UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
FORM 10-K
FOR ANNUAL AND TRANSITION REPORTS PURSUANT TO SECTIONS 13 OR
15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
[X] ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES
EXCHANGE ACT OF 1934
FOR THE FISCAL YEAR ENDED DECEMBER 31, 1997
OR
[ ] TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE
SECURITIES EXCHANGE ACT OF 1934
COMMISSION FILE NO. 0-25120
SECURITY DYNAMICS TECHNOLOGIES, INC.
(Exact name of registrant as specified in its charter)
DELAWARE
(State or other jurisdiction of incorporation or organization)
04-2916506
(I.R.S. Employer Identification No.)
20 CROSBY DRIVE, BEDFORD, MASSACHUSETTS 01730
(Address of principal executive offices) (Zip Code)
REGISTRANT'S TELEPHONE NUMBER, INCLUDING AREA CODE: (781) 687-7000
------------------------------------------------------------------
SECURITIES REGISTERED PURSUANT TO SECTION 12(B) OF THE ACT: NONE
SECURITIES REGISTERED PURSUANT TO SECTION 12(G) OF THE ACT:
COMMON STOCK, $.01 PAR VALUE
(Title of class)
Indicate by check mark whether the registrant: (1) has filed all reports
required to be filed by Section 13 or 15(d) of the Securities Exchange Act of
1934 during the preceding 12 months (or for such shorter period that the
registrant was required to file such reports), and (2) has been subject to such
filing requirements for the past 90 days. Yes [X] No [ ]
Indicate by check mark if disclosure of delinquent filers pursuant to Item
405 of Regulation S-K is not contained herein, and will not be contained, to the
best of registrant's knowledge, in definitive proxy or information statements
incorporated by reference in Part III of this Form 10-K or any amendment to this
Form 10-K. [ ]
The approximate aggregate market value of the common stock held by
non-affiliates of the registrant was $1,640,944,886 based on the last reported
sale price of the registrant's Common Stock on the Nasdaq National Market as of
the close of business on March 26, 1998. There were 40,857,538 shares of Common
Stock outstanding as of March 26, 1998.
DOCUMENTS INCORPORATED BY REFERENCE
DOCUMENT                                  PART OF FORM 10-K INTO WHICH INCORPORATED
--------                                  -----------------------------------------
Portions of the Registrant's 1997         Items 6, 7 & 8 of Part II
Annual Report to Stockholders
Portions of the Registrant's Proxy        Items 10, 11 & 12 of Part III
Statement for the 1998 Annual Meeting
of Stockholders
This Annual Report on Form 10-K contains forward-looking statements within
the meaning of Section 21E of the Securities Exchange Act of 1934, as amended.
For this purpose, any statements contained herein that are not statements of
historical fact may be deemed to be forward-looking statements. Without limiting
the foregoing, the words "believes," "anticipates," "plans," "expects" and
similar expressions are intended to identify forward-looking statements. The
important factors discussed under the caption "Certain Factors That May Affect
Further Operating Results" in the Company's 1997 Annual Report to Stockholders
and incorporated herein by reference, among others, could cause actual results
to differ materially from those indicated by forward-looking statements made
herein and presented elsewhere by management. Such forward-looking statements
represent management's current expectations and are inherently uncertain.
Investors are warned that actual results may differ from management's
expectations.
PART I.
ITEM 1. BUSINESS
The Company is a leading provider of enterprise network and data security
solutions. The Company's products help organizations conduct business securely,
protect corporate information assets and facilitate business-to-business and
business-to-consumer electronic commerce. Historically, the Company has
delivered security solutions that provide secure remote access to corporate
networks. Through its SecurSight family of enterprise security solutions
(formerly known as the Enterprise Security Services ("ESS") framework),
partnerships and acquisitions, the Company intends to expand its addressable
market by delivering solutions that provide secure access to information
wherever it resides in an enterprise. As used in this Annual Report on Form
10-K, the term "the Company" refers to Security Dynamics Technologies, Inc.
("SDI") and its subsidiaries, including without limitation, RSA Data Security,
Inc. ("RSA") and DynaSoft AB ("DynaSoft"), unless the context otherwise
requires.
INDUSTRY BACKGROUND
Historically, computer and enterprise network security has been the focus of
businesses engaged in security-conscious industries such as banking,
telecommunications, aerospace and defense. However, a number of factors have
contributed to an increased awareness of, and need for, enterprise security
solutions for companies that use and rely on network-based information
resources. These factors include the growing complexity of enterprise networks
and a shift in network security requirements driven by increased use of the
Internet and corporate intranets and extranets.
Enterprise computing has evolved over the past three decades from host-based
systems to a distributed model where individuals are accessing corporate
resources from virtually anywhere inside or outside of an organization.
Enterprise computing environments today consist of heterogeneous computer
resources coupled with converging public and private networks. As such, they
require comprehensive, flexible products and solutions that can be deployed to a
large number of users in a consistent, manageable and secure fashion.
In addition, the traditional security model of network perimeter defense is
being expanded in light of increased use of the Internet. The growth of the
Internet as a business tool has led to a rapid increase in corporate intranets,
where employees share information, and extranets, where companies share
information with their suppliers, partners and customers. Companies that have
traditionally relied solely on static password protection or on corporate
firewalls are now seeking to adopt more sophisticated, comprehensive security
strategies to protect corporate information assets and to conduct business
securely. Companies today require scaleable enterprise security solutions that
can be easily integrated, deployed and managed across complex, heterogeneous
enterprise environments.
Classes of Enterprise Network and Data Security
The Company believes that enterprise network and data security requirements
can be grouped into the following four classes: (i) user identification and
authentication; (ii) access control and privilege management; (iii) data
privacy, integrity and authentication (encryption); and (iv) security
administration and audit.
User Identification and Authentication. Reliable authentication of the
identity of users is necessary to prevent unauthorized access to computer and
network resources. There are three generally accepted methods of user
identification: (i) something secret the user knows, such as a word, phrase,
PIN, code or fact; (ii) something physical the user possesses, such as a key,
smart card, badge or other form of discrete "token," which is resistant to
counterfeiting; and (iii) something unique to the user, such as a fingerprint,
signature, retinal pattern, voice print or other measurable personal
characteristic or "biometric." The Company believes that the use of a two-factor
authentication system, combining two of the three generally accepted methods of
user identification, is required for reliable enterprise network and data
security.
Access Control and Privilege Management. One of the key challenges facing
organizations is the proliferation of passwords required for users to access
disparate operating systems, applications and databases. Products addressing
access control and privilege management must protect and manage access to
corporate information and applications and control user privileges at multiple
levels within the enterprise, including the network, application and data
levels. Single sign-on ("SSO") represents the ability to provide authenticated
users with transparent access to a variety of services, thereby improving user
productivity and reducing the frustration caused by users having to enter
multiple passwords. Early SSO solutions did not require authentication from a
security server; data centers could establish trust between two devices through
a direct connection in a static environment. With the growth in distributed
networks and the variety of operating systems and client/server applications,
reliable SSO now requires authentication, encryption and key exchange to ensure
secure communication between the desktop and the application. Together with
traditional SSO solutions, user authentication and application session
encryption capabilities make up a more complete solution called secure single
sign-on ("SSSO").
Data Privacy, Integrity and Authentication (Encryption). In addition to
authenticating the identity of users and ensuring that only authorized users can
access, view or modify certain data, a comprehensive security solution must
ensure that the data transmitted over a network are not disclosed to
unauthorized persons (data privacy), have not been altered or compromised by
unauthorized manipulation (data integrity) and were actually transmitted by the
purported sender (data authentication). Such data privacy, integrity and
authentication are provided by encryption and data authentication technologies.
Encryption. In traditional cryptography, known as secret key or symmetric
cryptography, the sender and receiver of a message know and use the same secret
keys. The sender uses the secret key to encrypt a message by transforming data
into a form unreadable by anyone without a secret decryption key. The receiver
uses the same secret key to decrypt the message by transforming the encrypted
data into the original readable message. A key is a value or series of bits used
by the cryptographic system to convert the original text into an encrypted text
or to decrypt the encrypted text back into the original text.
The principal problem with secret key cryptography is communicating the
secret key between the sender and receiver without anyone else discovering it.
If the sender and receiver are in separate physical locations, they must trust a
courier, a phone system or some other transmission medium to prevent the
disclosure of the secret key being communicated. Anyone who overhears or
intercepts the key in transit can later read, modify and forge messages
encrypted or
authenticated using that key. Because all keys in a secret key cryptosystem must
remain secret, secret key cryptography often has difficulty providing secure key
management, especially in open systems like the Internet.
