RSA SECURITY INC/DE/ - 10-K Annual Report

Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or
15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes [X] No [ ]

Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K is not contained herein, and will not be contained, to the best of the registrant’s knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K. [ ]

The approximate aggregate market value of the Common Stock held by non-affiliates of the registrant was $2,798,499,044 based on the last reported sale price of the registrant’s Common Stock on the Nasdaq National Market as of the close of business on March 3, 2000. There were 39,772,538 shares of Common Stock outstanding as of March 3, 2000.

This Annual Report on Form 10-K contains forward-looking statements within the meaning of Section 21E of the Securities Exchange Act of 1934, as amended, and Section 27A of the Securities Act of 1933, as amended. For this purpose, any statements contained herein that are not statements of historical fact may be deemed to be forward-looking statements. Without limiting the foregoing, the words “believes,” “anticipates,” “plans,” “expects” and similar expressions are intended to identify forward-looking statements. The factors discussed under the caption “Certain Factors That May Affect Future Results,” among others, could cause actual results to differ materially from those indicated by forward-looking statements made herein and presented elsewhere by management. Such forward-looking statements represent management’s current expectations and are inherently uncertain. Investors are warned that actual results may differ from management’s expectations.

SecurID, BSAFE, ACE/ Server, ACE/ Sentry, SoftID, WebID, RSA SecurPC, RC2 and RC4 are registered trademarks, and RSA, Keon, RSA Security, RSA Secured, RC5, RC6, The Most Trusted Name in e-Security and BoKs are trademarks of RSA Security Inc. All other trademarks or trade names referred to in this Annual Report on Form 10-K are the property of their respective owners.

The Company is a leading provider of electronic security (“e-security”) solutions. The Company helps organizations build secure, trusted foundations for electronic business (“e-business”) through use of the Company’s two-factor user authentication, encryption and public key management products and solutions. The Company sells to enterprise customers seeking turnkey security solutions, and to original equipment manufacturers (“OEMs”) and developers seeking software development components for embedding security in a range of applications. As used in this Annual Report on Form 10-K, the term “the Company” refers to RSA Security Inc. (formerly Security Dynamics Technologies, Inc.) and its subsidiaries.

Historically, e-security solutions were deployed primarily to protect corporate networks from erroneous and possibly malicious intrusion, and to preserve the integrity of data as it passed over insecure networks. It was typically the focus of businesses in security-conscious or -dependent industries such as banking, telecommunications, aerospace and defense. However, today e-security has become a fundamental requirement for conducting all forms of e-business, including but not limited to commerce and communications conducted through corporate intranets, extranets and other Internet-based applications. Many organizations, in a wide range of industries, are conducting e-business as a means of reducing costs, competing more aggressively, and more efficiently meeting increased business demands for speed, accuracy and delivery of information.

E-business requires e-security to create and ensure the same trust relationships that currently exist on paper in the brick-and-mortar world, so organizations can conduct e-business with the same confidence with which they conduct traditional commerce. There are several essential requirements for e-security:


	•	User Identification and Authentication. First, a user’s identity must be reliably authenticated. This ensures that unauthorized users do not gain access to computer networks and applications, and also ensures that organizations are certain of the identities of those with whom they are doing business. There are a number of generally accepted methods of user identification, including: (i) something secret the user knows, such as a word, phrase, PIN, code or fact; (ii) something physical the user possesses, such as a key, token, smart card, badge or other form of discrete “authenticator,” which is resistant to counterfeiting; or (iii) something unique to the user, such as a fingerprint, signature, retinal pattern, voice print or other measurable personal characteristic or “biometric.” The Company believes that the use of a strong, two-factor user authentication system, combining two of the three generally accepted methods of user identification, is required for reliable e-security.

	•	Access Control and Privilege Management. Once the user’s identity has been established, an organization must verify that the user is authorized to access the specific information he or she is seeking. One of the key challenges facing organizations is the proliferation of passwords required for users to access disparate operating systems, applications and databases. Products providing access control and privilege management must protect and manage access to corporate information and applications, and control user privileges at multiple levels within the enterprise, including networks, applications and data levels. The Company believes that through the use of public key infrastructure management systems, these criteria can be met.

	•	Data Privacy, Integrity and Authentication. In addition to authenticating the identity of users and ensuring that only authorized users access, view or modify certain data, a comprehensive e-security solution must ensure that the data transmitted over networks are not disclosed to unauthorized persons (data privacy), have not been altered or compromised by unauthorized manipulation (data integrity) and were actually transmitted by the purported sender (data authentication). Data authentication devices, such as digital signatures, also allow for non-repudiation of transactions, and thereby create an electronic trust environment that enables legally binding transactions online. Such data privacy, integrity and authentication solutions are provided by encryption technologies.


	•	Security Administration and Audit. Finally, organizations must be able to administer, monitor and audit the flow of the entire e-business transaction. With the growth of distributed, Internet-based computing, organizations are increasingly concerned about various administrative issues relating to e-security, including the scalability of their e-security solutions and the ability of the solutions to cover multiple geographic regions. Security administration and audit solutions must also monitor user activity for purposes of detection and deterrence in order to ensure that the network or data have not been compromised.

The Company is a leading provider of e-security solutions. The Company’s products are designed to help organizations conduct e-business securely and protect corporate information assets. The Company’s core competencies are in strong, two-factor user authentication solutions, encryption technologies and public key management systems. The Company believes that through its RSA SecurID®, RSA BSAFE® and RSA Keon™ product lines it directly addresses the e-security requirements for e-business.

Since its inception in 1986, the Company has focused on the fundamental need for user identification and authentication with an emphasis on solutions for secure remote access to enterprise networks. To further its strategy and extend its product line, in July 1996, the Company acquired RSA Data Security, Inc., a leader in cryptography, to address the need for data privacy, integrity and authentication.

In July 1997, the Company acquired DynaSoft AB, a vendor of platform-independent security solutions for distributed client/server networks. The DynaSoft BoKS product family included public key technologies for access control and privilege management. In January 1999, the Company introduced RSA Keon, a family of public key infrastructure-based (“PKI”) products, initially based on the BoKS technology and designed to provide organizations with application security and flexible electronic commerce solutions. As part of this introduction, the Company renamed the DynaSoft BoKS product family “RSA Keon.” In September 1999, the Company introduced the next-generation, standards-based implementation of RSA Keon.

Also in September 1999, the Company changed its name from Security Dynamics Technologies, Inc. to RSA Security Inc. The Company took this step because it had combined the management structure of Security Dynamics and RSA Data Security into a tightly integrated team, with sales executives dedicated to meeting the individual needs of both corporate and OEM/developer markets, unified marketing and engineering organizations, and a tight linkage within customer and professional services to serve customers developing solutions, deploying solutions or both. As part of the corporate renaming, all of the Company’s strategic partnership programs, including RSA Keon Ready, RSA SecurID Ready and RSA Secure, were united under the new RSA Secured™ partner program.

In connection with the legal restructuring and promotional activity surrounding the corporate name change, the Company incurred charges in the third and fourth quarters of 1999 in the approximate aggregate amount of $12.5 million.

The Company’s objective is to continue to be a leading provider of e-security solutions. Key elements of the Company’s strategy to achieve this objective include:


	•	Deliver e-Security Solutions. The Company believes e-security is driven by the proliferation of Web-based applications, whether for internal network security in the enterprise, for e-business applications deployed to customers, suppliers or employees, or for e-commerce Internet sites. Further, the Company believes that traditional, fear-based security is being augmented and in many cases replaced by e-security as an enabling technology that opens up new markets and channels for communications and commerce. The Company intends to defend and grow its leading position in providing strong, two-factor user authentication and encryption, and to create a comparable position in PKI management systems as fundamental building blocks of e-security. The Company also intends to leverage its installed customer base in order to achieve this growth.


	•	Maintain Technological Leadership. The Company plans to continue to add new capabilities and features to its e-security products to meet its customers’ evolving needs. The Company maintains a leading role in basic cryptographic research, develops new encryption technologies and maintains close working relationships with leading academic centers and custom development teams. The Company intends to support the proliferation of PKI as a key element of e-business through the marketing of and participation in industry initiatives such as the PKI Forum. Launched in December 1999 by the Company and a number of other leading security vendors, the PKI Forum is an industry-led collaboration to accelerate the adoption of PKI technology and PKI-based solutions as a trusted, secure foundation for e-business applications.

	•	Expand Market Opportunities. The Company intends to expand its market opportunities through strategic partnerships, industry initiatives and marketing designed to heighten awareness of e-security issues. Through its RSA Secured partner program, the Company has established strategic partnerships with more than 500 industry-leading vendors and plans to continue to foster and leverage these partnerships and enter into additional relationships with companies that can provide complementary technologies for its solutions. The Company also seeks to heighten awareness regarding e-security issues through marketing programs such as its annual RSA Security Conference.

	•	Expand Indirect Sales and Support Channel. The Company currently sells its products through a direct sales force and through relationships with a significant number of OEMs, value-added resellers (“VARs”) and distributors. The Company believes that an expanded indirect sales and support channel enables it to enter new markets and gain access to a larger installed base of potential customers in a cost-effective manner.

	•	Expand International Presence. The Company believes that international markets present a large, relatively new market for e-security products. Sales outside the United States as a percentage of total revenue were approximately 30.9% in 1997, 34.6% in 1998 and 30.3% in 1999. The Company has offices located throughout the United States, Canada, Europe, Asia, Japan and Australia and plans to continue to expand its international business through the establishment of new offices, hiring of additional sales personnel, establishment of additional distribution arrangements, primarily in Europe and Asia, and development of local presences in key markets. In addition, the U.S. Department of Commerce recently relaxed some of the restrictions on exports of commercial encryption products, and the Company expects that this relaxation may make it easier for the Company to sell its products into international markets. See “Government Regulation and Export Controls.”

The Company delivers a range of products and technologies that are designed to help organizations and developers secure their computing environments and build secure, trusted platforms for electronic commerce. The Company’s core competencies are in its three major product lines — RSA SecurID, RSA BSAFE and RSA Keon — which deliver two-factor user authentication, encryption and public key management systems and solutions, respectively.

The Company’s RSA SecurID solutions provide centrally managed, strong, two-factor user authentication services for enterprise networks, operating systems, e-business Web sites and other IT infrastructure, designed to ensure that only authorized users gain access to data, applications and communications. Supporting a range of authentication devices, including hardware tokens, key fobs, smart cards, cellular telephones and software tokens, RSA SecurID solutions are designed to create a barrier against unauthorized access, protecting network and data resources from potentially devastating accidental or malicious intrusion. RSA SecurID installations are managed through RSA ACE/ Server® authentication management software, which has the ability to scale deployments for hundreds of thousands of users.

The Company’s RSA SecurID user identification and authentication products combine two methods of user identification — something secret the user knows (a personal information number or “PIN”) and

something the user physically has (the RSA SecurID authenticator). To gain access to a protected resource, a user enters his or her PIN and the “authenticator code” that is automatically computed and displayed on the user’s RSA SecurID authenticator. The PIN and the authenticator code together form the user’s “pass code.” With a valid pass code, the authorized user is identified, authenticated and granted access to appropriate information resources.

Each RSA SecurID authenticator contains the Company’s proprietary technology and is programmed with a secret, randomly generated seed number unique to the individual user’s authenticator. The seed number and Greenwich Mean Time are used to generate code sequences at set intervals (typically every 60 seconds) which are then matched to the RSA ACE/ Server software using the same seed number and Greenwich Mean Time to generate a server code corresponding to the user’s authenticator code.

RSA BSAFE tools are a family of platform-independent crypto-security developer tools that are designed to enable enterprise and OEM software developers to reliably incorporate e-security into a wide range of applications. The Company’s encryption components are used to secure applications for electronic commerce and services over the Internet and intranets, enterprise security, entertainment, wireless communications, delivery of digital information over cable and other uses. The Company believes that the RSA BSAFE product line is the most widely deployed cryptographic software in the world, with more than 450 million licenses in use today. RSA BSAFE products include:


	•	RSA BSAFE Crypto-C and Crypto-J, popular core cryptography components for the C and Java programming languages;

	•	RSA BSAFE Cert-C and Cert-J, X.509, standards based certificate processing tools for C and Java;

	•	RSA BSAFE S/ MIME-C tool for adding e-security to messaging applications; and

	•	RSA BSAFE SSL-C and SSL-J, protocol tools that are designed to enable secure point-to-point communications over the Internet based on C and Java.

The Company believes that its RSA RC series of symmetric, or secret key, encryption technologies, which are available as part of the RSA BSAFE product family, are among the highest performing and most secure techniques of their class available to encrypt electronic data. RC2 and RC4 are designed to handle block and streaming data types, respectively, and are designed to provide for easy adjustment of key size for exportability as well as high performance without specialized hardware.

RSA Keon technology is a family of interoperable, standards-based PKI software modules for managing digital certificates and providing an environment for authenticated, private and legally binding electronic communications and transactions. RSA Keon software is designed to be easy to use and interoperable with other standards-based PKI solutions, and to feature enhanced security through its integration with the RSA SecurID authentication and RSA BSAFE encryption product families.

RSA Keon technology provides a common foundation for securing Internet and e-business applications. The RSA Keon family contains software modules for both enterprise customers who need turnkey solutions, and for enterprise customers and developers who want to build their own standards-based, native PKI applications or take advantage of PKI-aware applications. RSA Keon components include:


	•	RSA Keon Certificate Server, a powerful and flexible module for issuing digital certificates, managing their life cycle and making them available in public directories. The RSA Keon Certificate Server is an advanced system for conducting business online, and supports PKI-aware applications such as email or browsers.

	•	RSA Keon Advanced PKI, a set of software modules designed to be built on top of the RSA Keon Certificate Server, or any other standards-based certificate source, such as VeriSign Onsite or


		Netscape Certificate Management Software. RSA Keon Advanced PKI provides a variety of services designed to remove common barriers to PKI deployment by making digital certificates transparent across multiple applications, enforcing security policies for certificate and credential use and enabling the integration of multiple certificate and directory sources. RSA Keon Advanced PKI comprises the RSA Keon Security Server and RSA Keon Desktop components, as well as RSA Keon agents, RSA Keon Application Integration software developer kits and RSA BSAFE Cert-C and Cert-J encryption tools for integrating non-PKI applications with RSA Keon software.

Historically, the Company has placed a premium on establishing interoperability between its products and those from other vendors. To that end, the Company invests in and supports several strategic partnering programs under the umbrella name of “RSA Secured.” The RSA Secured partner program is designed to help vendors integrate or establish interoperability between partner products and the Company’s products, including the RSA SecurID, RSA BSAFE and RSA Keon product families.

The RSA Secured partner program includes specific programs for certifying interoperability between RSA SecurID and RSA ACE/ Server and the products from vendors of remote access devices, Internet firewalls, network and applications software and virtual private network products. The RSA Secured partner program also includes specific programs for licensees of its RSA BSAFE technology, who incorporate RSA BSAFE into their products. Finally, the RSA Secured partner program incorporates specific programs for vendors seeking to ensure interoperability between their products and RSA Keon. Collectively, through the RSA Secured partner programs, the Company has strategic relationships with more than 500 vendors — including AOL/ Netscape, Apple Computer, Ascend, AT&T, Check Point, Cisco Systems, Compaq, IBM, Intel, Microsoft, Nortel Networks, Novell, Oracle and others — who have integrated the Company’s technologies into more than 1,000 products. The end-user customers of the vendors who have joined the RSA Secured partner program can purchase authenticators and license RSA ACE/ Server software directly from the Company. The Company believes that these relationships help the Company and its customers to expand their enterprise network coverage and assist the Company in increasing its installed customer base and RSA SecurID authenticator usage.

The Company has created marketing programs to foster the use of the RSA Secured logo on vendor products that incorporate the Company’s technologies or are interoperable with the Company’s products. These programs include but are not limited to listings in online directories, use of logos on product packaging and promotional materials, RSA Secured advertising, and access to marketing funds and joint promotional activities, such as tradeshows, advertising, direct mail and joint press releases. For example, in January 2000, the Company announced a strategic alliance with the member companies of American International Group, Inc. (“AIG”) under which, among other elements, the Company intends to give discounts on the Company’s products to e-business insurers of AIG member companies, and AIG intends to give discounts on e-business insurance coverage underwritten by AIG member companies to organizations that secure their e-business initiatives with the Company’s products or with third parties’ RSA Secured products.

