined contribution pension schemes for its employees. The assets of the schemes are held separately from those of the Group in independently administered funds. Contributions to defined contribution schemes are recognised in the Consolidated Statement of Profit or Loss in the period in which they become payable.

3.18 Share-Based Payments

Employees (including senior executives) of the Group receive remuneration in the form of share-based payment transactions, whereby employees render services as consideration for equity instruments (“equity-settled transactions”). The Group also grants cash-settled awards in certain jurisdictions in order to ensure compliance with tax, regulatory or legal country specific requirements.

Equity-settled transactions

The cost of equity-settled transactions with employees is measured by reference to the fair value at the date on which they are granted. The fair value is determined by using an appropriate pricing model, further details of which are given in note 28. The cost of equity-settled transactions is recognised, together with a corresponding increase in equity, ending on the date on which the relevant employees become fully entitled to the award. At each reporting date before vesting, the cumulative expense is calculated, representing the extent to which the vesting period has expired and the Directors’ best estimate of the achievement or otherwise of non-market conditions and of the number of equity instruments that will ultimately vest or, in the case of an instrument subject to a market condition, be treated as vesting as described above. The movement in cumulative expense since the previous reporting date is recognised in the Consolidated Statement of Profit or Loss, with a corresponding entry in equity. Where the terms of an equity-settled award are modified or a new award is designated as replacing a cancelled or settled award, the cost based on the original award terms continues to be recognised over the original vesting period. In addition, an expense is recognised over the remainder of the new vesting period for the incremental fair value of any modification, based on the difference between the fair value of the original award and the fair value of the modified award, both as measured on the date of the modification. No reduction is recognised if this difference is negative. Where an equity-settled award is cancelled, it is treated as if it had vested on the date of cancellation, and any cost not yet recognised in the Consolidated Statement of Profit or Loss for the award is expensed immediately.
Any compensation paid up to the fair value of the award at the cancellation or settlement date is deducted from equity, with any excess over fair value being treated as an expense in the Consolidated Statement of Profit or Loss.

Cash-settled transactions

A liability is recognised for the fair value of cash-settled transactions. The fair value is measured at grant and each subsequent reporting date up to and including the settlement date. The change in fair value is recognised in the Consolidated Statement of Profit or Loss with a corresponding entry in liabilities for cash-settled transactions.

3.19 Exceptional Items

Exceptional items are those that in the judgment of the Directors need to be disclosed by virtue of their size, nature or incidence, in order to draw the attention of the reader and to show the underlying business performance of the Group. Such items are included within the income statement caption to which they relate, and are separately disclosed either in the notes to the Consolidated Financial Statements or on the face of the Consolidated Statement of Profit or Loss.

3.20 Events After the Reporting Date

Events between the reporting date and the date on which the Consolidated Financial Statements are approved, favourable and unfavourable, providing evidence of conditions that existed at the reporting date, adjust the amounts recognised in the Consolidated Financial Statements. Those that indicate conditions arising after the reporting date are disclosed but are not recognised within the Consolidated Financial Statements.

4 Alternative Performance Measures (“APMs”)

The Group uses certain financial measures that are not defined or recognised under IFRS. The Directors believe that these non-GAAP measures supplement GAAP measures to help in providing a further understanding of the results of the Group and are used as key performance indicators within the business to aid in evaluating its current business performance.
The measures can also aid in comparability with other companies, particularly in the cybersecurity industry, who use similar metrics. However as the measures are not defined by IFRS, other companies may calculate them differently or may use such measures for different purposes to the Group. Constant currency measures have limitations, particularly as the currency effects that are eliminated may constitute a significant element of the Group’s revenue and expenses and could materially impact the Group’s performance. The Directors do not evaluate the Group’s results and performance on a constant currency basis without also evaluating the Group’s financial information prepared at actual foreign exchange rates in accordance with IFRS. The definition of non-GAAP measures in the year-ended 31 March 2018 is consistent with those presented for the year-ended 31 March 2017. The reconciliation of non-GAAP measures to GAAP measures is set out below.

Billings

Billings represent the value of products and services invoiced to customers after receiving a purchase order from the customer and delivering products and services to them, or for which there is no right to a refund. Billings do not equate to statutory revenue.

                                         Year-ended       Year-ended
                                         31 March 2018    31 March 2017
                                         $M               $M
Revenue                                  640.7            529.7
Net deferral of revenue (see note 22)    127.9            102.4
Billings                                 768.6            632.1
Currency revaluation                     (30.2)           (8.8)
Constant currency billings               738.4            623.3

Adjusted Operating Profit and Cash EBITDA

Adjusted operating profit provides a supplemental measure of earnings that facilitates review of operating performance on a period-to-period basis by excluding non-recurring and other items that are not indicative of the Group’s underlying operating performance. Adjusted operating profit is a key profit measure used by the Board to assess the underlying financial performance of the Group.
Adjusted operating profit is stated before the following items for the following reasons:

• Exceptional items, as set out in Note 7, are one of the items that in the Directors’ judgment should be disclosed separately by virtue of their size, nature or incidence, in order to show the underlying business performance of the Group.
• Charges for the amortisation of acquired intangibles are excluded from the calculation of adjusted operating profit. This is because these charges are based on judgments about their value and economic life, are the result of the application of acquisition accounting rather than core operations, and whilst revenue recognised in the income statement does benefit from the underlying technology that has been acquired, the amortisation costs bear no relation to the Group’s underlying ongoing operational performance. In addition, amortisation of acquired intangibles is not included in the analysis of segment performance used by the chief operating decision maker.
• Share-based payment charges are similarly excluded from the calculation of adjusted operating profit because these represent a non-cash accounting charge for transactions that could otherwise have been settled in cash or not be limited to employee compensation. These charges also represent long-term incentives designed for long-term employee retention, rather than reflecting the short-term underlying operations of the Group’s business. The Directors acknowledge that there is an ongoing professional debate on the add-back of share-based payment charges but believe that, as they are not included in the analysis of segment performance used by the chief operating decision maker and their add-back is consistent with metrics used by a number of other companies in the global cybersecurity industry, this treatment remains appropriate.

Cash earnings before interest, taxation, depreciation and amortisation (“Cash EBITDA”) is defined as the Group’s operating profit / (loss) adjusted for depreciation and amortisation charges, any gain or loss on the sale of tangible and intangible assets, share option charges, unrealised foreign exchange differences (on the basis that they are non-cash income and expenses) and exceptional items, with billings replacing recognised revenue. The unrealised foreign exchange differences are included within the foreign exchange loss of $6.9M disclosed on the face of the Consolidated Statement of Profit or Loss. The Directors consider this metric a useful supplemental measure of earnings that provides visibility on actual cash earned in the year. The replacement of revenue with billings adjusts for the net deferral of revenue; as the weighted average contract term is around 28 months, this generates a more material adjustment than the short-term working capital variations derived from the application of the accruals concept. Therefore, whilst Cash EBITDA is not a pure cash flow metric, it represents a closer approximation to cash earned in the period from the trading that has taken place. Depreciation and unrealised foreign exchange differences are adjusted as they do not represent cash costs of the business.
$M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Operating loss | (31.9) | (44.3)
Amortisation of intangible purchased assets | 25.2 | 19.9
Share-based payments expense | 39.6 | 31.3
Exceptional items (note 7) | 13.2 | 31.4
Adjusted operating profit | 46.1 | 38.3
Depreciation | 11.6 | 9.4
Unrealised foreign exchange loss | 8.1 | –
Net deferral of revenue | 127.9 | 102.4
Cash EBITDA | 193.7 | 150.1

$M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Billings | 768.6 | 632.1
Revenue | (640.7) | (529.7)
Net deferral of revenue | 127.9 | 102.4

Unlevered Free Cash Flow
Unlevered free cash flow represents net cash flow from operating activities adjusted for exceptional items and net capital expenditure. Unlevered free cash flow provides an understanding of the Group’s cash generation and is a supplemental measure of liquidity in respect of the Group’s operations without the distortions of exceptional and other non-operating items.

$M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Net cash flow from operating activities | 147.7 | 118.5
Exceptional items – cash-settled | 13.0 | 31.4
Net capital expenditure | (21.1) | (16.5)
Unlevered free cash flow | 139.6 | 133.4

$M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Cash EBITDA | 193.7 | 150.1
Net capital expenditure | (21.1) | (16.5)
Change in working capital | (10.9) | 19.0
Corporation tax paid | (22.1) | (19.2)
Unlevered free cash flow | 139.6 | 133.4

5 Segment Information
For internal management reporting purposes, the operating segments are determined to be geographic segments as the Group’s risks and rates of return are affected predominantly by the different economic environments. This is consistent with the information provided to the Chief Operating Decision Maker. The Group has only one operating segment based on product on the basis that the products and services offered to external customers are very similar and therefore do not result in different risks and rates of return for the Group.
The Group’s geographical segments are based on the location of the Group’s operations consisting of Europe, Middle East and Africa (“EMEA”), The Americas and Asia Pacific and Japan (“APJ”). Billings are classified by the geographic location of direct customers, OEMs and the distributors which purchase our products. The geographic location of OEMs or distributors may be different from that of end customers. A disclosure of billings and revenue by region is included in the Financial Review on pages 29 to 31. The accounting policies of the reportable segments are the same as the Group’s accounting policies described in note 3. Segment profits represent the profit earned by each segment without allocation of central administration costs including Directors’ salaries, finance costs and income tax expense. This is the measure reported to the Chief Operating Decision Maker, the Chief Executive Officer, and Senior Management Team for the purposes of resource allocation and assessment of segment performance. Transfer prices between geographical segments are set on an arm’s length basis in a manner similar to transactions with third parties.

Geographical Segments
The following tables present billings, expenditure and certain asset information regarding the Group’s geographical segments for the year-ended 31 March 2018 and 31 March 2017.
Year-ended 31 March 2018, $M | Americas | EMEA | APJ | Total
Billings | 270.0 | 395.1 | 103.5 | 768.6
Regional cost of sales | (14.7) | (38.1) | (16.2) | (69.0)
Regional gross margin | 255.3 | 357.0 | 87.3 | 699.6
Regional sales and marketing expense | (76.7) | (79.0) | (32.0) | (187.7)
Regional operating profit | 178.6 | 278.0 | 55.3 | 511.9
Revenue deferral | | | | (127.9)
Central costs | | | | (379.1)
Amortisation | | | | (25.2)
Depreciation | | | | (11.6)
Operating loss | | | | (31.9)

Year-ended 31 March 2017, $M | Americas | EMEA | APJ | Total
Billings | 217.6 | 319.5 | 95.0 | 632.1
Regional cost of sales | (16.2) | (36.5) | (15.2) | (67.9)
Regional gross margin | 201.4 | 283.0 | 79.8 | 564.2
Regional sales and marketing expense | (64.2) | (69.0) | (29.5) | (162.7)
Regional operating profit | 137.2 | 214.0 | 50.3 | 401.5
Revenue deferral | | | | (102.4)
Central costs | | | | (314.1)
Amortisation | | | | (19.9)
Depreciation | | | | (9.4)
Operating loss | | | | (44.3)

Other Segment Information

Segment assets, $M | 31 March 2018 | 31 March 2017
Americas | 377.8 | 369.4
EMEA | 690.4 | 599.4
APJ | 150.4 | 149.1
Total segment assets | 1,218.6 | 1,117.9
Unallocated assets | 125.8 | 105.3
Consolidated total assets | 1,344.4 | 1,223.2

Unallocated assets relate to deferred tax, as the measure of segment assets reviewed by the Chief Operating Decision Maker does not include deferred tax. Following the finalisation of the segment allocation of goodwill arising on the acquisition of Invincea, Inc. in the prior-year, comparatives have been re-stated.