The concept of public key cryptography attempts to solve the key management
problem by giving each person a pair of keys, one called the public key and the
other called the private key. Each person's public key is published while the
private key is kept secret. The sender encrypts a message using the public key
of the intended recipient and communicates it via a public mode of
communication. If implemented properly, the message can only be decrypted with
the recipient's private key, which is in the sole possession of the intended
recipient. All communications involve only public keys, and no private key is
ever transmitted or shared. With public key cryptography, it is not necessary to
trust a communications channel to be secure against eavesdropping or betrayal.
In general, public key cryptography requires only that public keys be associated
with their users in a trusted manner, for instance, by maintaining the key in a
trusted directory, and that the private key not be disclosed.
Data Authentication. Data authentication is a process whereby the receiver of
a digital message can be confident of the identity of the sender and/or the
integrity of the message. In public key cryptosystems, authentication is enabled
by the use of digital signatures. Digital signatures serve a function in the
digital world similar to that served by handwritten signatures for printed documents.
The signature is an authentic piece of data asserting that a named person wrote
or otherwise agreed to the document to which the signature is attached. The
recipient, as well as a third party, can verify both that the document
originated from the person whose signature is attached and that the document has
not been altered since it was signed. Secure digital signatures may be used to
refute a claim by the signer of a document that it was forged.
Security Administration and Audit. With the growth of distributed computing
environments, including those utilizing the Internet, organizations are
increasingly concerned about various administrative issues relating to network
security, including the scaleability of their security solutions and the ability
of the solutions to cover multiple geographic regions. Security administration
and audit solutions must also monitor user activity for purposes of detection
and deterrence and in order to ensure that the network or data have not been
compromised.
Enterprise Security
The Company believes that there is an emerging market for enterprise-wide
security solutions in several categories, including secure remote access via
dial-up and virtual private networks; secure access to corporate networks and
resources; secure access to applications, intranets and extranets; email
security; and platform security for desktops and UNIX hosts. These enterprise
security solutions must incorporate elements of all four classes of security and
address the need for: (i) ease of use; (ii) interoperability within
heterogeneous enterprise environments; (iii) scaleability; (iv) integrated
network security administration; (v) integration with existing customer
applications; (vi) secure access to information, including secure remote access;
(vii) information privacy, integrity and authentication; and (viii) system
reliability and availability.
To date, most approaches to network security have been limited in scope and
have failed to address one or more of these requirements. The Company believes
that, in order to compete
effectively in this market, network security vendors must develop comprehensive
network security services that can accommodate a large number of local and
remote users and integrate security management across heterogeneous computing
resources.
SECURITY DYNAMICS SOLUTION
Security Dynamics is the leading provider of enterprise network and data
security solutions. The Company's products help companies conduct business
securely, protect information assets and facilitate business-to-business and
business-to-consumer electronic commerce. The Company's solutions employ a
patent-protected combination of super-smart card technology, access control and
privilege management products, public key encryption technology and security
administration software to protect information wherever it resides in an
enterprise.
A key element of the Company's strategy has been and continues to be the
expansion of its product offerings to address each of the four classes of
enterprise network and data security and deliver integrated solutions for
protecting information resources. Since its inception, the Company has focused
on the fundamental need for user identification and authentication with an
emphasis on solutions for secure remote access to enterprise networks. In
furtherance of its strategy to expand product offerings within the security
classes, in July 1996, the Company acquired RSA, a leader in cryptography, to
address the need for data privacy, integrity and authentication.
The Company's solutions have historically focused on addressing secure remote
access through: (i) SecurID tokens for user identification and authentication;
(ii) ACE/Server administration software; and (iii) ACE/Agent code embedded in
remote access devices such as remote access servers and firewalls. The RSA
SecurPC product and RSA encryption engines have contributed to secure remote
access by allowing customers to control access to the network and by providing
data privacy, integrity and authentication.
As businesses expand their networks to make use of the Internet, intranets
and extranets, companies have begun to realize that the internal network is
becoming more vulnerable and that there is a critical need for products and
services that allow system administrators to control user privileges at multiple
levels within an enterprise and encrypt information within an internal network.
Through its SecurSight family of enterprise security solutions, the Company
intends to address these needs by moving beyond secure remote access to secure
information access, thereby providing security across an enterprise. SecurSight
solutions address a wide range of enterprise security requirements, including
secure remote access via dial-up lines and virtual private networks; secure
network access; secure access to applications, intranets and extranets; email
security; and platform security for desktops and UNIX host systems.
SecurSight is built on the framework formerly known as "ESS" and is intended
to combine products and technologies developed or acquired by the Company with
solutions gained through partnerships with leading vendors, and is designed to
assist in the development of systems and applications that facilitate and
control secure access to information.
In support of SecurSight, in July 1997, the Company acquired DynaSoft, a
leading vendor of platform-independent security solutions for distributed
client/server networks. The DynaSoft BoKS product family includes technologies
for access control and privilege management which the
Company intends to incorporate into the SecurSight solutions.
Through SecurSight, the Company intends to provide additional security
applications, including certificate management (certificates which attest to the
authenticity of the owners of public keys) and key management (services such as
generation, distribution, validation, replacement, termination and recovery of
keys). The Company intends to provide these and other applications through a set
of products that are the integration of the ACE/Server and BoKS product
families, and that are also branded with the SecurSight name. First releases of
the integrated SecurSight products -- including the SecurSight Manager,
SecurSight Desktop and SecurSight Agents -- are expected to be delivered in 1998.
The integrated SecurSight products are modular add-ons to its ACE/Server and
BoKS Manager software, thereby protecting customers' investments and ensuring
backwards compatibility. As part of SecurSight, the Company also plans to
provide a broader administrative framework to manage security services and to
add access control agents to support application access control and smart cards
as an additional form factor for user authentication.
SECURITY DYNAMICS STRATEGY
The Company's objective is to continue as a leading provider of enterprise
network and data security solutions. Key elements of the Company's strategy to
achieve this objective include the following:
o Deliver Enterprise Security Services. The Company's strategy has been and
continues to be to expand the depth and breadth of its product offerings
across the classes of enterprise network and data security to meet the
evolving requirements for the protection of its customers' information
assets. Through its SecurSight products, the Company plans to develop and
deliver scaleable, reliable enterprise security solutions that enable
companies to conduct business securely, protect corporate information
assets and facilitate electronic commerce. For instance, the Company
intends to introduce or acquire products and technologies and form
partnerships that are expected to enable delivery of security services such
as certificate management and key management. In addition, through
partnerships the Company plans to expand its agent roster to include
application-specific agents and add additional authentication form factors,
including smart cards.
o Maintain Technological Leadership. The Company plans to continue to add new
capabilities and features to its enterprise network and data security
products to meet its customers' identification and authentication needs
within the context of evolving enterprise environments. The Company also
plans to continue to establish RSA's proprietary technology as a de facto
encryption standard. Through its RSA Laboratories division, RSA maintains a
leading role in basic cryptographic research, develops new encryption
technologies and maintains close working relationships with leading
academic centers and custom development teams.
o Expand Market Opportunities. The Company intends to expand its market
opportunities through strategic partnerships, industry initiatives and
marketing designed to heighten awareness of security issues. The Company
has strategic partnerships with approximately 70 industry-leading vendors
and plans to continue to foster and leverage these partnerships and enter
into additional relationships with companies that can provide complementary
technologies for its SecurSight solutions. The Company also seeks to
heighten awareness regarding enterprise network and
data security issues through marketing programs such as the annual RSA
Data Security Conference.
o Expand Indirect Sales and Support Channel. The Company currently sells its
products through a direct sales force and through relationships with a
significant number of OEMs, VARs and distributors. In October 1997, the
Company announced the SecurWorld program designed to develop and expand its
indirect sales and support channel through the establishment of two-tier
distribution of the Company's solutions. The Company believes that an
expanded indirect sales and support channel will enable it to enter new
markets and gain access to a larger installed base of potential customers
in a cost-effective manner.
o Expand International Presence. The Company believes that international
markets present a large, relatively new market for enterprise network and
data security products. Sales outside the United States and Canada
represented approximately 23.3% and 26.6% of the Company's total revenue
for 1996 and 1997, respectively. The Company plans to continue to expand
its business outside North America through the hiring of sales personnel,
the establishment of additional distribution arrangements, primarily in
Europe and the Far East, and the development of local presence in key
markets.
PRODUCTS
The Company offers products designed to address all classes of enterprise
network and data security. The Company's products interoperate with a wide
variety of operating systems, network environments and third-party hardware and
software products, thus enabling customers to select optimal configurations for
the installation of the Company's computer and enterprise network security
products.
User Identification and Authentication
The Company's user identification and authentication products combine two
methods of user identification -- something secret the user knows (a PIN) and
something the user possesses (the SecurID token). To gain access to a protected
resource, a user enters his or her PIN and the token code automatically computed
and displayed on the liquid crystal display ("LCD") of the user's SecurID token.