The Company has established a multi-channel distribution and sales network to serve the e-security market. The Company sells and licenses its products directly to end users through its direct sales force and indirectly through a network of OEMs, VARs and distributors. In addition, the Company supports its direct and indirect sales efforts through strategic marketing relationships and public relations programs, trade shows and other marketing activities.

In support of its sales efforts, the Company conducts sales training courses, comprehensive targeted marketing programs including direct mail, public relations, advertising, seminars, trade shows, interactive marketing, telemarketing and ongoing customer and third-party communications programs. The Company also seeks to stimulate interest in e-security through its public relations program, speaking engagements, white papers, technical notes and other publications.

The Company’s direct sales staff focuses on major accounts, provides technical advice and support with respect to the Company’s products and works closely with the Company’s customers, OEMs, VARs and distributors.

The Company also markets, sells and licenses its products indirectly through its RSA SecurWorld™ network of OEMs, VARs and distributors. As of December 31, 1999, the Company had relationships with approximately 300 OEMs, VARs and distributors.

Generally, the Company sells its RSA BSAFE products to OEMs and enterprise customers through its direct sales force, rather than through distributors. The Company has historically sold its RSA BSAFE products primarily to OEMs, but the Company’s sales staff is currently focusing on increasing sales of these products to enterprise customers as well.

To enhance demand for its products, the Company has participated in the development of various industry-specific protocols that incorporate the Company’s RSA BSAFE cryptographic data security technologies. The Company also hosts its own annual industry conference, the RSA Security Conference, and participates in other conferences to increase demand for its products. Through its RSA Laboratories division, the Company maintains a leading role in basic cryptographic research, develops new encryption technologies and maintains close working relations with leading academic centers and customer development teams.

As of December 31, 1999, the Company had licensed more than 6,000,000 RSA SecurID authenticators to more than 5,000 customers worldwide. Historically, the Company’s principal customers have been in the telecommunications, pharmaceutical, financial and healthcare industries as well as academic institutions, research laboratories and government organizations. These customers generally work with highly confidential information and are sophisticated and knowledgeable purchasers of e-security systems. The Company believes that as corporate networks proliferate and become more complex, the number of industries concerned with e-security will grow.

As of December 31, 1999, the Company had licensed its RSA BSAFE encryption engine and patent technology to more than 500 OEMs and developers that typically incorporate the encryption technology into their products. The Company’s RSA BSAFE encryption technology is embedded in current versions of Microsoft Windows NT®, Netscape Navigator®, Quicken® by Intuit®, Lotus Notes® and numerous other products, including mobile phones, pagers and other wireless products of Ericsson, Symbian and Phone.com. The Company also licenses its RSA BSAFE encryption technology directly to enterprise customers for incorporation into customers’ business, financial and electronic commerce networks. The Company’s RSA BSAFE technologies are part of existing and proposed standards for the Internet and World Wide Web, ITU, ISO, ANSI and IEEE.

No customer accounted for more than 5% of the Company’s total revenue in 1997, 1998 or 1999.

The Company maintains a customer support help desk, technical support organization and professional services group at its headquarters in Bedford, Massachusetts and at other locations throughout the world and offers telephone and Web support for certain of its products 24 hours a day, seven days a week. The Company continues to add advanced technical support and professional service personnel to its staff to address anticipated additional demands arising from the deployment of the Company’s e-security solutions into larger and more complex user environments. The Company also has field technical support personnel who work directly with the Company’s direct sales force, distributors and customers.

The Company’s standard practice is to provide a warranty on all RSA SecurID authenticators for the customer-selected programmed life of the authenticator (generally three to four years) and to replace any damaged authenticators (other than authenticators damaged by a user’s negligence or alteration) free of charge. The Company generally sells each of its other products to customers with a warranty for product defects for specified periods. At the time of purchase, customers may elect to purchase a maintenance contract for 12-month renewable periods. Under these contracts, the Company agrees to provide (i) corrections for documented program errors; (ii) version upgrades for both software and, if applicable, firmware; (iii) telephone consultation; and (iv) Web-based access to solutions, patches and documentation.

The Company’s product development efforts are focused on enhancing the functionality, reliability, performance and flexibility of its existing products, including but not limited to its RSA SecurID, RSA ACE/ Server, RSA BSAFE and RSA Keon product lines. The Company is developing architectures and technologies to continually enhance the administrative capabilities and scalability of its RSA ACE/ Server and RSA Keon products and to increase interoperability with additional network operating systems, applications and directory services. The Company also is developing tools to assist customers, strategic partners and other third-party integrators in integrating the Company’s products with custom and other third-party network or system applications.

The Company is working to increase its competitive position by developing standards-based protocols and solutions that address the needs of specific market segments and build on its industry-leading RSA BSAFE technology. In the latter case, the Company may choose to partner with other parties to develop and/or market the products. In addition, the Company has developed enhanced RSA BSAFE Cert-C and Cert-J tools to enable both OEM and enterprise developers to make new applications PKI “aware.”

In addition to enhancing its existing products, the Company continues to identify and prioritize various technologies for potential future product offerings. The Company may develop these products internally or enter into arrangements to license or acquire products or technologies from third parties. There can be no assurance, however, that the Company will be successful in enhancing or developing existing products or identifying and successfully acquiring new technologies.

The Company’s product development staff engages in software and hardware engineering, testing and quality assurance and technical documentation. The Company also engages outside contractors where appropriate to supplement the Company’s in-house expertise or expedite projects based on customer or market demand.

RSA SecurID Authenticators. The Company currently contracts for the manufacture of its RSA SecurID authenticators with two suppliers. In 1999, for the RSA SecurID card, one of these suppliers had its manufacturing operations in the United States, and the other supplier had its manufacturing operations in China. In early 2000, the Company notified its U.S. supplier of its intent to terminate its contract to manufacture the RSA SecurID card. The Company intends to continue to use the supplier in China to manufacture the RSA SecurID cards. For the RSA SecurID key fob, both of these suppliers will continue to manufacture the product, which is expected to represent over 60% of the authenticator sales, in China and Thailand.

The Company has generally been able to obtain adequate supplies of RSA SecurID authenticators in a timely manner and believes that alternate vendors can be identified if current vendors are unable to fulfill its needs. However, delays or failure to identify alternate vendors, if required, or a reduction or interruption in supply or a significant increase in the manufacturing costs could adversely affect the Company’s financial condition or results of operations and could impact customer relations.

RSA Software. The Company’s RSA ACE/ Server, RSA BSAFE and RSA Keon software products are distributed on standard magnetic diskettes, compact disks and tapes together with documentation. The Company contracts with media duplication subcontractors for the majority of its media duplication. The Company has the capability to do all media duplication in-house, but limits its use to small production runs such as beta programs.

Although the Company generally uses standard parts and components for its products, some components are currently available only from limited sources. For example, the Company purchases the microprocessor

chips contained in its RSA SecurID smart cards and PINPADs only from a Japanese electronics manufacturer, and a second Japanese electronics firm is the Company’s only supplier of microprocessor chips for the RSA SecurID key fobs. In addition, a Singapore corporation is the sole manufacturer of the Company’s RSA SecurID smart cards and PINPADs. If the Company were unable to obtain a sufficient supply of these or any other components, then the Company might be unable to fill customer orders and might have to expend significant resources to find new suppliers, and, accordingly, the Company attempts to maintain a three-to-four-month supply in inventory. The Company believes that it would take approximately six months to identify and commence production of suitable replacements for the microprocessor chip used in the Company’s RSA SecurID authenticators.

The market for e-security products is highly competitive and subject to rapid technological change. The Company believes that competition in this market is likely to intensify as a result of increasing demand for e-security products. The Company currently experiences direct and indirect competition from a number of sources, including (i) software operating systems suppliers and application software vendors that incorporate a single-factor static password security system into their products; (ii) vendors of hardware tokens competitive with the Company’s RSA SecurID products; (iii) smart card security device vendors; (iv) biometric security device vendors; (v) PKI and cryptographic software firms; and (vi) application access providers. In some cases, these vendors also support the Company’s products and those of its competitors. In the future the Company may also face competition from these and other parties that develop e-security products based upon approaches similar to or different from those employed by the Company, including operating system or network suppliers not currently offering competitive e-security products. There can be no assurance that the market for e-security products will not ultimately be dominated by approaches other than the approaches marketed by the Company.

The Company believes that the principal competitive factors affecting the market for e-security products include technical features, ease of use, interoperability, quality/reliability, level of security, customer service and support, distribution channels and price. Although the Company believes that its products currently compete favorably with respect to such factors, there can be no assurance that the Company can maintain its competitive position against current and potential competitors, especially those with significantly greater financial, marketing, service, support, technical and other competitive resources.

The Company relies on a combination of patent, trade secret, copyright and trademark laws, software licenses, nondisclosure agreements and technical measures to protect its proprietary technology. The Company also generally enters into nondisclosure and assignment of inventions agreements with its employees and confidentiality and/or license agreements with its distributors, strategic partners and customers and potential customers seeking proprietary information, and limits access to and distribution of its software, documentation and other proprietary information.

The Company’s 17 issued U.S. patents expire at various dates ranging from 2000 to 2018. The Company’s 32 foreign patents expire at various dates between 2006 to 2015. The Company has also filed patent applications on inventions embodied in new technologies developed by the Company and on inventions that may be useful in the field of e-business. There can be no assurance that any of these applications will result in an issued patent. In addition, the patent describing the RSA public key encryption methodology, which was developed at the Massachusetts Institute of Technology (U.S. Patent No. 4,405,829) and licensed to the Company, will expire on September 20, 2000. An implementation of this cryptographic algorithm described in this patent is embodied in the Company’s RSA BSAFE cryptographic toolkit products. To date, the Company has vigorously enforced its exclusive rights to the patented technology against infringers who have released, or threatened to release, competing products that use the invention embodied in the patent. The Company does not know what effect the expiration of the patent will have, but it believes that the expiration may encourage competitors to market competing products that previously would have infringed the patent.

The Company has registered, or is seeking to register, its trademarks and service marks in countries where the Company has sold its products. There can be no assurance that any such trademark application currently pending will not be opposed by a third party, or that every national trademark office will permit the Company to register the marks on terms acceptable to the Company. The Company will seek to enforce its trademark and service mark rights against third parties who are marketing goods or services under marks that the Company considers confusingly similar to the Company’s marks. However, there can be no assurance that the Company will prevail in any enforcement action.

All of the Company’s products are subject to U.S. export control laws and applicable foreign government import, export and/or use restrictions. Minimal U.S. export restrictions apply to all products, whether or not they perform encryption functions.

Exports of commercial encryption products are regulated by the Export Administration Regulations of the U.S. Department of Commerce, while exports of encryption products designed or adapted for military use require export licenses under the International Traffic in Arms Regulations of the U.S. State Department. Until recently, the U.S. government only permitted exports of commercial encryption products (other than general purpose encryption toolkits) with key lengths of up to 56 bits after a one-time technical review by the U.S. Department of Commerce. Under new regulations issued by the U.S. Department of Commerce in January 2000, encryption products of any key length, including general purpose encryption toolkits such as the Company’s RSA BSAFE products, may be exported, after a one-time technical review, to all end-users other than governmental end-users. The Company believes that it has completed the necessary technical reviews of the products and services it currently exports. Following export of certain of its products, the Company will be subject to various post-shipment reporting requirements. Encryption products may be exported to governmental end-users under special Encryption Licensing Arrangements or individual export licenses which may be issued at the discretion of the U.S. Department of Commerce. These regulations may be modified at any time, and there can be no assurance that, in the event of any such modification, the Company will be authorized to export encryption products from the United States without a license in the future. In the event of such a modification, the Company might be at a disadvantage in competing for international sales compared to companies located outside of the United States that would not be subject to such restrictions.

At December 31, 1999, the Company employed 834 employees. No employees are covered by any collective bargaining agreements. The Company believes that its relationships with its employees are good.

In the third quarter of 1999, the Company changed its name to RSA Security Inc. from Security Dynamics Technologies, Inc., and spent approximately $12.5 million for legal restructuring and promotional activity surrounding the name change.

The Company’s principal administrative, sales and marketing, research and development and support facilities are located in Bedford, Massachusetts under non-cancelable ten year leases expiring in August 2008. The facilities aggregate approximately 183,000 square feet of office space, and the annual base rents aggregate approximately $3.1 million including certain operating expenses. The Company also leases facilities for research and development and sales and marketing in San Mateo, California under non-cancelable ten-year leases expiring in 2008. The facilities aggregate approximately 58,000 square feet of office space, and the annual base rents aggregate approximately $2.3 million including certain operating expenses. Annual rent escalation provisions for all of theses leases are based on the Consumer Price Index. The Company also leases facilities for administration, field sales and customer support throughout the United States, Canada, Asia, and Europe at annual base rents aggregating approximately $2.8 million.

In connection with the consolidation of certain operations commenced in January 1999, the Company sublet to third parties a total of approximately 50,000 square feet of its facilities at various locations, expiring through June 2001. The income from these sublets aggregates approximately $0.3 million for the year ended December 31, 1999.

On or about December 11, 1998, a class action was filed in the United States District Court for the District of Massachusetts on behalf of all purchasers of the Company’s Common Stock during the period from and including September 30, 1997 through July 15, 1998: Fitzer v. Security Dynamics Technologies, Inc., Charles R. Stuckey, Jr., D. James Bidzos, Arthur W. Coviello, Jr., John Adams, Marian G. O’Leary and Linda B. Saris, Civil Action No. 98-CV-12496-WGY. The plaintiffs subsequently dismissed without prejudice the claims against Ms. Saris. The plaintiffs filed an amended complaint on May 4, 1999, which asserts that the defendants misled the investing public concerning demand for the Company’s products, the strengths of its technologies, and certain trends in the Company’s business. Plaintiffs seek unspecified damages, interest, costs and fees of their attorneys, accountants and experts. The Company is seeking to dismiss the plaintiffs’ complaint and intends to defend the lawsuit vigorously. Although the amounts claimed may be substantial, the Company cannot predict the ultimate outcome or estimate the potential loss, if any, related to the lawsuit. The Company believes that the disposition of this matter will not have a material adverse effect on the Company’s consolidated financial position. However, the adverse resolution of the lawsuit could materially affect the Company’s results of operations or liquidity in any one annual or quarterly reporting period.

On or about May 20, 1999, Kenneth P. Weiss, the founder and a former director, officer and employee of the Company, filed a demand for arbitration alleging that (a) the Company constructively terminated Mr. Weiss in May 1996 in violation of his Employment Agreement with the Company, and (b) the Company breached its obligations under Mr. Weiss’ Employment Agreement by refusing to release certain assignments of patents. Mr. Weiss seeks unspecified damages, interest, costs and fees of his attorneys and experts, as well as the return of his rights in certain patents he created and assigned to the Company in the course of his employment. The parties are currently conducting discovery. The Company believes that Mr. Weiss’ claims are without merit, and intends to defend the matter vigorously. The Company believes that the disposition of this matter will not have a material adverse effect on the Company’s consolidated financial position.

Mr. Stuckey has served as Chairman of the Board of Directors of the Company since July 1996, President from January 1987 to March 1999, Chief Executive Officer from March 1987 to January 2000, and President of RSA Capital Inc., a subsidiary of the Company focussing on strategic investments, since January 2000.

Mr. Coviello has served as Chief Executive Officer of the Company since January 2000, President since March 1999, Executive Vice President from September 1995 to March 1999, Chief Financial Officer and Treasurer from October 1995 to August 1997 and Chief Operating Officer from January 1997 to March 1999. Prior to joining the Company, Mr. Coviello served in various capacities with CrossComm Corporation, a developer of internetworking products, and as its Chief Operating Officer and Chief Financial Officer from March 1992 to January 1994.

Dr. Adams joined the Company as Senior Vice President, Engineering in March 1996 and was appointed its Chief Technology Officer in October 1999. Prior to joining the Company, Dr. Adams served in various capacities with Digital Equipment Corporation, including Vice President and Technical Director of its Network Operating Systems Division from 1991 to 1996.

Mr. Kennedy joined the Company as Senior Vice President, Finance, Chief Financial Officer and Treasurer in August 1999. Prior to joining the Company, Mr. Kennedy was Chief Financial Officer of décalog, NV, a developer of enterprise investment management software, from 1998 to 1999. From 1993 to 1998, he served as Vice President of Finance, Chief Financial Officer and Treasurer of Natural MicroSystems Corporation, a telecommunications company.

Ms. Saris joined the Company as Vice President, Finance and Operations, Treasurer and Chief Financial Officer in June 1989, and was appointed Senior Vice President, Customer Support, Information Services and Operations in July 1998. From January 1997 to July 1998, Ms. Saris served as Vice President, Customer Support and Operations of the Company and from October 1995 to January 1997, as its Vice President, Operations.