Depreciation and amortisation, $M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Americas | 7.5 | 4.9
EMEA | 24.9 | 22.0
APJ | 4.4 | 2.4
Total depreciation and amortisation | 36.8 | 29.3

Non-current assets by country, $M | 31 March 2018 | 31 March 2017
UK | 39.8 | 42.4
USA | 13.6 | 13.6
Germany | 2.7 | 3.0
Other countries | 14.5 | 12.4
Total non-current assets by country | 70.6 | 71.4

Non-current assets by country excludes deferred tax assets and goodwill.
Goodwill has been excluded as a split by country is not available and the Directors consider that the cost to develop such analysis would be excessive.

Revenue from external customers by country, $M | Year-ended 31 March 2018 | Year-ended 31 March 2017
UK | 74.0 | 58.7
USA | 203.9 | 169.3
Germany | 127.4 | 103.1
Other countries | 235.4 | 198.6
Total | 640.7 | 529.7

The Group’s revenue is diversified across its entire end customer base and no single end user accounted for greater than 10 per cent of the Group’s revenue in either 2017 or 2018. In 2018 three distributors accounted for 15 per cent, 14 per cent and 12 per cent each of Group billings which were attributable to all segments of the Group (2017: three distributors accounted for 15 per cent, 13 per cent and 11 per cent each).

6 Revenue
Revenue recognised in the Consolidated Statement of Profit or Loss is analysed as follows:

Revenue by Product, $M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Network | 315.6 | 271.2
Enduser | 294.7 | 231.6
Other | 30.4 | 26.9
Total | 640.7 | 529.7

Revenue by Type, $M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Subscription | 515.3 | 410.7
Hardware | 114.2 | 106.7
Other | 11.2 | 12.3
Total | 640.7 | 529.7

7 Exceptional Items
Exceptional items are those that in the judgment of the Directors need to be disclosed by virtue of their size, nature or incidence, in order to draw the attention of the reader and to show the underlying business performance of the Group. Such items are included within the income statement caption to which they relate and are separately disclosed on the face of the Consolidated Statement of Profit or Loss. During the year-ended 31 March 2018, restructuring and integration costs of $10.2M (2017: ($0.4M)) and costs incurred in relation to the defence of certain intellectual property (“IP”) litigation of $3.0M (2017: $24.6M) were incurred.
In the prior-year intellectual property litigation costs included an omnibus agreement entered into with Finjan Inc. on 30 March 2017 resolving all the parties’ disputes. Additionally, in the prior-year, acquisition related expenses of $7.2M, including earn-outs from acquisitions in earlier periods, were incurred. This resulted in total exceptional items of $13.2M (2017: $31.4M). Tax relief on these exceptional items amounted to $2.6M (2017: $4.8M).

8 Loss on Ordinary Activities
The loss on ordinary activities before taxation is stated after charging:

$M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Depreciation of property, plant and equipment | 11.6 | 9.4
Amortisation of intangible assets | 25.2 | 19.9
Research and development expenditure | 145.8 | 117.8
Operating lease rentals: Property | 12.5 | 10.8
Operating lease rentals: Other | 1.6 | 1.4
Pension scheme contributions | 8.4 | 6.5
Impairment of trade receivables | 0.6 | 0.1
Net foreign currency differences | 6.9 | 1.2

9 Auditor’s Remuneration
The Group paid the following amounts to its auditors in respect of the audit of the historical financial information and for other non-audit services provided to the Group.

$M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Audit of the financial statements | 0.4 | 0.4
Subsidiary local statutory audits | 0.4 | 0.2
Total audit fees | 0.8 | 0.6
Taxation compliance services | – | 0.2
Total non-audit fees | – | 0.2

The audits of a number of foreign subsidiaries were transferred from other auditors to the Group’s auditor during the current-year.
10 Employee Costs

$M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Wages and salaries | 280.9 | 234.2
Social security costs | 27.3 | 22.2
Pension costs | 8.4 | 6.5
Other costs | 12.1 | 9.2
 | 328.7 | 272.1
Share-based payments (see note 28) | 42.2 | 32.5
Total employee costs | 370.9 | 304.6

The average number of employees during the period, analysed by category, was as follows:

Category | Year-ended 31 March 2018 | Year-ended 31 March 2017
Technical | 1,868 | 1,830
Sales and marketing | 1,124 | 998
Administration | 327 | 294
Total average number of employees | 3,319 | 3,122

11 Directors’ Remuneration

$M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Directors’ emoluments | 3.3 | 3.2
Share-based payment - equity-settled | 7.0 | 7.9
Total Directors’ remuneration | 10.3 | 11.1

Directors’ emoluments represent all earnings and aggregate contributions to pension schemes made during the year as a Director of Sophos Group plc and its subsidiaries. Further details can be found in the Group’s Remuneration Report on pages 72 to 81.

12 Finance Income and Expense

Finance income, $M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Interest on bank deposits | 0.3 | 0.1

Finance expense, $M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Interest expense on loans and borrowings | 8.7 | 7.8
Other interest and bank charges | 0.3 | 0.4
 | 9.0 | 8.2
Accretion on contingent consideration | 0.9 | 0.2
Foreign exchange loss / (gain) on borrowings | 9.6 | (4.2)
Amortisation of facility fees | 1.2 | 0.9
Total finance expense | 20.7 | 5.1

13 Taxation
UK corporation tax for the year-ended 31 March 2018 is calculated at 19 per cent (2017: 20 per cent) of the estimated assessable loss for the period.
$M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Current income tax: | |
UK corporation tax | (2.5) | (4.0)
Adjustments in respect of previous years | 0.3 | (1.1)
UK tax | |
Overseas tax before exceptional items | 23.0 | 22.5
Overseas tax on exceptional items | – | 0.1
Adjustment in respect of previous years | 11.1 | 4.1
Total current tax charge | 31.9 | 21.6
Deferred tax: | |
Origination and reversal of temporary differences | (19.8) | (18.9)
Origination and reversal of temporary differences on exceptional items | – | (5.0)
Impact of changes in US tax rate | 5.4 | –
Adjustment in respect of previous years | (3.5) | (0.3)
Total deferred tax credit | (17.9) | (24.2)
Total income tax charge / (credit) | 14.0 | (2.6)

The charge for the year can be reconciled to the loss for the year before taxation per the Consolidated Statement of Profit or Loss as follows:

$M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Loss for the year before taxation | (52.3) | (49.3)
Loss for the year before taxation multiplied by the standard rate of corporation tax in the UK of 19% (2017: 20%) | (9.9) | (9.9)
Effects of: | |
Adjustments in respect of previous years | 7.9 | 2.7
Change in tax rate during the year | 3.7 | 1.6
Expenses not deductible for tax purposes | 9.4 | (1.8)
Losses not recognised | – | 1.8
Higher tax rates on overseas earnings | 3.8 | 6.5
Research and development and other tax credits | (5.1) | (5.4)
Impact of US tax reform on deferred tax | 5.4 | –
Other movements | (1.2) | 1.9
Charge / (credit) for taxation on loss for the year | 14.0 | (2.6)

The Group’s taxation strategy is aligned to its business strategy and operational needs. Oversight of taxation is within the remit of the Audit and Risk Committee. The Chief Financial Officer is responsible for tax strategy supported by a global team of tax professionals.
Sophos strives for an open and transparent relationship with all revenue authorities and is vigilant in ensuring that the Group complies with current tax legislation. The Group proactively seeks to agree arm’s length pricing with tax authorities to mitigate tax risks of significant cross-border operations. The Group actively engages with policy makers, tax administrators, industry bodies and international institutions to provide informed input on proposed tax measures, so that it and they can understand how those proposals would affect the Group. However, a tax authority may seek adjustment to the filing position adopted by a Group company and it is accepted that interpretation of complex regulations may lead to additional tax being assessed. Uncertain tax positions are monitored regularly and a provision made in the accounts where appropriate.

Key Influences
The Group’s tax rate is sensitive to the geographic mix of profits and reflects a combination of higher rates in certain jurisdictions, such as Germany and India, a low rate in the UK and other rates that lie in between. The Group receives incentives in certain jurisdictions. In the UK, the Research and Development Expense Credit resulted in a lower tax charge in the income statement and a lower net cash tax payment. There is no guarantee that these incentives will continue to be applicable in future years. In the UK, a reduction in the corporate tax rate from 19 per cent to 17 per cent from April 2020 was enacted on 6 September 2016. The US Tax Cuts and Jobs Act was enacted on 22nd December 2017, reducing the statutory rate of US federal corporate income tax from 35 per cent to 21 per cent with effect from 1st January 2018. The US Tax Cuts and Jobs Act is expected to positively impact future after tax earnings, primarily because of the reduced tax rate.
Consequently, the Group has measured its US deferred tax assets and liabilities at the end of the reporting period at a combined (federal and state) tax rate of 27.08 per cent. The value of US deferred tax assets has reduced by $5.4M in the year-ended 31 March 2018 as a result of the reduced statutory rate of US federal corporate income tax; this is identified in tax rates movement in the reconciliation of effective tax rate. The re-evaluation has resulted in a one-off charge of $5.4M to the taxation charge. The current tax adjustment in respect of prior periods of $11.1M includes an update in the estimate of tax of $5.6M arising in the US when the Group modified its transfer pricing policy, on an arm’s length basis, to ensure that policies continue to reflect the ongoing development of our management and commercial structure as the business grows. The remainder includes a $5.1M increase in the provision for uncertain tax positions and $0.4M for tax filing position adjustments across all other territories. Tax liabilities are recognised when it is considered probable that there will be a future outflow of funds to a taxing authority. The methodology used to estimate liabilities is set out in note 3.16. Within current liabilities is $21.8 million (FY17: $16.7 million) in respect of liabilities for uncertain tax positions, the majority of which relates to the risk of challenge from tax authorities to the geographic allocation of profits across the Group. The Group anticipates that a number of tax audits are likely to conclude in the next twelve to twenty-four months. Due to the uncertainty associated with such tax items, it is possible at a future date, on the conclusion of open tax matters, the final outcome may vary significantly.
Expected Future Rate
Over the medium-term the tax rate is likely to stabilise as the integration of acquisitions in higher rate jurisdictions is completed. However, the tax rate may fluctuate if business changes are implemented in response to legislation arising from the OECD’s Base Erosion & Profit Shifting Project. Legislative change in key territories is being monitored and acted upon. The Group does not anticipate any significant impact on the future tax charge, liabilities or assets, as a result of the triggering of Article 50(2) of the Treaty on European Union, but cannot rule out the possibility that, for example, a failure to reach satisfactory arrangements for the UK’s future relationship with the European Union, could have an impact on such matters. The European Commission has announced that an investigation will be opened into the UK’s controlled foreign company (“CFC”) rules. The CFC rules levy a charge on foreign entities controlled by the UK that are subject to a lower rate of tax, however there is currently an exemption available for 75 per cent of this charge if the activities being undertaken by the CFC relate to financing. The EC considers that this exemption is in breach of EU State Aid rules. No provision for this potential liability of £3.2M has been provided in these Consolidated Financial Statements as it is not clear what, if any, the ultimate financial result will be.
Deferred tax assets and liabilities are attributable to the following:

Deferred income tax assets in relation to, $M | 31 March 2018 | 31 March 2017
Deferred revenue | 45.1 | 37.1
Tax value of carry forward losses of UK subsidiaries | 24.2 | 15.4
Tax value of carry forward losses of overseas subsidiaries | 6.4 | 13.1
Advanced capital allowances | 7.7 | 6.2
Share-based payments | 27.7 | 19.7
Other timing differences | 14.7 | 13.8
Total | 125.8 | 105.3

Deferred income tax liabilities in relation to, $M | 31 March 2018 | 31 March 2017
Intangible assets | 5.9 | 14.4
Other timing differences | 0.1 | –
Total | 6.0 | 14.4

As at 31 March 2018 the aggregate amount of temporary differences associated with undistributed earnings of subsidiaries for which deferred tax liabilities have been recognised was $Nil (2017: $Nil). No liability has been recognised because the Group is in a position to control the reversal of temporary differences and it is probable that such differences will not reverse in the foreseeable future. Deferred tax assets and liabilities are measured at the tax rates that are expected to apply in the period when the asset is realised or the liability settled, based on tax rates that have been enacted or substantively enacted at the reporting date.

Losses
A deferred tax asset has been recognised in respect of losses where current forecasts indicate profits will arise in the forecast period against which the losses recognised will be offset. At the balance sheet date the Group has unused tax losses of $500.4M (2017: $336.6M) available for offset against future profits. A deferred tax asset has been recognised in respect of $166.4M (2017: $118.2M) of such losses. No deferred tax asset has been recognised in respect of the remaining $334.0 (2017: $218.4M) as it is not considered probable that there will be the required type of future trading or non-trading profits available in the correct entities necessary to permit offset and recognition.
Share-Based Payments
A remuneration expense for share based payments is recorded in the Consolidated Statement of Profit or Loss over the period from the award date to the vesting date of the relevant options. Where there is a temporary difference between the accounting and tax bases, a deferred tax asset may be recorded. Any deferred tax asset arising on share option awards is calculated as the estimated amount of tax deduction to be obtained in the future. This is based on the Group’s share price at the reporting date so will be impacted by share price movement and is pro-rated to the extent that the services of the employee have been rendered over the vesting period. If this amount exceeds the cumulative amount of the remuneration expense at the statutory rate, the excess is recorded directly in equity, against retained earnings. Similarly, current tax relief in excess of the cumulative amount of the remuneration expense at the statutory rate is also recorded in retained earnings. Deferred tax assets have only been recognised in jurisdictions in which future tax deductions are expected.

14 Earnings Per Share
Basic earnings per share (“EPS”) is calculated by dividing the profit for the period attributable to equity holders of the parent by the weighted average number of ordinary shares outstanding during the period. Diluted EPS is calculated by dividing the profit for the period attributable to equity holders of the parent by the weighted average number of ordinary shares outstanding during the period plus the weighted average number of shares that would be issued if all dilutive potential ordinary shares were converted into ordinary shares. In accordance with IAS 33, the dilutive earnings per share are without reference to adjustments in respect of outstanding shares when the impact would be anti-dilutive.
Adjusted Operating EPS is calculated by dividing the Adjusted Operating Profit for the period attributable to equity holders of the parent by the weighted average number of ordinary shares outstanding during the period. In each case, the weighted average number of shares takes into account the weighted average number of own shares held during the period. The following reflects the income and share data used in calculating EPS:

$M | Year-ended 31 March 2018 | Year-ended 31 March 2017
Loss for the period attributable to the equity holders of the Company | (66.3) | (46.7)
Adjusted Operating Profit for the period attributable to the equity holders of the Company (see note 4) | 46.1 | 38.3

Shares (000’s) | Year-ended 31 March 2018 | Year-ended 31 March 2017
Weighted average number of shares | 459,969 | 452,338
Effects of dilution from: Share options | 11,475 | 11,434
Effects of dilution from: Restricted Share Units | 17,125 | 10,589
Diluted | 488,569 | 474,361

$ Cents | Year-ended 31 March 2018 | Year-ended 31 March 2017
Basic and diluted EPS | (14.4) | (10.3)
Adjusted operating EPS | 10.0 | 8.5
Diluted adjusted operating EPS | 9.5 | 8.1

15 Intangible Assets

$M | Goodwill | Intellectual Property | Software | Others | Total
Cost | | | | |
At 31 March 2016 | 716.3 | 368.9 | 36.2 | 267.2 | 1,388.6
Additions | – | – | 5.1 | – | 5.1
Acquired through business combinations | 99.8 | 21.6 | – | 1.2 | 122.6
Effect of movements in exchange rates | (6.6) | (2.2) | (4.2) | (3.1) | (16.1)
At 31 March 2017 | 809.5 | 388.3 | 37.1 | 265.3 | 1,500.2
Additions | – | 14.8 | 6.1 | – | 20.9
Disposals | – | – | – | – | –
Effect of movements in exchange rates | 16.7 | 5.1 | 4.4 | 7.6 | 33.8
At 31 March 2018 | 826.2 | 408.2 | 47.6 | 272.9 | 1,554.9
Amortisation/Impairment loss | | | | |
At 31 March 2016 | 0.2 | 356.3 | 20.9 | 254.6 | 632.0
Charge for the year | – | 7.4 | 7.0 | 5.5 | 19.9
Effect of movements in exchange rates | – | (2.1) | (2.6) | (3.0) | (7.7)
At 31 March 2017 | 0.2 | 361.6 | 25.3 | 257.1 | 644.2
Charge for the period | – | 13.4 | 8.1 | 3.7 | 25.2
Effect of movements in exchange rates | – | 5.0 | 3.1 | 7.5 | 15.6
At 31 March 2018 | 0.2 | 380.0 | 36.5 | 268.3 | 685.0
Net book value | | | | |
At 31 March 2017 | 809.3 | 26.7 | 11.8 | 8.2 | 856.0
At 31 March 2018 | 826.0 | 28.2 | 11.1 | 4.6 | 869.9

Intellectual property is amortised on a reducing balance basis over its estimated useful life of up to 15 years. Other intangibles comprise customer relationships, with a gross value of $250.4M and a net book value of $2.6M, and brand names with a gross value of $22.5M and a net book value of $2.0M. Customer relationships are amortised on a reducing balance basis over a period of up to 14 years and brand names on a reducing balance basis over a period of up to 20 years. Software is amortised on a straight-line basis over three years. The Group does not have any intangible assets with indefinite useful lives. The Group has not capitalised development costs in the year-ended 31 March 2018 (2017: $Nil) as the Directors believe the criteria set out in IAS38 have not been met. See note 3.

16 Impairment of Goodwill and Intangibles
Before recognition of impairment losses, the carrying amount of goodwill had been allocated as follows:

$M | 31 March 2018 | 31 March 2017
Americas | 288.2 | 253.0
EMEA | 434.2 | 473.2
APJ | 103.6 | 83.1
 | 826.0 | 809.3

Impairment of goodwill and intangible assets is tested annually, or more frequently where there is indication of impairment. The goodwill of $96.4M arising on the acquisition of Invincea, Inc. on 21 March 2017 was initially allocated to the EMEA CGU. During the year the Directors have re-assessed and re-allocated this goodwill based upon synergies provided to each CGU; the comparatives have also been re-stated. Where the asset does not generate cash flows that are independent from other assets, the Group estimates the recoverable amount of the cash-generating unit to which the asset belongs.
If the recoverable amount of an asset or cash-generating unit is estimated to be less than its carrying amount, the carrying amount of the asset or cash-generating unit is reduced to its recoverable amount. An impairment loss is recognised as an expense immediately in the Consolidated Statement of Profit or Loss. Goodwill is considered impaired if the carrying value of the cash-generating unit to which it relates is greater than the higher of fair value less costs of disposal and the value in use. For the year-ended 31 March 2018, the Directors have reviewed the value of goodwill based on internal value in use calculations. The key assumptions for these calculations are discount rates, growth rates and expected changes to billings and direct costs during the period. The Group prepares cash flow forecasts derived from the Directors’ most recent financial forecasts for the following five years. The growth rates for the five-year period are based on Directors’ expectations of the medium-term operating performance of the cash-generating unit, planned growth in market share, industry forecasts, growth in the market and specific regional considerations and are in line with past experience. Discount rates have been estimated based on rates that reflect current market assessments of the Group’s weighted average cost of capital.

The key assumptions used in the assessments in the year-ended 31 March 2018 are as follows:

% | Americas | EMEA | APJ
Long-term regional growth rate beyond five years | 2.5% | 1.5% | 2.0%
Discount rate | 9.5% | 9.5% | 10.5%

The key assumptions used in the assessments in the year-ended 31 March 2017 were as follows:

% | Americas | EMEA | APJ
Long-term regional growth rate beyond five years | 2.5% | 1.5% | 2.0%
Discount rate | 10.5% | 10.0% | 11.5%

As at 31 March 2018, there were no indicators of impairment that suggested the carrying amounts of the Group’s long-lived assets are not recoverable.
17 Property, Plant and Equipment

$M | Land and Buildings | Plant and Machinery | Fixtures and Fittings | Total
Cost | | | |
As at 31 March 2016 | 20.5 | 29.4 | 4.4 | 54.3
Additions | 0.9 | 9.8 | 0.7 | 11.4
Acquired through business combinations | – | 0.5 | 0.1 | 0.6
Disposals | – | (0.3) | – | (0.3)
Effect of movements in exchange rates | (6.4) | (2.5) | (0.3) | (9.2)
As at 31 March 2017 | 15.0 | 36.9 | 4.9 | 56.8
Additions | 0.9 | 7.8 | 1.3 | 10.0
Disposals | – | (0.4) | – | (0.4)
Effect of movements in exchange rates | 5.4 | 4.0 | 0.6 | 10.0
As at 31 March 2018 | 21.3 | 48.3 | 6.8 | 76.4
Depreciation | | | |
As at 31 March 2016 | 8.8 | 18.9 | 1.7 | 29.4
Charge for the year | 2.7 | 6.0 | 0.7 | 9.4
Acquired through business combinations | – | 0.4 | – | 0.4
Disposals | – | (0.3) | – | (0.3)
Effect of movements in exchange rates | (3.3) | (2.0) | (0.2) | (5.5)
As at 31 March 2017 | 8.2 | 23.0 | 2.2 | 33.4
Charge for the year | 2.6 | 8.1 | 0.9 | 11.6
Disposals | – | (0.3) | – | (0.3)
Effect of movements in exchange rates | 3.1 | 2.8 | 0.4 | 6.3
As at 31 March 2018 | 13.9 | 33.6 | 3.5 | 51.0
Net book value | | | |
As at 31 March 2017 | 6.8 | 13.9 | 2.7 | 23.4
As at 31 March 2018 | 7.4 | 14.7 | 3.3 | 25.4

Included in the net book value of property, plant and equipment are assets under finance lease of $0.0M (2017: $0.1M). There has been no impairment to the property, plant and equipment held by the Group during the year.