The PIN and the token code together form the user's "PASSCODE." With a valid
PASSCODE, the authorized user is identified, authenticated and granted access to
appropriate information resources.
Each SecurID token contains the Company's proprietary algorithm and is
programmed with a secret, randomly generated seed number which is unique to the
token. The algorithm uses the seed number and Greenwich Mean Time to produce a
sequence of token codes at set intervals (typically every 60 seconds). The
Company's ACE/Server software uses the same algorithm, seed number and Greenwich
Mean Time to generate a token code corresponding to the token code generated by
the user's SecurID token.
The Company currently offers the following user identification and
authentication products:
PRODUCT          DESCRIPTION
-------          -----------
SecurID Tokens   o Three form factors -- SecurID Card, SecurID PINPAD and
                   SecurID Key Fob -- that can be programmed to function
                   for between one and four years
SoftID           o Authentication software that can be deployed on a PC
The Company's SecurID tokens and SoftID software work in conjunction with the
Company's ACE/Server software to provide user identification and authentication
services. The SecurID tokens and SoftID software will also work in conjunction
with the integrated SecurSight Manager when it is released.
Access Control and Privilege Management
The Company's access control and privilege management products provide a
modular set of security services for protecting and managing access to corporate
information and applications. These services are delivered through a flexible
framework designed to control user privileges at multiple levels within the
enterprise including at the network, application and data levels. The Company's
BoKS products can be used together to form a comprehensive security solution or
independently for use with other system components. BoKS software also employs
encryption to protect application data transiting the network as well as for the
protection of local files and data used within the security management system.
The Company's access control and privilege management products include the
following:
PRODUCT          DESCRIPTION
-------          -----------
BoKS Desktop     o Manages a user's security credentials, providing security
                   for PCs as well as SSO functionality to host systems,
                   database applications and network domains
                 o Supports Windows 3.1, Windows for Workgroups 3.11,
                   Windows 95, Windows NT 3.51 and 4.0
BoKS Connect     o Application access control solution that operates with
                   BoKS Desktop to secure database sessions, Telnet sessions
                   and other TCP/IP-based client/server connections
ToolBoKS         o Toolkit that allows developers to implement SSSO
                   functionality and create secure applications, including
                   secure mail, secure remote access, secure Internet
                   services and secure electronic commerce
Each of the foregoing products works in conjunction with the Company's BoKS
Manager software to provide access control and privilege management services.
These products will work in conjunction with the integrated SecurSight Manager
when it is released.
Data Privacy, Integrity and Authentication (Encryption)
RSA's toolkit products, built around the RSA public key cryptographic
technology (or "cryptosystem"), enable the Company's customers to develop
applications that are designed to
provide secure data communication. The RSA public key cryptosystem uses a pair
of large prime numbers to generate private keys and public keys. The size of the
keys determines the degree of security provided. The Company believes that RSA's
public key cryptosystem is one of the most secure cryptographic techniques
commercially available to encrypt, and to verify the authenticity and integrity
of, electronic data.
The Company believes that the RSA cryptosystem is a de facto standard for a
number of data security applications. RSA's encryption technology is embedded in
current versions of Microsoft Windows NT, Netscape Navigator, Quicken by Intuit,
Lotus Notes and numerous other products. RSA technology is also used in secure
telephones, on Ethernet network cards and on smart cards, and is incorporated
into major protocols for secure Internet communications including SSL, S-HTTP,
S/MIME, PCT, PKCS, SET and PEM. It is also used internally in many institutions
including financial institutions, major corporations, U.S. governmental
agencies, national laboratories and universities. RSA's technology has also
become widely selected as a standard for various electronic banking
applications.
The Company currently offers the following data privacy, integrity and
authentication (encryption) products:
PRODUCT          DESCRIPTION
-------          -----------
BSAFE            o RSA's flagship encryption engine and developer toolkit
                   that allows programmers to integrate encryption and data
                   authentication features into a wide range of
                   applications, including digitally signed electronic forms
                   and virtual private networks
JSAFE            o RSA's newest encryption engine and developer toolkit that
                   allows Java developers to integrate encryption and data
                   authentication features into applications
TIPEM            o Developer toolkit providing flexible, secure electronic
                   messaging foundation for a variety of messaging
                   protocols, including PEM, MOSS and S/MIME; used in
                   products or services offered by Lotus, Netscape and
                   America Online Inc.
BCERT            o Developer toolkit designed to allow developers to
                   incorporate public key certificates into their
                   applications and containing all cryptographic support
                   necessary to generate certificate requests, sign
                   certificates and create and distribute certificate
                   revocation lists (CRLs)
S/MAIL           o Standards-based secure messaging engine and toolkit for
                   providing a secure messaging infrastructure based on the
                   S/MIME protocol
S/PAY            o Standards-based secure transaction engine and developer
                   toolkit suite for providing a secure payment card
                   (including credit cards) transaction infrastructure based
                   on the SET standard
RSA SecurPC      o Encryption software based on RSA public key and RC4
                   symmetric key cryptosystem that protects and encrypts
                   data in transit via email and protects data on local hard
                   drives, network drives and laptop PCs
In addition, at the RSA Conference in January 1998, RSA announced its
Certificate Security Suite, a set of high-level security components and tools
designed to reduce the cost and time-to-market for developing certificate-based
secure applications, and to help developers integrate applications and public
key management products in the enterprise. Products created with Certificate
Security Suite will integrate with the SecurSight solutions. RSA Certificate
Security Suite is expected to be available in 1998.
The Company also believes that RSA's RC series of symmetric, or secret key,
encryption technologies are among the highest performance and most secure
techniques of their class available to encrypt electronic data. RC2 and RC4 are
designed to handle block and streaming data types, respectively, and are
designed to provide for easy adjustment of key size for exportability as well as
high performance without specialized hardware.
Security Administration and Audit
The Company offers highly scaleable network security solutions that are easy
to deploy and provide system administrators with the ability to administer the
entire global authentication network from any location, delegate administrative
roles and privileges, write customized reports on security-related activities on
the network and perform other administrative functions with a high degree of
granularity and flexibility. The Company's security administration and audit
products include its ACE/Server and BoKS Manager software products, and will
include the integrated SecurSight Manager when it is released.
The Company's ACE/Server software manages access to network resources via the
Internet, public gateways, remote dial-up modems, leased lines, workstations,
terminals, personal computers or direct connection. It permits centralized user
authentication and security administration for all customer resources protected
on a TCP/IP network. ACE/Server software is currently available for most popular
UNIX-based operating systems and Windows NT.
BoKS Manager is the administration framework for the BoKS product family.
BoKS Manager provides customers with centralized user, security and public key
administration through Web-based graphical interfaces. Its primary functions are
to provide UNIX platform security and to create and administer security domains,
including UNIX systems, with BoKS Desktop.
As part of its SecurSight framework, the Company intends to integrate the
functionality of its ACE/Server and BoKS Manager software into a unified server
platform.
Pricing
Subject to volume discounts and other licensing terms and conditions, the
suggested U.S. list prices for the Company's products range as follows: SecurID
tokens from $34 to $86 per token; ACE/Server software products from $3,950 to
$553,000; RSA encryption engine and toolkit licenses from $25,000 to $50,000;
and BoKS products from $52 to $275 per user for BoKS Desktop and from
$1,250 to $3,100 per server for BoKS Manager. The Company continually reviews
and adjusts its product pricing policies in light of factors such as relative
value, industry standards and demand.
STRATEGIC PARTNERS
To enhance its enterprise network and data security solutions, the Company
has established relationships with approximately 70 vendors of remote access
products, Internet firewalls, network and applications software and virtual
private network ("VPN") products. Most of these vendors integrate the Company's
client software into one or more of their products to provide compatibility
between their product offerings and the Company's ACE/Server software. Other
vendors build call routines, software hooks or APIs into their products to
provide compatibility with the Company's ACE/Server software. The Company has
also entered into strategic relationships with vendors that share technical
information with the Company to enable it to develop products which will be
interoperable with the vendors' products. The Company's strategic partners
include the following:
REMOTE ACCESS                       INTERNET FIREWALLS           NETWORK AND APPLICATIONS  VPN
----------------------------------  ---------------------------  ------------------------  ---------------------------
Access Beyond      Lanoptics        ANS                          Apple Computer            Ascend
ACT Networks       Lantronix        Check Point                  Cisco                     Aventail
ADTRAN             Livingston       CyberGuard                   CyberSAFE                 Bay Networks
Apple Computer     Microcom         IBM                          Gradient                  Check Point
Ascend             Microsoft        Milkyway                     IBM                       Digital Equipment
Attachmate         MultiLink        Raptor Systems               Lucent Technologies       Fortress Technologies
Bay Networks       Network General  Secure Computing             nCipher                   IBM
Cisco              NNTI             SOS                          Netscape                  InfoExpress
Digital Equipment  Osicom           Technologic                  Network Express           New Oak
Emulex             Shiva            Trusted Information Systems  NIT                       Raptor Systems
Gandalf            Telebit          V-ONE                        Novell                    Timestep
Hewlett-Packard    3COM                                          Oracle                    Trusted Information Systems
IBM                U.S. Robotics                                 OTG                       V-ONE
Kasten Chase       Xyplex                                        PLATINUM technologies     VPNet
                                                                 Sun Microsystems
                                                                 Utimaco
                                                                 WorldTalk
SALES AND MARKETING
The Company has established a multi-channel distribution and sales network to
serve the enterprise network and data security market. The Company sells and
licenses its products directly to end users through its direct sales force and
indirectly through a network of OEMs, VARs and distributors. In addition, the
Company supports its direct and indirect sales efforts through strategic
marketing relationships and public relations programs, trade shows and other
marketing activities. In October 1997, the Company announced the SecurWorld
program designed to enhance its indirect channel through the establishment of
two-tier distribution.