Mr. Schnell joined RSA Data Security, Inc., a former subsidiary of the Company that merged with the Company in September 1999, as Vice President of Marketing in March 1996, and was appointed Senior Vice President, Marketing in July 1998. Prior to joining RSA Data Security, Mr. Schnell was Vice President, Marketing of Photonics Corporation from June 1994 to July 1995 and held a number of positions, including Director of Sales, AppleSoft Software, and Director and General Manager of the electronic software retail unit at Apple Computer, Inc.

Ms. Seif joined the Company as General Counsel in March 1998, and was appointed Vice President and Secretary in June 1998. Prior to joining the Company, Ms. Seif was Vice President and General Counsel of Firefly Network, Inc., a personal information software company, from 1996 to 1998. In November 1993,

Ms. Seif joined Ziff-Davis Publishing Company as Senior Corporate Counsel. Through several combinations, Ziff-Davis Publishing Company became AT&T’s New Media Services division, where Ms. Seif served as Vice President — Legal Affairs until 1996.

Mr. Uniejewski joined the Company as Vice President of Product Marketing in October 1998 and was appointed Senior Vice President, Engineering in October 1999. Prior to joining the Company, Mr. Uniejewski served in various positions at Gradient Technologies, including Vice President of Engineering from 1996 to 1998. From 1994 to 1996 he served as Director of Marketing of Cisco Systems’ ATM business unit.

The Company’s Common Stock has been trading on the Nasdaq National Market under the symbol “RSAS” (formerly “SDTI”) since the Company’s initial public offering on December 14, 1994. The following table sets forth for the fiscal periods indicated the high and low sales prices per share of Common Stock as reported on the Nasdaq National Market.

There were 338 stockholders of record of the Company’s Common Stock as of February 4, 2000.

The Company has never declared or paid any cash dividends on its capital stock. The Company currently intends to retain earnings, if any, to support its growth strategy and does not anticipate paying cash dividends in the foreseeable future. Payment of future dividends, if any, will be at the discretion of the Company’s Board of Directors after taking into account various factors, including the Company’s financial condition, operating results, current and anticipated cash needs and plans for expansion.

As used in this Report, the term “the Company” refers to RSA Security Inc. (formerly known as Security Dynamics Technologies, Inc.) and its subsidiaries.

This Report contains forward-looking statements within the meaning of Section 21E of the Securities Exchange Act of 1934, as amended, and Section 27A of the Securities Act of 1933, as amended. For purposes of these Acts, any statement contained herein that is not a statement of historical fact may be deemed a forward-looking statement. Without limiting the foregoing, the words “believes,” “anticipates,” “plans,” “expects,” and similar expressions are intended to identify forward-looking statements. There are a number of factors that could cause the Company’s actual results to differ materially from those indicated by such forward-looking statements. These factors include, without limitation, those set forth below under the caption “Certain Factors That May Affect Future Results.”

The Company is a leading provider of electronic security (“e-security”) solutions. The Company helps organizations build secure, trusted foundations for electronic business (“e-business”) through use of the Company’s two-factor user authentication, encryption and public key management products and solutions. The Company sells to corporate (“Enterprise”) end users seeking turnkey e-security solutions, and to original equipment manufacturers and developers (“OEMs”) seeking software development components for embedding security in a range of applications.

The Company was founded in 1984 and began shipping its RSA SecurID® authenticators in 1986. Prior thereto, the Company was primarily engaged in research and development activities. In December 1991, the Company introduced its RSA ACE/ Server® software products for Enterprise network protection using a client/server architecture. The Company believes that its growth has historically been driven by the emergence of networks and a corresponding increase in users with direct access to core enterprise systems and confidential data. Further, the Company believes the number of users with such direct access is increasing because of the growth of the Internet and corporate intranets and extranets.

The Company has established a multi-channel distribution and sales network to serve the Enterprise e-security market. The Company sells and licenses its products directly to Enterprise end users through its direct sales force and indirectly through a network of OEMs, value added resellers and distributors. In addition, the Company supports its direct and indirect sales efforts through strategic marketing relationships and public relations programs, trade shows and other marketing activities.

The Company’s direct sales to its customers in countries outside of the United States are denominated in the local currency. As a result, fluctuations in currency exchange rates could affect the profitability in U.S. dollars of the Company’s products sold in those markets. The Company’s sales through indirect distribution channels are generally denominated in U.S. dollars.

The Company’s revenue is derived primarily from two distinct product lines: Enterprise solutions (including RSA SecurID authenticators, RSA ACE/ Server software, RSA Keon™ software, and maintenance and professional services) and OEM solutions (including RSA BSAFE® cryptographic development tools and protocol products, RSA Keon components, and maintenance and professional services). Customers’ purchases typically include an initial sale of RSA SecurID authenticators and RSA ACE/ Server software, with later add on sales of additional or replacement authenticators and software as the customer’s use of the products expands to include more users, such as the customer’s vendors, suppliers, customers and clients. RSA SecurID authenticators are programmed at the customer’s request to operate for a fixed period of up to four years, and RSA ACE/ Server and RSA Keon software license fees are typically based on the number of users authorized under the customer’s license. RSA BSAFE software licensing terms vary by product, but are typically composed of both initial fees and ongoing royalties paid as a percentage of the OEM’s product or service revenues. Sales to existing customers also include revenue associated with amendments to licensing agreements, usually in order to accommodate licensing of new software or technology to the customer, to increase the field of use rights, or both.

The Company’s RSA SecurID authenticators are produced by two outside contract manufacturing organizations (see “Certain Factors That May Affect Future Results”), and the Company licenses some of the technology included in some of its products from third parties. The Company’s cost of revenue consists primarily of costs associated with (1) the manufacture and delivery of RSA SecurID authenticators and (2) royalty fees payable by the Company under licenses for third parties’ technology included in its products. Cost of revenue also includes professional service costs, customer support costs and production costs. These production costs include shipping and labor costs associated with programming, inspection and quality control functions associated with the RSA SecurID authenticators. In the future, gross margin may be affected by several factors, including changes in product mix and distribution channels, price reductions (resulting from volume discounts or otherwise), competition, changes in the cost of revenue (including any software license fees or royalties payable by the Company) and other factors.

Information on the Company’s industry segments may be found in Note 10 of Notes to Consolidated Financial Statements.

The following table sets forth certain consolidated financial data as a percentage of revenue:

Total revenue increased 27.3% in 1999 to $218.1 million from $171.3 million in 1998. Sales to Enterprise solution customers increased 24% in 1999 to $165.1 million from $133.1 million in 1998, and sales to OEM customers increased 39% in 1999 to $53.0 million from $38.2 million in 1998. Approximately 57.8% of the increase in revenue in 1999 was attributable to increased sales of RSA SecurID authenticators and RSA ACE/ Server software, approximately 31.5% of the increase was attributable to increased sales of RSA BSAFE, and approximately 10.7% of the increase was attributable to increased maintenance and professional services revenues. The Company believes that the overall increase in sales was attributable to the growth in the e-security market due to increased use of the Internet and corporate intranets and extranets.

International revenue increased 11% in 1999 to $66.0 million from $59.3 million in 1998. The increase in international revenue was primarily from the continuing expansion of the Company’s international sales force and increased market penetration.

The Company’s gross profit increased 32.5% in 1999 to $173.0 million from $130.6 million in 1998. Approximately 20% of this increase was due to increased unit sales of RSA SecurID authenticators, approximately 21% was due to increased sales of RSA ACE/ Server and approximately 29% was due to increased sales of RSA BSAFE.

Research and development expenses increased 17.7% in 1999 to $37.6 million from $32.0 million in 1998. The majority of the increase in research and development expenses resulted from increased payroll expenses associated with the employment of additional staff.

In September 1999 the Company changed its name to RSA Security Inc. Legal and promotional costs incurred in connection with this rebranding were approximately $12.5 million, of which approximately $11.8 million has been included in marketing and selling and approximately $0.7 million has been included in general and administrative.

Marketing and selling expenses increased 34.7% in 1999 to $89.9 million from $66.8 million in 1998. Approximately 38% of the increase in 1999 was from increased payroll costs associated with the employment of additional staff, and approximately 11% of the increase was from increased sales commissions on increased revenues.

General and administrative expenses increased 43.4% in 1999 to $27.3 million, from $19.0 million in 1998. Approximately 62% of the increase in general and administrative expenses was from increased payroll expenses associated with the employment of additional staff and approximately 23% of the increase was from increased professional fees, the majority of which related to protection of intellectual property.

In 1999, the Company commenced and substantially completed consolidation of certain operations in an attempt to achieve operational efficiency. The Company recorded costs of $11.4 million consisting of severance costs of $9.4 million for employees who were employed primarily in research and development and general and administrative activities for the formerly separate operations of Intrusion Detection, Inc. (“IDI”), and facility exit costs of $2.0 million. Facility exit costs consist primarily of estimated shortfalls of sublease rental income compared to minimum lease payments due under a lease agreement. Costs of approximately $2.9 million were accrued and unpaid at December 31, 1999 and consisted of facility exit costs of $1.7 million and termination benefits, payable through the third quarter of 2000, of $1.2 million.

Interest income increased 15.3% in 1999 to $10.0 million from $8.7 million in 1998 from interest earned on higher cash and marketable securities balances.

For 1999, net gains from investments were $286.0 million from sales of marketable securities, which includes gains from the sale of VeriSign, Inc. (“VeriSign”) common stock and Trintech Group PLC (“Trintech”) ordinary shares of $276.4 million, and an increase in value of VeriSign common stock of $12.6 million from the write-up under the equity method. These gains are net of the Company’s equity in VeriSign’s loss of $0.5 million and an investment allowance of $2.5 million on other investments. Until June 30, 1999, the Company had accounted for its investment in VeriSign under the equity method. After June 1999, investments in VeriSign common stock were accounted for as marketable securities available for sale. For 1998, net gains from investments were $35.4 million from sales of marketable securities, which includes gains from the sale of VeriSign common stock of $31.3 million, and an increase in value of VeriSign common stock of $12.0 million from the write-up under the equity method upon VeriSign’s initial public offering. These gains are net of the Company’s equity in VeriSign’s loss of $4.3 million and an investment allowance of $3.6 million on other investments. The Company routinely evaluates the realizable value of its investments using qualitative and quantitative factors including discounted cash flow analysis and liquidation value assessments.

Minority stockholders owned an aggregate 26% of the Company’s Japanese subsidiary until November 1999, when the Company purchased the interests for $3.6 million. The excess purchase price over fair value of assets of $1.1 million was recorded as goodwill and is being amortized over ten years. Minority interests in the subsidiary’s net loss were $16,000 in 1999 and $600,000 in 1998.

The provision for income taxes increased to $119.0 million in 1999 from $23.6 million in 1998, primarily due to higher pre-tax income. The Company’s effective tax rate decreased to 39.3% in 1999 from 45.0% in 1998 primarily due to the effect of state taxes on investment income.

Total revenue increased 21.8% in 1998 to $171.3 million from $140.6 million in 1997. Sales to Enterprise solution customers increased 21% in 1998 to $133.1 million from $109.8 million in 1997, and sales to OEM customers increased 24% in 1998 to $38.2 million from $30.8 million in 1998. Approximately 43% of the increase in revenue in 1998 was attributable to increased sales of RSA SecurID authenticators, approximately 19% of the increase was attributable to increased sales of RSA BSAFE toolkits, approximately 22% of the increase was attributable to increased sales of RSA ACE/ Server software and approximately 11% of the increase was attributable to increased maintenance and professional services revenues. These increases in revenue were offset in part by decreased revenues from sales of RSA SecurPC software and from decreased revenue from sales of hardware. Revenue from sales of RSA Keon software and from sales of Kane Security Analyst and Kane Security Monitor software decreased slightly in 1998 compared to 1997. The Company believes that the overall increase in sales was attributable to growth in the information security market due to increased use of the Internet and corporate intranets and extranets.

International revenue increased 36.4% in 1998 to $59.3 million from $43.5 million in 1997. The increase in international revenue was primarily from the continuing expansion of the Company’s international sales force and increased market penetration.

The Company’s gross profit increased 16.6% in 1998 to $130.6 million, from $111.9 million in revenue in 1997. Gross profit as a percentage of revenue was lower in 1998, primarily due to write-offs to cost of revenue of prepaid license fees of $4.1 million under secure VPN and secure e-mail license agreements determined to have no future value and costs of $1.2 million associated with exiting certain hardware product lines.

Excluding the effects of the write-offs, gross margin remained relatively consistent as a percentage of revenue at 79.3% in 1998 compared to 79.6% in 1997. During 1998 and excluding the effect of the write-offs, approximately 47% of the increase in gross profit was attributable to increased unit sales of RSA SecurID authenticators, approximately 25% of the increase in gross profit was attributable to increased licensing sales of RSA ACE/ Server software and approximately 22% of the increase in gross profit was attributable to increased licensing sales of encryption engine technology and patent licensing. Gross profit increases in 1998 were offset in part by decreased gross profit associated with decreased revenue from sales of RSA SecurPC software, hardware, Keon and Kane Security Analyst and Kane Security Monitor software compared to 1997.

Research and development expenses increased 17.7% in 1998 to $32.0 million from $27.2 million in 1997. Excluding purchased research and development, the majority of the increase in research and development expenses resulted from increased payroll expenses from the employment of additional staff. During 1998 the Company purchased and recorded as purchased research and development expense certain technology from VeriSign for $500,000 and from other parties for $1.3 million. The Company incorporated these technologies into its RSA Keon product line.

During 1997, the Company purchased, and recorded as purchased research and development expense, certain technology from VeriSign for $2.7 million and from other third parties for $3.5 million. The Company incorporated the technologies into its RSA Keon and RSA BSAFE products.

Marketing and selling expenses increased 59.3% in 1998 to $66.8 million from $41.9 million in 1997. Approximately 52% of the increase in marketing and selling expenses in 1998 resulted from an increase in payroll costs from the employment of additional staff and approximately 31% of the increase was attributable to increased sales commissions. Sales commissions increased due to increased revenues and due to compensation programs designed to incent sales personnel to increase sales through the indirect channel and, in particular, the Internet and telecommunication service provider channels. The remainder of the increase in marketing and selling expenses resulted primarily from increased marketing program costs.

General and administrative expenses increased 10.7% in 1998 to $19.0 million, from $17.2 million in 1997. Approximately 68% of the increase in general and administrative expenses was due to increased payroll expenses from the employment of additional staff and approximately 31% of the increase in general and administrative expenses was due to increased professional fees offset by expense reduction synergies achieved in connection with the acquisitions of DynaSoft AB (“DynaSoft”) and IDI. The increase in professional fees was primarily due to the Company’s commencement of a program in 1998 to aggressively protect its intellectual property rights through worldwide trademark and patent registrations.

Merger and integration expenses from the acquisition of IDI were approximately $2.6 million in 1998 and were $5.7 million from the acquisition of DynaSoft in 1997.

In September 1998, the Company granted options to purchase an aggregate of 325,000 shares of common stock in connection with the settlement of threatened litigation arising out of the acquisition of IDI. The value of the options was determined to be $1.9 million, using the Black-Scholes option-pricing model.

Interest income increased 38.3% in 1998 to $8.7 million from $6.3 million in 1997 from interest earned on higher cash and marketable securities balances.

For 1998, net gains from investments were $35.4 million from sales of marketable securities, which includes gains from the sale of VeriSign, Inc. common stock of $31.3 million, an increase in value of VeriSign common stock of $12.0 million from the write-up under the equity method upon VeriSign’s initial public offering. These gains are net of the Company’s equity in VeriSign’s loss of $4.3 million and an investment valuation allowance of $3.6 million on other investments. For 1997, net gains from investments were $4.3 million from sales of marketable securities. The Company routinely evaluates the realizable value of its investments using qualitative and quantitative factors including discounted cash flow analysis and liquidation value assessments.

Minority stockholders owned an aggregate 26% of RSA’s Japanese subsidiary. Minority interests in the subsidiary’s net loss was $0.6 million in 1998, and minority interests in the subsidiary’s net income was $0.1 million in 1997.

The provision for income taxes increased to $23.6 million during 1998 from $13.3 million in 1997, primarily due to higher pre-tax income. The Company’s effective tax rate increased to 45.0% in 1998 from 43.7% in 1997 primarily due to the effect of state income taxes on investment gains and differences in amounts of nondeductible merger expenses in 1998 compared to 1997.