18 Inventories

$M | 31 March 2018 | 31 March 2017
Finished goods and goods for resale | 16.0 | 16.2

The amount of write-down of inventories included as an expense within the Consolidated Statement of Profit or Loss was $1.4M (2017: $0.1M).
19 Trade and Other Receivables

$M | 31 March 2018 | 31 March 2017
Current | |
Trade receivables | 151.8 | 123.1
Prepayments | 18.6 | 14.1
Other receivables | 7.4 | 8.0
Total current trade and other receivables | 177.8 | 145.2
Non-current | |
Other receivables | 1.3 | 1.3
Total non-current trade and other receivables | 1.3 | 1.3

Trade receivables are non interest-bearing and are generally on 30–90 day payment terms depending on the geographical territory in which sales are generated. The carrying value of trade and other receivables also represents their fair value. During the year-ended 31 March 2018 a provision for impairment of $0.6M (2017: $0.1M) was recognised in operating expenses against receivables. At 31 March 2018, trade receivables at a nominal value of $0.9M (2017: $0.4M) were impaired and fully provided for.

Movements in the provision for impairment of receivables were as follows:

$M | 31 March 2018 | 31 March 2017
At 1 April | 0.4 | 0.7
Charge for the year | 0.6 | 0.1
Amounts written off | (0.1) | (0.3)
Unused amounts reversed | – | (0.1)
At 31 March | 0.9 | 0.4

The analysis of trade receivables that were past due, but not impaired is as follows:

$M | 31 March 2018 | 31 March 2017
Up to 3 months | 1.5 | 0.4
3 to 6 months | 0.2 | –
Greater than 6 months | 1.0 | 0.4
Total | 2.7 | 0.8

20 Cash and Cash Equivalents

$M | 31 March 2018 | 31 March 2017
Cash at bank and in hand | 67.2 | 62.3
Short-term deposits | 52.8 | 5.8
Total cash and cash equivalents | 120.0 | 68.1

Cash at bank earns interest at floating rates based on daily bank deposit rates. Short-term deposits are made for varying periods of between one day and three months, depending on the immediate cash requirements of the Group, and earn interest at the respective short-term deposit rates.
21 Trade and Other Payables

$M | 31 March 2018 | 31 March 2017
Current | |
Trade payables | 39.6 | 34.9
Accruals | 68.4 | 53.5
Social security and other taxes | 14.9 | 11.5
Other payables | 11.2 | 7.4
Total current trade and other payables | 134.1 | 107.3
Non-current | |
Other payables | 8.2 | 3.9
Total non-current trade and other payables | 8.2 | 3.9

Trade payables are non interest-bearing and are normally settled on 30-day terms or as otherwise agreed with suppliers.

22 Deferred Revenue

$M | 31 March 2018 | 31 March 2017
Current | 330.6 | 286.5
Non-current | 250.4 | 212.2
At 1 April | 581.0 | 498.7
Billings deferred during the year | 768.6 | 632.1
Revenue released to the Consolidated Statement of Profit or Loss | (640.7) | (529.7)
Net deferral | 127.9 | 102.4
Acquired through business combinations | – | 4.1
Translation and other adjustments | 46.8 | (24.2)
Current | 423.9 | 330.6
Non-current | 331.8 | 250.4
At 31 March | 755.7 | 581.0

On acquisition of Invincea, Inc. on 21 March 2017, acquired deferred revenue of $6.1M was reduced by $2.0M representing the fair value of original selling cost and associated profit. $3.1M (2017: $4.1M) remains unamortised at 31 March 2018.

23 Financial Liabilities
The fair values of financial assets and liabilities are included at the price that would be received to sell an asset, or paid to transfer a liability, in an orderly transaction between market participants at the end of the reporting period.
The following methods and assumptions are used to estimate the fair values:
• Cash and cash equivalents – approximates to the carrying amount
• Finance leases – approximates to the carrying amount
• Bank loans – approximates to the carrying amount
• Receivables and payables – approximates to the carrying amount

Where financial assets and liabilities are measured at fair values their measurement should be classified into the following hierarchy:
• Level 1 – quoted prices (unadjusted) in active markets from identical assets or liabilities
• Level 2 – inputs other than quoted prices included within level 1 that are observable for the asset or liability, either directly (i.e. as prices) or indirectly (i.e. derived from prices)
• Level 3 – inputs for the asset or liability that are not based on observable market data

The Group had a Level 3 financial liability of $17.9M of contingent consideration measured at fair value through profit and loss at 31 March 2018 (2017: $21.7M). The fair value of contingent consideration is determined using a probability-weighted average of outcomes discounted back to the acquisition date. The primary unobservable inputs comprise the forecast billings ($Nil to $20M) and billings growth rate (83 per cent) and the risk adjusted discount rate (5.0 per cent – 10 per cent). The estimated fair value would increase / (decrease) if the revenue growth rate was higher / (lower) or the risk adjusted discount rate was lower / (higher).
Total financial liabilities at the end of the reporting period were as follows:

| | 31 March 2018 $M | 31 March 2017 $M |
|---|---|---|
| Current instalments due on finance leases | – | 0.1 |
| Current instalments due on bank loans | – | 50.0 |
| Contingent consideration | 17.4 | 21.0 |
| Total current financial liabilities | 17.4 | 71.1 |
| Non-current instalments due on bank loans | 308.8 | 299.2 |
| Contingent consideration | 0.5 | 0.7 |
| Unamortised facility fees | (2.5) | (3.6) |
| Total non-current financial liabilities | 306.8 | 296.3 |
| Total financial liabilities | 324.2 | 367.4 |

Finance Leases

The Group acquired lease obligations on certain of its fixtures and fittings under finance leases with terms of three to five and a half years and at underlying interest rates ranging from 5.2 per cent – 6.3 per cent per annum as part of the acquisition of Reflexion Inc. At 31 March 2018, the present value of future lease payments was $0.0M (2017: $0.1M).

Contingent Consideration

Invincea, Inc.

As part of the purchase agreement with the previous owners of Invincea, Inc., a contingent consideration has been agreed. The consideration is dependent on the billings of products including the intellectual property acquired with Invincea, Inc. for the 12 month period to 21 March 2018 with a maximum payout of $20.0M. The fair value of the contingent consideration at the acquisition date was estimated at $19.3M. The contingent consideration is due for measurement to the former shareholders on 30 June 2017, 30 September 2017, 31 December 2017 and 21 March 2018 respectively. The final instalment is due for payment in the year-ending 31 March 2019.

Silent Break LLC

As part of the purchase agreement with the previous owners of the “PhishThreat” technology, a contingent consideration has been agreed. The consideration is dependent on the billings of the “PhishThreat” product range for three annual periods commencing 1 March 2017 and ending on 28 February 2020 with a maximum payout of $2.0M.
The fair value of the contingent consideration at the acquisition date was estimated at $1.2M. The contingent consideration is due for measurement to the sellers on 28 February 2018, 2019 and 2020 respectively.

Movements in contingent consideration during the year-ended 31 March 2018 were as follows:

| Contingent Consideration | Invincea, Inc. $M | Silent Break Security LLC $M | Reflexion Networks Inc. $M | Total $M |
|---|---|---|---|---|
| At 31 March 2016 | – | – | 2.2 | 2.2 |
| Assumed on business combination | 19.3 | 1.2 | – | 20.5 |
| Accretion | 0.1 | – | 0.1 | 0.2 |
| Cash paid | – | – | (1.2) | (1.2) |
| At 31 March 2017 | 19.4 | 1.2 | 1.1 | 21.7 |
| Fair value contingent consideration | – | 0.2 | – | 0.2 |
| Accretion | 0.6 | 0.2 | 0.1 | 0.9 |
| Cash paid | (3.7) | – | (1.2) | (4.9) |
| At 31 March 2018 | 16.3 | 1.6 | – | 17.9 |

The undiscounted contingent consideration is due as follows:

| | 31 March 2018 $M | 31 March 2017 $M |
|---|---|---|
| Due within one year | 17.4 | 21.8 |
| Due between two and five years | 0.6 | 0.9 |
| Total undiscounted contingent consideration | 18.0 | 22.7 |

Loans and Borrowings

Included in borrowings are bank loans of $308.8M (2017: $349.2M) as analysed below. This note provides information about the contractual terms of the Group’s interest-bearing loans and borrowings, which are measured at amortised cost. For more information about the Group’s exposure to interest rate, foreign currency and liquidity risk, see note 25.

| | 31 March 2018 $M | 31 March 2017 $M |
|---|---|---|
| Current instalments due on bank loans | – | 50.0 |
| Non-current instalments due on bank loans | 308.8 | 299.2 |
| Total bank loans | 308.8 | 349.2 |

The bank loans are repayable as follows:

| | 31 March 2018 $M | 31 March 2017 $M |
|---|---|---|
| Due within one year | – | 50.0 |
| Due between two and five years | 308.8 | 299.2 |
| Total bank loans | 308.8 | 349.2 |

The Group entered into an amended Senior Facilities agreement on 6 February 2017, whereby an additional Revolving Credit Facility was added to the existing agreement.
Following the amendment, the following terms apply to the bank loans outstanding at 31 March 2018:

| Facility | Interest | Margin | Principal M | Principal $M |
|---|---|---|---|---|
| Facility – A | Libor | 1.50% | $ 235.0 | 235.0 |
| Facility – B | Euribor | 1.50% | € 60.0 | 73.8 |
| Revolving Credit Facility 1 | Libor | 1.25% | – | – |
| Revolving Credit Facility 2 | Libor | 2.25% | – | – |
| | | | | 308.8 |

Repayment and Maturity

Facility A ($235.0M), Facility B (€60.0M), Revolving Credit Facility 1 (multicurrency up to $30.0M) are repayable in full on the termination date at the end of the 60-month term on 1 July 2020. Revolving Credit Facility 2 (multicurrency up to $40.0M) is repayable in full on the termination date on 2 July 2020. Any utilisation of a Revolving Credit facility is repayable on the last day of its interest period, any amount repaid may be re-borrowed. The margin payable on the facilities is dependent upon the ratio of the Group’s net debt to Cash EBITDA as defined in the facility agreement. The bank loans are secured by fixed and floating charges over the assets of certain Group companies including businesses, undertakings, securities, properties, revenues or rights of every description.
24 Provisions

| | Re-structuring $M | Other $M | Total $M |
|---|---|---|---|
| At 31 March 2016 | 0.3 | 1.0 | 1.3 |
| Arising during the year | – | 0.6 | 0.6 |
| Utilised | (0.3) | (0.1) | (0.4) |
| Released during the year | – | – | – |
| Disposal of a business | – | – | – |
| Exchange differences | – | – | – |
| At 31 March 2017 | – | 1.5 | 1.5 |
| Arising during the year | – | 0.2 | 0.2 |
| Utilised | – | – | – |
| Released during the year | – | (0.4) | (0.4) |
| Disposal of a business | – | – | – |
| Exchange differences | – | 0.1 | 0.1 |
| At 31 March 2018 | – | 1.4 | 1.4 |
| 31 March 2018 | | | |
| Current | – | – | – |
| Non-current | – | 1.4 | 1.4 |
| Total provisions | – | 1.4 | 1.4 |
| 31 March 2017 | | | |
| Current | – | 0.4 | 0.4 |
| Non-current | – | 1.1 | 1.1 |
| Total provisions | – | 1.5 | 1.5 |

Other Provisions

The opening provisions partially related to the Group’s obligations to make good the dilapidations of various leasehold premises at the end of the lease periods. Additionally, in France the Group operates an unfunded, compulsory retirement indemnity plan, payable only if the employees are working for the Group when they retire. The provision arising in the year-ended 31 March 2018 relating to the retirement indemnity plan was $0.2M (2017: $0.1M).