Sales
The Company's direct sales staff focuses on major accounts, provides
technical advice and support with respect to the Company's products and works
closely with the Company's customers, OEMs, VARs and distributors. As of
December 31, 1997, the Company's direct sales organization consisted of 154
sales and technical support personnel located throughout the world. The
Company's revenue from direct sales efforts for the years ended December 31,
1995, 1996 and 1997 was approximately
95%, 90% and 75% of total revenue, respectively.
The Company also markets, sells and licenses its products indirectly through
its SecurWorld network OEMs, VARs and distributors. As of December 31, 1997, the
Company (excluding RSA) had relationships with approximately 250 OEMs, VARs and
distributors, and RSA had relationships with more than 350 OEMs. DynaSoft has
traditionally complemented its direct sales force with VARs and distributors and
is currently a party to OEM agreements with Sun Microsystems, Inc. and
Hewlett-Packard Company.
International sales (excluding Canada) accounted for approximately 18.6%,
23.3% and 26.6% of the Company's total revenue in the years ended December 31,
1995, 1996 and 1997, respectively.
Marketing
In support of its sales efforts, the Company conducts sales training courses,
comprehensive targeted marketing programs including direct mail, public
relations, advertising, seminars, trade shows and telemarketing and ongoing
customer and third-party communications programs. The Company also seeks to
stimulate interest in enterprise network and data security through its public
relations program, speaking engagements, white papers, technical notes and other
publications.
The Company has entered into strategic marketing relationships with various
vendors of operating systems and network operating systems, remote access
products, Internet-related products and application software. The Company has
also entered into strategic relationships with vendors that share technical
information with the Company to enable it to develop products which will be
interoperable with the vendors' products. The Company has developed a separate
program, the SecurID Ready strategic partner program, to market the
compatibility between the vendors' products and the Company's ACE/Server
software. The end-user customers of all of these vendors must purchase tokens
and license ACE/Server software directly from the Company. The Company believes
that these relationships help the Company and its customers to expand their
enterprise network coverage and assist the Company in increasing its installed
customer base and SecurID token usage.
To enhance demand for its products, RSA has participated in the development
of various industry-specific protocols that rely on RSA's cryptographic data
security technologies. RSA also hosts its own annual industry conference and
participates in others to increase demand for its products. Through its RSA
Laboratories division, RSA maintains a leading role in basic cryptographic
research, develops new encryption technologies and maintains close working
relations with leading academic centers and customer development teams.
CUSTOMERS
As of December 31, 1997, SDI had sold or licensed more than 4,600 ACE/Server
products and over 2.5 million SecurID tokens to more than 3,000 customers
worldwide. Historically, SDI's principal customers have been in the
telecommunications, pharmaceutical, financial and healthcare industries as well
as academic institutions, research laboratories and government organizations.
These customers are generally sophisticated and knowledgeable purchasers of
security systems and work with highly confidential information. The Company
believes that as corporate networks proliferate and become more complex, the
number of industries concerned with system security and access to
information will grow.
As of December 31, 1997, RSA had licensed its encryption engine and patent
technology to more than 400 OEMs that typically incorporate RSA's encryption
technology into their products. RSA's encryption technology is embedded in
current versions of Microsoft Windows NT, Netscape Navigator, Quicken by Intuit,
Lotus Notes and numerous other products. RSA also licenses its encryption
technology directly to customers for incorporation into customers' business,
financial and electronic commerce networks. RSA technologies are part of
existing and proposed standards for the Internet and World Wide Web, ITU, ISO,
ANSI and IEEE.
As of December 31, 1997, DynaSoft had sold or licensed its BoKS systems to
more than 130 customers worldwide, representing more than 110,000 users.
Historically, DynaSoft's principal customers have been government organizations
and businesses in the healthcare, telecommunications and financial services
industries.
In the years ended December 31, 1996 and 1997, no customer accounted for more
than 5% of the Company's total revenue.
CUSTOMER SERVICE AND SUPPORT
The Company maintains a customer support help desk and technical support
organization at its headquarters in Bedford, Massachusetts and at other
locations throughout the world and offers telephone support for certain of its
products 24 hours a day, seven days a week. The Company continues to add
advanced technical support personnel to its support staff to address anticipated
additional demands arising from the deployment of the Company's security
solutions into larger and more complex user environments. The Company also has
field technical support personnel who work directly with the Company's direct
sales force, distributors and customers. As of December 31, 1997, the Company's
customer support organization consisted of an aggregate of 69 full-time
employees located in Massachusetts, California, New Jersey, the United Kingdom,
Germany, France and Sweden.
The Company's standard practice is to provide a warranty on all SecurID
tokens for the customer-selected programmed life of the token and to replace any
damaged tokens (other than tokens damaged by a user's negligence or alteration)
free of charge. The Company generally sells each of its other products to
customers with a warranty for specified periods. After the expiration of the
applicable warranty period, customers may elect to purchase a maintenance
contract for 12-month renewable periods. Under these contracts, the Company
agrees to provide (i) corrections for documented program errors; (ii) version
upgrades for both software and, if applicable, firmware; and (iii) telephone
consultation.
PRODUCT DEVELOPMENT
The Company's product development efforts are focused on enhancing the
functionality, reliability, performance and flexibility of its existing
products, and in integrating the BoKS product family with SDI's core products.
As part of its SecurSight architecture, the Company is developing technology to
enhance the administrative capabilities and scalability of its ACE/Server
products and to increase interoperability with additional network operating
systems and directory services. The
Company also is developing tools to assist customers, strategic marketing
partners and other third-party integrators in integrating the Company's products
with custom and other third-party network or system applications.
RSA plans to increase its competitive position by strengthening its core
cryptography toolkit and developing standards, protocols and applications that
address the needs of specific market segments and build on RSA's proprietary
technology. In the latter case, RSA may choose to partner with other parties to
develop and/or market the products. RSA is currently developing enhanced
toolkits to enable emerging new applications. Each of these value-added toolkits
is being designed to address the needs of a specific market segment.
In addition to enhancing its existing products, the Company continues to
identify and prioritize various technologies for potential future product
offerings. The Company may develop these products internally or enter into
arrangements to license or acquire products or technologies from third parties.
There can be no assurance, however, that the Company will be successful in
enhancing or developing existing products or identifying and successfully
acquiring new technologies.
As of December 31, 1997, the Company's product development staff consisted of
184 full-time employees engaged in engineering and development including
software and hardware engineering, testing and quality assurance and technical
documentation. The Company also engages outside contractors where appropriate to
supplement the Company's in-house expertise or expedite projects based on
customer or market demand. The Company's total research and development expenses
(including purchased research and development) for the years ended December 31,
1995, 1996 and 1997 were approximately $6.9 million, $13.4 million and $26.3
million, respectively.
MANUFACTURING AND SUPPLIERS
Manufacturing
SecurID Tokens. The Company contracts for the manufacture of its SecurID
tokens with two suppliers in the United States, only one of which, Pemstar,
Inc., has been qualified to manufacture the Company's SecurID Key Fob. The
Company has generally been able to obtain adequate supplies of SecurID tokens in
a timely manner and believes that alternate vendors can be identified if current
vendors are unable to fulfill its needs. However, delays or failure to identify
alternate vendors, if required, or a reduction or interruption in supply or a
significant increase in the manufacturing costs could adversely affect the
Company's financial condition or results of operations and could impact customer
relations.
SecurPC and ACE/Server Software Products. The Company's SecurPC and
ACE/Server software products are distributed on standard magnetic diskettes,
compact disks and tapes together with printed documentation. The Company
contracts with media duplication subcontractors for the majority of its media
duplication. The Company has the capability to do all media duplication
in-house, but limits its use to small production runs such as beta programs.