The Company used $81.1 million of cash for operations in 1999 compared to $8.9 million for 1998. Operating cash used in 1999 was primarily for taxes paid on investment gains. Cash used in operations for 1998 was primarily for working capital.

Investing activities provided cash in 1999 of $231.2 million and used cash of $49.5 million in 1998. Investing activities were primarily sales and purchases of marketable securities and investments. Purchases of property and equipment used cash of $13.7 million and $18.9 million in 1999 and 1998, respectively.

Cash used for financing activities in 1999 was $61.3 million compared to $4.7 million in 1998. In 1999 and 1998, the Company realized $45.3 million and $7.9 million, respectively, from the exercise of employee stock options and purchases under the employee stock purchase plan, including tax benefits thereon. The Company used cash of $103.0 million and $12.1 million to repurchase its common stock in 1999 and 1998, respectively.

At December 31, 1999, the Company had cash, cash equivalents and marketable securities of $1,383.2 million and working capital of $553.3 million, compared to $158.2 million and $180.9 million, respectively, at December 31, 1998. The Company believes that working capital will be sufficient to meet its anticipated cash requirements through at least 2001.

To protect a portion of its marketable securities position, the Company sold put and call options on its VeriSign shares to independent third parties. The put options entitle the holders to buy shares of VeriSign common stock, and the call options allow the Company to sell shares of VeriSign common stock on certain dates at specified prices, or permit a net-share settlement at the Company’s option. On December 31, 1999, 5,500,000 shares were covered by these put and call options. The outstanding put and call options expire quarterly in 500,000 share increments between March 31, 2000 and September 30, 2002 and have exercise

prices ranging from $47.46 to $77.00 per share. The options are recorded at intrinsic value, resulting in an unrealized hedge liability of $686,034 at December 31, 1999. There were no premiums paid for the options.

On March 26, 1998 the Company issued approximately 784,000 shares of Common Stock in exchange for all of the outstanding common stock of IDI in a transaction accounted for as a pooling of interests. Acquisition costs were approximately $2.6 million.

The Company was authorized to repurchase up to 4,000,000 shares of its common stock during the 12-month period ended October 11, 1999, and is authorized to purchase up to an additional 4,000,000 shares of its common stock during the 12-month period ending October 12, 2000. Repurchased shares may be used for the Company’s stock option and employee stock purchase plans, and for general corporate purposes. Through December 31, 1999, the Company had repurchased 5,134,500 shares of its common stock, for an aggregate amount of $115.1 million, at an average cost of $22.42 per share.

The Company issued warrants to purchase 80,000 shares of common stock in September 1999 in connection with a software sale. The value of the warrants of $1.0 million was determined using the Black-Scholes option-pricing model and allocated to additional paid in capital.

In August 1998, the Company repriced options to purchase approximately 5,500,000 shares of common stock to the then fair market value of $12.0625 per share.

The Company’s systems are configured to process Euro denominated transactions. The Company does not believe the Euro will have a significant effect on its business, financial position, cash flows or the results of its operations.

In June 1998, the Financial Accounting Standards Board (FASB) issued Statement of Financial Accounting Standards (SFAS) No. 133, “Accounting for Derivative Instruments and Hedging Activities.” In June 1999, the FASB issued SFAS No. 137, “Accounting for Derivative Instruments and Hedging Activities — Deferral of the Effective Date of FASB Statement 133.” The Statement defers the effective date of SFAS No. 133 to January 1, 2001. The effect of adopting the standard is being evaluated. The Company estimates that, based on the valuation of the put and call options as of December 31, 1999, the effect of adopting this standard would be to decrease net gains from investments by $29.8 million. SFAS No. 133 will require the Company to recognize all derivatives on the balance sheet at fair value. Derivatives that are not hedges must be adjusted to fair value through income. If the derivative is a hedge, depending on the nature of the hedge, changes in the fair value of derivatives will either be offset against the change in fair value of hedged assets, liabilities, or firm commitments through earnings or recognized in accumulated other comprehensive income until the hedged item is recognized in earnings. The ineffective portion, if any, of a derivative’s change in fair value will be immediately recognized in earnings.

Gains from sales of VeriSign common stock of $74,489, $54,802, $86,837 and $60,310 in the first, second, third and fourth quarters of 1999, respectively, and $1,836 and $29,449 in the third and fourth quarters of 1998, respectively. The Company’s proportionate share of VeriSign’s quarterly losses of $358 and $167 for the first and second quarters of 1999, respectively and $1,173, $1,214 and $1,800 for the second, third and fourth quarters of 1998, respectively. Gains from the write-up under the equity method of the Company’s investment in VeriSign of $12,576 in the second quarter of 1999 and $11,976 in the second quarter of 1998. Losses relating to the investment valuation allowance on the Company’s investments of $2,537 in the third quarter of 1999, and $3,647 in the fourth quarter of 1998.

Costs associated with the Company’s corporate rebranding of $5,363 and $7,137 in the third and fourth quarters of 1999. Costs associated with the formation of RSA Capital Inc. were $147 in the fourth quarter of 1999.

Costs associated with the Company’s restructuring of $6,550, $3,800 and $1,000 for the first, third and fourth quarters of 1999, respectively. Merger costs incurred during the acquisition of IDI of $2,600 in the first quarter of 1998.

Costs associated with purchased technology of $210 and $1,550 in the first and fourth quarters of 1998, respectively. The write-off of a secure messaging license to cost of sales of $3,000 in the second quarter of 1998. The costs associated with terminating select hardware and VPN product lines of $2,346 in the fourth quarter of 1998. Costs associated with accelerated stock option compensation from terminations and headcount reductions of $821 in the fourth quarter of 1998.

A one-time, non cash charge relating to settlement of threatened litigation in connection with the Company’s acquisition of IDI of $1,872 in the third quarter of 1998.

Income tax provisions (benefits for non-recurring items were $31,644, $30,173, $23,972 and $20,757 in the first, second, third and fourth quarters of 1999, respectively, and $80, $3,211, ($464), and $9,979 in the first, second, third and fourth quarters of 1998, respectively.

Historically, computer systems and software products were coded to accept only two digit entries in the date code field. These date code fields had to be modified to accept four digit entries to distinguish 21st century dates from 20th century dates. As a result, such software and computer systems needed to be upgraded or replaced in order to comply with such “Year 2000” requirements.

Prior to December 31, 1999, the Company tested substantially all of its products for Year 2000 readiness. In measuring Year 2000 readiness, the Company applied the following specifications: “Year 2000 Ready” means that: (1) no value for current date will cause any interruption in operation; (2) date-based functionality must be consistent for dates prior to, during and after Year 2000; (3) in all interfaces and data storage, the century in any date must be specified either explicitly or by unambiguous algorithms or inferencing rules; and (4) Year 2000 must be recognized as a leap year.

The Company’s RSA SecuriID authenticators are Year 2000 Ready. Assuming that a customer is utilizing the Company’s software products in conjunction with a Year 2000 Ready operating system, then the Company’s most recent software releases, RSA ACE/ Server v3.3, RSA Keon Security Server v4, RSA Keon Desktop v4, RSA Keon Agents v4 and above, RSA Keon Agent SDK, RSA Keon UNIX Platform Security v4, (Keon software products were formerly known as BoKS), RSA Keon Certificate Server v5.0, RSA SoftID, RSA SecurPC, RSA BSAFE Crypto-C, RSA BSAFE Crypto-J, RSA BSAFE Cert-C, RSA BSAFE SSL-C and RSA BSAFE SSL-J are Year 2000 Ready. The Company’s ACE/ Sentry hardware products are also Year 2000 Ready. Certain prior versions of the Company’s software products, as well as the Company’s ACM 100, 400, 1600 and 5100 hardware products, are not fully Year 2000 Ready, and customers were informed of the status of the Company’s products in the ordinary course of business. In certain circumstances, the Company has made available to customers who have implemented prior releases of the Company’s software products software updates to make the products Year 2000 Ready.

While the Company has completed what it believes to be an effective Year 2000 Readiness testing program for its products, and although the Company has not yet received any complaints from its customers about the Year 2000 Readiness of its products, the Company’s products may contain undetected errors or defects associated with Year 2000 date functions. Such errors or defects in the Company’s products could result in delay or loss of revenue and diversion of development resources, which might materially adversely affect the Company’s business, financial condition or results of operations.

The Company established a Year 2000 task force to determine the state of readiness of all Company information technology (“IT”) and non-IT systems, including the microprocessors contained in infrastructure products, such as card-swipe entry devices, which are used at the Company’s facilities. Before December 31, 1999, the task force identified the third-party equipment, software, vendors, systems and suppliers used by the Company that were not Year 2000 Ready and replaced non-Year 2000 Ready third-party equipment and software with Year 2000 Ready equipment and software. With respect to certain other business applications and systems licensed by the Company from third parties (including but not limited to the Company’s telephone systems and management information system installed in 1998), the Company relied on those licensors’ written representations that the applications were Year 2000 Ready. To date, the Company has not experienced any significant problems due to non-Year 2000 Ready equipment or software.

The Company incurred direct costs to modify or replace existing systems used by the Company in the operation of its business to ensure that all systems would be Year 2000 Ready before December 31, 1999. The total amounts spent by the Company addressing this issue were not material.

In addition, the Company spent substantial time and effort testing and evaluating its own products to determine Year 2000 Readiness of those products. In the case of prior product releases that are not Year 2000 Ready, the Company expects to devote internal engineering and customer support resources to resolving any issues for existing customers of those products.

The Company has made representations and warranties, both in contracts and in written communications, to certain of its customers regarding the Year 2000 Readiness of its products. The Company has reviewed all of those representations to determine the accuracy of those statements. The Company has determined that it made Year 2000 Readiness representations in fewer than 10% of its customer contracts, and many of those customers have requested, and received, Year 2000 Ready versions of the Company’s products.

With respect to any contractual representation made by the Company regarding Year 2000 Readiness that were not accurate, the Company will seek to upgrade the affected customer to the Company’s current Year 2000 Ready version of the product(s) being used by that customer. If the Company has made a materially inaccurate statement regarding the Year 2000 Readiness of its products and the customer chooses not to upgrade to a Year 2000 Ready version of the product, the Company may face the risk of one or more lawsuits from its customers alleging breach of representation.

The foregoing shall be considered a Year 2000 readiness disclosure to the maximum extent allowed under the Year 2000 Information and Readiness Disclosure Act.

The Company’s operating results tend to fluctuate from quarter to quarter. The Company’s quarterly operating results may vary significantly from quarter to quarter depending on a number of factors, including, among other factors:


	•	the timing of introduction or enhancement of products by the Company or its competitors;

	•	the size, timing and shipment of individual orders for the Company’s products;

	•	customers deferring their orders in anticipation of new products;

	•	market acceptance of new products;

	•	changes in the Company’s operating expenses;

	•	personnel changes;

	•	foreign currency exchange rates;

	•	changes in the mix of products sold;

	•	changes in product pricing;

	•	development of the Company’s direct and indirect distribution channels; and

	•	general economic conditions.

The Company may not be able to grow or sustain its profitability from quarter to quarter. Because the Company’s operating expenses are based on anticipated revenue levels and a high percentage of the Company’s expenses are fixed, a small variation in when revenue is recognized can cause significant variations in operating results from quarter to quarter.

The Company’s business has historically tended to be seasonal, with revenue increasing at a higher rate in the last quarter of the year and at a lower rate in the following quarter. The Company believes that the higher rate of increase during the last quarter is due to the Company’s quota-based compensation plans, year-end budgetary pressures on the Company’s customers and the tendency of some of the Company’s customers to implement changes in enterprise network or data security just before the end of the calendar year. In addition, revenue tends to increase at lower rates in the summer months, particularly in Europe, when businesses defer purchase decisions.

The Company’s stock price has been volatile and is likely to remain volatile. During 1999, the Company’s stock price ranged from a per share high of $77.50 to a low of $14.88. At the close of the market on February 9, 2000, the Company’s stock price was $63.73. Announcements, litigation developments and the Company’s ability to meet the expectations of brokerage firms, industry analysts and investors with respect to its operating and financial results may contribute to this volatility. The Company may not discover, or be able to confirm, revenue or earnings shortfalls until the end of a quarter, which may result in an immediate drop in the Company’s stock price. Securities class action litigation is often instituted against publicly traded companies after a period of volatility in the market price of the companies’ securities. In December 1998, some of the Company’s stockholders filed a class action against the Company and some of its officers and directors. This litigation, and other litigation if instituted, could result in substantial costs and a diversion of management’s attention and resources.

The market for the Company’s products is new and still developing. An increasing number of businesses, government agencies and individuals are using computer networks, including enterprise-wide and remote computing, as well as the Internet, intranets and extranets. Because these computer networks enhance the ability of users, both authorized and unauthorized, to access sensitive and proprietary information and resources, demand for the Company’s enterprise network and data security products has increased as well. With this growth of computer networks has also come a growing use of public and private keys, digital signatures and digital certificates for verifying user identities and establishing information access privileges for users in an enterprise.

This growth may not continue. The use of computer networks to conduct business and enhance authorized access to information and resources is relatively new, and many business and government agencies will need to invest substantial resources and make major changes in their ways of doing business in order to benefit from computer networks. Many businesses and government agencies may be reluctant to make these investments and changes and may be deterred from using computer networks for a number of reasons, including:


	•	actual or perceived inadequacies in the development of network and Internet infrastructure and the lack of cost-effective, high-speed service;

	•	concerns about the security of communications and commerce over computer networks;

	•	the complexity of developing and administrating computer networks; and

	•	the difficulty of integrating business applications on computer networks and the incompatibility of different business and security applications.

In addition, the distribution channels for the Company’s products are changing. For example, the Company believes that an increasing number of businesses are choosing to “rent” access to enterprise applications from application service providers and other vendors, rather than buying the applications and investing the resources required to set up their own computer networks. As new distribution channels evolve, the Company may need to adjust its sales strategy to address these channels.

Demand for the Company’s products depends highly on the continued growth in the use of computer networks to allow users access to confidential and proprietary information and resources. This demand depends on, among other things:


	•	the continued evolution of electronic commerce as a viable means of conducting business;

	•	the public’s perception of the need for secure electronic commerce and communications over computer networks;

	•	market acceptance and use of public and private key cryptography, digital signatures and digital certificates in communication and commerce;

	•	the perceived quality, price, availability and interoperability of the Company’s products over its competitors’ products;

	•	the pace of technological change, both in the development and use of computer networks generally and in the hardware and software environments in which the Company’s products operate, and the Company’s ability to keep up with these changes; and

	•	general economic conditions.

A well-publicized actual or perceived breach of network or data security could trigger a heightened awareness of computer abuse, resulting in an increased demand for security products such as those offered by the Company. On the other hand, an actual or perceived breach of network or data security at the Company or one of the Company’s customers, whether or not the breach was caused by the failure of one of the Company’s products, could hurt the Company’s reputation and cause potential customers to turn to competitors’ products. For example, in February 2000, a third party attacker briefly redirected the Company’s www.rsa.com URL (which is one of the Company’s inactive web sites that points users to the Company’s main web site) to a false rsa.com site. Although the company’s security was not compromised in any way, the Company believes that the public may have perceived that the Company or its products were less secure because of this incident. In addition, although the effectiveness of the Company’s identification and authentication products does not depend on the secrecy of its proprietary algorithm, the public disclosure or “breaking” of this algorithm could lead the public to believe that the Company’s products have been compromised, which could reduce demand for the Company’s products.

Changes in e-security technology and standards could render the Company’s products obsolete. The market for e-security products is fast-moving and evolving. E-security technology is constantly changing as the Company and its competitors introduce new products and retire old ones and as customer requirements quickly develop and change.

In addition, the standards for e-commerce and network security are continuing to evolve. If any segments of the Company’s market adopt technologies or standards that are inconsistent with the Company’s products and technology, sales of the Company’s products in those market segments could decline.

The Company’s future success will depend in part upon its ability to enhance its existing products and to introduce new, competitively priced products with features that meet changing customer requirements, all in a timely and cost-effective manner. However, the Company may not be successful in introducing new or enhanced products. A number of factors, including the following, could have an adverse impact on the success of a product:


	•	delays or difficulties in product development;

	•	quality, reliability or security failure problems, which could result in returns, delays in collecting accounts receivable, unexpected service or warranty expenses, reduced orders and a decline in the Company’s competitive position;

	•	undetected software errors or bugs in the final products shipped to the Company’s customers, which could cause market acceptance of the products to be lost or delayed, recalls of hardware products incorporating the software or loss of data;


	•	the Company’s competitors introducing their new products ahead of the Company’s new products or introducing superior or cheaper products;

	•	the market’s failure to accept new technologies;

	•	the Company’s failure to anticipate changes in customers’ requirements; and

	•	implementation of standards that are inconsistent with the technology embodied in the Company’s products.

