CyberArk Software (CYBR) Risk Factors

We are incorporated in Israel, the majority of our directors and executive officers, and the Israeli auditors listed in this annual report reside outside of the United States, and most of our assets and most of the assets of these persons are located outside of the United States. Therefore, a judgment obtained against us, or any of these persons, including a judgment based on the civil liability provisions of the U.S. federal securities laws, may not be collectible in the United States and may not be enforced by an Israeli court. It also may be difficult for our shareholders to effect service of process on these persons in the United States or to assert U.S. securities law claims in original actions instituted in Israel. Israeli courts may refuse to hear a claim based on an alleged violation of U.S. securities laws reasoning that Israel is not the most appropriate forum in which to bring such a claim. In addition, even if an Israeli court agrees to hear a claim, it may determine that Israeli law and not U.S. law is applicable to the claim. If U.S. law is found to be applicable, the content of applicable U.S. law must be proven as a fact by expert witnesses, which can be a time consuming and costly process. Certain matters of the procedure will also be governed by Israeli law. There is little binding case law in Israel that addresses the matters described above. As a result of the difficulty associated with enforcing a judgment against us in Israel, our shareholders may not be able to collect any damages awarded by either a U.S. or foreign court.

Federal, state and international bodies continue to adopt, enact, and enforce new laws and regulations, as well as industry standards and guidelines, addressing cybersecurity, privacy, data protection and the collection, processing, storage, cross-border transfer and use of personal information. We are subject to diverse laws and regulations relating to data privacy, including but not limited to the EU General Data Protection Regulation 2016/679 (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act as amended by the Health Information Technology for Economic and Clinical Health Act (HIPAA), the U.K. Data Protection Act 2018, national privacy laws of EU Member States and other laws relating to privacy, data protection, and cloud computing. These laws are evolving rapidly, as exemplified by the recent adoption by the European Commission of a new set of Standard Contractual Clauses, the prospect of a new European “ePrivacy Regulation” (to replace the existing “ePrivacy Directive,” Directive 2002/58 on Privacy and Electronic Communications) and the forthcoming California Privacy Rights Act. Compliance with these laws, as well as efforts required to understand and interpret new legal requirements, require us to expend significant capital and other resources. We could be found to not be in compliance with obligations, or suffer from adverse interpretations of such legal requirements either as directly relating to our business or in the context of legal developments impacting our customers or other businesses, which could impact our ability to offer our products or services, impact operating results, or reduce demand for our products or services. Compliance with privacy and data protection laws and contractual obligations may require changes in services, business practices, or internal systems resulting in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing with firms that are not subject to these laws and regulations. For example, GDPR and the UK compliance regime impose several stringent requirements for controllers and processors of personal data and increase our obligations such as, requiring robust disclosures to individuals, establishing an individual data rights regime, setting timelines for data breach notifications, imposing conditions for international data transfers, requiring detailed internal policies and procedures and limiting retention periods. Ongoing compliance with these and other legal and contractual requirements may necessitate changes in services and business practices, which may lead to the diversion of engineering resources from other projects. As a company that focuses on identity security with a foundation in privilege access management, our customers may rely on our products and services as part of their own efforts to comply with security control obligations under GDPR and other laws and contractual commitments. If our products or services are found insufficient to meet these standards in the context of an investigation into us or our customers, or we are unable to engineer products that meet these standards, we could experience reduced demand for our products or services. There is also increased international scrutiny of cross-border transfers of data, including by the EU for personal data transfers to countries such as the United States, following recent case law and regulatory guidance. This increased scrutiny, as well as evolving legal and other regulatory requirements around the privacy or cross-border transfer of personal data could increase our costs, restrict our ability to store and process data as part of our solutions, or, in some cases, impact our ability to offer our solutions or services in certain jurisdictions. Enactment of further privacy laws in the United States, at the state or federal level, or introduction of new services or products that are subject to additional regulations, as well as ensuring compliance of solutions that we obtained through acquisitions, may require us to expend considerable resources to fulfill regulatory obligations, and could carry the potential for significant financial or reputational exposure to our business, delay introduction to the market and affect adoption rates. Claims that we or our service providers have breached our contractual obligations or failed to comply with applicable privacy and data protection laws, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business. In addition to litigation, we could face regulatory investigations, negative market perception, potential loss of business, enforcement notices and/or fines (which, for example, under GDPR / UK regime can be up to 4% of global turnover for the preceding financial year or €20 / £17.5 million, whichever is higher).