Suppliers
Although the Company generally uses standard parts and components for its
products, certain components are currently available only from a single source
or from limited sources. For example, the microprocessor chips contained in the
Company's SecurID tokens are currently
purchased only from Sanyo Electric Co., Ltd., a Japanese computer chip
manufacturer, and the lithium batteries contained in the Company's SecurID
tokens are purchased from Gould Electronics, a supplier located in the United
States. The inability to obtain sufficient sole or limited source components as
required or to obtain or develop alternative sources at competitive prices and
quality if and as required in the future, could result in delays in product
shipments or increase the Company's material costs either of which would
adversely affect the Company's financial condition or results of operations.
The Company believes that it would take approximately six months to identify
and commence production of suitable replacements for the microprocessor chip or
lithium battery used in the Company's SecurID tokens. The Company attempts to
maintain a three-month supply of SecurID tokens in inventory.
COMPETITION
The market for enterprise network and data security products is highly
competitive and subject to rapid technological change. The Company believes that
competition in this market is likely to intensify as a result of increasing
demand for security products. The Company currently experiences competition from
a number of sources, including (i) software operating systems suppliers and
application software vendors that incorporate a single-factor static password
security system into their products; (ii) token-based password generator vendors
promoting challenge/response technology; (iii) smart card security device
vendors; (iv) biometric security device vendors; (v) public key infrastructure
and cryptographic software firms; and (vi) SSO providers. In some cases, these
vendors also support the Company's products and those of its competitors. The
Company may also face competition from these and other parties in the future
that develop enterprise network and data security products based upon approaches
similar to or different from those employed by the Company including operating
system or network suppliers not currently offering competitive enterprise-wide
security products. There can be no assurance that the market for enterprise
network and data security products will not ultimately be dominated by
approaches other than the approaches marketed by the Company. RSA has agreed, in
connection with the April 1995 formation of VeriSign, not to engage, directly or
indirectly, in the business of issuing public key certificates acting in the
capacity of a certificate authority for a period of five years from the date of
such formation.
The Company believes that the principal competitive factors affecting the
market for enterprise network and data security products include technical
features, ease of use, quality/reliability, level of security, customer service
and support, distribution channels and price. Although the Company believes that
its products currently compete favorably with respect to such factors, there can
be no assurance that the Company can maintain its competitive position against
current and potential competitors, especially those with significantly greater
financial, marketing, service, support, technical and other competitive
resources.
PROPRIETARY RIGHTS
The Company relies on a combination of patent, trade secret, copyright and
trademark laws, software licenses, nondisclosure agreements and technical
measures to establish and protect its proprietary technology. The Company
generally enters into confidentiality and/or license agreements with its
employees and distributors as well as with its customers and potential customers
seeking
proprietary information, and limits access to and distribution of its software,
documentation and other proprietary information. Despite these precautions, it
may be possible for unauthorized third parties to copy aspects of the Company's
products or to obtain and use information that the Company regards as
proprietary.
The Company's 15 issued U.S. patents expire at various dates ranging from
2005 to 2016. Upon expiration of the Company's patents, competitors may develop
and sell products based on technologies similar or equivalent to those currently
covered by the Company's patents. A patent developed at the Massachusetts
Institute of Technology and licensed to RSA (the "RSA/MIT Patent"), the claims
of which cover significant elements of RSA's products, will expire on September
20, 2000, which may enable competitors to thereafter market competing products
which previously would have infringed the RSA/MIT Patent. In addition, two
patents covering fundamental encryption technology developed by Stanford
University and licensed to RSA expired in 1997. As a result of the expiration of
these Stanford patents, competitors may develop and sell products based on
technologies covered by such patents, including products that may be positioned
as competitive with products covered by the RSA/MIT Patent, thereby adversely
impacting sales of RSA's products. There can be no assurance that any patent
owned or held by the Company or its licensers will not be invalidated,
circumvented, challenged or terminated; that any of the Company's pending or
future patent applications will be within the scope of claims sought by the
Company, if at all, or that the steps taken by the Company to protect its rights
will be adequate to prevent misappropriation of the Company's technology or to
preclude competitors from developing products with features similar to the
Company's products. Further, there can be no assurance that others will not
develop technologies that are similar or superior to the Company's technology or
duplicate the Company's technology. In addition, the laws of certain countries
in which the Company's products are or may be developed or sold may not protect
the Company's products and intellectual property rights to the same extent as
the laws of the United States. The inability of the Company to protect its
intellectual property adequately could have a material adverse effect on its
financial condition and results of operations.
GOVERNMENT REGULATION AND EXPORT CONTROLS
All of the Company's products are subject to export controls under U.S. law
and applicable foreign government restrictions. The Company believes it has
obtained necessary approvals for the export of the products it currently
exports. There can be no assurance, however, that the list of products and
countries for which export approval is required, and the regulatory policies
with respect thereto, will not be revised from time to time or that the Company
will be able to obtain necessary regulatory approvals for the export of future
products. The inability of the Company to obtain required approvals under these
regulations could adversely affect the ability of the Company to make
international sales.
Exports of RSA's encryption products, or third-party products bundled with
the encryption technology of RSA, are expected to continue to be restricted by
the United States and various foreign governments. All cryptographic products
need export licenses from either the U.S. State Department, acting under the
authority of the International Traffic in Arms Regulation, or the U.S. Commerce
Department, acting under the authority of the Export Administration Regulations.
The U.S. government generally limits the export of software with encryption
capabilities to mass marketed software with limited key sizes, which
significantly constrains the security effectiveness of RSA products available
for export. There can be no assurance that the U.S. government will ease its
export restrictions on encryption technology in any significant manner in the
near future. As a result, RSA may be at a disadvantage in competing for
international sales compared to companies located outside the United States that
are not subject to such restrictions.
EMPLOYEES
At December 31, 1997, the Company employed 610 employees. Of these employees,
187 were involved in research and development; 281 in sales, marketing and
customer support; 63 in production and information technology; and 79 in
administration and finance. No employees are covered by any collective
bargaining agreements. The Company believes that its relationships with its
employees are good.
RECENT EVENTS
On March 26, 1998 (the "Effective Date"), the Company completed the
acquisition (the "IDI Acquisition") of all of the outstanding capital stock of
Intrusion Detection Inc. ("IDI"), a New York corporation, pursuant to an
Agreement and Plan of Merger (the "Merger Agreement") by and among the Company,
IDI, Apple Acquisition Corp., a wholly owned subsidiary of the Company, and the
former stockholders of IDI (the "IDI Stockholders"). The purchase price for the
IDI Acquisition consisted of approximately 784,000 shares of common stock of the
Company. The Company used authorized but previously unissued shares of common
stock in connection with the acquisition. The IDI Acquisition will be accounted
for as a pooling-of-interests.
The Company and IDI also entered into an Escrow Agreement pursuant to which
approximately 78,400 shares of the common stock consideration will be held in
escrow to reimburse the Company in connection with any breaches of
representations, warranties or covenants by IDI and the IDI Stockholders in the
Merger Agreement. In addition, the Company and the IDI Stockholders entered into
a Registration Rights Agreement pursuant to which the Company has agreed to file
a Registration Statement on Form S-3, on or prior to the 15th business day
following the Effective Date, for the
purpose of registering under the Securities Act of 1933 the shares of Common
Stock of the Company issued to such stockholders pursuant to the Merger
Agreement.
IDI, based in New York, is a leading publisher of network security software
tools that help network officials manage enterprise-wide security more
effectively. The IDI products, Kane Security Analyst and Kane Security Monitor,
are highly complementary to the Company's SecurSight family of plug-in
enterprise security solutions and address two critical solution areas, network
security assessment and monitoring. The products are currently distributed both
directly and through distributors in the United States and through resellers in
20 countries and will also be available through the Company's direct sales
forces, as well as through SecurWorld channel partners.
ITEM 2. PROPERTIES
The Company's principal administrative, sales and marketing, research and
development and support facilities consist of approximately 107,000 square feet
of office space in Bedford, Massachusetts. The Company occupies these premises
under two leases expiring in August 2006. As of December 31, 1997, the annual
base rent for this facility was approximately $1,607,000. In support of its
field sales and support organization, the Company also leases facilities and
offices in 30 other locations in the United States, four locations in Canada and
one location in each of the United Kingdom, France, Germany, Norway, Singapore,
Hong Kong and Japan.
In November 1997, the Company entered into two noncancelable ten-year leases
expiring in 2008 for RSA offices in Redwood City, California. The Company plans
to occupy the first facility in March 1998. The first facility consists of
approximately 27,000 square feet of office space, and the annual base rent is
$1,010,000. The Company plans to occupy the second facility in June 1998. The
second facility consists of approximately 31,000 square feet of office space,
and the annual base rent is $912,000 with annual operating expenses of $245,000.
Both leases have rent escalation provisions covering years two through ten based
on the Consumer Price Index.