The Company’s success depends on the success of the RSA Keon product line. During 1999, the Company launched its RSA Keon product line, a family of enterprise security solutions designed to enable organizations to support and manage the growing use of public and private keys, digital signatures and digital certificates for verifying user identities and establishing information access privileges for these users in an enterprise. This new product line is critical to the Company’s strategy and the evolution of its business into new markets. If the RSA Keon product line is not successful, the Company’s financial condition or results of operations could be adversely affected. All of the factors listed above as affecting the success of new products generally also affect the RSA Keon product line. In addition, RSA Keon’s success especially depends on market acceptance of digital certificate and public and private key management technologies.

Transactions for the RSA Keon products often involve large expenditures by the Company’s customers, and the sales cycles for these transactions are often lengthy and unpredictable. The long nature of the sales cycles may impact the Company’s quarterly results of operations. The sales cycles for these transactions are subject to a number of uncertainties such as:


	•	customers’ budgetary constraints;

	•	the timing of customers’ budget cycles; and

	•	customers’ internal review process.

The Company must manage its growth. The Company’s business has grown significantly in size and complexity over the last few years. This growth has placed, and is expected to continue to place, a significant strain on the Company’s management and operations. In addition, the Company’s personnel, systems, procedures and controls may not be adequate to support its growth. The geographic dispersal of the Company’s operations may also make it more difficult to manage its growth.

The Company’s market is highly competitive. The Company competes with: (1) established e-security companies that currently offer network security products or services; (2) newly organized e-security companies that are developing new, competitive products and technologies; and (3) established computer hardware or software companies that introduce their own network security products, either separately or bundled with their existing hardware or software products. Some of the Company’s current and potential competitors have significantly greater financial, marketing and technical resources than the Company. As a result, they may be able to leverage an installed customer base, adapt more quickly to new technologies and changes in customer requirements, or devote greater resources to the promotion and sale of their products than the Company can. The Company believes that maintaining its competitive position will require it to continue investing in research and development and sales and marketing. The Company may not have sufficient resources to make these investments and may not be able to make the technological advances necessary to maintain its competitive position. In addition, current and potential competitors may establish collaborative relationships to increase their ability to address the security needs of the Company’s prospective customers. Accordingly, new competitors or alliances that emerge could pose unforeseen competitive threats.

The Company must establish and maintain strategic relationships. One of the Company’s business strategies is to enter into strategic marketing alliances or other similar collaborative relationships in order to reach a larger customer base than the Company could reach alone through its direct sales and marketing efforts. If the Company is unable to create relationships with strategic partners, then it will need to devote more resources to sales and marketing. The Company may not be able to find appropriate strategic partners or may not be able to enter into potential relationships on commercially favorable terms. Furthermore, the

relationships the Company does enter into may not be successful. Since the Company’s strategic relationships are generally non-exclusive, the Company’s strategic partners may decide to pursue alternative technologies or to develop alternative products in addition to or instead of the Company’s products either on their own or in collaboration with the Company’s competitors.

The Company’s products are subject to export regulations. Under new regulations issued by the U.S. Department of Commerce in January 2000, encryption products of any key length, including general purpose encryption tools such as the Company’s RSA BSAFE products, may be exported, after a one-time technical review, to all end-users other than governmental end-users. The Company believes that it has completed the necessary technical reviews of the products and services it currently exports. Following export of certain of its products, the Company will be subject to various post-shipment reporting requirements. Encryption products may be exported to governmental end-users under special encryption licensing arrangements or individual export licenses which may be issued at the discretion of the U.S. Department of Commerce.

These regulations may be modified at any time, and there can be no assurance that, in the event of any such modification, the Company will be authorized to export encryption products from the United States without a license. If there is such a modification, the Company might be at a disadvantage in competing for international sales as compared to companies located outside of the United States that would not be subject to such restrictions.

International sales make up a significant portion of the Company’s business. International sales accounted for more than 30% of the Company’s revenue in each of the years ended December 31, 1997, 1998 and 1999. There are certain risks inherent in doing business internationally, including:


	•	foreign regulatory requirements;

	•	legal uncertainty regarding liability

	•	export and import restrictions on cryptographic technology and products incorporating that technology;

	•	difficulties and delays in establishing international distribution channels;

	•	difficulties in collecting international accounts receivable;

	•	fluctuations in currency exchange rates;

	•	tariffs and other trade barriers;

	•	difficulties in enforcement of intellectual property rights; and

	•	political instability.

The Company depends on U.S. and foreign intellectual property laws and agreements to protect its rights in its technology. The Company relies on a combination of patent, trade secret, copyright and trademark laws, software licenses, nondisclosure agreements and technical measures to protect its proprietary technology. The Company also generally enters into confidentiality and/or license agreements with its employees, distributors and strategic partners as well as with its customers and potential customers seeking proprietary information, and limits access to and distribution of its software, documentation and other proprietary information. However, these steps may prove inadequate to keep other parties from misappropriating the Company’s technology or from developing their own competitive versions of the Company’s technology. The Company’s 17 issued U.S. patents expire at various dates ranging from 2000 to 2018. When each of the Company’s patents expires, competitors may develop and sell products based on the same or similar technologies as those covered by the expired patent.

The Company relies heavily on patents to protect its proprietary rights in its technology, but it is possible that any patent owned or held by the Company or its licensors might be invalidated, circumvented, challenged or terminated. It is also possible that the Company’s pending or future patent applications may not be within the scope of claims sought by the Company. In addition, the laws of certain countries in which the Company’s products are now, or may in the future be, developed or sold may not protect the Company’s products and intellectual property rights to the same extent as the laws of the United States. The inability of the Company

One of the Company’s important patents will expire during 2000. A patent developed at the Massachusetts Institute of Technology (U.S. Patent No. 4,405,829) and licensed to the Company will expire on September 20, 2000. An implementation of the cryptographic algorithm described in this patent is embodied in the Company’s RSA BSAFE cryptographic tool products. To date, the Company has vigorously enforced its exclusive rights to the patented technology against infringers who have released, or threatened to release, competing products that use the invention embodied in the patent. The Company does not know what effect the expiration of the patent will have, but it believes that the expiration may encourage competitors to market competing products that previously would have infringed the patent.

The encryption industry is highly litigious. From time to time, the Company has received correspondence alleging that its products may infringe patents held by third parties. In addition, foreign parties have recently claimed that the Company’s use of its trademarks abroad infringe their trademarks, and third parties located in the U.S. and abroad may assert infringement claims against the Company in the future. The Company is and has been involved in litigation relating to its intellectual property rights in its products. Any litigation carries a number of significant risks including:


	•	litigation is often very expensive, even if it is resolved in the Company’s favor;

	•	litigation diverts the attention of management and other resources; and

	•	if a court or other government agency rules against it in any intellectual property litigation, the Company might be required to:


	•	discontinue the use of certain processes,

	•	cease the manufacture, use and sale of infringing products,

	•	expend significant resources to develop non-infringing technology,

	•	obtain licenses to the infringing technology, or

	•	pay significant monetary damages, which could include treble damages.

Cryptographic technologies are under constant attack. The strength of the Company’s cryptographic technologies is constantly being tested by computer professionals, academics and “hackers.” Any significant advance in the techniques for attacking cryptographic systems could make some or all of the Company’s products obsolete or unmarketable. The Company’s cryptographic systems depend in part on the application of certain mathematical principles. The security afforded by the Company’s encryption products is based on the assumption that the “factoring” of the composite of large prime numbers is difficult. If an “easy factoring method” were developed, then the security of the Company’s encryption products would be reduced or eliminated. Even if no breakthroughs in factoring are discovered, factoring problems can theoretically be solved by a computer system significantly faster and more powerful than those currently available. If these improved techniques for attacking cryptographic systems are ever developed, the Company’s business or results of operations could be adversely impacted.

The Company depends heavily on key, talented employees in a competitive labor market. The Company’s success depends on its ability to attract, motivate and retain highly skilled technical, managerial and marketing personnel. In some areas of the United States and in some foreign countries, the demand for these kinds of employees exceeds the supply of unemployed workers, and many firms are competing for the few employees with the skills the Company needs. The Company believes that its compensation plans are competitive, but it may not be able to hire and retain the employees it needs.

Acquisitions may hurt the Company’s business. A component of the Company’s business strategy is to seek to buy businesses, products and technologies that complement or augment the Company’s existing businesses, products and technologies. Acquisitions are difficult to identify and complete for a number of reasons, including competition among prospective buyers and the need for regulatory approvals. The Company

may not be able to complete any given acquisition. Furthermore, in order to finance a potential acquisition, the Company may need to raise additional funds by selling its stock or borrowing money. The Company may not be able to find financing on favorable terms, and the Company’s sale of its stock may result in the dilution of the Company’s existing stockholders.

Even if the Company does complete any given acquisition, the integration of the business and operations of the acquiree into the Company’s business and operations is a complex, time consuming and expensive process. Before any acquisition, each company has its own business, culture, customers, employees and systems. Following an acquisition, the Company and the acquiree must operate as a combined organization using common communication systems, operating procedures, financial controls and human resource practices. In order to successfully integrate acquired companies, the Company must, among other things, successfully:


	•	attract and retain key management and other personnel;

	•	integrate, both from an engineering and a sales and marketing perspective, the acquired products into the Company’s suite of product offerings;

	•	coordinate research and development efforts;

	•	integrate sales forces; and

	•	consolidate duplicate facilities.

An acquisition may disrupt ongoing operations, divert management from day-to-day business and adversely impact the Company’s results of operations. In addition, these types of transactions often result in charges to earnings for such things as transaction expenses, amortization of goodwill, or expensing of in-process research and development expenses.

The Company depends on a limited number of suppliers for some of its product components. Although the Company generally uses standard parts and components for its products, some components are currently available only from limited sources. For example, the Company purchases the microprocessor chips contained in its SecurID smart cards and PINPADs only from Sanyo Electric Co., Ltd., and Epson Electronics, a Japanese computer chip manufacturer, is the Company’s only supplier of microprocessor chips for the SecurID Key Fobs. In addition, Flextronics International, a Singapore corporation, is the sole manufacturer of the Company’s SecurID smart cards and PINPADs. If the Company were unable to obtain a sufficient supply of these or any other components, then the Company may be unable to fill customer orders and would have to expend significant resources to find new suppliers. Even if the Company were able to find new suppliers, these suppliers may not be able to produce the components in sufficient quantities or at competitive prices.

The Company licenses from Progress Software Corporation the relational database management software contained in the Company’s ACE/ Server and Keon software, and the Company relies on Progress Software for ongoing maintenance and support for the licensed software. The Company also licenses certain technology such as its LDAP Directory from Netscape Corporation and relies on Netscape for ongoing maintenance and support for this licensed technology. If any of the licensed technology were to fail or experience significant problems in functioning, then the Company would not be able to fix the problem without the support of Progress or Netscape.

The value of the Company’s business may fluctuate because the value of some of its assets fluctuates. A portion of the Company’s assets includes the equity securities of both publicly traded and non-publicly traded companies. In particular, the Company owns a significant number of shares of common stock of VeriSign and Trintech, both of which are publicly traded companies. The market price and valuations of the securities that the Company holds in these and other companies may fluctuate due to market conditions and other conditions over which the Company has no control. Fluctuations in the market price and valuations of the securities that the Company holds in other companies may result in fluctuations of the market price of the Company’s common stock and may reduce the amount of working capital available to the Company.

In June 1998, the FASB issued SFAS No. 133, “Accounting for Derivative Instruments and Hedging Activities,” which will affect the accounting of some of the Company’s investments. In June 1999, the FASB issued SFAS No. 137, “Accounting for Derivative Instruments and Hedging Activities — Deferral of the Effective Date of FASB Statement 133.” The Statement defers the effective date of SFAS No. 133 to fiscal 2001. The effect of adopting the standard is being evaluated. The Company estimates, based on the valuation of the Company’s put and call options as of December 31, 1999, the effect of adopting this standard would be to decrease net gains from investments by $29.8 million. SFAS No. 133 will require the Company to recognize all derivatives on the balance sheet at fair value. Derivatives that are not hedges must be adjusted to fair value through income. If the derivative is a hedge, depending on the nature of the hedge, changes in the fair value of derivatives will either be offset against the change in fair value of hedged assets, liabilities, or firm commitments through earnings or recognized in accumulated other comprehensive income until the hedged item is recognized in earnings. The ineffective portion, if any, of a derivative’s change in fair value will be immediately recognized in earnings.

Some provisions of the Company’s charter and the Company’s adoption of a rights plan may inhibit potential acquisition bids. The Company has a classified Board of Directors and has also adopted a Stockholders Rights Plan, both of which could make it more difficult for a potential acquiror to complete a merger, tender offer or proxy contest involving the Company. While these provisions are intended to enable the Board to maximize stockholder value, they may have the effect of discouraging takeovers that could be in the best interest of certain stockholders and may therefore have an adverse effect on the market price of the Common Stock.

Except as set forth below, the Company does not generally use derivative financial instruments and generally purchases its marketable securities in high credit quality instruments, primarily U.S. Government and Federal Agency obligations, tax-exempt municipal obligations and corporate obligations with contractual maturities of ten years or less. The Company does not expect any material loss from its marketable security investments and therefore believes that its potential interest rate exposure is not material. The Company also makes equity investments determined by the Board of Directors to be strategic to the Company and routinely evaluates the realizable value of these investments using qualitative and quantitative factors including discounted cash flow analysis and liquidation value assessments.

During September 1999, one of the Company’s investments, Trintech, concluded an initial public offering of its ordinary shares. The Company is restricted in its right to sell the Trintech shares until March 21, 2000 by certain provisions of an agreement between the Company and the underwriters of the Trintech offering. At December 31, 1999 the Company held 958,627 shares of Trintech.

To protect a portion of its marketable securities position, the Company sold put and call options on its VeriSign shares to independent third parties. The put options entitle the holders to buy shares of VeriSign common stock and the call options allow the company to sell shares of VeriSign common stock on certain dates at specified prices, or permit a net-share settlement at the Company’s option. This provides the Company with protection against a portion of the market risk associated with the securities in exchange for the Company foregoing a portion of the potential price appreciation of the securities. On December 31, 1999, 5,500,000 shares were covered by these put and call options. The outstanding put and call options expire between March 31, 2000 and September 30, 2002 and have strike prices ranging from $47.46 to $77.00 per share.

The Company invoices customers primarily in U.S. Dollars and in local currency in those countries in which the Company has branch and subsidiary operations. The Company is exposed to foreign exchange rate fluctuations from when customers are invoiced in local currency until collection occurs. This exposure is offset by the Company’s use of local currency for operating expenses incurred in those countries. Historically, the Company has not entered into foreign currency hedge transactions. Through December 31, 1999, foreign currency fluctuations have not had a material impact on the Company’s financial position or results of

The foregoing risk management discussion and the effects thereof are forward-looking statements. Actual results in the future may differ materially from these projected results due to actual developments in global financial markets. The analytical methods used by the Company to assess and mitigate risk discussed above should not be considered projections of future events or losses.

Management is responsible for preparing the RSA Security Inc. (formerly Security Dynamics Technologies, Inc.) financial statements and the other information that appears in this annual report. Management believes that the financial statements fairly reflect the form and substance of transactions and reasonably present the Company’s financial condition and results of operations in conformity with generally accepted accounting principles. Management has included in the Company’s financial statements amounts that are based on estimates and judgments, which it believes are reasonable under the circumstances.

The Company maintains a system of internal accounting policies, procedures, and controls intended to provide reasonable assurance, at appropriate cost, that transactions are executed in accordance with Company authorization and are properly recorded and reported in the financial statements, and that assets are adequately safeguarded.

Deloitte & Touche LLP audits the Company’s financial statements in accordance with generally accepted auditing standards and provides an objective, independent review of the Company’s internal controls and the fairness of its reported financial condition and results of operations.

The RSA Security Inc. Board of Directors has an Audit Committee composed of nonmanagement Directors. The Committee meets with financial management and the independent auditors to review internal accounting controls and accounting, auditing, and financial reporting matters.