25 Financial Risk Management

Financial risk management is conducted at a Group level, applying treasury policies which have been approved by the Board. The major financial risks to which the Group is exposed relate to interest rate risk, credit risk and movements in foreign currency exchange rates. Where appropriate, cost effective and practicable, the Group uses various financial instruments to manage these risks. The main purpose of these financial instruments is to reduce the impact on the Group operations of changes in market rates. No speculative use of derivatives, currency or other instruments is permitted. The Directors review and agree policies for managing each of these risks as summarised below:

Liquidity Risk

The Group prepares budgets annually in advance.
This enables the Group’s operating cash flow requirements to be anticipated and to ensure sufficient liquidity is available to meet foreseeable needs, financial obligations and to invest any surplus cash assets safely and profitably. Quarterly covenant tests are performed and monitored by the Directors at quarterly Board meetings. The Group’s objective is to maintain a balance between continuity of funding, minimising finance costs and maintaining flexibility through the use of short-term deposits and intra-group loan arrangements.

Capital Management

The primary objective of the Group’s capital management is to ensure that it maintains a strong credit rating and healthy capital ratios in order to support its business and maximise shareholder value. The capital structure of the Group consists of cash and cash equivalents as disclosed in note 20, borrowings as disclosed in note 23 and equity attributable to equity holders of the parent, comprising issued capital, reserves and retained earnings, as disclosed in the Consolidated Statement of Changes in Equity. The Group manages its capital structure, and makes adjustments to it, in light of changes in economic conditions. The Group reviews the capital structure on a regular basis and considers the cost of capital and the risks associated with each class of capital.

Credit Risk

The Group’s principal financial assets are cash and bank deposits and trade and other receivables. The Group’s credit risk is primarily attributable to its trade receivables. In order to manage credit risk, the Directors set limits for customers based on a combination of payment history and third party credit references. Credit limits are reviewed by the credit controller on a regular basis in conjunction with debt ageing and collection history.
The amounts presented in the Consolidated Statement of Financial Position are net of allowance for doubtful debts. An allowance for impairment is made where there is an identified loss event which, based on previous experience, is evidence of a reduction in the recoverability of cash flows. The expense recognised in the Consolidated Statement of Profit or Loss in respect of doubtful debts during the period was $0.6M, as disclosed in note 19. The Group has no significant concentration of credit risk in trade receivables; exposure is spread over a large number of counterparties and customers.

With respect to cash and deposits, the Group’s exposure to credit risk arises from the risk of default by the counterparty with a maximum exposure equal to the carrying amount of these assets. To mitigate this risk, cash and deposits are only held with reputable banking institutions. The Group reduces the concentrations of credit risk in cash and deposits by holding balances with a number of separate institutions, wherever possible with banks that are also lenders to the Group.

Interest Rate Risk

The Group is exposed to interest rate risk primarily due to the long-term debt obligations with floating rates of interest.

Interest Rate Sensitivity

A change of 100 basis points in market interest rates would have increased/(decreased) equity and profit and loss by the amounts shown below.

| | Year-ended 31 March 2018 $M | Year-ended 31 March 2017 $M |
|---|---|---|
| Increase in interest rates | (3.3) | (3.1) |
| Decrease in interest rates | 3.3 | 3.1 |

Foreign Currency Risk

The Group is exposed to translation and transaction foreign exchange risk. Several other currencies in addition to the reporting currency of US Dollar are used, including Sterling and the Euro. The Group experiences currency exchange differences arising upon retranslation of monetary items (primarily short-term inter-company balances and long-term borrowings), which are recognised as an expense in the period the difference occurs.
The Group endeavours to match the cash inflows and outflows in the various currencies; the Group typically invoices its customers in their local currency and pays its local expenses in local currency, as a means to mitigate this risk. The Group is also exposed to exchange differences arising from the translation of its subsidiaries’ financial statements into the Group’s reporting currency of US Dollar with the corresponding exchange differences taken directly to equity.

The following table illustrates the movement that 10 per cent in the value of Sterling or the Euro against the USD would have had on the Group’s profit or loss for the period and on the Group’s equity as at the end of the period.

| | Year-ended 31 March 2018 $M | Year-ended 31 March 2017 $M |
|---|---|---|
| 10% movement in Sterling to US Dollar value | | |
| Profit or loss | 5.1 | 0.6 |
| Equity | 37.4 | 25.9 |
| 10% movement in Euro to US Dollar value | | |
| Profit or loss | 7.5 | 6.5 |
| Equity | (10.8) | (11.9) |

Any foreign exchange variance would be recognised as unrealised foreign exchange in the Consolidated Statement of Profit or Loss and have no impact on cash flows.
26 Share Capital

| Shares issued and fully paid | Year-ended 31 March 2018 000’s | Year-ended 31 March 2018 $M | Year-ended 31 March 2017 000’s | Year-ended 31 March 2017 $M |
|---|---|---|---|---|
| At 1 April of £0.03 each | 459,642 | 21.6 | 452,172 | 21.3 |
| Issued for cash on exercise of options | 3,445 | 0.4 | 4,087 | 0.3 |
| Issued under the Sophos Group Long Term Incentive Plan 2015 | 5,401 | – | 3,383 | – |
| At 31 March, Ordinary shares of £0.03 | 468,488 | 22.0 | 459,642 | 21.6 |

27 Distributions Made and Proposed

| Cash dividends on ordinary shares declared and paid | Year-ended 31 March 2018 $M | Year-ended 31 March 2017 $M |
|---|---|---|
| Final dividend for the year-ended 31 March 2016 at $0.011 per share | – | 5.0 |
| Interim dividend for the year-ended 31 March 2017 at $0.013 per share | – | 5.9 |
| Final dividend for the year-ended 31 March 2017 at $0.033 per share | 15.3 | – |
| Interim dividend for the year-ended 31 March 2018 at $0.014 per share | 6.5 | – |
| Total cash dividends paid | 21.8 | 10.9 |

The Directors have proposed that the Company will pay a full-year dividend for the year-ended 31 March 2018 amounting to 3.5 US Cents per share. Proposed final dividends on ordinary shares are subject to approval at the Annual General Meeting to be held on 30 August 2018, and are not recognised as a liability at 31 March 2018.

28 Share-Based Payments

On 25 June 2015, and in connection with the reorganisation of the Group immediately prior to admission of the Company’s shares for trading on the London Stock Exchange, participants with existing options outstanding under the Pentagon Holdings SARL approved share plans were offered to exchange their options for new options over shares in Sophos Group plc.

On 11 June 2015, and in connection with the admission of the Company’s shares for trading on the London Stock Exchange, the Company’s Board of Directors approved the following share-based payment plans:

The Sophos Group Long Term Incentive Plan 2015, (“2015 LTIP”)

The 2015 LTIP plan aims to motivate and retain employees and align their interest with shareholders.
Under the plan the remuneration committee of the Board can award the following types of awards: Performance Share Units, Restricted Share Units, Share Options, Conditional Share Awards, Cash-Based Awards or Forfeitable Shares.

Sophos Group SAYE Option Scheme 2015 (“SAYE”)

The SAYE plan aims to encourage wider share ownership amongst UK employees of the Group by offering an HMRC approved share save scheme, whereby employees are offered options to buy shares at a discount following a pre-set savings period.

Sophos Group 2015 Employee Stock Purchase Plan (“ESPP”)

The ESPP plan aims to encourage wider share ownership amongst US employees of the Group by offering options compliant with Section 423 of the Internal Revenue Code. Employees are offered options to buy shares at a discount following a pre-set savings period.

Sophos Group International SAYE Option Scheme 2015 (“International SAYE”)

The International SAYE plan aims to encourage wider share ownership amongst the Group’s employees outside of the UK and US by offering options to buy shares at a discount following a pre-set savings period.

Share-Based Payment Expense

The expense recognised for employee services received during the year is as follows:

| | Year-ended 31 March 2018 $M | Year-ended 31 March 2017 $M |
|---|---|---|
| Cash-settled transactions | 2.7 | 1.2 |
| Equity-settled transactions | 39.6 | 31.3 |
| Total share-based payment expense | 42.3 | 32.5 |

The cash-settled expense comprises cash-based awards together with certain social security taxes. The carrying value of the liability as at 31 March 2018 was $3.1M (2017: $1.8M).

Share Options

The fair value of equity-settled share options granted is measured as at the date of grant using a Black-Scholes model, taking into account the terms and conditions upon which the options were granted.
The following table illustrates the weighted average inputs into the Black-Scholes model in the year:

| | Year-ended 31 March 2018 | Year-ended 31 March 2017 |
|---|---|---|
| Weighted average share price ($ cents) | 628.23 | 291.00 |
| Weighted average exercise price ($ cents) | 516.70 | 234.00 |
| Expected volatility | 38.20% | 42.40% |
| Expected life of options (years) | 2.08 | 3.20 |
| Risk free rate | 1.49% | 0.92% |
| Dividend yield | 3.56% | 0.62% |

The weighted average fair value of options granted during the year was $ cents 185.33 (2017: $ cents 51.75).

The expected volatility reflects the assumption that the historical share price volatility is indicative of future trends, which may not necessarily be the actual outcome. An increase in the expected volatility will increase the estimated fair value.

The expected life of the options is based on historical data and is not necessarily indicative of exercise patterns that may occur. The expected life used in the model has been adjusted, based on the Director’s best estimate, taking into account the effects of exercise restrictions, non-transferability and behavioural considerations. An increase in the expected life will increase the estimated fair value.