RSA also leases approximately 15,000 square feet of office space in Redwood
City, California under a lease expiring in October 1999. As of December 31,
1997, the annual base rent for this facility was approximately $418,000. RSA
also leases office space in Virginia and Japan.
DynaSoft leases approximately 13,000 square feet of office space in
Stockholm, Sweden under a lease expiring in March 1999. As of December 31, 1997,
the annual base rent for this facility was approximately $200,000. In support of
its field sales and support organization, DynaSoft also leases facilities and
offices in four other locations in the United States, Sweden and the United
Kingdom.
ITEM 3. LEGAL PROCEEDINGS
The Company is not a party to any litigation that it believes could have a
material adverse effect on the Company or its business.
ITEM 4. SUBMISSION OF MATTERS TO A VOTE OF SECURITY-HOLDERS
None.
EXECUTIVE OFFICERS OF THE COMPANY
The executive officers of the Company and their respective ages are as
follows:
NAME                      AGE  POSITION
------------------------  ---  ------------------------------------------------------------
Charles R. Stuckey, Jr.   55   Chairman of the Board, President and Chief Executive Officer
D. James Bidzos           43   Executive Vice President and Director
Arthur W. Coviello, Jr.   44   Executive Vice President, Chief Operating Officer and Secretary
John Adams                56   Senior Vice President, Engineering
Gary A. Rogers            43   Senior Vice President, World Wide Sales and Field Operations
W. David Power            44   Senior Vice President, Marketing and Corporate Development
Marian G. O'Leary         43   Senior Vice President, Finance, Chief Financial Officer and Treasurer
Linda E. Saris            45   Vice President, Customer Support and Operations and Chief Information Officer
Mr. Stuckey joined the Company as President in January 1987, was appointed
Chief Executive Officer and elected a director of the Company in March 1987 and
appointed Chairman of the Board in July 1996. From 1984 to January 1987, Mr.
Stuckey served as Vice President of Scientific Information Services, a systems
and commercial data service company and a division of Control Data Corporation.
Mr. Bidzos joined SDI as an Executive Vice President in July 1996. He joined
RSA in 1986 and has served as RSA's President and Chief Executive Officer and as
a director since 1988. Mr. Bidzos also is Chairman and a founder of VeriSign, a
company specializing in providing public-key certificates and related products
and services, and a founder of Terisa Systems, Inc., a company specializing in
security protocols for the World Wide Web that was recently acquired by SPYRUS,
Inc. He also is a director of the Electronic Privacy Information Center. Mr.
Bidzos became a director of SDI following the acquisition of RSA by SDI in July
1996.
Mr. Coviello joined the Company as Executive Vice President in September 1995
and was appointed Treasurer in October 1995 and Chief Operating Officer in
January 1997. From October 1995 to August 1997, Mr. Coviello also served as the
Company's Chief Financial Officer. From January 1994 to August 1995, Mr.
Coviello served as Chief Operating Officer and from March 1992 to January 1994,
Mr. Coviello served as Vice President, Finance and Administration, Chief
Financial Officer and Treasurer of CrossComm Corporation, a developer of
inter-networking products.
Dr. Adams joined the Company as Senior Vice President, Engineering in March
1996 after over twenty years of management, engineering and network service for
Digital Equipment Corporation ("Digital"). From 1976 to 1996, Dr. Adams served
in a number of positions with Digital, including Vice President and Technical
Director of Digital's Network Operating Systems Division from 1991 to 1996.
Prior to joining Digital, Dr. Adams served as a structural engineer for Mitchell
Systems.
Mr. Rogers joined the Company as Senior Vice President, World Wide Sales and
Field Operations in February 1997. From 1994 to 1996, Mr. Rogers served as Vice
President, International Sales and
Operations with Bay Networks, Inc. From 1992 to 1994, Mr. Rogers was Vice
President, Sales and Operations -- Europe with Wellfleet Communications, Inc., a
predecessor to Bay Networks, Inc. Prior to joining Wellfleet Communications,
Inc., Mr. Rogers served in a number of positions with several other
organizations including managerial-level sales and marketing positions.
Mr. Power joined the Company as Vice President, Marketing in November 1996
and was appointed Senior Vice President, Marketing and Corporate Development in
April 1997. In 1995 and 1996, Mr. Power was Vice President and General Manager
of the AT&T New Media Services division, which was combined with Industry.Net to
form Nets, Inc. From 1992 to 1995, Mr. Power served as Vice President and
General Manager for two Sun Microsystems business units: SunSoft PC Desktop
Integration Products and SunSelect. Before joining Sun Microsystems, Mr. Power
was a Vice President at Mercer Management Consulting, a marketing and strategic
consulting firm, from 1980 to 1992.
Ms. O'Leary joined the Company as Senior Vice President, Finance, Chief
Financial Officer and Treasurer in August 1997. From 1987 to 1997, Ms. O'Leary
held a number of positions with Digital, including Vice President, Finance for
the Systems Business Unit from 1994 to 1997. Prior to joining Digital, Ms.
O'Leary held several positions with General Electric Company including Senior
Vice President of Finance for GE Mortgage Insurance, a business unit of GE
Capital.
Ms. Saris joined the Company as Vice President, Finance and Operations,
Treasurer and Chief Financial Officer in June 1989, and has served as Vice
President, Customer Support and Operations since January 1997 and as Chief
Information Officer since August 1997. From October 1995 to January 1997, Ms.
Saris served as the Company's Vice President, Operations. From 1980 to 1989, Ms.
Saris served in a number of positions, including Senior Vice President and
General Manager and Vice President of Finance, with Clinical Data, Inc., a
medical technology and services company.
PART II
ITEM 5. MARKET FOR REGISTRANT'S COMMON EQUITY AND RELATED
STOCKHOLDER MATTERS
The Company's Common Stock has been trading on the Nasdaq National Market under
the symbol "SDTI" since the Company's initial public offering on December 14,
1994. The following table sets forth for the fiscal periods indicated the high
and low sales prices per share of Common Stock as reported on the Nasdaq
National Market and after giving effect to both of the Company's two-for-one
splits of its Common Stock in the form of stock dividends, which became
effective as of October 30, 1995 and November 15, 1996, respectively.
                     FISCAL 1996
                     -----------
                   HIGH         LOW
                   ----         ---
First Quarter    $ 33.75      $ 21.25
Second Quarter     54.50        23.125
Third Quarter      48.375       25.625
Fourth Quarter     43.50        29.75

                     FISCAL 1997
                     -----------
                   HIGH         LOW
                   ----         ---
First Quarter    $ 39.25      $ 21.00
Second Quarter     38.25        22.75
Third Quarter      44.375       32.625
Fourth Quarter     41.625       29.75
There were 290 stockholders of record of the Company's Common Stock as of
March 26, 1998.
The Company has never declared or paid any cash dividends on its capital
stock. The Company currently intends to retain earnings, if any, to support its
growth strategy and does not anticipate paying cash dividends in the foreseeable
future. Payment of future dividends, if any, will be at the discretion of the
Company's Board of Directors after taking into account various factors,
including the Company's financial condition, operating results, current and
anticipated cash needs and plans for expansion.
In October 1997, James K. Sims was elected to the Company's Board of
Directors as a Class III director, filling a vacancy created by the resignation
of Marino R. Polestra. In connection with his election, on November 6, 1997 Mr.
Sims purchased 25,000 shares of Common Stock from the Company at a purchase
price of $25.92 per share, representing 75% of the closing price of the Common
Stock on the Nasdaq National Market on the date of purchase, pursuant to a Stock
Purchase Agreement, dated November 6, 1997 (the "Sims Agreement"), by and
between the Company and Mr. Sims. The Sims Agreement provides that in the event
that Mr. Sims ceases to be a member of the Board of Directors of the Company,
for any reason or no reason, with or without cause, prior to November 6, 1998,
then Mr. Sims shall return to the Company a pro rata portion of the aggregate
discount on the shares purchased. The shares of Common Stock were issued and
sold to Mr. Sims in reliance on Section 4(2) of the Securities Act of 1933, as
amended, as a sale by the Company not involving a public offering. No
underwriters were involved with such issuance and sale of Common Stock.
ITEM 6. SELECTED FINANCIAL DATA
The information required by this item is contained under the caption
"Selected Consolidated Financial Data" appearing in the Company's 1997 Annual
Report to Stockholders (the "1997 Annual Report") and is incorporated herein by
this reference.
ITEM 7. MANAGEMENT'S DISCUSSION AND ANALYSIS OF FINANCIAL
CONDITION AND RESULTS OF OPERATIONS
The information required by this item is contained under the caption
"Management's Discussion and Analysis of Financial Condition and Results of
Operations" appearing in the 1997 Annual Report and is incorporated herein by
this reference.
ITEM 7A. QUANTITATIVE AND QUALITATIVE DISCLOSURES ABOUT MARKET RISK
Not applicable.