We have audited the accompanying consolidated balance sheets of RSA Security Inc. and subsidiaries as of December 31, 1999 and 1998, and the related consolidated statements of income, stockholders’ equity, and cash flows for each of the three years in the period ended December 31, 1999. Our audits also included the financial statement schedule listed at Item 14(a)(2). These financial statements and financial statement schedule are the responsibility of the corporation’s management. Our responsibility is to express an opinion on the financial statements and financial statement schedule based on our audits.

We conducted our audits in accordance with generally accepted auditing standards. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

In our opinion, such consolidated financial statements present fairly, in all material respects, the financial position of RSA Security Inc. and subsidiaries as of December 31, 1999 and 1998, and the results of their operations and their cash flows for each of the three years in the period ended December 31, 1999 in conformity with generally accepted accounting principles. Also, in our opinion, such financial statement schedule, when considered in relation to the basic consolidated financial statements taken as a whole, presents fairly in all material respects the information set forth therein.

[Continued from above table, first column(s) repeated]


	Accumulated
	Other			Total
	Comprehensive			Stockholders’
	Income			Equity

Balance January 1, 1997	$	3,973		$	125,104




Issuance of common stock					62,351




Stock compensation					794




Comprehensive income




Translation adjustment		(1,243	)		(1,243	)




Unrealized loss on marketable securities, net		(3,401	)		(3,401	)




Net income					17,048

Total comprehensive income					12,404

Balance, December 31, 1997		(671	)		200,653




Issuance of common stock					9,271




Foreign acquisition tax benefit					13,835




Stock compensation					1,983




Share repurchase program					(12,135	)




Comprehensive income




Translation adjustment		(425	)		(425	)




Unrealized gain on marketable securities, net		123			123




Net income					29,415

Total comprehensive income					29,113

Balance, December 31, 1998		(973	)		242,720




Issuance of common stock and warrants					49,748




Stock compensation					1,128




Share repurchase program					(102,973	)




Comprehensive income




Translation adjustment		(147	)		(147	)




Unrealized gain on marketable securities, net		236,786			236,786




Net income					183,762

Total comprehensive income					420,401

Balance, December 31, 1999	$	235,666		$	611,024

Nature of Business — RSA Security Inc. and its subsidiaries (formerly Security Dynamics Technologies, Inc.) (the “Company”) is a leading provider of electronic security (“e-security”) solutions. The Company helps organizations build secure, trusted foundations for electronic business (“e-business”) through use of its two-factor user authentication, encryption and public key management products and solutions. The Company sells to corporate end users (“Enterprise”) seeking turnkey security solutions, and to original equipment manufacturers and developers (“OEM”) seeking software development components for embedding security in a range of applications. In September 1999, the Company changed its name to RSA Security Inc. Costs incurred in connection with the rebranding were approximately $12,500.

Reclassification — Certain prior year amounts have been reclassified to conform with the 1999 presentation.

Principles of Consolidation — The consolidated financial statements include the accounts of the Company and its subsidiaries. Minority stockholders owned an aggregate 26% of the Company’s Japanese subsidiary until November 1999 when the Company purchased the interests for $3,600. The excess purchase price over fair value of assets of $1,096 was recorded as goodwill and is being amortized over ten years.

Revenue Recognition — Revenue is recognized when earned. The Company’s revenue recognition policies are in compliance with all applicable accounting regulations, including American Institute of Certified Public Accountants (AICPA) Statement of Position (SOP) 97-2, “Software Revenue Recognition” and SOP 98-9, “Modification of SOP 97-2 With Respect to Certain Transactions.” Revenue from products is recognized when shipped, no further material obligations exist, and collection is considered probable. Revenue from shipments to distributors is recognized upon receipt of evidence of sale to end-users. Revenues from licensing other intellectual property are recognized when evidence of an arrangement exists, the fee is fixed or determinable and collection is considered probable. When arrangements contain multiple elements and vendor specific objective evidence exists for all undelivered elements, the Company recognizes revenue for the delivered elements using the residual method. For arrangements containing multiple elements wherein vendor specific objective evidence does not exist for all undelivered elements, revenue for the delivered and undelivered elements is deferred until vendor specific objective evidence exists or all elements have been delivered. Maintenance services revenues, whether sold separately or as part of a multiple element arrangement, are deferred and recognized ratably over the term of the maintenance contract, generally twelve months. Professional service revenues are recognized as services are provided. No customer accounted for 5% or more of the Company’s revenue in any period reported.

Warranty Policy — Reserves are provided for warranties based upon historical experience.

Cash Equivalents — All highly liquid investments purchased with a remaining maturity of three months or less are considered cash equivalents.

Marketable Securities — Marketable securities are classified as “available for sale” and carried at aggregate fair value. Unrealized gains and losses are included in accumulated other comprehensive income, net of tax effects. Realized gains are determined based on the specific identified cost of the securities.

Inventory — Inventory consists primarily of RSA SecurID authenticators and is stated at the lower of cost (first-in, first-out method) or market.

Property and Equipment — Property and equipment are stated at cost. Depreciation and amortization are computed using the straight-line method over the shorter of the lease term or estimated useful lives of the related assets (two to ten years).

Investments — Investments are accounted for using the equity method in situations where the Company has the ability to exercise significant influence over the investee’s business. All other investments are accounted for using the cost method. Until June 30, 1999, the Company accounted for its investment in VeriSign, Inc. (“VeriSign”) under the equity method. After June 1999 investments in VeriSign common stock were considered marketable securities.

Impairment of Long-lived Assets — The recoverability of long-lived assets is periodically assessed by comparing the undiscounted cash flows expected to be generated to the carrying value. If the sum of the undiscounted cash flows is less than the carrying value of the assets, an impairment charge is recognized.

Research and Development — Research and development costs are expensed as incurred. Statement of Financial Accounting Standards (SFAS) No. 86, “Accounting for the Costs of Computer Software to be Sold, Leased or Otherwise Marketed”, does not materially affect the Company.

Advertising — Advertising costs are expensed as incurred and were approximately $850, $837 and $2,484 in 1997, 1998 and 1999, respectively.

Income Taxes — The liability method is used for income taxes. Deferred taxes are determined based on the estimated future tax effects of differences between the financial statement and tax bases of assets and liabilities given the provisions of the enacted tax laws. Taxes are provided on the undistributed earnings of foreign subsidiaries, which are ultimately expected to be remitted to the parent company. Unrecognized provisions for taxes on undistributed earnings of foreign subsidiaries which are considered permanently invested are not material to the Company’s consolidated financial position or results of operations. Valuation allowances are provided against net deferred tax assets, if based upon the available evidence, it is more likely than not that some or all of the deferred tax assets will not be realized. The ultimate realization of deferred tax assets is dependent upon the generation of future taxable income and when temporary differences become deductible. Management considers, among other available information, uncertainties surrounding the recoverability of deferred tax assets, scheduled reversals of deferred tax liabilities, projected future taxable income, and other matters in making this assessment.

Foreign Currency — Local currencies of the countries in which the Company’s branches and subsidiaries are domiciled are the functional currencies. Translation adjustments are accumulated in other comprehensive income.

Earnings Per Share — Basic earnings per share is computed on the basis of the weighted average number of common shares outstanding. Diluted earnings per share is computed on the basis of the weighted average number of common shares outstanding plus the effect of potential outstanding common shares, such as options and warrants using the “treasury stock” method.

Financial Instruments — The carrying amounts of cash and cash equivalents, accounts receivable and accounts payable approximate fair value due to the short-term nature of these instruments.

Marketable securities and investments are comprised of publicly traded and private debt and equity securities. Publicly traded securities are classified as available for sale and are recorded at market using the specific identification method. Unrealized gains and losses are reflected in other comprehensive income.

Derivative financial instruments are used to hedge the Company’s investment in VeriSign and are, therefore, held primarily for purposes other than trading. These instruments may involve elements of credit and market risk in excess of the amounts recognized in the financial statements. The Company monitors its positions and the credit quality of counter parties, consisting primarily of major financial institutions, and does not anticipate nonperformance by any counter party. The Company can settle its hedging obligations by delivering its shares of VeriSign common stock.

Use of Estimates — The preparation of the Company’s consolidated financial statements in conformity with generally accepted accounting principles necessarily requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities and disclosure of contingent assets and liabilities at the date of the financial statements and the reported amounts of revenue and expenses during the reporting periods. Actual results could differ from those estimates.

Concentration of Credit Risk — The Company provides enterprise network and data security solutions to various customers in diverse industries. The Company performs ongoing credit evaluations of its customers and maintains allowances for potential credit losses.

Stock-Based Compensation Plans — Stock-based compensation cost is accounted for in accordance with the Accounting Principles Board Opinion No. 25 “Accounting for Stock Issued to Employees.” Accordingly, no accounting recognition is given to stock options granted at fair market value until they are exercised. Upon exercise, net proceeds, including tax benefit realized, are credited to equity. The pro forma impact on earnings per share has been disclosed in the Notes as required by SFAS No. 123.

New Accounting Pronouncements — In June 1998, the Financial Accounting Standards Board (FASB) issued Statement of Financial Accounting Standards (SFAS) No. 133, “Accounting for Derivative Instruments and Hedging Activities.” In June 1999, the FASB issued SFAS No. 137, “Accounting for Derivative Instruments and Hedging Activities — Deferral of the Effective Date of FASB Statement 133.” The Statement defers the effective date of SFAS No. 133 to January 1, 2001. The effect of adopting the standard is being evaluated. The Company estimates that, based on the valuation of certain put and call options on its holdings of VeriSign’s common stock as of December 31, 1999, the effect of adopting this standard would be to decrease net gains from investments by $29,800. SFAS No. 133 will require the Company to recognize all derivatives on the balance sheet at fair value. Derivatives that are not hedges must be adjusted to fair value through income. If the derivative is a hedge, depending on the nature of the hedge, changes in the fair value of derivatives will either be offset against the change in fair value of hedged assets, liabilities, or firm commitments through earnings or recognized in accumulated other comprehensive income until the hedged item is recognized in earnings. The ineffective portion, if any, of a derivative’s change in fair value will be immediately recognized in earnings.

Debt securities include corporate and government notes and bonds. Equity securities recorded at cost primarily include preferred stock and common stock that are restricted or not publicly traded. To protect a portion of its marketable securities position, the Company sold put and call options on its VeriSign shares to independent third parties. The put options entitle the holders to buy shares of VeriSign common stock and the call options allow the Company to sell shares of VeriSign common stock on certain dates at specified prices, or permit a net-share settlement at the Company’s option. On December 31, 1999, 5,500,000 shares were covered by these put and call options. The outstanding put and call options expire quarterly in 500,000 share increments between March 31, 2000 and September 30, 2002 and have exercise prices ranging from $47.46 to $77.00 per share. The options are recorded at intrinsic value, resulting in an unrealized hedge liability of $686,034 at December 31, 1999. There were no premiums paid for the options.

The Company routinely evaluates the realizable value of its investments using qualitative and quantitative factors including discounted cash flow analysis and liquidation value assessments.

For 1999, net gains from investments were $285,952 from sales of marketable securities, which includes gains from the sale of VeriSign common stock and Trintech Group PLC (“Trintech”) ordinary shares of $276,438, and an increase in value of VeriSign common stock of $12,576 from the write-up under the equity method. These gains are net of the Company’s equity in VeriSign’s loss of $525 and an investment allowance of $2,537 on other investments. For 1998, net gains from investments were $35,427 from sales of marketable securities, which includes gains from the sale of VeriSign common stock of $31,285, and an increase in value of VeriSign common stock of $11,976 from the write-up under the equity method upon VeriSign’s initial public offering. These gains are net of the Company’s equity in VeriSign’s loss of $4,187 and an investment allowance of $3,647 on other investments.

In 1997, the Company acquired DynaSoft AB (“DynaSoft”), and in 1998, the Company acquired Intrusion Detection, Inc. (“IDI”), in transactions accounted for as poolings of interests. To acquire DynaSoft, the Company issued approximately 2,700,000 shares of its common stock in exchange for approximately 95% of the outstanding common stock of DynaSoft and certain outstanding stock options. The Company paid $6,038 to certain other stockholders of DynaSoft in exchange for the remaining outstanding common stock and stock options. To acquire IDI, the Company issued approximately 784,000 shares of its common stock in exchange for all of IDI’s outstanding common stock. Investment banking, professional fees and other direct expenses incurred in connection with the DynaSoft and the IDI acquisitions were charged to operations and were approximately $5,700 and $2,600 in 1997 and 1998, respectively.

Revenues and net income (loss) for DynaSoft and IDI as independent companies for the periods before their acquisition were for DynaSoft, revenues of $5,277 and net loss of $(155), for the period January 1, 1997 to July 15, 1997, the date DynaSoft was acquired. For IDI, revenues and net income (loss) of $4,700 and $680, respectively, in 1997 and $900 and $(137), respectively for the period January 1, 1998 to March 26, 1998, the date IDI was acquired.

The 1994 Stock Option Plan, as amended — 1998 Restatement (“1994 Plan”), allows (i) the grant of options to purchase common stock intended to qualify as incentive stock options and (ii) the grant of options that do not so qualify (non-statutory options) to employees, officers, directors and consultants of the Company. Option exercise prices for incentive stock options granted under the 1994 Plan may not be less than 100% of the fair market value of the shares. In general, 1994 Plan option grants become exercisable as to 25% on the first anniversary of the grant date, and in equal quarterly amounts thereafter for three years. Options generally expire eight years from the grant date.

The 1994 Director Stock Option Plan, as amended (“Director Plan”), allows the granting of options to purchase common stock to non-employee members of the Board of Directors. The exercise price of the options may not be less than 100% of the fair market value on the date of the grant. Options granted under the Director Plan become exercisable at the date of grant and expire up to ten years from the date of grant.

The Amended and Restated 1998 Non-Officer Employee Stock Incentive Plan (“1998 Plan”) allows the grant of non-statutory stock options, restricted stock awards, and other stock-based awards to employees, consultants and advisors of the Company, other than those who are also officers within the meaning of Section 16 of the Securities Exchange Act of 1934, as amended. In general, stock options granted under the 1998 Plan become exercisable as to 25% on the first anniversary of the grant date and in equal quarterly installments thereafter for three years.

Authorized shares at December 31, 1999 were 11,570,000 shares under the 1994 Plan, 500,000 shares under the Director Plan and 3,910,509 shares under the 1998 Plan. Shares available for grant were 2,164,801 under the 1994 Plan, 482,000 under the Director Plan and 184,753 under the 1998 Plan.

The 1994 Employee Stock Purchase Plan, as amended (“Purchase Plan”), provides for sales of common stock to participating employees at prices of not less than 85% of the closing price on either the first day or the last day of the offering period, whichever is lower. At December 31, 1999 1,000,000 shares were authorized under the Purchase Plan and 448,161 shares were available for purchase. The cumulative total shares purchased under the plan through 1997, 1998 and 1999 were 145,203, 366,955 and 551,839, respectively.

The following table sets forth information regarding stock options outstanding at December 31, 1999 under all plans:

Accounting for Stock Options — For certain options and stock awards granted in 1997, 1998 and 1999, the Company is recognizing compensation expense based on the excess of fair market value over the option exercise or award prices at dates of grant. Compensation is being recognized ratably over the vesting periods and amounted to $1,205, $1,982 and $1,128 in 1997, 1998 and 1999, respectively.

Stock Option Repricing — In August 1998, the Company repriced options to purchase approximately 5,500,000 shares of common stock to the then fair market value of $12.0625 per share.

Pro Forma Disclosure — Had the Company recognized compensation costs for its stock option and purchase plans based on the fair value for awards under those plans, in accordance with SFAS No. 123 “Accounting for Stock Based Compensation,” pro forma net income and pro forma net income per share would have been as follows:

The fair values used to compute pro forma net income and net income per share were estimated fair value at grant date using the Black-Scholes option-pricing model with the following weighted average assumptions:

Stockholder Rights Plan — On July 20, 1999 the Company announced that its Board of Directors had adopted a Stockholder Rights Plan and a Rights Agreement to govern the Plan in which common stock purchase rights (each, a “Right”) would be distributed as a dividend at the rate of one Right for each share of the Company’s Common Stock outstanding as of the close of business on July 30, 1999. Each Right entitles rightsholders to purchase one share of Common Stock of the Company at a purchase price of $125.00, subject to adjustment (the “Purchase Price”). The Rights will be exercisable if another party acquires, or obtains the right to acquire, beneficial ownership of 15% or more of the Company’s Common Stock, or upon the commencement of a tender or exchange offer that, if consummated, would result in another party acquiring

15% or more of the Company’s Common Stock. In the event of an acquisition or a similar event, each Right, except those owned by the acquiring party, will enable the holder of the Right to purchase that number of shares of the Company’s Common Stock which equals the Purchase Price divided by one-half of the current market price (as defined in the Rights Agreement) of such Common Stock.