The number and weighted average exercise prices (“WAEP”) of, and movements in, share options during the year are set out below:

| | Year-ended 31 March 2018 Number 000’s | Year-ended 31 March 2018 WAEP £ pence | Year-ended 31 March 2017 Number 000’s | Year-ended 31 March 2017 WAEP £ pence |
|---|---|---|---|---|
| Outstanding at the start of the year | 16,973 | 79.9 | 22,677 | 51.8 |
| Awarded | 1,667 | 317.2 | 1,725 | 162.0 |
| Forfeited | (648) | 138.6 | (642) | 105.0 |
| Exercised | (3,768) | 92.7 | (6,787) | 33.9 |
| Outstanding at the end of the year | 14,224 | 94.0 | 16,973 | 79.9 |
| Exercisable at the end of the year | 10,030 | 58.3 | 10,958 | 59.0 |

The weighted average share price for options exercised during the year was £ pence 512 (2017: £ pence 262).
Options outstanding at the end of the year had the following range of exercise prices and weighted average remaining contractual terms (“WARCT”):

| Exercise price $ Cents / £ pence | 31 March 2018 Number 000’s | 31 March 2018 WARCT Years | 31 March 2017 Number 000’s | 31 March 2017 WARCT Years |
|---|---|---|---|---|
| $ 1.8598 | – | – | 153 | 3.2 |
| $ 47.5891 | 259 | 2.2 | 676 | 3.2 |
| $ 51.9154 | – | – | 32 | 5.7 |
| $ 59.7813 | 8,134 | 4.7 | 9,972 | 5.7 |
| $ 70.7937 | 300 | 6.2 | 378 | 7.2 |
| $ 91.2452 | 23 | 6.2 | 175 | 7.2 |
| $ 155.7461 | 2,742 | 6.5 | 3,523 | 7.5 |
| $ 210.8078 | 371 | 6.9 | 419 | 7.9 |
| £ 162.0000 | 1,537 | 1.9 | 1,645 | 2.9 |
| £ 371.0000 | 620 | 2.9 | – | – |
| £ 367.8800 | 238 | 0.3 | – | – |
| Outstanding at the end of the year | 14,224 | 4.6 | 16,973 | 5.9 |

Restricted Shares

The following table illustrates the number and weighted average share price (“WASP”) on date of award of, and movements in, non-vested restricted shares in the year:

| Restricted shares | Year-ended 31 March 2018 Number 000’s | Year-ended 31 March 2018 WASP $ Cents | Year-ended 31 March 2017 Number 000’s | Year-ended 31 March 2017 WASP $ Cents |
|---|---|---|---|---|
| Outstanding at the start of the year | 127 | 155.75 | 127 | 155.75 |
| Vested | (63) | 155.75 | – | – |
| Outstanding at the end of the year | 64 | 155.75 | 127 | 155.75 |

Restricted Share Units

The following table illustrates the number and weighted average share price (“WASP”) on date of award, and movements in, restricted share units (“RSUs”) and cash based awards granted under the 2015 LTIP:

| Restricted share units | Year-ended 31 March 2018 Number 000’s | Year-ended 31 March 2018 WASP £ pence | Year-ended 31 March 2017 Number 000’s | Year-ended 31 March 2017 WASP £ pence |
|---|---|---|---|---|
| Outstanding at the start of the year | 15,350 | 215.92 | 9,389 | 264.74 |
| Awarded | 6,337 | 453.14 | 10,930 | 187.00 |
| Forfeited | (1,421) | 284.15 | (1,652) | 209.94 |
| Released | (5,426) | 218.49 | (3,317) | 261.81 |
| Outstanding at the end of the year | 14,840 | 316.09 | 15,350 | 215.92 |

RSUs and cash-based awards vest as to 25 per cent (20 per cent in the case of RSUs with a five year vesting period) on the anniversary of the award and the remaining 75 per cent (or 80 per cent in the case of RSUs with a five year vesting period) quarterly thereafter.
Performance Share Units

The following table illustrates the number and weighted average share price (“WASP”) on date of award, and movements in, performance share units (“PSUs”) granted under the 2015 LTIP:

| Performance share units | Year-ended 31 March 2018 Number 000’s | Year-ended 31 March 2018 WASP £ pence | Year-ended 31 March 2017 Number 000’s | Year-ended 31 March 2017 WASP £ pence |
|---|---|---|---|---|
| Outstanding at the start of the year | 6,024 | 219.41 | 2,785 | 265.00 |
| Awarded | 1,719 | 440.50 | 4,090 | 186.75 |
| Forfeited | (197) | 223.96 | (745) | 203.99 |
| Released | – | – | (106) | 265.00 |
| Outstanding at the end of the year | 7,546 | 269.65 | 6,024 | 219.41 |

PSUs vest on one vesting date following a three year vesting period which will comprise three financial years. The awards are divided into three equal parts which will each be subject to a separate annual performance condition linked to the financial performance of the Group.

29 Pension Schemes

The Group contributes to defined contribution pension schemes in the UK and to similar or state pension schemes overseas for the benefit of the employees and Directors. The assets of the schemes are administered by trusts or other bodies in funds independent from the Group. The pension cost charge for the period represents contributions payable by the Group to the funds and amounted to $8.4M (2017: $6.5M). Contributions of $1.3M (2017: $1.5M) to the defined contribution pension scheme were outstanding, but not overdue, at 31 March 2018.
30 Related Party Transactions

The consolidated financial information includes the financial information of Sophos Group plc and the subsidiaries listed in the following table:

Country of incorporation Subsidiary undertaking Principal activity / registered address Class of shares held Percentage of shares held Australia Sophos Pty Ltd 3 Selling IT security solutions Ordinary 100% Level 11, 1 Elizabeth Plaza, North Sydney, NSW 2060, Australia Canada Sophos Inc 3 Selling IT security solutions Common 100% France Sophos Sarl 3 Selling IT security solutions Ordinary 100% 3400, 350-7th Ave SW, Calgary AB T2P 3N9, Canada Germany Sophos Holdings GmbH 3 Holding Company Ordinary 100% River Ouest, 80 Quai Voltaire, 95870 Bezons, France Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany Sophos Technology GmbH 4 Research and Development Ordinary 100% Amalienbadstr. 41/ Bau 52 76227 Karlsruhe, Germany Hong Kong Sophos Hong Kong Co Ltd 3 Selling IT security solutions Ordinary 100% Hungary Sophos Hungary Kft 3 Research and Development Ordinary 100% Unit K, 12/F., MG Tower, No. 
133 Hoi Bun Road, Kwun Tong, Kowloon, Hong Kong India Sophos Technology Private Ltd 10 Aliz Utca, 1 Office Garden, Irodahaz A Epulet, 1117 Budapest, Hungary Selling IT security solutions Ordinary 100% Sophos House, Saigulshan Complex, Beside White House, Panchwati Cross Road, Ahmedabad 380006, Gujarat, India Ireland Sophos Security Technology Ltd 3 Research and Development Ordinary 100% Unit C/D, Building 2100, Cork Airport Business Park, Cork, T12 KV8R, Republic of Ireland Italy Sophos Italia Srl 3 Selling IT security solutions Ordinary 100% Japan Sophos KK 3 Selling IT security solutions Ordinary 100% Via Tonale 26, CAP 20125 Milano (MI), Italy Izumi Garden Tower 10F, 1-6-1 Roppongi, Minato-ku Tokyo 106-6010 Japan Luxembourg Aspen Finance Co Sarl 2 Financing Company Ordinary 100% Netherlands Sophos BV 3 Selling IT security solutions Ordinary 100% 1-3, Boulevard de la Foire, L-1528, Luxembourg Hoevestein 11B, 4903 SE Oosterhout NB, Netherlands Threatstar Holding BV 8 Holding Company Threatstar BV 9 Research and Development SurfRight BV 8 Selling IT security solutions Ordinary Ordinary Ordinary 100% 100% 100% Singapore Sophos Computer Security Pte Ltd 3 Lansinkesweg 4, 7553 AE Hengelo, Netherlands Selling IT security solutions Ordinary 100% 60 Paya Lebar Road, #08-13 Paya Lebar Square, Singapore 409051 Spain Sophos Iberia Srl 3 Selling IT security solutions Ordinary 100% Calle Orense 81, 28020 Madrid, Spain Sweden Sophos AB 3 Selling IT security solutions Ordinary 100% Switzerland Sophos Schweiz AG 3 Selling IT security solutions Ordinary 100% Färögatan 33, 164 51 Kista, Stockholms län, Sweden Bernstrasse 388, 8953 Dietikon, Switzerland Astaro Trading AG 5 Historical purchasing entity Ordinary 100% Blumenaustr. 
28, 8200 Schaffhausen, Switzerland Taiwan Sophos Taiwan Ltd 3 Services Company Ordinary 100% 5F-4, No. 57, Sec. 1 Chongqing S. Road, Zhongzheng Dist., Taipei City 100 Taiwan (R.O.C.) Turkey Sophos Turkey Technoji Ltd Sirketi 3 Services Company Ordinary 100% 19 Mayıs Mah. Turaboğlu Sok., Hamdiye Yazgan, İş M. Apt. No: 4 / 2 Kadıköy, İstanbul, Turkey UK Sophos Holdings Ltd 1 Holding Company Sophos Treasury Ltd 2 Financing Company Sophos Limited 2 Selling IT security solutions Sophos Overseas Limited 3 Services Company Sophos Nominees Limited 3 Share nominee company Ordinary Ordinary Ordinary Ordinary Ordinary 100% 100% 100% 100% 100% The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK USA Sophos Inc 3 Selling IT security solutions Ordinary 100% 3 Van de Graaff Drive, 2nd Floor, Burlington, MA 01803, USA Cyberoam Inc 6 Services Company Ordinary 100% 10 Schalks Crossing Road, Suite 501-329, Plainsboro, NJ 08536, USA Reflexion Networks Inc 7 Selling IT security solutions Ordinary 100% 1209 Orange St, Wilmington, County of New Castle DE 19801, USA Invincea, Inc 7 Selling IT security solutions Sandboxie Holdings, LLC 11 Services Company Ordinary Ordinary 100% 100% 2711 Centerville Rd Suite 400, Wilmington, New Castle, DE 19808, USA

1 Shares held by Sophos Group Plc
2 Shares held by Sophos Holdings Ltd
3 Shares held by Sophos Limited
4 Shares held by Sophos Holdings GmbH
5 Shares held by Sophos Technology GmbH
6 Shares held by Sophos Technology Private Ltd
7 Shares held by Sophos Inc
8 Shares held by Sophos BV
9 Shares held by Threatstar Holding BV
10 Shares held by Sophos Limited and Sophos Nominees Limited
11 Shares held by Invincea, Inc

Other Related Parties

During the year the Group entered into transactions, in the ordinary course of business, with other related parties.
During the year-ended 31 March 2018, no provisions were made for doubtful debts relating to amounts owed by related parties (2017: $Nil). Sales and purchases between related parties are made at normal market prices. Outstanding balances with entities other than subsidiaries are unsecured, interest free and cash settlement is expected within 60 days of invoice. Terms and conditions for transactions with subsidiaries are the same, with the exception that balances are placed on inter-company accounts with no specified credit period. The Group has not provided or benefitted from any guarantees for any related party receivables or payables.