ITEM 8. FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA
The information required by this item is contained in the Consolidated
Financial Statements appearing in the 1997 Annual Report and is incorporated
herein by this reference.
ITEM 9. CHANGES IN AND DISAGREEMENTS WITH ACCOUNTANTS ON
ACCOUNTING AND FINANCIAL DISCLOSURE
Not applicable.
PART III
ITEM 10. DIRECTORS AND EXECUTIVE OFFICERS OF THE REGISTRANT
The information required by this item is contained in part under the caption
"Executive Officers of the Company" in PART I hereof, and the remainder is
contained in the Company's Proxy Statement for the Company's Annual Meeting of
Stockholders to be held on April 30, 1998 (the "1998 Proxy Statement") under the
captions "Proposal 1 - Election of Directors" and "Section 16(a) Beneficial
Ownership Reporting Compliance" and is incorporated herein by this reference.
Officers are elected on an annual basis and serve at the discretion of the
Board of Directors.
ITEM 11. EXECUTIVE COMPENSATION
The information required by this item is contained under the captions
"Director Compensation," "Compensation of Executive Officers" and "Compensation
Committee Interlocks and Insider Participation" in the 1998 Proxy Statement and
is incorporated herein by this reference.
ITEM 12. SECURITY OWNERSHIP OF CERTAIN BENEFICIAL
OWNERS AND MANAGEMENT
The information required by this item is contained under the caption "Stock
Ownership of Certain Beneficial Owners and Management" in the 1998 Proxy
Statement and is incorporated herein by this reference.
ITEM 13. CERTAIN RELATIONSHIPS AND RELATED TRANSACTIONS
None.
PART IV
ITEM 14. EXHIBITS, FINANCIAL STATEMENT SCHEDULES
AND REPORTS ON FORM 8-K
(a) Documents filed as a part of this Form 10-K:
1. Financial Statements. The Consolidated Financial Statements
are included in the 1997 Annual Report, portions of which are filed as an
exhibit to this Annual Report on Form 10-K. The Consolidated Financial
Statements include:
Independent Advisors' Report
Consolidated Balance Sheets
Consolidated Statements of Income
Consolidated Statements of Stockholders' Equity
Consolidated Statements of Cash Flows
Notes to Consolidated Financial Statements
2. Financial Statement Schedules. Financial Statement Schedule II,
"Valuation and Qualifying Accounts" and the Reports of Deloitte & Touche LLP
and Ernst & Young LLP, immediately following the "Exhibit Index" are filed as
part of this Annual Report on Form 10-K.
3. Exhibits. The Exhibits listed in the Exhibit Index immediately
preceding such Exhibits are filed as part of this Annual Report on Form 10-K.
(b) Reports on Form 8-K:
On December 17, 1997, the Company filed a Current Report on Form
8-K, dated December 16, 1997, for the purposes of filing under Item 5 (Other
Events) the Company's Selected Consolidated Financial Data, Management's
Discussion and Analysis of Financial Conditions and Results of Operations and
Consolidated Financial Statements of the Company as of December 31, 1995 and
1996 and June 30, 1996 (unaudited) and for the years ended December 31, 1994,
1995 and 1996 and the six months ended June 30, 1996 and 1997 (unaudited).
SIGNATURES
Pursuant to the requirements of Section 13 or 15(d) of the Securities
Exchange Act of 1934, the Registrant has duly caused this report to be signed on
its behalf by the undersigned, thereunto duly authorized.
SECURITY DYNAMICS TECHNOLOGIES, INC.
By:/s/ CHARLES R. STUCKEY, JR.
---------------------------------
Charles R. Stuckey, Jr.
Chairman, President and Chief Executive Officer
Date: March 31, 1998
Pursuant to the requirements of the Securities Exchange Act of 1934, this
report has been signed below by the following persons on behalf of the
Registrant and in the capacities and on the dates indicated.
Signature                      Title                            Date
---------                      -----                            ----
/s/ CHARLES R. STUCKEY, JR.    Chairman, President and          March 31, 1998
---------------------------    Chief Executive Officer
Charles R. Stuckey, Jr.        (Principal Executive Officer)

/s/ MARIAN G. O'LEARY          Senior Vice President,           March 31, 1998
---------------------------    Finance, Chief Financial
Marian G. O'Leary              Officer and Treasurer
                               (Principal Financial and
                               Accounting Officer)

                               Director                         March 31, 1998
---------------------------
D. James Bidzos

                               Director                         March 31, 1998
---------------------------
Richard L. Earnest

/s/ JOSEPH B. LASSITER, III    Director                         March 31, 1998
---------------------------
Joseph B. Lassiter, III

/s/ GEORGE M. MIDDLEMAS        Director                         March 31, 1998
---------------------------
George M. Middlemas

                               Director                         March 31, 1998
---------------------------
Sanford M. Sherizen

                               Director                         March 31, 1998
---------------------------
James K. Sims
EXHIBIT INDEX
-------------
EXHIBIT
NO. DESCRIPTION
--- -----------
*2.1 Stock Purchase Agreement by and among the Registrant, DynaSoft AB
and the stockholders of DynaSoft named on Schedule I thereto, dated
July 12, 1997, is incorporated herein by reference to Exhibit 2.1
to the Registrant's Current Report on Form 8-K, dated
July 15, 1997 (File No. 0-25120) (the "Form 8-K")
*2.2 Stock Purchase Agreement by and among the Registrant, DynaSoft AB
and the stockholders of DynaSoft named on Schedule I thereto, dated
July 15, 1997, is incorporated herein by reference to
Exhibit 2.2 to the Form 8-K
*2.3 Stock Purchase Agreement by and among the Registrant, DynaSoft AB
and the stockholders of DynaSoft named on Schedule I thereto, dated
July 15, 1997, is incorporated herein by reference to
Exhibit 2.3 to the Form 8-K
*2.4 Stock Purchase Agreement by and between the Registrant and Ian
Anderson, dated July 15, 1997, is incorporated herein by
reference to Exhibit 2.4 to the Form 8-K
*2.5 Stock Purchase Agreement by and between the Registrant and Joakim
Borell, dated July 15, 1997, is incorporated herein by reference to
Exhibit 2.5 to the Form 8-K
*2.6 Stock Purchase Agreement by and between the Registrant and Jean
Paul Link, dated July 15, 1997, is incorporated herein by
reference to Exhibit 2.6 to the Form 8-K
*2.7 Stock Purchase Agreement by and between the Registrant and Sten
Sorenson, dated July 15, 1997, is incorporated herein by reference
to Exhibit 2.7 to the Form 8-K
*3.1 Third Restated Certificate of Incorporation, as amended, of the
Registrant (filed as Exhibit 3 to the Registrant's Quarterly Report
on Form 10-Q for the Quarter Ended September 30, 1996 and
incorporated herein by reference)
*3.2 Amended and Restated By-Laws, as amended, of the Registrant (filed
as Exhibit 3.3 to the Registrant's Registration Statement on Form
S-1 (File No. 33-85606) (the "Form S-1") and incorporated
herein by reference)
*4 Specimen Certificate for shares of Common Stock, $.01 par value, of
the Registrant (filed as Exhibit 4.1 to the Form S-1 and
incorporated herein by reference)
*#10.1 1986 Stock Option Plan, as amended (filed as Exhibit 10.1 to the
Form S-1 and incorporated herein by reference)
*#10.2 1994 Stock Option Plan, as amended, is incorporated herein by
reference to Exhibit 10.2 to the Registrant's Annual Report on Form
10-K for the Year Ended December 31, 1996 (File No. 0-25120)
(the "Form 10-K")
*#10.3 1994 Director Stock Option Plan, as amended, is incorporated
herein by reference to Exhibit 10.3 to the Form 10-K
*#10.4 1994 Employee Stock Purchase Plan, as amended, is incorporated
herein by reference to Exhibit 10.4 to the Form 10-K
#10.5 Employment Agreement between the Registrant and Charles R.
Stuckey, Jr., dated as of November 1, 1997
*#10.6 Employment Agreement, dated as of April 14, 1996, as amended, among
the Registrant, RSA and D. James Bidzos (filed as Exhibit 10.18 to
the Registrant's Registration Statement on Form S-4 (File No.
333-7265) (the "Form S-4") and incorporated herein by reference)
*#10.7 Letter Agreement between the Registrant and Arthur W. Coviello,
Jr., dated as of August 21, 1995 (filed as Exhibit 10 to the
Registrant's Quarterly Report on Form 10-Q for the Quarter Ended
September 30, 1995 and incorporated herein by reference)
*#10.8 Letter Agreement between the Registrant and Linda E. Saris,
dated as of May 1, 1989 (filed as Exhibit 10.7 to the Form S-1
and incorporated herein by reference)
*10.9 Amended and Restated Registration Rights Agreement, dated as of
September 7, 1988, as amended, among the Registrant and certain
stockholders of the Registrant (filed as Exhibit 10.11 to the
Form S-1 and incorporated herein by reference)
*10.10 Amendment to Amended and Restated Registration Rights Agreement,
dated as of October 31, 1995, among the Registrant and certain
stockholders of the Registrant (filed as Exhibit 10.19 to the
Registrant's Registration Statement on Form S-1 (File No.