In addition, if the Company is involved in a merger or other transaction with another company in which it is not the surviving corporation, or it sells or transfers 50% or more of its assets or earning power to another company, each Right will entitle its holder to purchase that number of shares of common stock of the acquiring company which equals the Purchase Price divided by one-half of the current market price of such company’s common stock. The Company will generally be entitled to redeem the Rights at $0.001 per Right at any time until the tenth business day following the later of a public announcement that an acquiring party has acquired, or obtained the right to acquire, 15% or more of the Company’s Common Stock or the actual knowledge by an executive officer of the Company of such acquisition. Unless the Rights are redeemed or exchanged earlier, they will expire on July 20, 2009.

Share Repurchase Program — The Company was authorized to repurchase up to 4,000,000 shares of its common stock during the 12-month period ended October 11, 1999, and is authorized to purchase up to an additional 4,000,000 shares of its common stock during the 12-month period ending October 12, 2000. Repurchased shares may be used for the Company’s stock option and employee stock purchase plans, and for general corporate purposes. Through December 31, 1999, the Company had repurchased 5,134,500 shares of its common stock, for an aggregate amount of $115,108, at an average cost of $22.42 per share.

Stock Purchase Warrants — The Company issued warrants to purchase 80,000 shares of common stock in September 1999 in connection with a software sale. The value of the warrants of $1,040 was determined using the Black-Scholes option-pricing model and was allocated to additional paid-in capital.

Significant components of the Company’s deferred tax assets and liabilities at December 31 were as follows:

In the fourth quarter of 1998, the Company made certain elections for U.S. tax reporting purposes that resulted in a deferred tax asset of approximately $39,333 relating to the DynaSoft acquisition, a taxable business combination in 1997 which was accounted for as a pooling of interests. In accordance with provisions of SFAS No. 109, the Company simultaneously recorded a $25,498 valuation allowance, reducing the deferred tax asset to an amount that management believes is more likely than not to be realized. The net deferred tax asset of $13,835 was recorded with a corresponding increase to additional paid-in capital.

Tax benefits arising from exercise of stock options were $2,012, $4,482, and $16,790 in 1997, 1998 and 1999, respectively.

Cash payments for income taxes were approximately $15,542, $18,249 and $101,929 in 1997, 1998 and 1999, respectively.

The Company has a 401(k) retirement and savings plan which allows each participant to defer up to 20% of annual earnings up to an amount not to exceed an annual statutory maximum. The Company may make, at its discretion, matching and profit-sharing contributions. Matching contributions were $367, $582 and $657 in 1997, 1998 and 1999, respectively, and profit sharing contributions were $400, $336 and $786 in 1997, 1998 and 1999, respectively.

The Company leases office facilities under non-cancelable operating leases expiring through 2009. Future minimum rental payments are as follows:

Net rent expense was approximately $3,437, $4,884 and $7,952 in 1997, 1998 and 1999, respectively. Rent collected from subleases of the Company’s former headquarters was $527 in 1997, $81 in 1998, and $271 in 1999.

The Company has an agreement with another company for the right to use certain software. In order to obtain favorable pricing, the Company has, from time to time, prepaid royalties due under the agreement. Royalties are recorded as a component of cost of revenue as the related products are sold. Unamortized prepaid royalties were $4,800 and $6,900 at December 31, 1998 and 1999 respectively.

The Company also has a license, granted through September 2000, for cryptographic communication technology and devices from the Massachusetts Institute of Technology, which allows an exclusive right to use, lease or sell technology, subject to payment of royalties. Total royalty expense under all agreements was $6,061, $6,235 and $6,890 in 1997, 1998 and 1999, respectively.

The Company has one reportable segment, Enterprise network and data security solutions, which generates revenue from two product lines, enterprise solutions and OEM solutions. Products sold include software, licensing, hardware, maintenance and professional services. The segment was determined primarily on how management views and evaluates the business.

The Company’s operations are conducted throughout the world. Operations in the United States represent more than 10% of revenues or income from operations. The Company’s operations in other countries are individually insignificant and have been included in “Rest of world” below. The following table presents information about revenues:

On or about December 11, 1998, a class action was filed in the United States District Court for the District of Massachusetts on behalf of all purchasers of the Company’s Common Stock during the period from and including September 30, 1997 through July 15, 1998: Fitzer v. Security Dynamics Technologies Inc., Charles R. Stuckey, Jr., D. James Bidzos, Arthur W. Coviello, Jr., John Adams, Marian G. O’Leary and Linda B. Saris, Civil Action No. 98-CV-12496-WGY. The plaintiffs subsequently dismissed without prejudice the claims against Ms. Saris. The plaintiffs filed an amended complaint on May 4, 1999, which asserts that the defendants misled the investing public concerning demand for the Company’s products, the strengths of its technologies, and certain trends in the Company’s business. Plaintiffs seek unspecified damages, interest, costs and fees of their attorneys, accountants and experts. The Company is seeking to dismiss the plaintiffs’ complaint and intends to defend the lawsuit vigorously. Although the amounts claimed may be substantial, the Company cannot predict the ultimate outcome or estimate the potential loss, if any, related to the lawsuit. The Company believes that the disposition of this matter will not have a material adverse effect on the Company’s consolidated financial position. However, the adverse resolution of the lawsuit could materially affect the Company’s results of operations or liquidity in any one annual or quarterly reporting period.

In September 1998, the Company granted options to purchase an aggregate of 325,000 shares of common stock in connection with the settlement of threatened litigation arising out of the acquisition of IDI. The value of the options was determined to be $1,872, using the Black-Scholes option-pricing model.

The Company has been named as a defendant in other legal actions arising from its normal business activities, which it believes will not have a material adverse effect on the Company or its business.

VeriSign developed certain technology for the Company in exchange for an initial license fee of $2,700. The Company is the exclusive distributor of VeriSign’s certificate authority software for a five year term subject to annual cancellation at the Company’s election. The Company paid VeriSign $500 at the execution of the distributor agreement, $1,100 in 1999 and additional prepaid license fees are due in minimum quarterly installments of $2,300 in 2000, $3,000 in 2001, $4,000 in 2002, and $4,000 in 2003. The Company sublet facilities to VeriSign in exchange for lease payments of $105 in 1997 and $81 in 1998. A Company director serves as VeriSign’s Chairman of the Board of Directors.

A stockholder, who owns less than 5% of the Company’s common stock, provides consulting services to the Company and received $104, $82 and $48 in 1997, 1998 and 1999, respectively. The Company also had approximately $25 payable on demand to a less than 5% stockholder as of December 31, 1998.

In 1999, the Company commenced and substantially completed consolidation of certain operations in an attempt to achieve operational efficiency. The Company recorded costs of $11,350 consisting of severance costs of $9,370 for 41 employees who were employed primarily in research and development and general and administrative activities for the formerly separate operations of IDI, and facility exit costs of $1,980. Facility exit costs consist primarily of estimated shortfalls of sublease rental income compared to minimum lease payments due under a lease agreement. Costs of approximately $2,884 were accrued and unpaid at December 31, 1999 and consisted of facility exit costs of $1,749 and termination benefits, payable through the third quarter of 2000, of $1,135.

The tax effects of unrealized holding gains (losses) were $(291), $82 and $157,857 for 1997, 1998 and 1999, respectively.

The information required by this item is contained in part under the caption “Executive Officers of the Company” in Part I hereof, and the remainder is contained in the Company’s Proxy Statement for the Company’s Annual Meeting of Stockholders to be held on April 19, 2000 (the “2000 Proxy Statement”) under the captions “Proposal 1 — Election of Directors” and “Section 16(a) Beneficial Ownership Reporting Compliance” and is incorporated herein by this reference.

Officers are elected on an annual basis and serve at the discretion of the Board of Directors.

The information required by this item is contained under the captions “Director Compensation” and “Compensation of Executive Officers” in the 2000 Proxy Statement and is incorporated herein by this reference.

The information required by this item is contained under the caption “Stock Ownership of Certain Beneficial Owners and Management” in the 2000 Proxy Statement and is incorporated herein by this reference.

The information required by this item is contained under the caption “Certain Relationships and Related Transactions” in the 2000 Proxy Statement and is incorporated herein by reference.

1. Financial Statements. The Consolidated Financial Statements are filed as part of this Report. The Consolidated Financial Statements include:


	Independent Auditors’ Report Consolidated Balance Sheets Consolidated Statements of Income Consolidated Statements of Stockholders’ Equity Consolidated Statements of Cash Flow Notes to Consolidated Financial Statements

2. Financial Statement Schedule. Financial Statement Schedule II “Valuation and Qualifying Accounts” immediately following the “Exhibit Index” is filed as part of this Report.

3. Exhibits. The Exhibits listed in the Exhibit Index following the signature page to this Report are filed as part of this Report.

The Company did not file any Current Reports on Form 8-K during the quarter ended December 31, 1999.

Pursuant to the requirements of Section 13 or 15(d) of the Securities Exchange Act of 1934, the Company has duly caused this report to be signed on its behalf by the undersigned, thereunto duly authorized.


	RSA SECURITY INC.

	By:/s/ ARTHUR W. COVIELLO, JR.

	Arthur W. Coviello, Jr.
	Chief Executive Officer
	and President

Pursuant to the requirements of the Securities Exchange Act of 1934, this report has been signed below by the following persons on behalf of the Company and in the capacities and on the dates indicated.


*	Management contract or compensatory plan or arrangement filed in response to Item 14(a)(3) of the instructions to Form 10-K.

†	Confidential treatment previously granted by the Securities and Exchange Commission as to certain portions.

#	Confidential treatment requested as to certain portions.






Delaware		04-2916506
(State or other jurisdiction of Incorporation or Organization)		(I.R.S. Employer Identification No.)





36 Crosby Drive Bedford, Massachusetts		01730
(Address of Principal Executive Offices)		(Zip Code)


		PART OF FORM 10-K
DOCUMENT		INTO WHICH INCORPORATED

Portions of the Registrant’s Proxy Statement for the 2000 Annual Meeting of Stockholders		Items 10, 11, 12 & 13 of Part III


PART I
	ITEM 1. BUSINESS
	ITEM 2. PROPERTIES
	ITEM 3. LEGAL PROCEEDINGS
	ITEM 4. SUBMISSION OF MATTERS TO A VOTE OF SECURITY-HOLDERS
EXECUTIVE OFFICERS OF THE COMPANY
PART II
	ITEM 5. MARKET FOR THE COMPANY’S COMMON EQUITY AND RELATED STOCKHOLDER MATTERS
	ITEM 6. SELECTED FINANCIAL DATA
	ITEM 7. MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS
	ITEM 7A. QUANTITATIVE AND QUALITATIVE DISCLOSURES ABOUT MARKET RISK
	ITEM 8. FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA
PART III
	ITEM 10. DIRECTORS AND EXECUTIVE OFFICERS OF THE COMPANY
	ITEM 11. EXECUTIVE COMPENSATION
	ITEM 12. SECURITY OWNERSHIP OF CERTAIN BENEFICIAL OWNERS AND MANAGEMENT
	ITEM 13. CERTAIN RELATIONSHIPS AND RELATED TRANSACTIONS
PART IV
	ITEM 14. EXHIBITS, FINANCIAL STATEMENT SCHEDULES AND REPORTS ON FORM 8-K
SIGNATURES
EXHIBIT INDEX


	High			Low

1998




First Quarter	$	42	1/8	$	29	1/2




Second Quarter	$	42	3/4	$	15	1/8




Third Quarter	$	20	3/4	$	9	3/8




Fourth Quarter	$	23	1/2	$	5	7/16


	High			Low

1999




First Quarter	$	28	7/8	$	14	1/2




Second Quarter	$	22	1/8	$	15	1/16




Third Quarter	$	29	5/8	$	16	1/16




Fourth Quarter	$	77	1/2	$	29	5/8


[X]	ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE


[ ]	TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE


Name	Age		Position

Charles R. Stuckey, Jr.		57	Chairman of the Board and President of RSA Capital Inc.




Arthur W. Coviello, Jr.		46	President, Chief Executive Officer and Director




John Adams, Ph.D.		58	Senior Vice President and Chief Technology Officer




John F. Kennedy		51	Senior Vice President, Finance, Chief Financial Officer and Treasurer




Linda E. Saris		47	Senior Vice President, Customer Support, Information Services and Operations




Scott T. Schnell		41	Senior Vice President, Marketing




Margaret K. Seif		38	Vice President, General Counsel and Secretary




Joseph Uniejewski		46	Senior Vice President, Engineering


ITEM 5.	MARKET FOR THE COMPANY’S COMMON EQUITY AND RELATED STOCKHOLDER MATTERS



			Years Ended December 31,

			1995		1996		1997			1998		1999

Statement of Operations Data




Revenue			$	50,812	$	86,417	$	140,630		$	171,334	$	218,124




Cost of revenue				8,999		18,431		28,704			40,781		45,161

Gross profit				41,813		67,986		111,926			130,553		172,963




Costs and expenses




	Research and development			7,260		13,682		27,180			31,981		37,640




	Marketing and selling			14,478		24,829		41,926			66,788		89,943




	General and administrative			10,775		14,603		17,171			19,007		27,261




	Merger and integration			—		6,100		5,700			2,600		—




	Restructuring			—		—		—			—		11,350




	Legal settlement			—		—		—			1,872		—

		Total		32,513		59,214		91,977			122,248		166,194

Income from operations				9,300		8,772		19,949			8,305		6,769




Interest income				1,917		4,889		6,273			8,676		10,007




Net gain from investments				—		11,027		4,264			35,427		285,952

Income before provision for income taxes				11,217		24,688		30,486			52,408		302,728




Provision for income taxes				3,487		11,003		13,324			23,571		118,982




Minority interests				—		—		(114	)		578		16

Net income			$	7,730	$	13,685	$	17,048		$	29,415	$	183,762

Basic earnings per share




Per share amount			$	0.24	$	0.37	$	0.44		$	0.72	$	4.69

Weighted average shares				32,577		37,165		38,956			40,909		39,171

Diluted earnings per share




Per share amount			$	0.22	$	0.35	$	0.42		$	0.69	$	4.38

	Weighted average shares			32,577		37,165		38,956			40,909		39,171




	Effect of dilutive options			2,209		2,533		1,692			1,588		2,809

Adjusted weighted average shares				34,786		39,698		40,648			42,497		41,980



	December 31,

	1995		1996		1997		1998		1999

Balance Sheet Data




Cash, cash equivalents and marketable securities	$	112,643	$	107,008	$	164,659	$	158,236	$	1,383,281




Working capital		104,753		110,103		178,348		180,885		553,307




Total assets		129,279		147,355		233,975		280,855		1,512,124




Stockholders’ equity		109,442		125,104		200,653		242,720		611,024


ITEM 7.	MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS


	First Quarter		Second Quarter		Third Quarter		Fourth Quarter


	(in thousands, except per share data)




1999




Net sales	$	48,672	$	51,809	$	55,658	$	61,985




Gross profit		37,235		41,427		44,412		49,889




Income before provision for income taxes		74,754		75,969		85,687		66,318




Net income	$	40,989	$	42,995	$	58,585	$	41,193




Basic earnings per share	$	1.03	$	1.11	$	1.50	$	1.05




Diluted earnings per share	$	0.97	$	1.05	$	1.42	$	0.96




Results excluding non-core activity:




Net income	$	5,052	$	5,957	$	7,422	$	9,922




Basic earnings per share	$	0.13	$	0.15	$	0.19	$	0.25




Diluted earnings per share	$	0.12	$	0.15	$	0.18	$	0.23




1998




Net sales	$	40,246	$	43,372	$	40,801	$	46,915




Gross profit		31,630		31,479		32,435		35,009




Income before provision for income taxes		5,918		17,124		4,937		24,429




Net income	$	2,964	$	10,673	$	3,188	$	12,590




Basic earnings per share	$	0.07	$	0.26	$	0.08	$	0.31




Diluted earnings per share	$	0.07	$	0.25	$	0.08	$	0.30




Results excluding non-core activity:




Net income	$	5,696	$	6,084	$	3,975	$	3,283




Basic earnings per share	$	0.14	$	0.15	$	0.10	$	0.08




Diluted earnings per share	$	0.14	$	0.15	$	0.10	$	0.08



	Common Stock				Additional					Deferred			Treasury Stock
					Paid-in-		Retained			Stock
	Shares		Amount		Capital		Earnings			Compensation			Shares		Amount

