1
- --------------------------------------------------------------------------------
- --------------------------------------------------------------------------------
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
FORM 10-K
FOR ANNUAL AND TRANSITION REPORTS PURSUANT TO SECTIONS 13 OR
15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
[X] ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE
SECURITIES EXCHANGE ACT OF 1934
FOR THE FISCAL YEAR ENDED DECEMBER 31, 1998
OR
[ ] TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE
SECURITIES EXCHANGE ACT OF 1934
COMMISSION FILE NO. 000-25120
SECURITY DYNAMICS TECHNOLOGIES, INC.
(Exact name of registrant as specified in its charter)
DELAWARE 04-2916506
(State or other jurisdiction of (I.R.S. Employer
incorporation or organization) Identification No.)
36 CROSBY DRIVE 01730
BEDFORD, MASSACHUSETTS
(Address of principal executive offices) (Zip Code)
REGISTRANT'S TELEPHONE NUMBER, INCLUDING AREA CODE: (781) 301-5000
------------------------------
SECURITIES REGISTERED PURSUANT TO SECTION 12(b) OF THE ACT: NONE
SECURITIES REGISTERED PURSUANT TO SECTION 12(g) OF THE ACT:
COMMON STOCK, $.01 PAR VALUE
(Title of class)
- --------------------------------------------------------------------------------
- --------------------------------------------------------------------------------
2
Indicate by check mark whether the registrant: (1) has filed all reports
required to be filed by Section 13 or 15(d) of the Securities Exchange Act of
1934 during the preceding 12 months (or for such shorter period that the
registrant was required to file such reports), and (2) has been subject to such
filing requirements for the past 90 days. Yes [X] No [ ]
Indicate by check mark if disclosure of delinquent filers pursuant to Item
405 of Regulation S-K is not contained herein, and will not be contained, to the
best of registrant's knowledge, in definitive proxy or information statements
incorporated by reference in Part III of this Form 10-K or any amendment to this
Form 10-K.
The approximate aggregate market value of the Common Stock held by
non-affiliates of the registrant was $624,667,428 based on the last reported
sale price of the registrant's Common Stock on the Nasdaq National Market as of
the close of business on March 4, 1999. There were 39,182,097 shares of Common
Stock outstanding as of March 4, 1999.
DOCUMENTS INCORPORATED BY REFERENCE
PART OF FORM 10-K
DOCUMENT INTO WHICH INCORPORATED
-------- -----------------------
Portions of the Registrant's Items 6, 7, 7A & 8 of Part II
1998 Annual Report to Stockholders
Portions of the Registrant's Proxy Items 10, 11, 12 & 13 of Part III
Statement for the 1999 Annual Meeting
of Stockholders
This Annual Report on Form 10-K contains forward-looking statements within
the meaning of Section 21E of the Securities Exchange Act of 1934, as amended,
and Section 27A of the Securities Act of 1933, as amended. For this purpose, any
statements contained herein that are not statements of historical fact may be
deemed to be forward-looking statements. Without limiting the foregoing, the
words "believes," "anticipates," "plans," "expects" and similar expressions are
intended to identify forward-looking statements. The important factors discussed
under the caption "Certain Factors That May Affect Future Operating Results" in
the Company's 1998 Annual Report to Stockholders and incorporated herein by
reference, among others, could cause actual results to differ materially from
those indicated by forward-looking statements made herein and presented
elsewhere by management. Such forward-looking statements represent management's
current expectations and are inherently uncertain. Investors are warned that
actual results may differ from management's expectations.
Security Dynamics, SecurID, ACE/Server, SoftID, WebID and RSA SecurPC are
registered trademarks, and Keon and SecurSight are trademarks, of Security
Dynamics Technologies, Inc. RSA, RC2, RC4, RC5, BSAFE, JSAFE, TIPEM, BCERT and
S/MAIL are trademarks of RSA Data Security, Inc. BoKS is a trademark of DynaSoft
AB. All other trademarks or trade names referenced in this Annual Report on Form
10-K are the property of their respective owners.
2
3
PART I.
ITEM 1. BUSINESS
The Company is a leading provider of enterprise network and data security
solutions. The Company helps enable electronic business by providing
technologies, products and services that secure access to and protect
information in networks, systems, applications and Internet commerce
initiatives. The Company leverages its expertise in authentication management,
public key encryption and access control to help organizations in a range of
industries conduct business securely, protect corporate information assets and
facilitate business-to-business and electronic commerce. Historically, the
Company has delivered security solutions that provide secure remote access to
corporate networks. Through its family of enterprise security solutions
(formerly known as SecurSight), partnerships and acquisitions, the Company
intends to expand its addressable market by delivering solutions that provide
secure access to information wherever it resides in an enterprise. As used in
this Annual Report on Form 10-K, the term "the Company" refers to Security
Dynamics Technologies, Inc. ("SDI") and its subsidiaries.
INDUSTRY BACKGROUND
Historically, computer and enterprise network security has been the focus
of businesses engaged in security-conscious industries such as banking,
telecommunications, aerospace and defense. However, a number of factors have
contributed to an increased awareness of, and need for, enterprise security
solutions for companies that use and rely on network-based information
resources. These factors include the growing complexity of enterprise networks
and a shift in network security requirements driven by increased use of the
Internet and corporate intranets and extranets.
Enterprise computing has evolved over the past three decades from
host-based systems to a distributed model where individuals are accessing
corporate resources from virtually anywhere inside or outside of an
organization. Enterprise computing environments today consist of heterogeneous
computer resources coupled with converging public and private networks. As such,
they require comprehensive, flexible products and solutions that can be deployed
to a large number of users in a consistent, manageable and secure fashion.