The Company and certain subsidiaries have provided unsecured guarantees to certain third parties within the normal course of business, the majority of which were in favour of certain lenders in respect of some of the Group’s borrowing facilities. As at 31 March 2018, these guarantees totalled $308.8M (2017: $349.2M) relating to the Group’s financing facilities.

Compensation of Key Management Personnel (Including Directors)

| | Year-ended 31 March 2018 $M | Year-ended 31 March 2017 $M |
|---|---|---|
| Short-term employee benefits | 9.1 | 9.7 |
| Post-employment benefits | 0.1 | 0.1 |
| Share-based payments – equity-settled | 17.7 | 16.0 |
| Total | 26.9 | 25.8 |

Short-term employee benefits comprise fees, salaries, benefits and bonuses earned during the year as well as non-monetary benefits. Post-employment benefits comprise the cost of providing defined contribution pensions to senior management in respect of the current period. Share-based payments comprise the cost of senior management’s participation in share-based payment plans for the period as measured by the fair value of awards in accordance with IFRS2.

31 Business Combinations

The Group has not entered into any business combinations during the year-ended 31 March 2018.

Invincea, Inc.

In the prior-year, on 21 March 2017, Sophos Inc. 
acquired for cash 100 per cent of the share capital of Invincea, Inc., a company based in Fairfax, Virginia, United States. The acquisition is significantly strengthening the Group’s industry leading next-generation endpoint protection product by adding Invincea, Inc.’s machine learning and artificial intelligence technology threats. Acquisition-related expenses of $4.1M have been excluded from the consideration transferred and have been recognised as an expense within General finance and administration – exceptional items.

Assets acquired and liabilities assumed on the day of acquisition were as follows:

| | Book value $M | Adjustment $M | Fair value $M |
|---|---|---|---|
| Non-current assets: | | | |
| Intangible assets | | | |
| Intellectual property | – | 18.5 | 18.5 |
| Customer relationships | – | 1.2 | 1.2 |
| Plant and equipment | 0.2 | – | 0.2 |
| Current assets: | | | |
| Trade and other receivables | 1.3 | – | 1.3 |
| Deferred tax asset | 13.8 | – | 13.8 |
| Cash and cash equivalents | 0.3 | – | 0.3 |
| Non-current liabilities: | | | |
| Deferred tax liability | – | 8.7 | 8.7 |
| Current liabilities: | | | |
| Deferred revenues | 6.1 | (2.0) | 4.1 |
| Trade and other payables | 3.7 | – | 3.7 |
| Lease obligations | – | – | – |
| Net assets recognised at the date of acquisition | 5.8 | 13.0 | 18.8 |
| Cash paid | | | 95.9 |
| Contingent consideration | | | 19.3 |
| Goodwill arising on acquisition – Invincea, Inc. | | | 96.4 |

Prior to the acquisition, Invincea, Inc. operated in a complementary market sector to the Group and, accordingly, the results of Invincea, Inc. are incremental to those of the Group. Revenue of $529.7M for the twelve-months to 31 March 2017 includes $0.2M in respect of Invincea, Inc. The impact of Invincea, Inc. on the operating loss of the Group for the period-ended 31 March 2017 was insignificant. Had Invincea, Inc. been owned since 1 April 2016, revenue for the year-ended 31 March 2017 would have increased over the reported revenue by approximately $19.1M. The impact on the operating loss of the Group would have been $7.0M.
Included in the assets acquired was a deferred taxation balance of $13.8M. The deferred tax asset relates to tax losses of $11.3M, deferred revenue of $1.1M and intangible assets of $1.4M. Sufficient profits are forecasted, in the timeframe in which the Group forecasts, against which the recognised tax losses will be offset.

Intellectual Property – Silent Break Security

In the prior-year, on 18 November 2016, Sophos Limited entered into an agreement to buy for cash the trade and assets of Silent Break Security LLC and acquire the Intellectual Property of “PhishThreat”, a phishing attack simulator used to train users to spot phishing attacks, dangerous attachments and bogus scripts. The Group also secured the ongoing services of certain key employees.

| | Fair value $M |
|---|---|
| Assets acquired | 3.1 |
| Cash paid | 3.0 |
| Contingent consideration | 1.2 |
| Goodwill arising on asset acquisition from Silent Break Security LLC | 1.1 |

Had the trade and assets of Silent Break Security LLC been owned since 1 April 2016, the impact on the operating loss of the Group would have been insignificant.

Barricade Security Systems Limited

In the prior-year, on 20 October 2016, Sophos Limited acquired for cash 100 per cent of the share capital of Barricade Security Systems Limited, a company based in Cork, Ireland. The company was a start-up company providing cloud-based security analytics and the acquisition has strengthened the Group’s machine learning and artificial intelligence expertise.

| | Fair value $M |
|---|---|
| Non-current assets | 0.1 |
| Trade and other receivables | 0.1 |
| Cash and cash equivalents | – |
| Trade and other payables | 0.5 |
| Net liabilities recognised at the date of acquisition | 0.3 |
| Cash paid | 1.9 |
| Goodwill arising on acquisition – Barricade Security Systems Limited | 2.2 |

Prior to the acquisition, Barricade Security Systems Limited had immaterial revenues and all trading ceased on the day of acquisition.
The impact of Barricade Security Systems Limited on the operating loss of the Group for the period is insignificant. Had Barricade Security Systems Limited been owned since 1 April 2016, the impact on the operating loss of the Group would have been insignificant.

Goodwill arose in all the above business combinations because the cost of the combination included amounts in relation to the benefit of expected synergies, future market development and the assembled workforce. These benefits are not recognised separately from goodwill because they do not meet the recognition criteria for identifiable intangible assets. None of the goodwill recognised is expected to be deductible for income tax purposes.

32 Notes to the Consolidated Statement of Cash Flows

Acquisition of subsidiaries net of cash acquired

| Consideration paid, satisfied in cash: | Year-ended 31 March 2018 $M | Year-ended 31 March 2017 $M |
|---|---|---|
| – Invincea, Inc. | 3.7 | 95.9 |
| – Intellectual Property - Silent Break Security | – | 3.0 |
| – Barricade Security Systems Limited | – | 1.9 |
| – Reflexion Networks Inc. | 1.2 | 1.2 |
| Net cash purchased | – | (0.3) |
| Acquisition of subsidiaries net of cash | 4.9 | 101.7 |

Movement in net debt

| | 31 March 2017 $M | Cash flow $M | Non-cash movements $M | Effect of movements in exchange rates $M | 31 March 2018 $M |
|---|---|---|---|---|---|
| Cash at bank and in hand | (62.3) | 1.1 | – | (6.1) | (67.3) |
| Short-term deposits | (5.8) | (46.3) | – | (0.7) | (52.8) |
| Cash and cash equivalents | (68.1) | (45.2) | – | (6.8) | (120.1) |
| Obligations under finance leases | 0.1 | (0.1) | – | – | – |
| Bank loans | 345.6 | (50.1) | 1.1 | 9.7 | 306.3 |
| Gross debt | 345.7 | (50.2) | 1.1 | 9.7 | 306.3 |
| Net debt | 277.6 | (95.4) | 1.1 | 2.9 | 186.2 |

Movement in net debt

| | 31 March 2016 $M | Cash flow $M | Non-cash movements $M | Effect of movements in exchange rates $M | 31 March 2017 $M |
|---|---|---|---|---|---|
| Cash at bank and in hand | (49.7) | (16.2) | – | 3.6 | (62.3) |
| Short-term deposits | (17.1) | 8.7 | – | 2.6 | (5.8) |
| Cash and cash equivalents | (66.8) | (7.5) | – | 6.2 | (68.1) |
| Obligations under finance leases | 0.2 | (0.1) | – | – | 0.1 |
| Bank loans | 324.7 | 24.1 | 0.9 | (4.1) | 345.6 |
| Gross debt | 324.9 | 24.0 | 0.9 | (4.1) | 345.7 |
| Net debt | 258.1 | 16.5 | 0.9 | 2.1 | 277.6 |

Non-cash movements comprise amortisation of facility fees.

33 Commitments and Contingent Liabilities

Operating lease arrangements

| Amount recognised for the year: | Year-ended 31 March 2018 $M | Year-ended 31 March 2017 $M |
|---|---|---|
| Property | 12.5 | 10.8 |
| Other | 1.6 | 1.4 |
| Total | 14.1 | 12.2 |

At the reporting date, the Group had outstanding commitments for future minimum lease payments under non-cancellable operating leases, which fall due as follows:

| | 31 March 2018 $M | 31 March 2017 $M |
|---|---|---|
| Within one year | 14.0 | 12.0 |
| In the second to fifth years inclusive | 34.8 | 34.8 |
| After five years | 19.7 | 20.6 |
| Total | 68.5 | 67.4 |

Commitments for the Acquisition of Property, Plant and Equipment

At 31 March 2018 the Group had entered into contractual commitments for the acquisition of property, plant and equipment amounting to $Nil (2017: $0.2M).
Guarantees

At 31 March 2018 the Group had outstanding guarantees provided to third parties of $1.3M (2017: $1.2M).

Legal Proceedings

The Group is involved in a number of legal proceedings that are incidental to our business. Although it is possible that adverse decisions (or settlements) may occur in one or more of the cases, it is not currently possible to estimate the potential loss or losses. The final outcome of these proceedings, individually or in the aggregate, is not expected to have a material impact on the business.

Litigation is currently in process against an entity within the Group by RPost Holdings Inc. The company allege patent infringements and claim unspecified damages. In accordance with IAS 37.92, the Group does not provide further information on the grounds that this could seriously prejudice the outcome of the litigation. The Directors are of the opinion that the claim can be successfully resisted by the Group.

34 Principal Exchange Rates

| Principal exchange rates | Year-ended 31 March 2018 | Year-ended 31 March 2017 |
|---|---|---|
| Translation of Sterling into US dollar ($:£1.00) | | |
| Average | 1.3264 | 1.3200 |
| Closing | 1.4028 | 1.2505 |
| Translation of Euro into US dollar ($:€1.00) | | |
| Average | 1.1664 | 1.1017 |
| Closing | 1.2299 | 1.0696 |

When calculating performance measures on a constant currency basis, the Group uses the closing balance sheet rate of the previous year.