The IT security market in which we operate is characterized by intense competition, constant innovation, rapid adoption of different technological solutions and services, and evolving security threats. We compete with a multitude of companies that offer a broad array of IT security products and that employ different approaches and delivery models to address these evolving threats. Our primary competitors consist of companies that offer Privileged Access Management solutions, such as BeyondTrust Corporation, Delinea Inc. (formerly ThycoticCentrify) and One Identity LLC, as well as companies that offer identity security and DevOps solutions, such as Okta Inc., Microsoft Corporation and HashiCorp, Inc. In addition, due to changes in the manner that organizations utilize IT assets and the security solutions applied to them, we may face competition from cloud providers such as Amazon Web Services, Google Cloud Platform and Microsoft Azure, that offer embedded capabilities to manage identity security and privileged access. IT security spending is spread across a wide variety of solutions and strategies, including, for example, endpoint, network and cloud security, vulnerability management and identity and access management. Organizations continually evaluate their security priorities and investments and may allocate their IT security budgets to other solutions and strategies and may not adopt or expand use of our solutions. Accordingly, we may also compete for budgetary reasons, to a certain extent, with additional vendors that offer threat protection solutions in adjacent or complementary markets to ours, such as Palo Alto Networks and CrowdStrike Holdings, Inc. As the identity and access and Privileged Access Management markets have matured and continue to grow significantly over recent years, it may become more attractive for new competitors, including both large security vendors and startups, or vendors in adjacent markets to enter our market, further increasing direct technology and pricing competition which could negatively impact our sales or market share. Our competitors may enjoy potential competitive advantages over us, such as: o greater name recognition, a longer operating history and a larger customer base; o larger sales and marketing budgets and resources; o broader distribution and established relationships with channel partners, advisory firms and customers; o increased effectiveness in protecting, detecting and responding to cyberattacks; o greater or localized resources for customer support and provision of services; o greater speed at which a solution can be deployed and implemented; o greater resources to make acquisitions; o lower pricing and attractive packaging; o greater operational flexibility and less stringent accounting, auditing and legal standards, applicable to privately held companies; o larger intellectual property portfolios; and o greater financial, technical and other resources. Our current and potential competitors may also establish cooperative relationships or alliances among themselves or with third parties that may further enhance their resources and capabilities. We may also face increased competition following an acquisition by our competitors of new lines of business that compete with solutions that we offer or from security vendors or other companies in adjacent markets extending their solutions into privilege access management or identity and access management (as relevant). Our collaborative efforts with our technology partners could also change if they elect to develop and market solutions that compete with our solutions, thus increasing the competitive landscape, while adversely affecting our partnership efforts and their resale and marketing of our products.