33-98818) and incorporated herein by reference)
*#10.11 Stock Restriction Agreement between the Registrant and Richard L.
Earnest, dated October 25, 1994 (filed as Exhibit 10.13 to the
Form S-1 and incorporated herein by reference)
*+10.12 Terms and Conditions of Purchase, dated January 1, 1994, between
the Registrant and Gould Electronics (filed as Exhibit 10.15 to
the Form S-1 and incorporated herein by reference)
*+10.13 Letter, dated October 12, 1994, from Sanyo Electric Co., LTD. to
the Registrant (filed as Exhibit 10.16 to the Form S-1 and
incorporated herein by reference)
*+10.14 Agreement between the Registrant and Progress Software
Corporation, dated December 1994 (filed as Exhibit 10.17 to the
Form S-1 and incorporated herein by reference)
*10.15 Indenture of Lease, dated as of March 11, 1996, between the
Registrant and Beacon Properties, L.P. (filed as Exhibit 10.17 to
the Form S-4 and incorporated herein by reference)
*10.16 Stockholder Agreement, dated as of April 14, 1996, among the
Registrant, RSA and Addison Fischer (filed as Exhibit 10.19 to
the Form S-4 and incorporated herein by reference)
*10.17 Stockholder Agreement, dated as of April 14, 1996, among the
Registrant, RSA and D. James Bidzos (filed as Exhibit 10.20 to
the Form S-4 and incorporated herein by reference)
*10.18 Stockholder Agreement, dated as of April 14, 1996, among the
Registrant, RSA and Ronald Rivest (filed as Exhibit 10.21 to the
Form S-4 and incorporated herein by reference)
*#10.19 Amendment No. 3 to 1994 Stock Option Plan, as amended, is
incorporated herein by reference to Exhibit 10.1 to the
Registrant's Quarterly Report on Form 10-Q for the Quarter Ended
June 30, 1997 (File No. 0-25120) (the "Form 10-Q")
*10.20 First Amendment to Lease, dated as of May 10, 1997, between the
Registrant and Beacon Properties, L.P. is incorporated herein by
reference to Exhibit 10.2 to the Form 10-Q
*+10.21 Second Amendment to Progress Software Application Partner
Agreement, dated as of November 29, 1995, between the Registrant
and Progress Software Corporation is incorporated herein by
reference to Exhibit 10.3 to the Form 10-Q
*+10.22 Third Amendment to Progress Software Application Partner Agreement,
dated as of November 15, 1996, between the Registrant and Progress
Software Corporation is incorporated herein by reference to Exhibit
10.4 to the Form 10-Q
*10.23 Registration Rights Agreement by and among the Registrant and the
parties named on Schedule I thereto, dated July 15, 1997, is
incorporated herein by reference to Exhibit 10.1 to the Form 8-K
10.24 Stock Purchase Agreement, dated as of November 6, 1997, between
the Registrant and James K. Sims
11 Computation of Income per Common Share
13 Portions of the Registrant's 1997 Annual Report to Stockholders
(which is not deemed to be "filed" except to the extent that
portions thereof are expressly incorporated by reference in this
Annual Report on Form 10-K)
21 Subsidiaries of the Registrant
23.1 Consent of Deloitte & Touche LLP, Independent Auditors
23.2 Consent of Ernst & Young LLP, Independent Auditors
27.1 Restated Financial Data Schedule for the year ended December 31,
1995
27.2 Restated Financial Data Schedule for the three months ended March
31, 1996
27.3 Restated Financial Data Schedule for the six months ended June
30, 1996
27.4 Restated Financial Data Schedule for the nine months ended
September 30, 1996
27.5 Restated Financial Data Schedule for the year ended December 31,
1996
27.6 Restated Financial Data Schedule for the three months ended March
31, 1997
27.7 Restated Financial Data Schedule for the six months ended June
30, 1997
27.8 Restated Financial Data Schedule for the nine months ended
September 30, 1997
27.9 Financial Data Schedule for the year ended December 31, 1997
-------------------
* Incorporated herein by reference.
+ Confidential treatment previously granted by the Securities and Exchange
Commission as to certain portions.
# Management contract or compensatory plan or arrangement filed in response to
Item 14(a)(3) of the instructions to Form 10-K.
INDEPENDENT AUDITORS' REPORT
To the Board of Directors and Stockholders of
Security Dynamics Technologies, Inc. and Subsidiaries:
We have audited the consolidated financial statements of Security Dynamics
Technologies, Inc. (the "Company") as of December 31, 1997 and 1996, and for
each of the three years in the period ended December 31, 1997, and have issued
our report thereon dated March 20, 1998 (which report expresses an unqualified
opinion and includes explanatory paragraphs referring to the restatement of the
consolidated financial statements for a pooling of interests in 1997 and a
change in the Company's method of accounting for option grants requiring
stockholder approval in 1996). Such financial statements and report are included
in your 1997 Annual Report to Stockholders and are incorporated herein by
reference.
Our audits also included the consolidated financial statement schedule of the
Company, listed in Item 14. (a) 2. This consolidated financial statement
schedule is the responsibility of the Company's management. Our responsibility
is to express an opinion based on our audits. The consolidated financial
statement schedule gives retroactive effect to the acquisition of DynaSoft AB,
which has been accounted for as a pooling of interests as described in Note 2 of
notes to the consolidated financial statements. We did not audit the
consolidated financial statement schedule of RSA Data Security, Inc. for 1995.
That financial statement schedule was audited by other auditors whose report has
been furnished to us, and our opinion, insofar as it relates to the amounts
included for RSA Data Security, Inc. for 1995, is based solely on the report of
such other auditors.
In our opinion, based on our audits and the report of the other auditors, such
consolidated financial statement schedule, when considered in relation to the
basic consolidated financial statements taken as a whole, presents fairly in all
material respects the information set forth therein.
Deloitte & Touche LLP
Boston, Massachusetts
March 20, 1998
Report of Ernst & Young LLP, Independent Auditors
To the Board of Directors
RSA Data Security, Inc.
We have audited the consolidated statements of operations, shareholders' equity
and cash flows of RSA Data Security, Inc. for the year ended December 31, 1995
(none of which are presented separately herein). Our audits also included the
financial statement schedule of RSA Data Security, Inc. (not presented
separately herein) listed in the Index at Item 14(a). These financial statements
and schedule are the responsibility of the Company's management. Our
responsibility is to express an opinion on these financial statements and
schedule based on our audits.
We conducted our audit in accordance with generally accepted auditing standards.
Those standards require that we plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free of material
misstatement. An audit includes examining, on a test basis, evidence supporting
the amounts and disclosures in the financial statements. An audit includes
assessing the accounting principles used and significant estimates made by
management, as well as evaluating the overall financial statement presentation.
We believe that our audit provides a reasonable basis for our opinion.
In our opinion, the financial statements referred to above present fairly, in
all material respects, the consolidated results of operations and cash flows of
RSA Data Security, Inc. for the year ended December 31, 1995 in conformity with
generally accepted accounting principles. Also, in our opinion, the related
financial statement schedule, when considered in relation to the basic financial
statements taken as a whole, presents fairly, in all material respects, the
information set forth therein.
Ernst & Young LLP
Palo Alto, California
April 8, 1996
SCHEDULE II
SECURITY DYNAMICS TECHNOLOGIES, INC.
AND SUBSIDIARIES
VALUATION AND QUALIFYING ACCOUNTS
--------------------------------------------------------------------------------
(IN THOUSANDS)

                                        BALANCE AT   CHARGED TO                BALANCE
                                        BEGINNING    COSTS AND                 AT END
                                        OF PERIOD    EXPENSES     DEDUCTIONS   OF PERIOD
                                        ----------   ----------   ----------   ---------
ALLOWANCE FOR DOUBTFUL ACCOUNTS (1):
For the year ended December 31, 1997      $ 527        $ 249        $  34        $ 742
For the year ended December 31, 1996        724          223          420          527
For the year ended December 31, 1995        416          541          233          724

ACCRUED WARRANTY COSTS (1):
For the year ended December 31, 1997      $ 105        $   -        $   -        $ 105
For the year ended December 31, 1996        105          128          128          105
For the year ended December 31, 1995        105           64           64          105

(1) Results for all periods prior to July 15, 1997 and July 26, 1996 have been
restated for the acquisitions of DynaSoft AB and RSA Data Security, Inc.,
respectively, each of which have been accounted for as poolings of
interests.