35 Events After the Reporting Period

There are no material events after the reporting period which require disclosure under IAS10.
Company Only Statement of Financial Position
At 31 March 2018
Company registered number: 09608658

| | Note | 31 March 2018 $M | 31 March 2017 $M |
|---|---|---|---|
| Non-current assets | | | |
| Deferred tax asset | | 8.8 | 13.6 |
| Investments | 3 | 1,099.1 | 1,068.4 |
| Loan due from subsidiary | 4 | 93.5 | 93.5 |
| | | 1,201.4 | 1,175.5 |
| Current assets | | | |
| Amounts due from subsidiaries | | 27.8 | 24.0 |
| Total current assets | | 27.8 | 24.0 |
| Total assets | | 1,229.2 | 1,199.5 |
| Current liabilities | | | |
| Trade and other payables | | – | 0.6 |
| Amounts due to subsidiaries | | 46.7 | 26.2 |
| Total current liabilities | | 46.7 | 26.8 |
| Net assets | | 1,182.5 | 1,172.7 |
| Represented by: | | | |
| Share capital | 5 | 22.0 | 21.6 |
| Share premium | | 122.3 | 118.4 |
| Retained earnings | | 946.1 | 977.1 |
| Share-based payment reserve | | 92.1 | 55.6 |
| Total equity | | 1,182.5 | 1,172.7 |

These Financial Statements were approved by the Board of Directors on 16 May 2018 and were signed on its behalf by:

Nick Bray
Chief Financial Officer

The notes on pages 142 and 143 form an integral part of these financial statements.

Company Only Statement of Changes in Equity
At 31 March 2018

| | Share Capital $M | Share Premium $M | Retained Earnings $M | Share Based Payment Reserve $M | Total $M |
|---|---|---|---|---|---|
| At 31 March 2016 | 21.3 | 115.9 | 993.7 | 19.0 | 1,149.9 |
| Loss for the period: | – | – | (5.6) | – | (5.6) |
| Other comprehensive profit or loss: | – | – | – | – | – |
| Total comprehensive loss | – | – | (5.6) | – | (5.6) |
| Share options exercised | 0.3 | 2.5 | – | – | 2.8 |
| Disposal of EBT treasury shares | – | – | (0.1) | – | (0.1) |
| Share-based payments – expense | – | – | – | 31.3 | 31.3 |
| Share-based payments – deferred tax | – | – | – | 5.3 | 5.3 |
| Cash dividend | – | – | (10.9) | – | (10.9) |
| At 31 March 2017 | 21.6 | 118.4 | 977.1 | 55.6 | 1,172.7 |
| Loss for the period: | – | – | (9.2) | – | (9.2) |
| Other comprehensive profit or loss: | – | – | – | – | – |
| Total comprehensive loss | – | – | (9.2) | – | (9.2) |
| Share options exercised | 0.4 | 3.9 | – | – | 4.3 |
| Share-based payments - expense | – | – | – | 39.6 | 39.6 |
| Share-based payments - taxation | – | – | – | (3.1) | (3.1) |
| Cash dividend | – | – | (21.8) | – | (21.8) |
| At 31 March 2018 | 22.0 | 122.3 | 946.1 | 92.1 | 1,182.5 |

The notes on pages 142 to 143 form an integral part of these financial statements.

Notes to the Company Financial Statements
For the year-ended 31 March 2018

1 Principal Accounting Policies

The following accounting policies have been applied consistently in dealing with items which are considered material in relation to the Company’s Financial Statements.

Basis of Preparation

The Company and its trading subsidiaries have considerable financial resources and a large number of customer contracts across different geographic areas and industries. As a consequence, the Directors believe the Company is well placed to manage its business risks successfully.

The Company operates as an investment company for the Sophos Group, holding investments in subsidiaries financed by Group companies. As the Company is an intrinsic part of the Group’s structure, the Directors have a reasonable expectation that Group companies will continue to support the Company through trading and cash generated from trading for the foreseeable future. Thus the Group continues to adopt the going concern basis in preparing the Financial Statements.

The Financial Statements have been prepared in accordance with Financial Reporting Standard 102 (“FRS 102”) and under the historical cost accounting rules.

Under section 408 of the Companies Act 2006, the Company is exempt from the requirement to present its own profit and loss account.

The Company is considered to be a qualifying entity for the purposes of FRS 102 and has applied the exemptions available under FRS 102 in respect of the cash flow statement and key management personnel compensation.

As the Consolidated Financial Statements of the Company include the equivalent disclosures, the Company has also taken the exemptions available under FRS 102 in respect of disclosures in respect of share-based payments, financial instruments and the requirements of Section 33 Related Party Disclosures paragraph 33.7.
Investments

Investments in subsidiary undertakings are stated at cost less any provision for impairment.

Foreign Currencies

Transactions in foreign currencies are recorded using the rate of exchange ruling at the date of the transaction. Monetary assets and liabilities denominated in foreign currencies are translated using the rate of exchange ruling at the balance sheet date and the gains or losses on translation are included in the profit and loss account. Non-monetary assets and liabilities denominated in foreign currencies are stated at historical foreign exchange rates.

Interest-Bearing Loans and Borrowings

Obligations for loans and borrowings are recognised when the Company becomes party to the related contracts and are measured initially at fair value less directly attributable transaction costs. After initial recognition, interest-bearing loans and borrowings are subsequently measured at amortised cost using the effective interest method. Gains and losses arising on the repurchase, settlement or otherwise cancellation of liabilities are recognised respectively in finance income and finance expense.

Going Concern Basis

The Company operates as an investment company for the Sophos Group, holding investments in subsidiaries financed by Group companies. As the Company is an intrinsic part of the Group’s structure, the Directors have a reasonable expectation that Group companies will continue to support the Company through distribution or debt/financing supported by trading and cash generated. Thus the Group continues to adopt the going concern basis in preparing the Financial Statements.

2 Profit and Loss Account

The loss after tax dealt with in the books of the Company was $9.2M (2017: $5.6M). Under section 408 of the Companies Act 2006 the Company is exempt from the requirement to present its own profit and loss account.
3 Investments

| | 31 March 2018 $M | 31 March 2017 $M |
|---|---|---|
| Investment in Sophos Holdings Limited | 1,035.8 | 1,035.8 |
| Investment in Sophos Limited | 63.3 | 32.6 |
| At 31 March | 1,099.1 | 1,068.4 |

The investment in Sophos Holdings Limited, a holding company for the Sophos Group, comprises 100 per cent of the ordinary share capital. The investment in Sophos Limited comprises share-based payment expenses for equity awards granted to participants employed by Sophos Limited and its subsidiaries.

4 Loan Due From Subsidiary

As part of the re-financing of the Group on 1 July 2015, the Company lent $93.5M to Sophos Holdings Limited, a wholly owned subsidiary. The loan carries a variable interest rate based on the Group’s Senior Facility A loan plus a margin of 0.1 per cent and is repayable in full at the end of a 60-month term on 1 July 2020.

5 Share Capital

| Shares issued and fully paid | Year-ended 31 March 2018 000’s | Year-ended 31 March 2018 $M | Year-ended 31 March 2017 000’s | Year-ended 31 March 2017 $M |
|---|---|---|---|---|
| At 1 April of £0.03 each | 459,642 | 21.6 | 452,172 | 21.3 |
| Issued for cash on exercise of options | 3,445 | 0.4 | 4,087 | 0.3 |
| Issued under the Sophos Group Long Term Incentive Plan 2015 | 5,401 | – | 3,383 | – |
| At 31 March, Ordinary shares of £0.03 | 468,488 | 22.0 | 459,642 | 21.6 |

6 Functional Currency

Sophos Group plc is registered in England and Wales and has a functional currency of US Dollars.
Glossary

Adjusted operating profit: Adjusted operating profit represents the Group’s operating profit/(loss) adjusted for amortisation charges, share option charges and exceptional items

AES: Advanced Encryption Standard

Americas: North and South America

APJ: Asia-Pacific and Japan

Billings: Billings represents the value of products and services invoiced to customers after receiving a purchase order from the customer and delivering products and services to them, or for which there is no right to a refund

Blue chip: Channel partners who transact five or more deals in a trailing six-month period

Board: The Board of Directors of Sophos Group plc

BYOD: Bring Your Own Device

CAGR: Compound annual growth rate

Cash EBITDA: Cash EBITDA is defined as the Group's operating profit adjusted for depreciation and amortisation charges, any gains or losses on the sale of tangible and intangible assets, share option charges, unrealised foreign exchange differences and exceptional items with billings replacing revenue

Cash EBITDA margin: Cash EBITDA margin is calculated as cash EBITDA as a percentage of billings

Channel first: The distribution model used by the Group, where products are sold to end customers through a network of channel partners and distributors

Company: Sophos Group plc

Constant currency: The group uses US Dollar-based constant currency models to measure performance. These are calculated by applying a single exchange rate to local currency transactions for both the current and prior-year. This gives US Dollar denominated measures that exclude variances attributable to foreign exchange rate movements

Deep Learning: An advanced form of machine learning inspired by the way the human brain works. It is the same type of machine learning often used for facial recognition, natural language processing, self-driving cars, and other advanced fields of computer science and research

Directors: The Executive and Non-Executive Directors of the Company

DPI: Deep Packet Inspection

EBITDA: Earnings before interest, taxation, depreciation and amortisation

EMEA: Europe, Middle East and Africa

Enduser / end user: Enduser being a sub-set of the Group’s products; end user being the ultimate user and customer of the Group’s products

GHG: Greenhouse gas

Group: The group of companies owned by Sophos Group plc

HTML5: The fifth revision of the HyperText Markup Language of the internet used for structuring and presenting content for the world wide web

IASB: International Accounting Standards Board

IFRS: International Financial Reporting Standards

KPI: Key Performance Indicator

MSP: Managed Service Provider

OEM: Original Equipment Manufacturer

RED: Remote Ethernet Device

Renewal rate: Renewal rates are calculated by comparing the US Dollar amount of contracts renewed in a period (including instances of cross-sell and upsell) to the US Dollar amount of contracts available for renewal in the period

Retention rate: Retention rates are calculated by comparing the US Dollar amount of contracts renewed into the following period (including instances of cross-sell and upsell) to the US Dollar amount of total contracts at the start of the period

SSL: Secure Sockets Layer, a standard security technology for establishing an encrypted link between a server and a client

Unlevered free cash flow: Unlevered free cash flow represents cash EBITDA less purchases of property, plant and equipment and intangibles, plus cash flows in relation to changes in working capital and taxation

UTM/NGFW: Unified Threat Management/Next-Generation Firewall

VAR: Value-Added Reseller

VPN: Virtual Private Network

Weighted average contract length: Weighted average contract length is calculated on a last twelve month basis, at constant currency and provides an indication of the period over which future revenue will be recognised

Company Information

Directors
Peter Gyenes
Kris Hagerman
Nick Bray
Sandra Bergeron
Roy Mackenzie
Rick Medlock
Steve Munford
Vin Murria
Paul Walker

Registered Office
Sophos Group plc
The Pentagon
Abingdon Science Park
Abingdon OX14 3YP
Registered number: 09608658
www.sophos.com

Registrar Services
Link Asset Services
34 Beckenham Road
Beckenham BR3 4TU

Investor Relations
investors.sophos.com
investor.relations@sophos.com

Public Relations
Tulchan Communications
85 Fleet Street
London EC4Y 1AE

Auditor
KPMG LLP
15 Canada Square
London E14 5GL