SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM 10-K
[X] ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d)
OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended December 31, 1996
OR
[ ] TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES
EXCHANGE ACT OF 1934
Commission File No. 0-25120
SECURITY DYNAMICS TECHNOLOGIES, INC.
(Exact name of registrant as specified in its charter)
Delaware
(State or other jurisdiction of incorporation or organization)
04-2916506
(I.R.S. Employer Identification No.)
20 Crosby Drive, Bedford, Massachusetts 01730
(Address of principal executive offices) (Zip Code)
Registrant's telephone number, including area code: (617) 687-7000
------------------------------------------------------------------
Securities registered pursuant to Section 12(b) of the Act: None
Securities registered pursuant to Section 12(g) of the Act:
Common Stock, $.01 par value
(Title of class)
Indicate by check mark whether the registrant: (1) has filed all reports
required to be filed by Section 13 or 15(d) of the Securities Exchange Act of
1934 during the preceding 12 months (or for such shorter period that the
registrant was required to file such reports), and (2) has been subject to such
filing requirements for the past 90 days. Yes [X] No [ ]
Indicate by check mark if disclosure of delinquent filers pursuant to Item
405 of Regulation S-K is not contained herein, and will not be contained, to the
best of registrant's knowledge, in definitive proxy or information statements
incorporated by reference in Part III of this Form 10-K or any amendment to this
Form 10-K. [ ]
The approximate aggregate market value of the voting stock held by
non-affiliates of the registrant was $655,000,000 based on the last reported
sale price of the registrant's Common Stock on the Nasdaq National Market as of
the close of business on March 20, 1997. There were 34,955,965 shares of Common
Stock outstanding as of March 20, 1997.
DOCUMENTS INCORPORATED BY REFERENCE
Document: Portions of the Registrant's 1996 Annual Report to Stockholders
Part of Form 10-K into which incorporated: Items 6, 7 & 8 of Part II
Document: Portions of the Registrant's Proxy Statement for the 1997 Annual Meeting of Stockholders
Part of Form 10-K into which incorporated: Items 10, 11, 12 & 13 of Part III
PART I
ITEM 1. BUSINESS
SDI
Security Dynamics Technologies, Inc. ("SDI") designs, develops, markets and
supports a family of security products used to protect and manage access to
computer-based information resources. SDI's family of products employs a
patent-protected combination of super smart card technology and software or
hardware access control products to authenticate the identity of users accessing
networked or stand-alone computing resources. SDI's SecurID Cards and other
"tokens" and its access control products, including its ACE/Server software and
Access Control Module software and hardware products, are designed to interface
with a wide variety of operating systems and hardware platforms on
client/server, mainframe and mid-range systems to enable enterprise-wide
security coverage. SDI's customers include Fortune 500 companies and financial
institutions as well as academic institutions, research laboratories, hospitals
and federal, state and foreign government organizations. SDI and its
subsidiaries are collectively referred to herein as the "Company."
In recent years, the task of managing access to computer-based information
resources has become increasingly difficult due to a variety of factors,
including: (i) the evolution of enterprise computing from centralized host-based
systems to distributed environments; (ii) the proliferation of desktop and
portable computers; (iii) the linking of local area networks and wide area
networks to mainframes and mid-range systems through internetworking solutions;
and (iv) the rapid increase in remote computing applications and use of the
Internet. As a result of these trends and technologies, the number of users with
direct access to information resources, as well as the number of potential
access points to these resources, has increased dramatically. Sensitive data
accessible from multiple locations include financial results, medical records,
personnel files, research and development projects, marketing plans and other
business information. Unauthorized access to information resources has become a
growing and costly problem for businesses and other enterprises and unauthorized
access prevention continues to be identified by information system professionals
as a priority in their system designs.
SDI's products combine a user's personal identification number or "PIN" and
a code automatically generated by a SecurID token to authenticate the identity
of the user. Each SecurID token contains SDI's proprietary algorithm, which
generates a sequence of pseudo-random token codes displayed on the SecurID token
at set intervals, typically every 60 seconds. When attempting to log-in, the
user is prompted by the Company's ACE/Server software or ACM software or
hardware access control product to enter both the PIN and the current token
code. If the PIN and the code generated by the access control product match
those input by the user, access is granted.
SDI's products are sold or licensed primarily through its direct sales
force, which is supported by a number of strategic marketing relationships.
During 1996, SDI also implemented its SecurVAR (Value Added Reseller) program,
through which SDI is able to deliver its security solutions through value added
resellers. As of December 31, 1996, the Company had sold or licensed over 6,500
software and hardware access control products and over 1,500,000 SecurID tokens
to over 1,600 customers worldwide. A significant portion of the Company's
revenue has historically been attributable to follow-on sales to existing
customers, either to support additional users or platforms or to replace SecurID
tokens at the expiration of their programmed lives.
RSA
Through SDI's wholly owned subsidiary, RSA Data Security, Inc. ("RSA"), the
Company also develops, markets and supports cryptographic and electronic data
security products and provides cryptographic consulting services. RSA's
developer toolkits and other products are used to implement cryptographic
electronic data security applications such as encryption and digital signatures
for products and services targeted at secure electronic commerce, secure
electronic mail, communications privacy, client/server data security, smart
cards and other key information technologies.
RSA licenses its toolkit products to original equipment manufacturers
("OEMs") such as Netscape Communications Corporation ("Netscape"), Microsoft
Corporation ("Microsoft"), International Business Machines Corporation ("IBM")
and Oracle Corporation ("Oracle"). OEMs incorporate RSA's encryption technology
into their products. RSA's encryption technology is embedded in current versions
of Microsoft Windows, Netscape Navigator, Quicken by Intuit, Inc. ("Intuit"),
Lotus Development Corporation ("Lotus") Notes and numerous other products. RSA
technologies are part of existing and proposed standards for the Internet and
World Wide Web, ITU, ISO, ANSI and IEEE as well as various business, financial
and electronic commerce networks.
In recent years, a number of trends have created an attractive environment
for RSA's proprietary technologies. The proliferation of remote computing,
enterprise networks, internetworking and, in particular, the Internet have
generated a substantial demand for cryptographic and electronic data security.
Security Dynamics, SecurID and ACE/Server are registered trademarks, and
the Security Dynamics logo, PASSCODE, Enterprise Security Services, SoftID,
WebID and PINPAD are trademarks of Security Dynamics Technologies, Inc. SecurPC,
BSAFE, TIPEM, BCERT, S/PAY and S/MAIL are trademarks of RSA Data Security, Inc.
All other trademarks or trade names referenced in this Annual Report on Form
10-K are the property of their respective owners.
Industry Background
SDI and RSA
Enterprise computing has been evolving over the last three decades from
host-based systems towards distributed network computing. During the 1980's, the
ease-of-use and low cost of personal computers and the development of personal
productivity software led to rapid growth in the number of personal computer
users throughout organizations. These organizations increasingly began to
interconnect their personal computers into local area networks ("LANs") in order
to share files within work groups. Many enterprise applications continued to
operate on separate mainframe or minicomputers. Since the late 1980's,
specialized internetworking products have made it easier for organizations to
connect their disparate LANs both locally in a single facility and, through wide
area networks ("WANs"), in geographically dispersed locations. Organizations are
also increasingly integrating their LANs with their minicomputers and
mainframes, thus enabling users to communicate, exchange information and share
computing resources within and between organizations. Many of these
organizations are seeking to develop client/server implementations of their
enterprise applications to more fully exploit their distributed networks, many
of which are increasingly accessed by disparate users via remote, LAN and
Internet connections. These new enterprise-wide networks require a
comprehensive set of network products that can integrate a large number of users
and heterogeneous computing resources into a consistent, manageable and secure
computing environment.
As a result of the increase in the number of users having direct access to
enterprise networks and corporate data, unauthorized access to information
resources has become a growing and costly problem for businesses. Sensitive data
that require protection from unauthorized use include financial results, medical
records, personnel files, research and development projects, marketing plans and
other business information. Unauthorized access to these data may go undetected
by the computer user or system administrator, especially if the information is
not altered by the unauthorized party. Companies are vulnerable not only to
unauthorized access to information resources by suppliers, customers and other
third parties, but also to abuse by employees within their own organizations.
Computer and network security has historically been the focus of businesses
engaged in security-conscious industries such as banking, telecommunications,
aerospace and defense. However, with the increased use of enterprise-wide
computing and remote access, network security is of increasing concern to
businesses and other organizations in most industries that use computer or
network-based information resources.
Hierarchy of Computer and Network Security
Products for the protection of information resources on a computer system
or network can be grouped into the following four classes: (i) user
identification and authentication, (ii) privilege definition, (iii) encryption,
and (iv) audit. The effectiveness of each succeeding class of security products
is either dependent on or enhanced by the availability and effectiveness of one
or more of the preceding classes. For example, without proper authentication of
the identity of a user, it is difficult to assure that the privileges granted
after accessing a system or network are being granted to the proper authorized
user. The Company's current products are targeted at the fundamental need to
authenticate the identity of system and network users and to provide
cryptographic and electronic data security.
Identification and Authentication
Reliable authentication of the identity of users is necessary to prevent
unauthorized access to computer and network resources. There are three generally
accepted methods of user identification: (i) something secret the user knows,
such as a word, phrase, personal identification number ("PIN"), code or fact,
(ii) something physical the user possesses, such as a key, smart card, badge or
other form of discrete "token," which is resistant to counterfeiting, and (iii)
something unique to the user, such as a fingerprint, signature, retinal pattern,
voice print or other measurable personal characteristic or "biometric." The
Company believes that the use of a two-factor authentication system, combining
two of the three generally accepted methods of user identification, is required
for reliable computer and network security.
Enterprise Security
The Company believes that there is an emerging market for enterprise-wide
security solutions and, increasingly, for inter-enterprise security solutions
(e.g., between the enterprise and its vendors and customers).
These solutions must address the need for:
- Ease of use;
- Interoperability within heterogeneous enterprise environments;
- Scaleability;
- Ease of administration;
- Integration with existing customer applications; and
- System reliability and availability.
To date, most approaches to network security have been limited in scope and
have failed to address one or more of these requirements. SDI believes that, in
order to compete effectively in this market, vendors of computer and network
security products must develop a comprehensive set of network security services
that can accommodate a large number of users and integrate heterogeneous
computing resources into a consistent, manageable, reliable and secure computing
environment.
In recent years, a number of trends have created an attractive environment
for RSA's proprietary technologies. As described above, the proliferation of
remote computing, enterprise networks, internetworking and, in particular, the
Internet have generated significant demand for cryptographic and electronic data
security.
SDI Solution
SDI designs, develops, markets and supports a family of security products
used to protect and manage access to computer-based information resources. SDI's
family of products employs a patent-protected combination of super smart card
technology and software or hardware access control products to authenticate the
identity of users accessing networked or stand-alone computing resources. RSA, a
recognized leader in cryptography, supplies its technology and toolkits for
public key encryption to a growing list of major systems and software providers.
RSA's encryption technology is embedded in Microsoft Windows, Novell Netware,
Netscape Navigator, Intuit's Quicken, Lotus Notes and hundreds of other
products. The combined companies are positioned to supply solutions for
corporate enterprise-wide networks, intranets, and the Internet along with its
future promise of electronic commerce.
SDI's products combine two methods of user identification -- something
secret the user knows (a PIN) and something the user possesses (the SecurID
token). To gain access to a protected resource, a user enters his or her PIN and
the token code automatically computed and displayed on the liquid crystal
display ("LCD") of the user's SecurID token. The PIN and the token code together
form the user's "PASSCODE." With a valid PASSCODE, the authorized user is
identified and authenticated by the access control product and granted access to
appropriate information resources. If the PASSCODE generated by the system and
the PASSCODE entered by the user match, system access is authorized. If not,
system entry is blocked. In either case, a record is logged and an audit trail
is maintained by the system.
Each SecurID token contains SDI's proprietary algorithm and is programmed
with a secret, randomly generated seed number which is unique to the token. The
algorithm uses the seed number and Greenwich Mean Time to produce a sequence of
token codes at set intervals (typically every 60 seconds). SDI's access control
products, available in both software and hardware versions, use the same
algorithm, seed number and Greenwich Mean Time to generate a token code
corresponding to the token code generated by the user's SecurID token.
SDI's patented time synchronization software residing within the access
control product assures that the codes generated by the system stay synchronized
with the codes generated by the user's SecurID token. SDI's proprietary programs
are designed to intercept attempted system abuse and automatically take action
if the system suspects that a token is lost or stolen or a PIN is compromised.
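The check described in the two passages above (a PIN plus token code forming the PASSCODE, and the access control product recomputing the code from the same seed and Greenwich Mean Time) can be sketched as follows. This is an added illustration, not SDI's code: SDI's algorithm is proprietary, so an HMAC-SHA256 truncation stands in for it, and the acceptance window, lockout threshold, class names and sample seed are assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

INTERVAL = 60      # seconds per token code (the typical interval in the text)
DIGITS = 6         # assumed display length
WINDOW = 1         # assumed tolerance: +/- 1 interval around server time
MAX_FAILURES = 3   # assumed threshold before a token is disabled


def token_code(seed: bytes, unix_time: int) -> str:
    """Stand-in generator, NOT SDI's proprietary algorithm.

    It shares only the inputs the text names: a secret per-token seed
    and the current GMT time, quantised to INTERVAL-second steps.
    """
    counter = unix_time // INTERVAL
    mac = hmac.new(seed, struct.pack(">q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


@dataclass
class TokenRecord:
    pin: str           # kept in clear only to keep the sketch short
    seed: bytes
    drift: int = 0     # learned clock offset of this token, in intervals
    failures: int = 0
    locked: bool = False


@dataclass
class AccessControl:
    tokens: dict
    audit: list = field(default_factory=list)

    def verify(self, user: str, passcode: str, now: int) -> bool:
        """Check PIN + token code; log a record whether access is granted or not."""
        rec = self.tokens.get(user)
        ok, reason = False, "unknown user"
        if rec is not None and rec.locked:
            reason = "token disabled"
        elif rec is not None:
            reason = "bad passcode"
            # Try the expected interval first, then its neighbours.
            for step in sorted(range(-WINDOW, WINDOW + 1), key=abs):
                t = now + (rec.drift + step) * INTERVAL
                expected = rec.pin + token_code(rec.seed, t)
                if hmac.compare_digest(expected.encode(), passcode.encode()):
                    rec.drift += step   # follow the token's clock
                    rec.failures = 0
                    ok, reason = True, "ok"
                    break
            if not ok:
                rec.failures += 1
                if rec.failures >= MAX_FAILURES:
                    rec.locked = True
                    reason = "bad passcode; token disabled"
        self.audit.append((now, user, "GRANT" if ok else "DENY", reason))
        return ok


if __name__ == "__main__":
    seed = bytes(range(16))   # constructed sample seed
    now = 852_076_800         # constructed sample time (1997-01-01 00:00 GMT)
    ac = AccessControl({"alice": TokenRecord(pin="4821", seed=seed)})
    # The token's clock runs one interval fast; the server accepts and learns it.
    print(ac.verify("alice", "4821" + token_code(seed, now + 60), now))
    print(ac.tokens["alice"].drift)
    for entry in ac.audit:
        print(entry)
```

Tracking `drift` per token is what lets a slowly drifting token clock keep authenticating without widening the acceptance window for every user.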
During the fourth quarter of 1995, SDI began shipping a second generation
of its ACE/Server software ("ACE/Server v2.0") to meet the evolving enterprise
security needs of its customers. ACE/Server v2.0 incorporates Progress Software
Corporation's commercial relational database and is designed to provide a higher
degree of scaleability, facilitate interoperability of ACE/Server v2.0 with
enterprise environments and existing customer applications through the use of a
standard SQL interface and provide greater system reliability and availability.
ACE/Server v2.0 also incorporates an easy-to-use graphical user interface
("GUI") and flexible administration tools to simplify network security
management.
SDI believes that the architecture of ACE/Server v2.0 provides the
foundation for future enhancements to SDI's enterprise-wide security solution.
Areas for future development currently being pursued by SDI include: (i) server
to server authentication (cross realm or domain authentication) to support
mobile users by allowing access to protected resources over multiple
ACE/Servers; (ii) enhanced redundancy for each ACE/Server for increased
availability in large installations; (iii) use of standard SQL interfaces to
allow customer and third-party integrators to customize their applications and
integrate ACE/Server software with network management software such as HP
OpenView, Sun NetManager and CA UniCenter and to facilitate the support of
industry standard development tools such as PowerBuilder from Sybase and
PeopleTools from PeopleSoft; (iv) directory services to simplify the
administration of customer network resources; and (v) tools for building
customized GUIs for administrative applications. ACE/Server v2.0 is also
designed to provide an enterprise-enabled platform from which the Company can
address other classes of the network security hierarchy to deliver integrated
solutions for protecting information resources.
During the fourth quarter of 1996, the Company began shipping ACE/Server
for Windows NT, a key release of the flagship ACE/Server product. This product
is designed to provide network managers with scaleable performance to support
the authentication needs of NT enterprise users. It is also designed to provide
an easy-to-use Windows NT-based interface and a seamless integration of security
management with NT-based corporate information systems.
During the fourth quarter of 1996, the Company also began shipping the
ACE/Client for Windows NT 4.1 with the new WebID feature. Used in conjunction
with SDI's ACE/Server and SecurID technology, businesses can offer secure access
at the Web page level to their Internet and intranet sites, enabling
corporations to more fully exploit the World Wide Web's commercial potential.
RSA Solution
RSA believes that its public key cryptographic technology (or
"cryptosystem") is one of the most secure cryptographic techniques commercially
available to encrypt, and to verify the authenticity and integrity of,
electronic data.
RSA believes that its cryptosystem is a de facto standard for a number of
electronic security applications. It is built into current operating systems
offered by Microsoft, Apple Computer, Inc., Sun Microsystems, Inc. and Novell,
Inc. ("Novell"). In hardware, RSA technology is used in secure telephones, on
Ethernet network cards and on smart cards. In addition, RSA technology is
incorporated into all of the major protocols for secure Internet communications,
including SSL, S-HTTP, S/MIME, PCT, PKCS, SET and PEM. It is also used
internally in many institutions, including branches of the United States
government, major corporations, national laboratories and universities. RSA's
technology has also become widely selected as a standard for various electronic
banking applications.
The advantages of the RSA public key cryptosystem over traditional
cryptography and other public key cryptographic technologies include the fact
that the RSA cryptosystem can be used for both encryption and authentication.
Encryption
In traditional cryptography, known as secret key or symmetric cryptography,
the sender and receiver of a message know and use the same secret keys. The
sender uses the secret key to encrypt a message by transforming data into a form
unreadable by anyone without a secret decryption key. The receiver uses the same
secret key to decrypt the message by transforming the encrypted data into the
original readable message. A key is a value or series of bits used by the
cryptographic system to convert the original text into an encrypted text or to
decrypt the encrypted text back into the original text. The principal problem
with secret key cryptography is communicating the secret key between the sender
and receiver without anyone else discovering it. If they are in separate
physical locations, they must trust a courier, a phone system or some other
transmission medium to prevent the disclosure of the secret key being
communicated. Anyone who overhears or intercepts the key in transit can later
read, modify and forge messages encrypted or authenticated using that key.
Because all keys in a secret key cryptosystem must remain secret, secret key
cryptography often has difficulty providing secure key management, especially in
open systems like the Internet with a large number of users.
The concept of public key cryptography, introduced in 1976, attempts to
solve the key management problem by giving each person a pair of keys, one
called the public key and the other called the private key. Each person's public
key is published while the private key is kept secret. The sender encrypts a
message using the public key and communicates it via a public mode of
communication. If implemented properly, the message can only be decrypted with a
private key, which is in the sole possession of the intended recipient. All
communications involve only public keys, and no private key is ever transmitted
or shared. With public key cryptography, it is not necessary to trust a
communications channel to be secure against eavesdropping or betrayal. In
general, public key cryptography requires only that public keys be associated
with their users in a trusted manner, for instance, by maintaining the key in a
trusted directory, and that the private key not be disclosed.
The RSA public key cryptosystem was developed in 1977 by Ronald Rivest, Adi
Shamir and Leonard Adleman, then professors at the Massachusetts Institute of
Technology ("MIT"). This technology has been licensed by MIT to RSA. RSA's
toolkit products built around this technology
enable RSA's customers to develop applications that are designed to provide
secure electronic data communication.
The RSA public key cryptosystem uses a pair of large prime numbers to
generate private keys and public keys. The size of the keys determines the
degree of security provided. The security afforded by RSA's encryption products
is predicated on the assumption that "factoring" of the composite of large prime
numbers is difficult. Should an "easy factoring method" be developed, then the
security afforded by RSA's encryption products would be reduced or eliminated.
There can be no assurance that such a development will not occur. Moreover, even
if no breakthroughs in factoring are discovered, factoring problems can
theoretically be solved by a computer system significantly faster and more
powerful than those presently available. If such improved techniques for
attacking cryptosystems are ever developed, it would have a material adverse
impact on the business and results of operations of RSA.
Authentication
Authentication in a digital context is a process whereby the receiver of a
digital message can be confident of the identity of the sender and/or the
integrity of the message. In public key cryptosystems, authentication is enabled
by the use of digital signatures. Digital signatures play in the digital world a
function similar to that played by handwritten signatures for printed documents.
The signature is an authentic piece of data asserting that a named person wrote
or otherwise agreed to the document to which the signature is attached. The
recipient, as well as a third party, can verify both that the document
originated from the person whose signature is attached and that the document has
not been altered since it was signed. Secure digital signatures may be used to
refute a claim by the signer of a document that it was forged.
Strategy
SDI
The Company's objective is to be a leader in the computer and network
security market. Key elements of the Company's strategy to achieve this
objective are listed below:
- Enhance Enterprise-Enabled Identification and Authentication Product
Line. The Company plans to continue to add new capabilities and
features to its computer and network security products to meet its
customers' identification and authentication needs within the context
of an evolving enterprise environment. The Company continues to
develop significant expertise in the field of enterprise-wide resource
protection and its application to client/server architecture, which it
intends to use to develop and exploit the technologies best suited to
satisfy the security requirements of its customers.
- Expand Products into Additional Client/Server and Legacy Environments.
The Company intends to continue to expand its products into additional
client/server and legacy environments. SDI currently offers ACE/Server
software on a variety of popular UNIX server platforms, including
Hewlett-Packard HP-UX, Sun Solaris and SunOS, IBM AIX, Digital UNIX
and SCO (Santa Cruz Operations) UNIX. SDI has also developed a version
of its ACE/Server software for use on Microsoft Windows NT and expects
to develop versions for other platforms as market needs dictate. SDI
also offers versions of its ACE/Server client software that operate in
most UNIX operating environments, including Hewlett-Packard HP-UX, Sun
Solaris and SunOS, IBM AIX and SCO UNIX. In addition, SDI offers
versions of its ACE/Server client software that operate on
Novell NetWare (Versions 3.11 and 3.12), Microsoft Windows NT RAS
(Version 3.51), Apple Computer Inc.'s AppleTalk and Digital Equipment
Corporation's OSF1. The Company continues to work with third-party
partners to integrate or otherwise make its client software compatible
with a number of widely used management products, including gateway
and communication products.
- Expand Product Offerings Within the Security Hierarchy. SDI's products
currently offer user identification and authentication and security
audit trail capabilities. SDI intends to combine these products with
products developed by SDI and third parties that address other classes
of the network security hierarchy to deliver integrated solutions for
protecting information resources. The Company continues to identify
and prioritize various technologies addressing other classes of the
security hierarchy to determine potential future product offerings by
the Company, such as products for encryption and control of user
privileges. For example, during 1995 and 1996, the Company acquired a
minority equity interest in VeriSign, Inc., a company organized to
provide digital certificate and related services that use public key
cryptography to protect the privacy of electronic transmissions on
public and private networks. In December 1996, the Company also
acquired a minority interest in VPNet Technologies, Inc., a company
organized to provide a series of next-generation products designed to
make virtual private networks ("VPN's") a viable, secure and
affordable alternative to dedicated private leased lines.
- Expand Direct Sales and Support Channel. The Company currently sells
its products in North America and in targeted major markets abroad
through its direct sales force. The Company believes that a direct
sales force is well suited to differentiate the Company's products
from those of its competitors and to obtain insights into the future
security requirements of the Company's customers. The Company intends
to continue to expand its direct sales and support organization and to
enhance its direct sales efforts by adding OEMs. During 1996, the
Company added 54 sales and technical sales support personnel,
representing an increase of 96% over the sales and technical sales
support personnel at the end of 1995. During 1996, the Company
implemented its SecurVAR indirect sales channel program and, by
December 31, 1996, the Company had certified an aggregate of over 50
OEMs and VARs. The Company intends to continue to expand its indirect
sales channel opportunities by certifying additional OEMs and VARs in
the future.
- Expand International Presence. Sales outside North America represented
18% of the Company's total revenue for 1996. The Company's
operations outside North America currently consist of sales offices in
London, Paris, Frankfurt, Oslo, Tokyo and Singapore and independent
local distributors located in 17 key foreign markets. Additional
support is provided to the Company's international operations from its
headquarters in Bedford, Massachusetts. The Company believes that
international markets present a large, relatively new market for
computer and network security products, and plans to continue to
expand its business outside North America through the hiring of sales
personnel and the establishment of additional distribution
arrangements, primarily in Europe and the Far East.
To enhance each of the foregoing strategies, the Company has established,
and expects to continue to establish, strategic marketing and other third-party
relationships with vendors of operating systems and network operating systems
(OS/NOS), remote access products, Internet-related products and application
software. As of December 31, 1996, the Company's strategic marketing or other
relationships included the following:
OS/NOS
------
Apple Computer Inc. (AppleTalk)
Cisco Systems, Inc. (TACACS and TACACS+)
Microsoft Corporation (Windows NT and NT RAS)
Novell (Netware Versions 3.11 and 3.12 and Netware Connect Version 2.0)
INTERNET-RELATED PRODUCTS
-------------------------
Advanced Network Services, Inc. (Interlock Service)
Border Networks Technologies, Inc. (Janus)
Checkpoint Systems, Inc. (Firewall-1)
IBM (NetSP Firewall)
Milky Way Networks Corporation (Black Hole)
NeXT Software, Inc. (Web Objects)
Raptor Systems, Inc. (Eagle)
Secure Computing Corporation (Sidewinder)
SOS Corporation (Brimstone)
Technologic Inc. (Firewall)
Trusted Information Systems Inc. (Gauntlet)
APPLICATION SOFTWARE
--------------------
Advantis (Dial Service)
CyberSAFE Corporation (Challenger)
IBM (NetSP)
Mergent International Inc. (PC DACS)
Oracle Corporation (Secure Network Services)
OTG, Incorporated (Call Control System)
TGV Inc. (Secure/IP)
REMOTE ACCESS PRODUCTS
----------------------
3Com Corp. (Access Builder)
Ascend Communications Inc. (Max, Pipeline)
Attachmate Corp. (Remote Lan Node)
Bay Networks, Inc. (Lattis System 3000, 9000, BAY RS)
Cisco Systems, Inc. (TACACS and TACACS+ supported)
Emulex Corporation (Connect+Pro)
Gandalf Technologies Inc. (XpressWay)
IBM (8235, Lan Distance)
Kasten Chase Applied Research, Inc. (Optiva)
Livingston Enterprises, Inc. (PortMaster)
Microcom, Inc. (Lan Express)
Penril Datability Networks (CSX)
Rockwell (NetHopper)
Shiva Corporation (LanRover)
TechSmith Inc. (Enterprise Wide)
Telebit Corporation (NetBlazer)
U.S. Robotics (Sportster Modem)
Xylogics, Inc. (Annex)
Xyplex, Inc. (MaxServer, Network 9000 Server)
The Company believes its strategic marketing relationships provide it with
a competitive advantage by enabling the Company to expand its network coverage,
increase its installed customer base and increase SecurID token usage.
An overriding goal of the Company in pursuing its strategy is to achieve a
high level of customer satisfaction through technological support, product
performance and reliability, and prompt and accurate order processing.
RSA
Critical aspects of RSA's strategy include:
- developing proprietary cryptographic technology and broadly licensing
this technology to hardware manufacturers and software developers;
- establishing RSA's proprietary technology as a de facto encryption
standard;
- establishing alliances with strategic partners in the software,
hardware and telecommunications industries;
- creating value-added cryptographic and electronic data security
toolkits that rely on RSA's proprietary technology to enable new
markets; and
- developing products based on open protocols to address the specialized
needs of market segments such as electronic mail and networking where
electronic data security is a competitive priority.
Because the market for the Company's products is only recently emerging,
declines in demand for the Company's products, whether as a result of
competition, technological change, the public's perception of the need for
security products, developments in the hardware and software environments in
which these products operate, general economic conditions or other factors,
could have a material adverse effect on the Company's financial condition or
results of operations.
A well-publicized actual or perceived breach of network or computer
security could trigger a heightened awareness of computer abuse, resulting in an
increased demand for security products such as those offered by the Company.
Similarly, an actual or perceived breach of network or computer security at one
of the Company's customers, regardless of whether such breach is attributable to
the Company's products, could adversely affect the market's perception of the
Company and the Company's financial condition or results of operations. In
addition, although the effectiveness of the Company's products is not dependent
upon the secrecy of its proprietary algorithm, the public disclosure or
"breaking" of this algorithm could result in a perception of breached security
which could have an adverse effect on the Company's financial condition or
results of operations.
Products
The Company's family of security products includes SecurID tokens,
ACE/Server and ACM software and ACM hardware access control products and RSA
encryption and toolkit products. All of SDI's products use the patented SecurID
token technology as a common user interface. The Company currently offers three
types of tokens and a number of software and hardware access control products
designed to function with a wide variety of operating systems, network
environments and third-party hardware and software products, thus enabling
customers to select optimal configurations for the installation of the Company's
computer and network security products.
SecurID Tokens
The Company's current SecurID tokens contain LCD displays and are offered
in a number of numeric and alphanumeric display configurations. Both the SecurID
Card and the SecurID PINPAD Card are credit-card sized super smart cards, and
the SecurID Key Fob is a key fob for customers requiring a durable and compact
token that can be carried with a user's keys. The SecurID PINPAD Card includes a
keypad on the face of the SecurID Card to permit direct entry of a user's PIN
into the Card, thus reducing the risk of electronic eavesdropping by enabling a
user to transmit an embedded combination of the user's PIN and token code. The
SecurID Modem is an integration of the SecurID token technology with a
high-performance PC Card modem from Motorola. The SoftID authentication
software, deployed on PCs, utilizes the same technology as found in the SecurID
token.
SDI currently offers the following SecurID tokens:
                          COMMERCIAL      CURRENT U.S.
SecurID Token             INTRODUCTION    LIST PRICE*
-------------             ------------    ------------
SecurID Card              1986            $34 - $90
SecurID PINPAD Card       1989            $42 - $98
SecurID Key Fob           1995            $38 - $90
SecurID Modem             1996            $396 - $450
SoftID Authentication
  Software                1996            $25 - $45
* Token prices vary based on programmed life and functionality.
SecurID tokens can be programmed to operate for any period of time from one
to four years, as specified by the customer. At the end of its programmed life,
a SecurID token will automatically cease to function and must be replaced,
thereby providing an additional level of security for the Company's customers.
SecurID tokens can also be configured with multiple seeds for use by users who
otherwise might require multiple cards.
ACE/Server
The Company's ACE/Server software, an integrated security server, manages
access to network resources via the Internet, public gateways, remote dial-up
modems, leased lines, workstations, terminals, personal computers or direct
connection. It permits centralized user authentication and security
administration for all customer resources protected on a TCP/IP network. The
ACE/Server software consists of a combination of server software and
client-resident software. The server software contains administrative and
reporting functions, the algorithm, the synchronization code and a database of
protected resources or "clients." Clients may include workstations, personal
computers and third-party communications, gateway and network software and
hardware. The server software allows a network administrator to restrict user
access to identified clients. The Company's ACE/Server v2.0 software is
currently available for the following UNIX-based operating systems at list
prices (not including negotiated, world-wide licenses) currently ranging from
$2,450 to $150,000, based on the number of users.
ACE/SERVER    COMMERCIAL
MODEL         INTRODUCTION    OPERATING SYSTEM
-----         ------------    ----------------
ACM/8101      1991            Sun SunOS
ACM/6201      1992            IBM AIX
ACM/9601      1992            Hewlett-Packard HP-UX
ACM/8201      1994            Sun Solaris
ACM/9401      1996            Windows NT (3.51 and above)
ACE/Server for Windows NT
In the fourth quarter of 1996, the Company began shipping ACE/Server for
Windows NT, the latest version of its ACE/Server network security software.
ACE/Server for Windows NT is designed to provide network managers with scaleable
performance to support the authentication needs of enterprise users,
easy-to-learn Windows NT-based user interfaces and seamless integration of
security management with corporate information systems. Network administration
of SecurID tokens and SoftID authentication software is now optimized for
Microsoft Windows NT environments.
ACE/Server for Windows NT has the following features:
- ACE/Server for Windows NT serves as the platform for the Company's
Windows NT-based database engine, development tools and user interfaces,
capitalizing on the market demand for Windows NT-based technology.
- administrators can manage the ACE/Server software from distributed
Windows NT workstations, allowing for multiple facilities and organizations to
share in the administration of a single ACE/Server.
- all distributed administrative dialogs with ACE/Server for Windows
NT are encrypted as they travel across the corporate network allowing for
security of SecurID user credentials.
ACE/Server for Windows NT v4.0 with WebID Feature Set
The ACE/Client for Windows NT 4.0 features the first implementation of the
Company's WebID Feature Set. The two-factor end-user authentication found in the
Company's ACE/Server and SecurID technology can be used to protect sensitive
information found on corporate intranets. ACE/Client for Windows NT v4.0 adds
support for Microsoft's Windows NT 4.0 and is integrated with Microsoft's
Internet Information Server (IIS) in accordance with the Microsoft Internet
Security Framework (MISF). The WebID Feature Set defines the necessary
requirements in securing access to Web server content. The WebID Feature Set has
the following features:
- the WebID Feature Set specifies support for major Web servers,
enabling customers to flexibly deploy a security solution over a variety of Web
server platforms.
- administrators have the ability to select specific pages and
directories of pages for protection. Access to sensitive information found on
corporate intranets can be easily secured. Public protected pages effectively
reside on a common Web server.
- the WebID Feature Set allows for high multiple authentication rates,
and integration of administration with Web servers to efficiently deploy SecurID
access controls.
- the WebID Feature Set supports major browsers found on the Internet,
allowing SecurID user authentication to take place irrespective of the end
users' choice of browser. End users authenticate only once per browsing session,
allowing users to securely and conveniently follow links to other protected
pages.
- the addition of SecurID end-user authentication technology adds an
additional layer of security to the Secure Sockets Layer (SSL) encryption that
already exists in current Web products.
ACM Software
The Company's ACM software products interface directly with the host
computer's operating system to restrict access to the protected system or
resource. The Company's ACM software products can accommodate an unlimited
number of users and provide security audit trails, user accountability and
activity reporting. The Company currently offers the following ACM software
products:
            COMMERCIAL                          CURRENT U.S.
MODEL       INTRODUCTION    OPERATING SYSTEM    LIST PRICE*
-----       ------------    ----------------    -----------
ACM/5100    1988            Digital VAX/VMS     $1,950 - $25,000
ACM/6150    1988            IBM MVS, MVS/ESA    $18,500 - $32,500
* List prices vary depending upon the number of authorized users.
ACM Hardware
The Company's ACM hardware products employ a multi-tasking operating system
for communication control, user authentication, auditing of access attempts,
automatic response to unauthorized access, report generation and management of
the system's internal database of SecurID token data. Each ACM contains a custom
single-board computer that connects directly with any RS-232 asynchronous host
and provides access control through leased lines, dial-up modems, networks, X.25
networks, ISDN lines, workstations or terminals located near the host computer.
The Company currently offers the following ACM hardware products:
              COMMERCIAL      NUMBER OF                        CURRENT U.S.
MODEL         INTRODUCTION    PORTS/USERS                      LIST PRICE
-----         ------------    -----------                      ----------
ACM/1600HS    1995            16 RS-232 Ports; 400 users;      $9,850
                              expandable to 256 ports, 6400
                              users; up to 115.2k baud
ACM/400HS     1995            4 RS-232 Ports; 200 users; up    $2,850
                              to 115.2k baud
ACM/100HS     1995            1 RS-232 Port; 100 users; up     $650
                              to 115.2k baud
SecurADM Software
The Company acquired Infratel S.A.R.L.'s SecurADM technology during 1995.
SecurADM software provides secure single sign-on and central administration and
management for heterogeneous network environments. SecurADM software utilizes
the Company's SecurID technology to manage, encrypt and propagate passwords and
security information across multiple platforms. Working with ticket granting
technology from third-party vendors such as Hewlett-Packard, Computer Associates
and Sun Microsystems or with IBM's NetSP product, SecurADM software manages and
authenticates user access to secure applications and services, allowing the user
to log on once to the enterprise and access multiple protected resources.
Version 2.0 of SecurADM software, which was introduced in 1995, addresses
customer environments that include centralized and distributed legacy mainframe
and UNIX-based client/server applications in local and wide area networks.
SecurADM software is currently installed in a number of
European insurance companies and financial institutions and will initially be
marketed by the Company in Europe through the Company's direct sales force and
its European distributors.
RSA SecurPC
In the fourth quarter of 1996, the Company began shipping RSA SecurPC, an
easy-to-use encryption product based on the RSA public key cryptosystem. RSA
SecurPC marks the first end-user encryption product offered by the Company since
the acquisition of RSA. RSA SecurPC is a general purpose encryption product
designed to protect data stored on users' local hard drives, network drives and
laptop computers and can also be used to protect confidential data in transit
via email by utilizing RSA's encryption technology. RSA SecurPC is
cross-compatible, enabling users to exchange encrypted files across multiple
platforms, in addition to transparently securing information throughout extended
enterprises. Users can provide the "combination" or pass phrase to a person who
needs to decrypt files so users not equipped with RSA SecurPC can decrypt
encrypted files. Emergency Access file recovery enables administrators to split
emergency decryption authority among multiple authorities. Promoting ease of use
as a central feature, the AutoCrypt function enables files to be encrypted
on-demand automatically.
RSA SecurPC is available from the Company for Windows 3.1x, Windows 95,
Windows NT 3.51 and Macintosh, and the U.S. price list currently ranges from $29
to $129 per licensed copy, depending on the number of users. Maintenance, sold
at 20% of the cost of the product, entitles the user to all updates and upgrades
released during the period of maintenance coverage, as well as technical
support.
Toolkit Products
BSAFE. BSAFE, RSA's flagship product, was introduced in 1987 as a
general-purpose cryptography toolkit designed to allow programmers to integrate
encryption and authentication features into their applications. It supports
RSA's patented RSA public key cryptosystem, as well as more than a dozen of the
world's most popular cryptographic techniques. BSAFE is designed to provide the
security tools for a wide range of applications, such as digitally signed
electronic forms and virtual private networks. Many of the most important data
security industry standards incorporate BSAFE's technologies, including SSL,
S-HTTP, S/MIME, PCT, PKCS, SET and PEM. The BSAFE 3.0 product offers greater
security by supporting public key operations with up to 2048-bit keys, and
better performance by enhancing the throughput of both the public key and secret
key algorithms. BSAFE is written in portable "C" with assembly language
optimizations for performance and is available on a wide variety of platforms.
BSAFE customers include Netscape, Lotus, Oracle, IBM, Intuit and Microsoft.
TIPEM. TIPEM is an interoperable, secure electronic mail development
toolkit based on the Secure Multipurpose Internet Mail Extension (S/MIME)
standard. TIPEM allows a message sent using one vendor's email product (such as
Lotus' cc:Mail) to be read by another vendor's email product (such as Novell's
Groupwise). TIPEM customers include Netscape, America Online and IBM/Lotus.
TIPEM is RSA's core messaging toolkit and is complemented by other add-on
toolkit products such as S/MAIL.
BCERT. The BCERT development toolkit is designed to allow developers to
incorporate public key certificates into their applications. A public key
certificate verifies the identity of a user and his or her public key. The BCERT
toolkit supports the ITU-T X.509 V3 international standard for public key
certificates. BCERT, introduced in October 1996, contains all the cryptographic
support necessary to generate certificate requests, sign certificates and create
and distribute certificate revocation lists
(CRLs). A public key certificate infrastructure is an important part of the
combined Company's next-generation security architecture and forms the framework
for the Company's future information security solutions, ranging from RSA
cryptographic engines to Security Dynamics' Enterprise Security Services.
S/MAIL. The S/MAIL development toolkit is a standards-based secure
messaging solution designed to allow developers to provide a secure messaging
infrastructure based on the Secure Multipurpose Internet Mail Extension (S/MIME)
standard. Introduced in January 1997, the S/MAIL developer kit is offered as a
special-purpose add-on to RSA's TIPEM toolkit and offers specific message
formatting, user interface primitives, local management of certificates,
database integration and management of other configuration information. The
S/MAIL developer kit is designed to remove the confidentiality and integrity
threats to electronic mail by providing that electronic mail messages are read
only by designated recipients, regardless of their electronic mail platform. The
S/MAIL developer kit is also designed to authenticate the sender and maintain
the validity of the message contents as intended by the sender through
implementation of digital signatures and hashing algorithms.
The Company's Enterprise Security Services is an extension of the
ACE/Server technology to support services such as certificate management, key
management and privilege management. During 1997, the Company intends to
introduce products and form partnerships that will enable delivery of security
services such as certificate management (certificates which attest to the
authenticity of the owners of public keys), key management (services which are
currently expected to include generation, distribution, validation, replacement,
termination and recovery of keys) and privilege management (services which are
currently expected to manage privileges that define what enterprise resources
users can access and what they can do with those resources). In conjunction with
the enhancement of the ACE/Server platform and the availability of add-on
service modules, the Company currently intends to add machine-readable, credit
card-sized smart cards to its existing token offerings. It is currently expected
that these smart cards would provide a secure and convenient form factor for
delivering authentication functions and key and certificate storage. The Company
expects that ACE/Server will provide a common management interface, accessible
through Web browsers, to manage all Enterprise Security Services, thereby
enabling the administration of the various security services from a single,
easy-to-use management platform.
Because the Company currently derives substantially all of its revenue from
sales of its computer and network security products, developer toolkits and
related services, any factor adversely affecting sales of these products and
services would have a material adverse effect on the Company. Existing and new
versions of such products are expected to continue to represent a high
percentage of the Company's revenues for the foreseeable future. As a result,
any factor adversely affecting sales of these products, or any factor impeding
or delaying the Company's ability to diversify its product offering to lessen
its dependency on those products, would have a material adverse effect on the
business and financial results of the Company.
The RSA/MIT Patent (as defined below), the claims of which cover
significant elements of these products, will expire on September 20, 2000, which
may enable competitors to thereafter market competing products which previously
would have infringed the RSA/MIT Patent. In addition, one of the Stanford
Patents (as defined below), the practice of which can be used to substitute for
methods covered by the RSA/MIT Patent, will expire in 1997, and its applications
may become more widespread as a result, which may adversely impact sales of
RSA's products. See "Item 3 -- Legal Proceedings."
The market for security products, especially in the Internet and intranet
markets, is characterized by rapidly changing technology, emerging and evolving
industry standards, new product introductions, relatively short product life
cycles and rapid and constant changes in customer requirements and preferences.
To the extent that a specific method other than the method employed by the
Company is adopted as the standard for implementing network and computer
security, sales of the Company's existing and planned products in that market
segment may be adversely impacted, which could have a material adverse effect on
the Company's financial condition and results of operations. There can be no
assurance that competing products or technologies developed by others or the
emergence of new industry standards will not adversely affect the Company's
competitive position or render its products or technologies noncompetitive or
obsolete. Thus, the Company's future success will depend in part upon its
customers' and end users' demand for electronic security products and upon the
Company's ability, on a timely and cost-effective basis, to enhance its existing
products and to introduce new products with features that meet changing customer
requirements and with competitive prices. There can be no assurance that the
Company will be successful in doing so. Delays in product enhancement and
development or the failure of the Company's new products or enhancements to gain
market acceptance would have a material adverse effect on the Company's business
and results of operations. Despite testing, new products may be affected by
quality, reliability or security failure problems, including software errors,
bugs or viruses, which could result in returns, delays in collecting accounts
receivable, unexpected service or warranty expenses, reduced orders and a
decline in the Company's competitive position.
Sales and Marketing
The Company has established a multi-channel distribution and sales network
to serve the computer and network security market. The Company sells and
licenses its products in the Americas, the United Kingdom, France, Germany,
Norway, Japan and Singapore directly to end users through its direct sales force
and indirectly through a limited number of OEMs. It also employs independent
distributors outside the United States. In addition, the Company supports its
direct and indirect sales efforts through strategic marketing relationships and
public relations programs, trade shows and other marketing activities. The
Company sells and licenses its products through written sales and license
agreements under terms and conditions that the Company believes are consistent
with industry practice. In August 1996, the Company launched its SecurVAR
reseller program comprising remote access and vertical industry VARs. The
SecurVAR program enables resellers to integrate the Company's user
authentication and encryption technology with their existing product portfolios.
All SecurVAR resellers are provided with sales training and must complete a
technical certification program designed to enable them to install, troubleshoot
and offer first level support to customers.
Sales
The Company believes that a direct sales force is well suited to
differentiate the Company's products from those of its competitors, to work with
customers to provide security solutions for the protection of information
resources and to obtain insights into customers' future security requirements.
The Company's direct sales staff solicits prospective customers, provides
technical advice and support with respect to the Company's products and works
closely with customers and the Company's distributors and OEMs. As of December
31, 1996, the Company's direct sales organization consisted of 67 sales and
technical support personnel operating at 32 locations in North America and 48
sales and technical support personnel operating at four locations in Europe with
locations also in Singapore and Japan. The Company's revenue from direct sales
efforts for the years ended December 31, 1994, 1995 and 1996 was approximately
97%, 97% and 95% of total revenue, respectively.
SDI also markets, sells and licenses its products indirectly through
distributors and OEMs. As of December 31, 1996, SDI had relationships with 31
distributors, and over 50 OEMs and VARs. SDI's OEMs sublicense, on a
non-exclusive basis, SDI's ACE/Server client software and/or ACM software
products and are generally selected for their capability to offer SDI's products
in combination with related products and services, as well as for their
capability to serve particular markets or platforms. Customers of SDI's OEMs
purchase all of their ACE/Server software and SecurID tokens directly from SDI.
RSA typically licenses its toolkit technology to OEMs. As of December 31, 1996,
RSA had relationships with over 250 OEMs. RSA also licenses its patent
technology and as of December 31, 1996, RSA had relationships with over 10
patent licensees. RSA typically licenses its products on a royalty-bearing basis
and generally requires a prepayment of royalties. In certain circumstances, RSA
licenses its products on a fully paid-up basis, with the payment computed based
on anticipated usage.
The Company's international sales are being made through its direct sales
force as well as through 31 distributors located in Europe, the Middle East,
South America and the Pacific Rim. The Company's international distributors
provide initial sales support, installation, technical support and follow-on
service to local customers. The Company generally grants its distributors
non-exclusive distribution rights.
Sales outside North America accounted for approximately 11%, 13% and 18% of
the Company's revenue in the years ended December 31, 1994, 1995 and 1996,
respectively. While the Company believes its current products are designed to
meet the regulatory standards of foreign markets, any inability to obtain
foreign regulatory approvals on a timely basis could have an adverse effect on
the Company's financial condition or results of operations. In addition, the
Company's international business may be subject to a variety of risks, including
delays in establishing international distribution channels, difficulties in
collecting international accounts receivable, and increased costs associated
with maintaining international marketing efforts. The Company's direct sales in
Canada, the United Kingdom, France, Germany, Norway and Japan are denominated in
the local currency, and the Company is subject to the risks associated with
fluctuations in currency exchange rates. A decrease in the value of any of these
foreign currencies relative to the U.S. dollar could affect the profitability in
U.S. dollars of the Company's products sold in these markets. In addition, the
Company is subject to the usual risks of doing business abroad, including
increases in duty rates, the introduction of non-tariff barriers and
difficulties in enforcement of intellectual property rights.
The Company has experienced, and may experience in the future, significant
seasonality in its business, and the Company's financial condition or results of
operations may be affected by such trends in the future. Such trends have
included higher revenue in the last quarter of the year and lower revenue in the
next succeeding quarter. The Company believes that revenue tends to be higher in
the last quarter due to the Company's quota-based compensation plans, year-end
budgetary pressures on the Company's customers and the tendency of certain of
the Company's customers to implement changes in computer or network security
prior to the end of the calendar year. In addition, revenue tends to be lower in
the summer months, particularly in Europe, when businesses defer purchase
decisions. Because the Company's operating expenses are based on anticipated
revenue levels and a high percentage of the Company's expenses are fixed, a
small variation in the time of recognition of revenue can cause significant
variations in operating results from quarter to quarter. The Company believes
that its order backlog is not a material factor in determining future revenues.
Marketing
In support of its sales efforts, the Company conducts sales training
courses, comprehensive targeted marketing programs, including direct mail,
public relations, advertising, seminars, trade shows and telemarketing, and
ongoing customer and third-party communications programs. The Company also seeks
to stimulate interest in computer and network security through its public
relations program, speaking engagements, white papers, technical notes and other
publications.
With competing vendors offering different solutions, customers in the
market for computer and network security tend to evaluate thoroughly new
products and vendors. SDI offers a Trial Sale Program for prospective customers
desiring first-hand experience in using the SecurID system prior to making a
purchase decision. Under this program, prospective customers install a
demonstration version of one of the Company's access control products on their
own system and generally run pilot programs with up to ten SecurID token users.
The Company has entered into strategic marketing relationships with various
vendors of operating systems and network operating systems, remote access
products, Internet-related products and application software. Certain of these
vendors integrate the Company's client software into their products to provide
compatibility between their product offerings and the Company's ACE/Server
software. Other vendors build call routines, software hooks or application
program interfaces (APIs) into their products to provide compatibility with the
Company's ACE/Server software. The Company has also entered into strategic
relationships with vendors that share technical information with the Company to
enable it to develop products which will be interoperable with the vendors'
products. The Company has developed a separate program, the SecurID Ready
strategic partner program, to market the compatibility between the vendors'
products and the Company's ACE/Server software. The end-user customers of all of
these vendors must purchase tokens and license ACE/Server software directly from
the Company. The Company believes that these relationships help the Company and
its customers to expand their enterprise network coverage and assist the Company
in increasing its installed customer base and SecurID token usage.
There can be no assurance, however, that the Company's existing strategic
relationships will be commercially successful, that the Company will be able to
negotiate additional strategic relationships, that such additional relationships
will be available to the Company on acceptable terms or that any such
relationships, if established, will be commercially successful. In addition,
there can be no assurance that parties with whom the Company has established
strategic relationships will not pursue alternative technologies or develop
alternative products in addition to or in lieu of the Company's products either
on their own or in collaboration with others, including the Company's
competitors. The Company's financial condition or results of operations may also
be affected by the success of its collaborators in marketing any successfully
developed products.
To enhance demand for its products, RSA has participated in the development
of various industry-specific protocols that rely on RSA's cryptographic and
electronic data security technologies, including Cellular Digital Packet Data
(CDPD), a protocol for sending data over cellular networks, Secure Socket Layer
(SSL), an Internet protocol designed to secure the communication link between
two parties on the World Wide Web, Secure HyperText Transfer Protocol (S/HTTP),
an interoperable extension of the World Wide Web's existing HyperText Transfer
Protocol that provides communication and transaction security for World Wide Web
clients and servers, Public Key Cryptography Standards (PKCS), a set of
standards for public key cryptography developed by RSA Laboratories and certain
of RSA's customers, and Secure Electronic Transaction (SET), a proposed standard
application-level
protocol to enable secure bank card transactions on the World Wide Web. RSA also
hosts its own annual industry conference and participates in others to increase
demand for its products. Finally, through its RSA Laboratories division, RSA
maintains a leading role in basic cryptographic research, develops new
encryption technologies, and maintains close working relations with the leading
academic centers and customer development teams.
Customers
As of December 31, 1996, SDI had sold or licensed over 6,500 ACE/Server and
ACM products and approximately 1,500,000 SecurID tokens to over 1,600 customers
worldwide. Historically, SDI's principal customers have been in the
telecommunications, pharmaceutical, financial and medical industries as well as
academic institutions, research laboratories and government organizations. These
customers are generally sophisticated and knowledgeable purchasers of security
systems and work with highly confidential information. The Company believes that
as corporate networks proliferate and become more complex, the number of
industries concerned with system security and access to information will grow.
As of December 31, 1996, RSA had licensed its toolkit and patent licensing
technology to over 250 OEMs. RSA licenses its products to OEMs who incorporate
RSA's encryption technology into their products. RSA's developer toolkits and
other products are used to implement cryptographic electronic data security
applications such as encryption and digital signatures for products and services
targeted at secure electronic commerce, secure electronic mail, communications
privacy, client/server data security, smart cards and other key information
technologies. RSA's encryption technology is embedded in current versions of
Microsoft Windows and Windows NT, Netscape Navigator, Intuit's Quicken, Lotus
Notes and numerous other products. RSA technologies are part of existing and
proposed standards for the Internet and World Wide Web, ITU, ISO, ANSI and IEEE
as well as various business, financial and electronic commerce networks.
In the year ended December 31, 1996, no customer accounted for more than
10% of the Company's total revenue.
Customer Service and Support
SDI maintains a customer support help desk and technical support
organization at its headquarters in Bedford, Massachusetts and in Wokingham,
United Kingdom. RSA also offers customer support through its offices at Redwood
City, California. During 1996, the Company added advanced technical support
personnel to its support staff to address anticipated additional demands arising
from the deployment of the Company's security solutions into larger and more
complex user environments. The Company also has field technical support
personnel that work directly with the Company's direct sales force, distributors
and customers. Most of the Company's products are designed for easy customer
installation. Accordingly, a significant portion of the Company's service and
support activities is provided remotely from the Company's headquarters in
Bedford, Massachusetts. As of December 31, 1996, the Company's customer support
organization consisted of an aggregate of 40 full-time employees located in
Massachusetts, California, the United Kingdom, Germany and France.
SDI's standard practice is to provide a warranty on all SecurID tokens for
the customer-selected programmed life of the token and to replace any damaged
tokens (other than tokens damaged by a user's negligence or alteration) free of
charge. SDI generally sells each of its other products to customers with a
90-day warranty. After the expiration of the warranty period, customers may
elect to
purchase a maintenance contract for 12-month renewable periods. Under these
contracts, SDI agrees to provide (i) corrections for documented program errors,
(ii) version upgrades for both software and firmware, (iii) repair or
replacement of ACM hardware that does not perform in accordance with its
functional specifications, and (iv) telephone consultation.
Customers rely on the Company's information security products for critical
electronic security applications. Failure of the Company's products to work as
designed could result in tort or warranty claims. The Company attempts to reduce
the risk of losses resulting from such claims through warranty disclaimers and
liability limitation clauses in its sales agreements. However, there can be no
assurance that such measures will be effective in limiting the Company's
liability. Any liability for damages resulting from any such failure could be
substantial and could have a material adverse effect on the Company's business
and results of operations.
Product Development
The Company's product development efforts are focused on enhancing the
functionality, reliability, performance and flexibility of its existing
products. In the fourth quarter of 1996, the Company began shipping its
ACE/Server software version for Windows NT. In the fourth quarter of 1995, the
Company began shipping versions of its ACE/Server client software that operate
on Novell NetWare (Versions 3.11 and 3.12), NT RAS and Digital Equipment
Corporation's OSF1. In the first and second quarters of 1996, the Company began
shipping versions of its ACE/Server client software for Microsoft Windows NT and
Novell NetWare Connect (Version 2.0), respectively. The Company is developing
technology to enhance the administrative capabilities of its ACE/Server and ACM
products and the scalability of its ACE/Server. Areas for future development of
the ACE/Server currently being pursued by the Company include cross realm
authentication, enhanced redundancy and interoperability with additional network
operating systems and directory services. The Company also is developing tools
to assist customers, strategic marketing partners and other third-party
integrators in integrating the Company's products with custom and other
third-party network or system applications.
RSA plans to increase its competitive position by strengthening its core
cryptography toolkit and developing standards, protocols and applications that
address the needs of specific market segments and build on RSA's proprietary
technology. In the latter case, RSA may choose to partner with other parties to
develop and/or market the products.
RSA is currently developing the following enhanced toolkits based on its
general purpose cryptography engine to enable emerging new applications. Each of
these value-added toolkits will be designed to address the needs of a specific
market segment.
SET Toolkit. RSA has developed a suite of toolkits known as S/PAY to
support the Secure Electronic Transaction (SET) protocol developed by an
industry group led by MasterCard and Visa for secure credit card purchases over
the Internet. The S/PAY toolkit consists of three separate toolkits, one each
for the three participants defined by the SET protocol involved in the
transaction: the cardholder, the merchant and the payment gateway. The toolkits
have a common core cryptographic architecture, but are tailored to fit the
specific actions of the three different entities. RSA began shipping S/PAY 1.0
in March 1997.
In addition to S/PAY 1.0, RSA is working with NEC on extensions to the SET
protocol that will meet the needs of the Japanese payment environment. It is
currently anticipated that the Japanese version of the SET toolkit, known as
J/PAY, will premiere during 1997. RSA anticipates working with a
group of vendors in Japan in addition to NEC to evolve the payment protocol
extensions into a widely adopted standard.
In 1996, RSA purchased the Secure Messenger Toolkit from WorldTalk
Corporation as the basis for RSA's S/MAIL toolkit, a complete, secure messaging
development solution that will make it much easier for developers to create
applications that conform to the S/MIME standard. Building on top of RSA's core
messaging toolkit, TIPEM, S/MAIL saves developers significant development effort
by providing the infrastructure for managing certificates, creating a consistent
user interface, and formatting messages according to the S/MIME protocol.
S/WAN Toolkit. The S/WAN (Secure Wide Area Network) standard is an RSA-led
effort to standardize the networking industry around an interoperable security
protocol. RSA anticipates that the S/WAN toolkit will enable developers to more
quickly create secure networking solutions. Companies in the Internet firewall
and virtual private network industry that have adopted the S/WAN Standard
include Raptor Systems, Inc., Digital Equipment Corporation and CheckPoint
Systems, Inc.
RSA Secure. RSA is continuing to develop new features for RSA Secure and to
develop versions of RSA Secure for Windows 95, Windows NT and the Apple
Macintosh operating system.
In addition to enhancing its existing products, one of the Company's
strategies is to offer products in other classes of the network security
hierarchy. The Company continues to identify and prioritize various technologies
for potential future product offerings. The Company may develop these products
internally or enter into arrangements to license or acquire products or
technologies from third parties. There can be no assurance, however, that the
Company will be successful in enhancing or developing existing products or
identifying and successfully acquiring new technologies.
The Company's strategy also includes the acquisition of businesses that
complement or augment the Company's existing product lines. Product acquisitions
are difficult to identify and complete for a number of reasons, including
competition for prospective buyers and the need for regulatory approvals,
including antitrust approvals. There can be no assurance that the Company will
be able to complete future acquisitions or that the Company will be able to
successfully integrate any acquired business. In order to finance such
acquisitions, it may be necessary for the Company to raise additional funds
through public or private financings. Any equity or debt financings, if
available at all, may be on terms which are not favorable to the Company and, in
the case of equity financings, may result in dilution to the Company's
stockholders.
As of December 31, 1996, the Company's product development staff consisted
of 84 full-time employees engaged in engineering and development, including
software and hardware engineering, testing and quality assurance and technical
documentation. The Company also engages outside contractors where appropriate to
supplement the Company's in-house expertise or expedite projects based on
customer or market demand. The Company's total research and development expenses
for the years ended December 31, 1994, 1995 and 1996 were approximately $3.3
million, $5.7 million and $11.2 million, respectively.
Software products may contain undetected errors or bugs when first
introduced or as new versions are released, and software products or media may
contain undetected viruses. Errors, bugs or viruses may result in loss of or
delay in market acceptance, recalls of hardware products incorporating the
software or loss of data. In December 1992, the Company recalled approximately
13,000 SecurID tokens due to an error in token programming software. Delays or
difficulties associated with new
product introductions or product enhancements could have a material adverse
effect on the Company's financial condition or results of operations.
In addition, a number of factors, including the timing of the introduction
or enhancement of products by the Company or its competitors, market acceptance
of new products, and customer order deferrals in anticipation of new products,
may cause significant variations in the Company's quarterly operating results.
Manufacturing, Suppliers, and Quality Control
Manufacturing
SecurID Tokens. The Company has historically contracted for the manufacture
of its SecurID tokens with RJP International, Ltd. ("RJP"), an assembly
subcontractor located in China. During 1996, the Company qualified two
additional source suppliers in the United States for the manufacture of its
SecurID Card and PINPAD tokens. Although RJP will continue to provide the
Company with tokens, the Company believes that the qualification of the
additional token suppliers reduces the risks associated with the supply of its
products and product components. After delivery to the Company, SecurID tokens
are activated and programmed for, among other things, the appropriate token
life, display configuration, number of discrete random seeds and length and
frequency of change of code display.
ACE/Server and ACM Software Products. The Company has established an
in-house software duplication operation for its UNIX ACE/Server and VAX ACM
software products. The Company purchases duplicating services for its other ACM
software products from outside vendors. The Company's ACE/Server and ACM
software products are distributed as object code on standard magnetic diskettes
and tapes, together with printed documentation.
ACM Hardware Products. The Company contracts for the manufacture of its ACM
hardware products with an assembly operation located in New England. This
subcontractor manufactures products in accordance with the Company's
specifications and, with the exception of microprocessor chips, purchases all
components from independent vendors selected by the subcontractor. The Company
specifies the vendor from which its subcontractor may purchase microprocessor
chips for ACM hardware products.
The Company currently has limited sources for the manufacture of each of
its SecurID tokens and ACM hardware products. The Company has generally been
able to obtain adequate supplies of these products in a timely manner from
current vendors and believes that alternate vendors can be identified if current
vendors are unable to fulfill its needs. However, delays or failure to identify
alternate vendors, if required, or a reduction or interruption in supply or a
significant increase in the manufacturing costs could adversely affect the
Company's financial condition or results of operations and could impact customer
relations.
Suppliers
Although the Company generally uses standard parts and components for its
products, certain components are currently available only from a single source
or from limited sources. For example, the microprocessor chips contained in the
Company's SecurID tokens are currently purchased only from Sanyo Electric Co.,
Ltd. ("Sanyo"), a Japanese computer chip manufacturer. Sanyo has introduced
commercially an alternative chip and is continuing to work with the Company on
the development and testing of this chip as a replacement chip for the Company's
SecurID tokens. Sanyo has agreed to give the Company at least 12 months' notice
prior to any cessation of production of the existing chip. There can be no
assurance that Sanyo will be able to furnish the Company with a sufficient
number of chips to meet customer demand, that the Company will be able to
purchase chips from Sanyo at commercially acceptable prices or, if Sanyo
discontinues the manufacture of certain chips, that the Company will be able to
procure chips from another supplier on a timely basis and at commercially
acceptable prices. The inability of the Company to obtain a sufficient number of
chips at commercially acceptable prices could result in delays in product
shipments or increase the Company's material costs, either of which would
adversely affect the Company's financial condition or results of operations.
The lithium batteries contained in the Company's SecurID tokens are
purchased from one supplier located in the United States, Gould Electronics
("Gould"). Gould has agreed to give the Company at least 24 months' notice prior
to any cessation of production. The inability to obtain sufficient lithium
batteries as required, or to obtain or develop alternative sources at
competitive prices and quality if and as required in the future, could result in
delays in product shipments or increase the Company's material costs, either of
which would adversely affect the Company's financial condition or results of
operations.
The Company believes that it would take approximately six months to
identify and commence production of suitable replacements for the microprocessor
chip or lithium battery used in the Company's SecurID tokens. The Company
attempts to maintain a three-month supply of SecurID tokens in inventory.
Quality Control
The Company believes that its success in the market for computer and
network security products will depend in large part on its ability to provide
quality products and services. The Company has a formal quality control program
to satisfy its customers' requirements for high quality and reliable security
products. As part of this program, the Company is working with its suppliers to
improve process control and product design. The Company's SecurID tokens and ACM
hardware products are tested by the Company's subcontractors prior to shipment
and tested again by the Company as part of the Company's acceptance-inspection
procedure.
The Company is currently experiencing a period of rapid growth that could
place a significant strain on its management and other resources. The Company's
ability to manage its growth will require it to continue to improve its
operational, financial and management information systems, and to motivate and
effectively manage its employees. If the Company's management is unable to
manage growth effectively, the quality of the Company's products, its ability to
identify, hire and retain key personnel and its results of operations could be
materially and adversely affected.
Competition
SDI
The market for computer and network security products is highly competitive
and subject to rapid technological change. The Company believes that competition
in this market is likely to intensify as a result of increasing demand for
security products. The Company currently experiences competition from a number
of sources, including (i) software operating systems suppliers and application
software
vendors that incorporate a single-factor static password security system into
their products, (ii) token-based password generator vendors promoting
challenge/response technology, such as ActivCard Inc., AXENT Technologies, Inc.,
Vasco Data Security, Inc., Secure Computing Corporation, Leemah DataCom Security
Corporation and Racal-Guardata, Inc., (iii) smart card security device vendors,
such as Gemplus, Siemens A.G. and Schlumberger, Limited, (iv) biometric security
device vendors, such as Ultra-Scan Corporation, The National Registry, Inc., Eye
Dentify Systems, Fingermatrix (U.K.) Limited, IriScan Inc. and Identix, Inc. and
(v) public-key infrastructure and hardware suppliers such as Entrust
Technologies Inc. and Cylink Corporation. In some cases, these vendors also
support the Company's products and those of its competitors. The Company may
also face competition from these and other parties in the future that develop
computer and network security products based upon approaches similar to or
different from those employed by the Company. There can be no assurance that the
market for computer and network security products will not ultimately be
dominated by approaches other than the approach marketed by the Company. While
the Company believes that it does not currently compete against manufacturers of
other classes of security products (such as encryption), there can be no
assurance that the Company's customers will not perceive such other companies as
competitors of SDI.
RSA
The market for cryptographic and electronic data security products is
competitive, and competition is expected to increase as remote computing,
enterprise networks and internetworking become more prevalent and as the
Internet becomes a viable medium for electronic commerce. RSA's competitors
include Cylink Corporation, Entrust Technologies Inc. and Terisa Systems, Inc.
and other organizations that provide cryptographic software products based upon
approaches similar to and different from those employed by RSA. RSA's
competitors include organizations with certain rights to RSA's technology and
organizations with alternate technologies that perform substantially the same
operations as RSA's products. There can be no assurance that the market for
computer and network security products will not ultimately be dominated by
approaches other than the approach marketed by RSA.
The Company believes that the principal competitive factors affecting the
market for computer and network security products include technical features,
ease of use, quality/reliability, level of security, customer service and
support, distribution channels and price. Although the Company believes that its
products currently compete favorably with respect to such factors, there can be
no assurance that the Company can maintain its competitive position against
current and potential competitors, especially those with significantly greater
financial, marketing, service, support, technical and other competitive
resources.
Many of the Company's potential competitors have significantly greater
financial, marketing, technical and other competitive resources than the
Company. As a result, they may be able to adapt more quickly to new or emerging
technologies and changes in customer requirements, or to devote greater
resources to the promotion and sale of their products than can the Company.
Competition could increase if new companies enter the market or if existing
competitors expand their product lines. Any reduction in gross margins could
have a material adverse effect on the Company's financial condition or results
of operations. Although the Company believes it has certain technological and
other advantages over its competitors, maintaining such advantages will require
continued investment by the Company in research and development and sales and
marketing. There can be no assurance that the Company will have sufficient
resources to make such investments or that the Company will be able to make the
technological advances necessary to maintain such competitive advantages. In
addition, current and potential competitors have established or may in the
future establish collaborative
relationships among themselves or with third parties, including third parties
with whom the Company has strategic relationships, to increase the ability of
their products to address the security needs of the Company's prospective
customers. Accordingly, it is possible that new competitors or alliances may
emerge and rapidly acquire significant market share. If this were to occur, the
financial condition and results of operations of the Company would be materially
adversely affected.
Proprietary Rights
The Company relies on a combination of patent, trade secret, copyright and
trademark law, software licenses and nondisclosure agreements to establish and
protect its proprietary rights in its products. The Company enters into
confidentiality and/or license agreements with all of its employees and
distributors, as well as with its customers and potential customers seeking
proprietary information, and limits access to and distribution of its software,
documentation and other proprietary information. Despite these precautions, it
may be possible for unauthorized third parties to copy aspects of the Company's
products or to obtain and use information that the Company regards as
proprietary. The Company has applied for patent protection in only certain
foreign jurisdictions. In addition, the laws of many foreign jurisdictions, as
well as the scope of certain foreign counterparts to the Company's patents, do
not protect the Company's proprietary rights to the same extent as do the laws
of the United States.
SDI currently holds 13 issued United States patents expiring at various
dates ranging from 2005 to 2014. SDI also has two applications pending for
additional United States patents and a number of foreign counterparts for its
patents in various foreign countries. In addition, SDI has certain registered
and other trademarks.
RSA holds a license to the RSA/MIT Patent, which pertains to certain of its
current products and expires on September 20, 2000, and is the exclusive agent
for licensing a cryptography patent held by Dr. Claus P. Schnorr. RSA believes
that the ownership of its intellectual property is a significant factor in its
business. RSA has vigorously pursued legal action against companies and
individuals infringing on its intellectual property rights. RSA's success also
depends on the innovative skills, technical competence and marketing abilities
of its personnel. There can be no assurance, however, that any patent,
trademark, copyright or license owned or held by RSA will not be invalidated,
circumvented, challenged or terminated, that any patent granted under RSA's
pending or future patent applications will be within the scope of claims sought
by RSA, if at all, or that the steps taken by RSA to protect its rights will be
adequate to prevent misappropriation of RSA's technology or to preclude
competitors from developing products with features similar to RSA's products.
The inability of RSA to protect its intellectual property adequately could have
a material adverse effect on its financial condition or results of operations.
See "Item 3 -- Legal Proceedings."
The Company has from time to time received correspondence alleging that its
products may infringe patents held by third parties. To date, none of these
allegations has been pursued, and the Company believes that its products and
other proprietary rights do not infringe the proprietary rights of third
parties. There can be no assurance, however, that third parties will not assert
infringement claims against the Company in the future or that any such claims
will not require the Company to enter into license arrangements or result in
protracted and costly litigation, regardless of the merits of such claims.
Government Regulation and Export Controls
Although SDI's user authentication products are subject to export controls
under United States law, the Company believes it has obtained all necessary
export approvals for the export of SDI's user authentication products. There can
be no assurance, however, that the list of products and countries for which
export approval is required, and the regulatory policies with respect thereto,
will not be revised from time to time. The inability of the Company to obtain
required approvals under these regulations could adversely affect the ability of
the Company to make international sales. Exports of RSA's encryption products,
or third-party products bundled with the encryption technology of RSA, are
expected to continue to be restricted by the United States government. All
cryptographic products need export licenses from the United States State
Department, acting under the authority of the International Traffic in Arms
Regulation, which defines cryptographic devices, including software, as
munitions. The United States government generally limits the export of software
with encryption capabilities to mass marketed software with limited key sizes,
which significantly constrains the security effectiveness of RSA products
available for export. There can be no assurance that the United States
government will ease its export restrictions on encryption technology in any
significant manner. As a result, RSA may be at a disadvantage in competing for
international sales compared to companies located outside the United States that
are not subject to such restrictions.
Employees
At December 31, 1996, the Company employed 360 employees. Of these
employees, 84 were involved in research and development, 184 in sales, marketing
and customer support, 48 in production and information technology, and 44 in
administration and finance. No employees are covered by any collective
bargaining agreements. The Company believes that its relationships with its
employees are good.
ITEM 2. PROPERTIES
The Company's principal administrative, sales and marketing, research and
development and support facilities consist of approximately 75,000 square feet
of office space in Bedford, Massachusetts. The Company occupies these premises
under a lease expiring in August 2006. As of December 31, 1996, the annual base
rent for this facility was approximately $950,000. In support of its field sales
and support organization, the Company also leases facilities and offices in 27
other locations in the United States, four locations in Canada and one location
in each of the United Kingdom, France, Germany, Norway, Singapore and Japan.
RSA leases approximately 20,000 square feet of office space in Redwood
City, California under a lease expiring in October 1999. As of December 31,
1996, the annual base rent for this facility was approximately $390,000.
ITEM 3. LEGAL PROCEEDINGS
Schlafly Action. In July 1994, RSA was named co-defendant with Public Key
Partners ("PKP") in an action filed by an individual, Roger Schlafly, in the
U.S. District Court for the Northern District of California. In this action Mr.
Schlafly contests the validity of the RSA/MIT Patent and the Stanford Patents,
alleges causes of action for non-infringement, interference with contractual
business relationships, unfair business practices, antitrust, libel and fraud;
and seeks injunctive relief and damages in excess of $2 million. To date the
actions for libel, fraud and interference with contractual
business relationships have been resolved in RSA's favor, either through actions
for dismissal or through summary judgment. Cylink intervened in this action as
co-defendant in late 1995.
Cylink Settlement. Since 1994, RSA had been involved in arbitration and
litigation proceedings (collectively, the "Litigation") relating, among other
things, to (i) the validity of a U.S. patent (the "RSA/MIT Patent") developed at
MIT and licensed to RSA; (ii) the rights of Cylink Corporation ("Cylink") and
its subsidiary Caro Kann Corporation ("CKC"), competitors of RSA, to use and
sublicense the RSA/MIT Patent; (iii) the validity and scope of certain U.S.
patents (the "Stanford Patents") which cover Cylink's fundamental encryption
technology and have been licensed to Cylink by The Board of Trustees of the
Leland Stanford Junior University; and (iv) the liability, if any, of RSA for
infringing or contributing to the infringement of the Stanford Patents. On
December 31, 1996, RSA, Cylink and CKC entered into a comprehensive settlement
relating to the Litigation. As part of the settlement, (a) the parties agreed to
dismiss all claims relating to the Litigation, (b) Cylink granted to RSA all
necessary rights to the Stanford Patents and (c) RSA granted to Cylink a license
to RSA's cryptographic software toolkit.
ActivCard Settlement. In December 1995, the Company, together with
co-plaintiff Vasco Data Security, Inc. ("Vasco"), filed suit in the U.S.
District Court for the Northern District of California against ActivCard, Inc.
and ActivCard S.A. (together, "ActivCard") alleging infringement of certain
patents of the Company and Vasco that collectively cover a range of technology
used to secure data access. The suit sought monetary damages and an injunction
against further infringement. In February 1996, in response to the Company's
repeated infringement allegations and prior to the serving of the Company's
complaint on ActivCard, ActivCard filed a complaint against the Company in the
same court seeking a declaratory judgement of non-infringement, invalidity and
unenforceability of the Company's patents asserted in the suit brought with
Vasco.
In September 1996, Vasco, the Company and ActivCard entered into a
settlement agreement with respect to this litigation. Pursuant to the terms of
the settlement agreement, the Company and Vasco agreed to dismiss with prejudice
their claims against ActivCard and ActivCard similarly agreed to dismiss with
prejudice its claims against the Company and Vasco. In connection with this
settlement, ActivCard agreed to license certain patents from the Company and
Vasco.
The Company has been named as a defendant in other legal actions arising
from its normal business activities. The Company carries insurance against
liability for certain types of risks. Although the amount of liability that
could result from any litigation cannot be predicted, in the opinion of
management, the Company's potential liability on all known claims would not have
a material adverse effect on the consolidated financial position or results of
the Company.
ITEM 4. SUBMISSION OF MATTERS TO A VOTE OF SECURITY-HOLDERS
None.
Executive Officers of the Company
The executive officers of the Company and their respective ages are as
follows:
Name                        Age   Position
----                        ---   --------
Charles R. Stuckey, Jr.     54    Chairman, President, Chief Executive
                                  Officer and Director
D. James Bidzos             41    Executive Vice President and Director
Arthur W. Coviello, Jr.     43    Executive Vice President, Treasurer and
                                  Chief Financial Officer
John Adams                  55    Senior Vice President, Engineering
Gary A. Rogers              42    Senior Vice President, World Wide Sales
                                  and Field Operations
W. David Power              43    Vice President, Marketing
Linda E. Saris              44    Vice President, Operations
Mr. Stuckey joined the Company as President in January 1987, was appointed
Chief Executive Officer and elected a director of the Company in March 1987 and
appointed Chairman of the Board in July 1996. From 1984 to January 1987, Mr.
Stuckey served as Vice President of Scientific Information Services, a systems
and commercial data service company and a division of Control Data Corporation.
Mr. Bidzos joined SDI as an Executive Vice President in July 1996. He
joined RSA in 1986 and has served as RSA's President and Chief Executive Officer
and as a director since 1988. Mr. Bidzos also is Chairman and a founder of
VeriSign, a company specializing in providing public-key certificates and
related products and services, and a director and a founder of Terisa Systems,
Inc., a company specializing in security protocols for the World Wide Web. He
also is a director of the Electronic Privacy Information Center. Mr. Bidzos
became a director of SDI following the acquisition of RSA by SDI in July 1996.
Mr. Coviello joined the Company as Executive Vice President in September
1995 and was appointed Treasurer and Chief Financial Officer in October 1995.
From January 1994 to August 1995, Mr. Coviello served as Chief Operating Officer
and from March 1992 to January 1994, Mr. Coviello served as Vice President,
Finance and Administration, Chief Financial Officer and Treasurer of CrossComm
Corporation, a developer of inter-networking products. From April 1984 to
January 1992, Mr. Coviello served as Vice President, Finance and Operations of
Autographix, Inc., a computer graphics company.
Mr. Adams joined the Company as Senior Vice President, Engineering, in
March 1996 after over twenty years of diversified management, engineering and
network service for Digital Equipment Corporation. From 1976 to 1996, Mr. Adams
served in a number of diversified positions with Digital Equipment Corporation,
including Vice President and Technical Director of the company's Network
Operating Systems Division from 1991 to 1996. Prior to joining Digital Equipment
Corporation, Mr. Adams served as a structural engineer for Mitchell Systems.
Mr. Rogers joined the Company as Senior Vice President, World Wide Sales
and Field Operations in February, 1997. From 1994 to 1996, Mr. Rogers served as
Vice President, International Sales and Operations with Bay Networks, Inc.
Before joining Bay Networks, Inc., from 1992 to 1994, Mr. Rogers was Vice
President, Sales and Operations - Europe with Wellfleet Communications, Inc.
Prior to joining Wellfleet Communications, Inc., Mr. Rogers served in a number
of positions with several other organizations, including managerial-level sales
and marketing positions.
Mr. Power joined the Company as Vice President, Marketing in November 1996.
Mr. Power served as Vice President with Nets, Inc. (comprising two divisions,
Industry Net and Business Net, formerly AT&T New Media Services Division) in
1995 and 1996. From 1992 to 1995, Mr. Power served as Vice President and General
Manager for two Sun Microsystems business units: SunSoft PC Desktop Integration
Products and SunSelect. Before joining Sun Microsystems, Mr. Power was a Vice
President at Mercer Management Consulting, a marketing and strategic consulting
firm, from 1980 to 1992.
Ms. Saris joined the Company as Vice President, Finance and Operations,
Treasurer and Chief Financial Officer in June 1989, and has served as Vice
President, Operations since October 1995. From 1980 to 1989, Ms. Saris served in
a number of positions, including Senior Vice President and General Manager and
Vice President of Finance, with Clinical Data, Inc., a medical technology and
services company.
PART II
ITEM 5. MARKET FOR REGISTRANT'S COMMON EQUITY AND RELATED STOCKHOLDER MATTERS
The Company's Common Stock has been trading on the Nasdaq National Market
under the symbol "SDTI" since the Company's public offering on December 14,
1994. The following table sets forth for the fiscal periods indicated the high
and low sales prices per share of Common Stock as reported on the Nasdaq
National Market and after giving effect to both of the Company's two-for-one
splits of its Common Stock in the form of stock dividends, which became
effective as of October 30, 1995 and November 15, 1996, respectively.
Fiscal 1995             High         Low
-----------             ----         ---
First Quarter         $  9.00     $  4.375
Second Quarter          11.625       7.00
Third Quarter           12.00        8.875
Fourth Quarter          29.125      11.00

Fiscal 1996             High         Low
-----------             ----         ---
First Quarter         $ 33.00     $ 21.25
Second Quarter          54.00       23.125
Third Quarter           48.375      25.625
Fourth Quarter          43.00       29.75
There were 259 stockholders of record of the Company's Common Stock as of
March 20, 1997.
The Company has never declared or paid any cash dividends on its capital
stock. The Company currently intends to retain earnings, if any, to support its
growth strategy and does not anticipate paying cash dividends in the foreseeable
future. Payment of future dividends, if any, will be at the discretion of the
Company's Board of Directors after taking into account various factors,
including the Company's financial condition, operating results, current and
anticipated cash needs and plans for expansion.
ITEM 6. SELECTED FINANCIAL DATA
The information required by this item is contained under the caption
"Selected Consolidated Financial Data" appearing in the Company's 1996 Annual
Report to Stockholders (the "1996 Annual Report") and is incorporated herein by
this reference.
ITEM 7. MANAGEMENT'S DISCUSSION AND ANALYSIS OF FINANCIAL
CONDITION AND RESULTS OF OPERATIONS
The information required by this item is contained under the caption
"Management's Discussion and Analysis of Financial Condition and Results of
Operations" appearing in the Company's 1996 Annual Report and is incorporated
herein by this reference.
ITEM 8. FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA
The information required by this item is contained in the Consolidated
Financial Statements appearing in the Company's 1996 Annual Report and is
incorporated herein by this reference.
ITEM 9. CHANGES IN AND DISAGREEMENTS WITH ACCOUNTANTS ON
ACCOUNTING AND FINANCIAL DISCLOSURE
Not applicable.
PART III
ITEM 10. DIRECTORS AND EXECUTIVE OFFICERS OF THE REGISTRANT
The information required by this item is contained in part under the
caption "Executive Officers of the Company" in PART I hereof, and the remainder
is contained in the Company's Proxy Statement for the Company's Annual Meeting
of Stockholders to be held on April 24, 1997 (the "1997 Proxy Statement") under
the captions "PROPOSAL 1 ELECTION OF DIRECTORS" and "SECTION 16(a) BENEFICIAL
OWNERSHIP REPORTING COMPLIANCE" and is incorporated herein by this reference.
Officers are elected on an annual basis and serve at the discretion of the
Board of Directors.
ITEM 11. EXECUTIVE COMPENSATION
The information required by this item is contained under the captions
"Director Compensation," "Compensation of Executive Officers" and "Compensation
Committee Interlocks and Insider Participation" in the Company's 1997 Proxy
Statement and is incorporated herein by this reference.
ITEM 12. SECURITY OWNERSHIP OF CERTAIN BENEFICIAL OWNERS AND MANAGEMENT
The information required by this item is contained in the Company's 1997
Proxy Statement under the caption "Stock Ownership of Certain Beneficial Owners
and Management" and is incorporated herein by this reference.
ITEM 13. CERTAIN RELATIONSHIPS AND RELATED TRANSACTIONS
The information required by this item is contained under the caption
"Certain Transactions" appearing in the Company's 1997 Proxy Statement and is
incorporated herein by this reference.
PART IV
ITEM 14. EXHIBITS, FINANCIAL STATEMENT SCHEDULES, AND REPORTS ON FORM 8-K
(a) Documents filed as a part of this Form 10-K:
1. Financial Statements. The Consolidated Financial Statements are
included in the Company's 1996 Annual Report, which is filed as
an exhibit to this Annual Report on Form 10-K. The Consolidated
Financial Statements include:
Consolidated Balance Sheets
Consolidated Statements of Income
Consolidated Statements of Stockholders' Equity
Consolidated Statements of Cash Flows
Notes to Consolidated Financial Statements
2. Financial Statement Schedules. The Financial Statement Schedules,
Schedule II, "Valuation and Qualifying Accounts" and the Report of Ernst & Young
LLP, Independent Auditors follow immediately after the "Exhibit Index".
3. Exhibits. The Exhibits listed in the Exhibit Index immediately
preceding such Exhibits are filed as part of this Annual Report on Form 10-K.
(b) Reports on Form 8-K:
None.
SIGNATURES
Pursuant to the requirements of Section 13 or 15(d) of the Securities
Exchange Act of 1934, the Registrant has duly caused this report to be signed on
its behalf by the undersigned, thereunto duly authorized.
SECURITY DYNAMICS TECHNOLOGIES, INC.
By: /s/ Charles R. Stuckey, Jr.
------------------------------------
Charles R. Stuckey, Jr.
Chairman, President and Chief Executive Officer
Date: March 26, 1997
Pursuant to the requirements of the Securities Exchange Act of 1934, this
report has been signed below by the following persons on behalf of the
Registrant and in the capacities and on the dates indicated.
Signature                      Title                           Date
---------                      -----                           ----
/s/ Charles R. Stuckey, Jr.    Chairman, President and         March 26, 1997
---------------------------    Chief Executive Officer
Charles R. Stuckey, Jr.        (Principal Executive Officer)

/s/ Arthur W. Coviello, Jr.    Executive Vice President,       March 26, 1997
---------------------------    Chief Financial Officer
Arthur W. Coviello, Jr.        and Treasurer
                               (Principal Financial and
                               Accounting Officer)

/s/ D. James Bidzos            Director                        March 26, 1997
---------------------------
D. James Bidzos

/s/ Richard L. Earnest         Director                        March 26, 1997
---------------------------
Richard L. Earnest

/s/ Joseph B. Lassiter, III    Director                        March 26, 1997
---------------------------
Joseph B. Lassiter, III

/s/ George M. Middlemas        Director                        March 26, 1997
---------------------------
George M. Middlemas

/s/ Marino R. Polestra         Director                        March 26, 1997
---------------------------
Marino R. Polestra

/s/ Sanford M. Sherizen        Director                        March 26, 1997
---------------------------
Sanford M. Sherizen
Exhibit Index
-------------
Exhibit
No.       Description                                                     Page
---       -----------                                                     ----
2 Agreement and Plan of Merger, dated as of April 14, 1996,
among the Registrant, Card-Key Inc. and RSA Data Security,
Inc. ("RSA") (filed as an Annex to the Joint Proxy Statement
and Prospectus constituting a part of the Registrant's
Registration Statement on Form S-4 (File No. 333-7265) (the
"Form S-4") and incorporated herein by reference) ................. *
3.1 Third Restated Certificate of Incorporation, as amended, of
the Registrant (filed as Exhibit 3 to the Registrant's
Quarterly Report on Form 10-Q for the Quarter Ended
September 30, 1996 and incorporated herein by reference) .......... *
3.2 Amended and Restated By-Laws, as amended, of the Registrant
(filed as Exhibit 3.3 to the Registrant's Registration
Statement on Form S-1 (File No. 33-85606) (the "Form S-1")
and incorporated herein by reference) ............................. *
4 Specimen Certificate for shares of Common Stock, $.01 par
value, of the Registrant (filed as Exhibit 4.1 to the Form
S-1 and incorporated herein by reference) ......................... *
#10.1 1986 Stock Option Plan, as amended (filed as Exhibit 10.1 to
the Form S-1 and incorporated herein by reference) ................ *
#10.2 1994 Stock Option Plan, as amended ................................
#10.3 1994 Director Stock Option Plan, as amended .......................
#10.4 1994 Employee Stock Purchase Plan, as amended .....................
#10.5 Employment Agreement between the Registrant and Charles R.
Stuckey, Jr., dated as of July 9, 1993 (filed as Exhibit
10.5 to the Form S-1 and incorporated herein by reference) ........ *
#10.6 Employment Agreement, dated as of April 14, 1996, as
amended, among the Registrant, RSA and D. James Bidzos
(filed as Exhibit 10.18 to the Form S-4 and incorporated
herein by reference) .............................................. *
#10.7 Letter Agreement between the Registrant and Arthur W.
Coviello, Jr., dated as of August 21, 1995 (filed as Exhibit
10 to the Registrant's Quarterly Report on Form 10-Q for the
Quarter Ended September 30, 1995 and incorporated herein by
reference) ........................................................ *
#10.8 Letter Agreement between the Registrant and Linda E. Saris,
dated as of May 1, 1989 (filed as Exhibit 10.7 to the Form
S-1 and incorporated herein by reference) ......................... *
10.9 Amended and Restated Registration Rights Agreement, dated as
of September 7, 1988, as amended, among the Registrant and
certain stockholders of the Registrant (filed as Exhibit
10.11 to the Form S-1 and incorporated herein by reference) ....... *
10.10 Amendment to Amended and Restated Registration Rights
Agreement, dated as of October 31, 1995, among the
Registrant and certain stockholders of the Registrant (filed
as Exhibit 10.19 to the Registrant's Registration Statement
on Form S-1 (File No. 33-98818) and incorporated herein by
reference) ........................................................ *
10.11 Stock Restriction Agreement between the Registrant and Richard
L. Earnest, dated October 25, 1994 (filed as Exhibit 10.13
to the Form S-1 and incorporated herein by reference) ............. *
**10.12 Terms and Conditions of Purchase, dated January 1, 1994,
between the Registrant and Gould Electronics (filed as
Exhibit 10.15 to the Form S-1 and incorporated herein by
reference) ........................................................ *
**10.13 Letter, dated October 12, 1994, from Sanyo Electric Co.,
LTD. to the Registrant (filed as Exhibit 10.16 to the Form
S-1 and incorporated herein by reference) ......................... *
**10.14 Agreement between the Registrant and Progress Software
Corporation, dated December 1994 (filed as Exhibit 10.17 to
the Form S-1 and incorporated herein by reference) ................ *
10.15 Indenture of Lease, dated as of March 11, 1996, between the
Registrant and Beacon Properties, L.P. (filed as Exhibit
10.17 to the Form S-4 and incorporated herein by reference) ....... *
10.16 Stockholder Agreement, dated as of April 14, 1996, among the
Registrant, RSA and Addison Fischer (filed as Exhibit 10.19
to the Form S-4 and incorporated herein by reference) ............. *
10.17 Stockholder Agreement, dated as of April 14, 1996, among the
Registrant, RSA and D. James Bidzos (filed as Exhibit 10.20
to the Form S-4 and incorporated herein by reference) ............. *
10.18 Stockholder Agreement, dated as of April 14, 1996, among the
Registrant, RSA and Ronald Rivest (filed as Exhibit 10.21 to
the Form S-4 and incorporated herein by reference) ................ *
11 Computation of Income Per Common Share ............................
13 Portions of the Registrant's 1996 Annual Report to
Stockholders (which is not deemed to be "filed" except to the
extent that portions thereof are expressly incorporated by
reference in this Annual Report on Form 10-K) .....................
21 Subsidiaries of the Registrant ....................................
23.1 Consent and Report on Schedule of Deloitte & Touche LLP ...........
23.2 Consent of Ernst & Young LLP, Independent Auditors ................
27 Financial Data Schedule ...........................................
----------
* Incorporated herein by reference.
** Confidential treatment previously granted by the Securities and
Exchange Commission as to certain portions.
# Management contract or compensatory plan or arrangement filed in
response to Item 14(a)(3) of the instructions to Form 10-K.
REPORT OF ERNST & YOUNG LLP, INDEPENDENT AUDITORS
To the Board of Directors and Shareholders
RSA Data Security, Inc.
We have audited the consolidated balance sheets of RSA Data Security, Inc. as
of December 31, 1995 and the related statements of operations, shareholders'
equity and cash flows for the years ended December 31, 1995 and 1994 (not
presented separately herein). Our audits also included the financial statement
schedule of RSA Data Security, Inc. (not presented separately herein) listed in
the Index at Item 14(a). These financial statements and schedule are the
responsibility of the Company's management. Our responsibility is to express an
opinion on these financial statements and schedule based on our audits.
We conducted our audits in accordance with generally accepted auditing
standards. Those standards require that we plan and perform the audit to obtain
reasonable assurance about whether the financial statements are free of material
misstatement. An audit includes examining, on a test basis, evidence supporting
the amounts and disclosures in the financial statements. An audit also includes
assessing the accounting principles used and significant estimates made by
management, as well as evaluating the overall financial statement presentation.
We believe that our audits provide a reasonable basis for our opinion.
In our opinion, the financial statements referred to above present fairly, in
all material respects, the consolidated financial position of RSA Data
Security, Inc. at December 31, 1995 and the consolidated results of its
operations and its cash flows for the years ended December 31, 1995 and 1994 in
conformity with generally accepted accounting principles. Also, in our opinion,
the related financial statement schedule, when considered in relation to the
basic financial statements taken as a whole, presents fairly, in all material
respects, the information set forth therein.
Ernst & Young LLP
April 8, 1996
SCHEDULE II
SECURITY DYNAMICS TECHNOLOGIES, INC.
AND SUBSIDIARIES
VALUATION AND QUALIFYING ACCOUNTS
--------------------------------------------------------------------------------
                                        Balance at   Charged to                Balance
                                        Beginning    Costs and                 at End
                                        of Period    Expenses     Deductions   of Period
ALLOWANCE FOR DOUBTFUL ACCOUNTS:
For the year ended December 31, 1996    $ 723,715    $ 223,120    $ 419,877    $ 526,958
For the year ended December 31, 1995      415,785      541,000      233,070      723,715
For the year ended December 31, 1994      230,000      185,785           --      415,785
ACCRUED WARRANTY COSTS:
For the year ended December 31, 1996    $ 105,000    $ 128,000    $ 128,000    $ 105,000
For the year ended December 31, 1995      105,000       64,000       64,000      105,000
For the year ended December 31, 1994      105,000       37,000       37,000      105,000