Balance January 1, 1997		38,005,235	$	380	$	102,463	$	18,462		$	(174	)		296		—




Issuance of common stock		2,461,883		25		62,552		(226	)					213




Stock compensation						736					58




Comprehensive income




Translation adjustment




Unrealized loss on marketable securities, net




Net income								17,048

Total comprehensive income

Balance, December 31, 1997		40,467,118		405		165,751		35,284			(116	)		509		—




Issuance of common stock		1,067,241		10		9,658		(397	)




Foreign acquisition tax benefit						13,835




Stock compensation						1,941					42




Share repurchase program														1,058,000	$	(12,135	)




Comprehensive income




Translation adjustment




Unrealized gain on marketable securities, net




Net income								29,415

Total comprehensive income

Balance, December 31, 1998		41,534,359		415		191,185		64,302			(74	)		1,058,509		(12,135	)




Issuance of common stock and warrants		2,506,877		25		49,723




Stock compensation						1,116					12




Share repurchase program														4,076,500		(102,973	)




Comprehensive income




Translation adjustment




Unrealized gain on marketable securities, net




Net income								183,762

Total comprehensive income

Balance, December 31, 1999		44,041,236	$	440	$	242,024	$	248,064		$	(62	)		5,135,009	$	(115,108	)



			December 31, 1998								December 31, 1999

						Net								Net
			Cost			Unrealized		Recorded			Cost			Unrealized			Recorded
			Basis			Gains		Basis			Basis			Gains			Basis

Debt securities recorded at market, maturing:




	Within one year		$	12,168		$	13	$	12,181		$	58,315		$	(126	)	$	58,189




	Between 2 and 15 years			112,553			324		112,877			107,900			(2,586	)		105,314

		Debt securities recorded at market		124,721			337		125,058			166,215			(2,712	)		163,503




Equity securities recorded at market:




	VeriSign, Inc. common stock, 5,500,000 shares			—			—		—			9,005			1,041,151			1,050,156




	Trintech Group Plc.			—			—		—			4,877			42,575			47,452

		Equity securities recorded at market		—			—		—			13,882			1,083,726			1,097,608




Equity securities recorded at cost				17,895			—		17,895			6,183			—			6,183




Valuation adjustment for equity securities recorded at cost				(3,647	)		—		(3,647	)		(6,183	)		—			(6,183	)

Total equity securities recorded at cost				14,248			—		14,248			—			—			—

		Marketable securities	$	138,969		$	337	$	139,306		$	180,097		$	1,081,014		$	1,261,111


	/s/ ARTHUR W. COVIELLO, JR.

	/s/ JOHN F. KENNEDY



		December 31,

		1998			1999

Furniture and equipment		$	37,269		$	45,244




Leasehold improvements			6,486			11,915

	Total		43,755			57,159




Less: Accumulated depreciation and amortization			(14,187	)		(23,063	)

Property and equipment, net		$	29,568		$	34,096


					Weighted Average
					Exercise
		Shares			Price Per Share

Outstanding at January 1, 1997			4,722,457		$	15.71




	Granted		2,437,383			34.29




	Exercised		(959,143	)		3.58




	Canceled		(147,056	)		26.43

Outstanding at December 31, 1997			6,053,641			24.87




	Granted		9,125,937			15.09




	Exercised		(972,740	)		1.85




	Canceled		(6,178,366	)		32.59

Outstanding at December 31, 1998			8,028,472			13.35


						Weighted Average				Weighted Average
				Weighted		Remaining		Number		Exercise Price for
Range		Number of		Average		Contractual Life		Currently		Currently
Exercise Price		Shares		Exercise Price		(Years)		Exercisable		Exercisable

	$.45		10,712	$	.45		4.0		10,712	$	.45
	.90		11,221		.90		0.8		11,221		.90
	2.95 – 3.31		37,527		3.18		2.6		37,058		3.18
	6.62		3,959		6.62		1.3		3,959		6.62
	9.97 – 14.31		3,577,461		11.80		6.8		1,293,432		11.62
	16.00 – 22.50		2,478,915		18.74		7.3		123,505		18.71
	24.13 – 35.63		2,687,600		26.93		7.4		323,749		26.04
	37.15 – 44.21		1,628,000		40.87		7.8		77,281		41.10

	$.45 – $44.21		10,435,395	$	21.83		7.2		1,880,917	$	15.48


		1998			1999

Deferred tax assets (liabilities) — current:




	Unrealized hedge liability				$	274,414




	Marketable securities	$	(5,760	)		(442,032	)




	Deferred revenue		1,107			1,107




	Royalty valuation		920			779




	Sales returns		605			2,602




	Allowance for doubtful accounts		284			413




	Compensation		237			247




	Inventory reserves		225			225




	Warranty obligation		42			42




	Commissions		95			—




	Other		125			472

Net deferred tax asset (liability) — current		$	(2,120	)	$	(161,731	)

Deferred tax assets (liabilities) — non current:




	Foreign acquisition asset	$	39,333		$	36,302




	Purchased research and development		2,642			2,568




	Compensation		2,269			4,169




	Investment valuation		1,459			2,474




	Capitalized software development costs and other		(920	)		1,206




	Valuation allowance		(25,498	)		(25,498	)

Net deferred tax assets — non current		$	19,285		$	21,221




Years Ended December 31,

2000	$	7,010




2001		6,816




2002		6,245




2003		6,057




2004 and thereafter		30,634



	Years Ended December 31,

Product and services	1997		1998		1999

Enterprise solutions	$	109,865	$	133,129	$	165,168




OEM solutions		30,765		38,205		52,956

	$	140,630	$	171,334	$	218,124



	Years Ended December 31,

Geographic areas	1997		1998		1999

United States	$	97,162	$	112,042	$	152,103




Rest of world		43,468		59,292		66,021

	$	140,630	$	171,334	$	218,124


				Unrealized
				Holding
	Foreign			(Loss)			Accumulated
	Currency			Gain on			Other
	Translation			Marketable			Comprehensive
Accumulated other comprehensive income	Adjustments			Securities			Income

Balance, January 1, 1997	$	493		$	3,480		$	3,973




Period change		(1,243	)		(3,401	)		(4,644	)

Balance, December 31, 1997		(750	)		79			(671	)




Period change		(425	)		123			(302	)

Balance, December 31, 1998		(1,175	)		202			(973	)




Period change		(147	)		236,786			236,639

Balance, December 31, 1999	$	(1,322	)	$	236,988		$	235,666


ITEM 9.	CHANGES IN AND DISAGREEMENTS WITH ACCOUNTANTS ON ACCOUNTING AND FINANCIAL DISCLOSURE


Signature	Title	Date

/s/ ARTHUR W. COVIELLO, JR. --------------------------------------------------- Arthur W. Coviello, Jr.	Chief Executive Officer, President and Director (Principal Executive Officer)	March 13, 2000
/s/ JOHN F. KENNEDY --------------------------------------------------- John F. Kennedy	Senior Vice President, Finance and Chief Financial Officer (Principal Financial and Accounting Officer)	March 13, 2000
/s/ CHARLES R. STUCKEY, JR. --------------------------------------------------- Charles R. Stuckey, Jr.	Chairman of the Board of Directors	March 13, 2000
/s/ ROBERT P. BADAVAS --------------------------------------------------- Robert P. Badavas	Director	March 13, 2000
/s/ D. JAMES BIDZOS --------------------------------------------------- D. James Bidzos	Director	March 13, 2000
/s/ RICHARD L. EARNEST --------------------------------------------------- Richard L. Earnest	Director	March 13, 2000
/s/ TAHER ELGAMAL --------------------------------------------------- Taher Elgamal	Director	March 13, 2000
/s/ JOSEPH B. LASSITER, III --------------------------------------------------- Joseph B. Lassiter, III	Director	March 13, 2000
/s/ JAMES K. SIMS --------------------------------------------------- James K. Sims	Director	March 13, 2000


	3.1			Third Restated Certificate of Incorporation, as amended, of the Company is incorporated herein by reference to Exhibit 3.1 to the Company’s Quarterly Report on Form 10-Q for the quarter ended June 30, 1999

	3.2			Certificate of Ownership and Merger merging RSA Data Security, Inc. into Security Dynamics Technologies, Inc., as filed with the office of the Secretary of State of the State of Delaware on September 10, 1999 is incorporated herein by reference to Exhibit 2.1 to the Company’s Current Report on Form 8-K dated September 10, 1999
	3.3			Amended and Restated By-Laws, as amended, of the Company is incorporated herein by reference to Exhibit 3.3 to the Company’s Registration Statement on Form S-1 (File No. 33-85606) (the “Form S-1”)
	4.1			Specimen Certificate for shares of Common Stock, $.01 par value per share, of the Company is incorporated herein by reference to Exhibit 4.1 to the Company’s Current Report on Form 8-K dated September 10, 1999
	4.2			Rights Agreement dated as of July 20, 1999 between the Company and State Street Bank and Trust Company, which includes as Exhibit A the Form of Rights Certificate and as Exhibit B the Summary of Rights to Purchase Common Stock, is incorporated herein by reference to Exhibit 1 to the Company’s Registration Statement on Form 8-A (File No. 000-25120)
	4.3			Common Stock Purchase Warrant of the Company dated September 24, 1999 in favor of General Electric Company is incorporated herein by reference to Exhibit 4.2 to the Company’s Quarterly Report on Form 10-Q for the quarter ended September 30, 1999
	*10.1			1986 Stock Option Plan, as amended, is incorporated herein by reference to Exhibit 10.1 to the Form S-1
	*10.2			1994 Stock Option Plan, as amended, is incorporated herein by reference to Exhibit 10.2 to the Company’s Annual Report on Form 10-K for the year ended December 31, 1996
	*10.3			1994 Stock Option Plan, as amended — 1998 Restatement, as amended, is incorporated herein by reference to Appendix A to the Company’s Preliminary Schedule 14A filed March 5, 1999
	*10.4			1994 Director Stock Option Plan, as amended, is incorporated herein by reference to Exhibit 10.3 to the Company’s Quarterly Report on Form 10-Q for the quarter ended June 30, 1999
	*10.5			Amended and Restated 1998 Non-Officer Employee Stock Incentive Plan
	*10.6			1994 Employee Stock Purchase Plan, as amended, is incorporated herein by reference to Exhibit 10.2 to the Company’s Quarterly Report on Form 10-Q for the quarter ended September 30, 1999
	*10.7			1998 Deferred Compensation Plan is incorporated herein by reference to Exhibit 10.4 to the Company’s Quarterly Report on Form 10-Q for the quarter ended March 31, 1998
	*10.8			Amended and Restated Employment Agreement between the Company and Charles R. Stuckey, Jr., dated as of November 1, 1997, is incorporated herein by reference to Exhibit 10.5 to the Company’s Annual Report on Form 10-K for the year ended December 31, 1997
	*10.9			Amendment No. 1 to Amended and Restated Employment Agreement, dated as of March 4, 1999,between the Company and Charles R. Stuckey, Jr. is incorporated herein by reference to Exhibit 10.1 to the Company’s Quarterly Report on Form 10-Q for the quarter ended March 31, 1999
	*10.10			Letter Agreement between the Company and Arthur W. Coviello, Jr., dated as of August 21, 1995, is incorporated herein by reference to Exhibit 10 to the Company’s Quarterly Report on Form 10-Q for the quarter ended September 30, 1995
	*10.11			Letter Agreement between the Company and Linda E. Saris, dated as of May 1, 1989, is incorporated herein by reference to Exhibit 10.7 to the Form S-1
	*10.12			Form of Management Employment Agreement is incorporated herein by reference to Exhibit 10.1 to the Company’s Quarterly Report on Form 10-Q for the quarter ended September 30, 1998


	*10.13			Agreement and Release, dated as of February 18, 1999, between the Company and D. James Bidzos is incorporated by reference to Exhibit 10.2 to the Company’s Quarterly Report on Form 10-Q for the quarter ended March 31, 1999
	*10.14			Amendment Number One to Agreement and Release dated July 20, 1999 between the Company and D. James Bidzos is incorporated herein by reference to Exhibit 10.1 to the Company’s Quarterly Report on Form 10-Q for the quarter ended September 30, 1999
	*10.15			Consulting Agreement, dated as of February 18, 1999, between the Company and D. James Bidzos is incorporated by reference to Exhibit 10.3 to the Company’s Quarterly Report on Form 10-Q for the quarter ended March 31, 1999
	†10.16			Terms and Conditions of Purchase, dated January 1, 1994, between the Company and Gould Electronics is incorporated herein by reference to Exhibit 10.15 to the Form S-1
	†10.17			Letter, dated October 12, 1994, from Sanyo Electric Co., LTD. to the Company is incorporated herein by reference to Exhibit 10.16 to the Form S-1
	†10.18			Progress Software Application Partner Agreement between the Company and Progress Software Corporation, dated December 5, 1994, as amended, is incorporated herein by reference to Exhibit 10.17 to the Form S-1
	†10.19			Second Amendment to Progress Software Application Partner Agreement, dated as of November 29, 1995, between the Company and Progress Software Corporation is incorporated herein by reference to Exhibit 10.13 to the Company’s Quarterly Report on Form 10-Q for the quarter ended June 30, 1997
	†10.20			Third Amendment to Progress Software Application Partner Agreement, dated as of November 15, 1996, between the Company and Progress Software Corporation is incorporated herein by reference to Exhibit 10.14 to the Company’s Quarterly Report on Form 10-Q for the quarter ended June 30, 1997
	†10.21			Fourth Amendment to Progress Software Application Partner Agreement, dated as of April 1, 1998, between the Company and Progress Software Corporation, is incorporated herein by reference to Exhibit 10.18 to the Company’s Quarterly Report on Form 10-Q for the quarter ended June 30, 1998
	#10.22			Fifth Amendment to Progress Software Application Partner Agreement, dated as of February 18, 1999, between the Company and Progress Software Corporation
	#10.23			Sixth Amendment to Progress Software Application Partner Agreement, dated as of October 26, 1999, between the Company and Progress Software Corporation
	10.24			Indenture of Lease, dated as of March 11, 1996, between the Company and Beacon Properties, L.P. is incorporated herein by reference to Exhibit 10.17 to the Company’s Registration Statement on Form S-4 (File No. 333-7265)
	10.25			Rider to Indenture of Lease, dated as of March 11, 1996 between the Company and Beacon Properties, L.P., is incorporated herein by reference to Exhibit 10.6 to the Company’s Quarterly Report on Form 10-Q for the quarter ended March 31, 1998
	10.26			First Amendment to Lease, dated as of May 10, 1997, between the Company and Beacon Properties, L.P. is incorporated herein by reference to Exhibit 10.2 to the Company’s Quarterly Report on Form 10-Q for the quarter ended June 30, 1997
	10.27			Second Amendment to Lease, dated as of April 8, 1998, by and between the Company and EOP — Crosby Corporate Center, L.L.C., is incorporated herein by reference to Exhibit 10.5 to the Company’s Quarterly Report on Form 10-Q for the quarter ended March 31, 1998
	10.28			Lease Agreement, dated as of August 15, 1997, by and between the Company and Peninsula Office Park Associates, L.P., is incorporated herein by reference to Exhibit 10.7 to the Company’s Quarterly Report on Form 10-Q for the quarter ended March 31, 1998
	10.29			Lease Agreement, dated as of December 19, 1997, by and between the Company and Peninsula Office Park Associates, L.P., is incorporated herein by reference to Exhibit 10.8 to the Company’s Quarterly Report on Form 10-Q for the quarter ended March 31, 1998
	10.30			Sublease Agreement, dated as of April 12, 1999, between the Company and netDialog Incorporated is incorporated herein by reference to Exhibit 10.1 to the Company’s Quarterly Report on Form 10-Q for the quarter ended June 30, 1999


	10.31			Master Development and License Agreement, dated September 30, 1997, between the Company and VeriSign, Inc. (“VeriSign”) is incorporated herein by reference to Exhibit 10.19 to VeriSign’s Registration Statement on Form S-1 (File No. 333-40789)
	10.32			Amendment Number One to Master Development and License Agreement dated as of December 31, 1998 between the Company and VeriSign is incorporated herein by reference to Exhibit 10.30 to VeriSign’s Registration Statement on Form S-1 (File No. 333-70121)
	21.1			Subsidiaries of the Company
	23.1			Consent of Deloitte & Touche LLP, Independent Auditors
	27.1			Financial Data Schedule