Security products, solutions and services such as ours are complex in development, design and deployment and may contain errors, bugs, misconfigurations or vulnerabilities, that are potentially incapable of being remediated or detected until after their deployment, if at all. Any real or perceived errors, bugs, design failures, defects, vulnerabilities, misconfigurations in our solutions or their accompanying documentation, or untimely or insufficient remediation thereof, could cause our solutions not to meet their specifications or security standards. The affected solutions may not fulfil their primary security functions, falsely identify threats or create new security threats, and be vulnerable to security attacks. There is no guarantee that our products would be free of flaws or vulnerabilities at all times and we may not correct all known vulnerabilities or errors, promptly or at all. Further, our solutions serve as mission-critical applications in our customers’ operational environments, allowing them to manage access and privileges in their systems and networks. Any breach, interruption or shut down of our solutions could significantly damage customers’ internal and external operations, and therefore we may suffer significant reputational, financial and legal adverse impact. Potential vulnerabilities or deficiencies associated with a product developed or obtained through an acquisition could also deteriorate our solutions’ security and expose our customers to additional risk (see “—We may fail to fully execute, integrate, or realize the benefits expected from acquisitions, which may require significant management attention, disrupt our business, dilute shareholder value and adversely affect our results of operations.”). Several of our solutions are made available to our customers as SaaS. Delivering software as a service involves storage and transmission of customers’ proprietary information, including personal data, related to their assets, employees and users. Security breaches, bugs, vulnerabilities, defects or improper configuration of our solutions, cloud accounts or production and development environments (including those embedded in third-party technology used in our products or by our customers) could result in loss or alteration of, or unauthorized access to this data and compromise of our networks or our customers’ networks secured by our SaaS solutions. Any such incident, whether or not caused by us, could result in significant liability for us and negative business repercussions. Our solutions not only reinforce but also rely on the common security concept of placing multiple layers of security controls throughout an IT environment. The failure of our customers, channel partners, managed service providers, subcontractors or similar entities to correctly implement or effectively manage and maintain our solutions and the environments in which they are utilized, or to consistently implement and utilize generally accepted and comprehensive, multi-layered security measures and processes, may lessen the efficacy of our solutions, in whole or in part. These entities may also independently develop or change existing application programming interfaces (APIs) that we provide or other customizable components in an incorrect or insecure manner. Such failures or actions may lead to security breaches and data loss, which could result in a perception that our solutions or services failed and associated negative business implications. In addition, we are expected to provide a high level of transparency regarding vulnerabilities in our products, which, once conveyed, may increase our customers’ exposure to a security breach until they properly implement the relevant fix. Further, our failure to provide our customers and channel partners with adequate services or accurate product documentation and training related to the use, implementation and maintenance of our solutions, could lead to claims against us. Similarly, and as demonstrated by the 2020 attack on SolarWinds, a failure by a provider like us to effectively secure and detect threats within our own resources and networks, such as development or customer-serving production environments, could lead to threat actors compromising our customers’ environments through a breach or exploitation of our products or services (see “—If our internal IT network systems, or those of our third-party providers, are compromised by cyberattacks or other security incidents, or by a critical system disruption or failure, then our reputation, financial condition and operating results could be materially adversely affected.”). As demonstrated by the 2021 Apache Log4j vulnerabilities, a similar effect could arise from the use of compromised third-party open-source software in our products or by our vendors, which could expose our solutions, networks and environments – and thereby our customers – to additional vulnerabilities. As we increase our developers’ workforce globally to meet our business goals, including by engaging external developers or through mergers and acquisitions, the risk of errors, misconfigurations, vulnerabilities or intentional misconduct, may be heightened due to governance difficulties and limited centralized oversight. In addition, difficulties or delays in hiring and retaining personnel may impact the resources available to us for continuous improvement of our product security posture and therefore, increase this risk (see “—The tight global labor market has created difficulty to attract and retain qualified personnel, has increased wages and compensation, and has increased employee turnover across industries. If we are unable to hire, retain and motivate qualified personnel, our business will suffer.”). An actual or perceived error, bug, misconfiguration, vulnerability, cyberattack or other security breach, regardless of whether the vulnerability or breach is actually attributable to the failure of our products, SaaS solutions or the related services we provide, could adversely affect the market’s perception of the efficacy of our solutions and our industry standing. Such circumstances could cause current or potential customers to look to our competitors for alternatives to our solutions and subject us to negative media attention, reputational harm, lawsuits, regulatory investigations and other government inquiries, indemnity claims and financial losses, as well as the expenditure of significant financial resources to, among other actions, analyze, correct or eliminate any vulnerabilities. Provisions in our agreements that attempt to limit our liability towards our customers, channel partners and relevant third parties may not withstand legal challenges, and certain liabilities may not be limited or capped. Additionally, any insurance coverage we have may not adequately cover all claims asserted against us and may leave a significant portion of such claims to be directly covered by us. In addition, such insurance may not be available to us in the future on economically reasonable terms, or at all.

The COVID-19 pandemic, its continuing effects, and the diverse measures taken in response by governments and businesses worldwide to contain its spread, have placed constraints on the operations of businesses, decreased consumer mobility and activity, and caused significant global economic volatility. In light of the uncertain and evolving nature of the pandemic and the economic environment, we have taken precautionary measures intended to reduce the risk of virus infection to our employees and our customers and to address our ability to execute on our operating plans. Such circumstances and uncertainties have adversely affected our business, workforce and results of operations - primarily in 2020 - as well as that of our customers, suppliers and partners globally, and may have a negative impact over the foregoing in the future. Our business has been affected in various ways, including our ability to closely and effectively engage with customers, changes to customer purchase patterns and to our sales and marketing operations, and our ability to timely hire new employees or successfully retain certain existing employees. There is considerable uncertainty regarding the duration, scope and severity of the pandemic or its effects on us and our customers, channel partners, managed service providers or subcontractors, which can result in extended customer sales cycles, reduced demand for our solutions, lower renewal rates, delayed spending on our solutions, smaller deal sizes, lower revenue from new customers, impairment of our ability to collect accounts receivable, reduced payment frequencies, and attrition and availability of employees. Any of the foregoing may have a material adverse impact on our business and results of operations.

Our functional and reporting currency is the U.S. dollar. In 2021, the majority of our revenues were denominated in U.S. dollars and the remainder primarily in euros and British pounds sterling. In 2021, the majority of our cost of revenues and operating expenses were denominated in U.S. dollars and New Israeli Shekels (NIS) and the remainder primarily in euros and British pounds sterling. Our foreign currency-denominated expenses consist primarily of personnel, marketing programs, rent and other overhead costs. Since the portion of our expenses generated in NIS and British pounds sterling is greater than our revenues in NIS and British pounds sterling, respectively, any appreciation of the NIS or the British pounds sterling relative to the U.S. dollar could adversely impact our operating income. In addition, since the portion of our revenues generated in euros is greater than our expenses incurred in euros, any depreciation of the euro relative to the U.S. dollar would adversely impact our operating income. We estimate that a 10% strengthening or weakening in the value of the NIS against the U.S. dollar would have decreased or increased, respectively, our operating income by approximately $11.6 million in 2021. We estimate that a 10% strengthening or weakening in the value of the euro against the U.S. dollar would have increased or decreased, respectively, our operating income by approximately $2.3 million in 2021. We estimate that a 10% strengthening or weakening in the value of the British pounds sterling against the U.S. dollar would have decreased or increased, respectively, our operating income by approximately $0.9 million in 2021. These estimates of the impact of fluctuations in currency exchange rates on our historic results of operations may be different from the impact of fluctuations in exchange rates on our future results of operations since the mix of currencies comprising our revenues and expenses may change. We evaluate periodically the various currencies to which we are exposed and take hedging measures to reduce the potential adverse impact from the appreciation or the depreciation of our non U.S. dollar-denominated operations, as appropriate. We expect that the majority of our revenues will continue to be generated in U.S. dollars with the balance primarily in euros and British pounds sterling for the foreseeable future, and that a significant portion of our expenses will continue to be denominated in NIS, U.S. dollars, British pounds sterling and in euros. We cannot provide any assurances that our hedging activities will be successful in protecting us from adverse impacts from currency exchange rate fluctuations. In addition, we have monetary assets and liabilities that are denominated in non-U.S. dollar currencies. For example, starting January 1, 2019, in accordance with a then newly introduced lease accounting standard, we were required to present a significant NIS linked liability related to our operational leases in Israel. As a result, significant exchange rate fluctuations could have a negative effect on our net income. See “Item 11—Quantitative and Qualitative Disclosures About Market Risk—Foreign Currency Risk.”

Our SaaS solutions are hosted by third-party providers of cloud infrastructure services (“Cloud Service Providers”), primarily Amazon Web Services (AWS). We do not have control over the operations or the facilities of Cloud Service Providers that we use and Cloud Service Providers have also in the past experienced and may in the future experience cyberattacks. If any of the services provided by the Cloud Service Providers fail or become unavailable due to extended outages, cyberattacks interruptions or because they are no longer available on commercially reasonable terms or prices, we may be unable to deliver our committed uptime under our service level agreements, our revenues could be reduced, our reputation could be damaged, we could be exposed to legal liability and incur additional expenses, and our ability to manage our finances and our processes for managing sales of our offerings could be interrupted. If we are unable to renew our agreements with our Cloud Service Providers on commercially reasonable terms, or an agreement is prematurely terminated, or we need to add new Cloud Services Providers to increase capacity and uptime, we could experience interruptions, downtime, delays, and additional expenses related to transferring to and providing support for these new platforms. Any of the above circumstances or events may harm our reputation and brand, reduce the availability or usage of our platform and impair our ability to attract new users, any of which could adversely affect our business, financial condition and results of operations.