In addition, the traditional security model of network perimeter defense is
being expanded in light of increased use of the Internet. The growth of the
Internet as a business tool has led to a rapid increase in corporate intranets,
where employees share information, and extranets, where companies share
information with their suppliers, partners and customers. Companies that have
traditionally relied solely on static password protection or on corporate
firewalls are now seeking to adopt more sophisticated, comprehensive security
strategies to protect corporate information assets and to conduct business
securely. Companies today require scaleable enterprise security solutions that
can be easily integrated, deployed and managed across complex, heterogeneous
enterprise environments.
Classes of Enterprise Network and Data Security
The Company believes that enterprise network and data security requirements
can be grouped into the following four classes: (i) user identification and
authentication; (ii) access control and privilege management; (iii) data
privacy, integrity and authentication (encryption); and (iv) security
administration and audit.
User Identification and Authentication. Reliable authentication of the
identity of users is necessary to prevent unauthorized access to computer and
network resources. There are three generally accepted methods of user
identification: (i) something secret the user knows, such as a word, phrase,
PIN, code or fact; (ii) something physical the user possesses, such as a key,
smart card, badge or other form of discrete "token," which is resistant to
counterfeiting, and (iii) something unique to the user, such as a fingerprint,
signature, retinal pattern, voice print or other measurable personal
characteristic or "biometric." The Company believes that the use of a two-factor
authentication system, combining two of the three generally accepted methods of
user identification, is required for reliable enterprise network and data
security.
3
4
Access Control and Privilege Management. One of the key challenges facing
organizations is the proliferation of passwords required for users to access
disparate operating systems, applications and databases. Products addressing
access control and privilege management must protect and manage access to
corporate information and applications and control user privileges at multiple
levels within the enterprise, including the network, application and data
levels. Single sign-on ("SSO") represents the ability to provide authenticated
users with transparent access to a variety of services, thereby improving user
productivity and reducing the frustration caused by users having to enter
multiple passwords. Early SSO solutions did not require authentication from a
security server; data centers could establish trust between two devices through
a direct connection in a static environment. With the growth in distributed
networks and the variety of operating systems and client/server applications,
reliable SSO now requires authentication, encryption and key exchange to ensure
secure communication between the desktop and the application. Together with
traditional SSO solutions, user authentication and application session
encryption capabilities make up a more complete solution called secure single
sign-on ("SSSO").
Data Privacy, Integrity and Authentication. In addition to authenticating
the identity of users and ensuring that only authorized users can access, view
or modify certain data, a comprehensive security solution must ensure that the
data transmitted over a network are not disclosed to unauthorized persons (data
privacy), have not been altered or compromised by unauthorized manipulation
(data integrity) and were actually transmitted by the purported sender (data
authentication). Such data privacy, integrity and authentication are provided by
encryption and data authentication technologies.
Encryption. In traditional cryptography, known as secret key or symmetric
cryptography, the sender and receiver of a message know and use the same secret
keys. The sender uses the secret key to encrypt a message by transforming data
into a form unreadable by anyone without a secret decryption key. The receiver
uses the same secret key to decrypt the message by transforming the encrypted
data into the original readable message. A key is a value or series of bits used
by the cryptographic system to convert the original text into an encrypted text
or to decrypt the encrypted text back into the original text.
The principal problem with secret key cryptography is communicating the
secret key between the sender and receiver without anyone else discovering it.
If the sender and receiver are in separate physical locations, they must trust a
courier, a phone system or some other transmission medium to prevent the
disclosure of the secret key being communicated. Anyone who overhears or
intercepts the key in transit can later read, modify and forge messages
encrypted or authenticated using that key. Because all keys in a secret key
cryptosystem must remain secret, secret key cryptography often has difficulty
providing secure key management, especially in open systems like the Internet.
The concept of public key cryptography attempts to solve the key management
problem by giving each person a pair of keys, one called the public key and the
other called the private key. Each person's public key is published while the
private key is kept secret. The sender encrypts a message using the public key
of the intended recipient and communicates it via a public mode of
communication. If implemented properly, the message can only be decrypted with
the recipient's private key, which is in the sole possession of the intended
recipient. All communications involve only public keys, and no private key is
ever transmitted or shared. With public key cryptography, it is not necessary to
trust a communications channel to be secure against eavesdropping or betrayal.
In general, public key cryptography requires only that public keys be associated
with their users in a trusted manner, for instance, by maintaining the key in a
trusted directory and that the private key not be disclosed. Public key
cryptography, and the infrastructure needed to support its deployment in an
enterprise, has emerged as a key security requirement for organizations seeking
to protect data and applications.
Data Authentication. Data authentication is a process whereby the receiver
of a digital message can be confident of the identity of the sender and/or the
integrity of the message. In public key cryptosystems, authentication is enabled
by the use of digital signatures. Digital signatures play in the digital world a
function similar to that played by handwritten signatures for printed documents.
The signature is an authentic piece of data asserting that a named person wrote
or otherwise agreed to the document to which the signature is attached. The
recipient, as well as a third party, can verify both that the document
originated from the person
4
5
whose signature is attached and that the document has not been altered since it
was signed. Secure digital signatures may be used to refute a claim by the
signer of a document that it was forged.
Security Administration and Audit. With the growth of distributed
computing environments, including those utilizing the Internet, organizations
are increasingly concerned about various administrative issues relating to
network security, including the scalability of their security solutions and the
ability of the solutions to cover multiple geographic regions. Security
administration and audit solutions must also monitor user activity for purposes
of detection and deterrence and in order to ensure that the network or data have
not been compromised.
Enterprise Security
The Company believes that there is an emerging market for enterprise-wide
security solutions in several categories, including secure remote access via
dial-up and virtual private networks; secure access to corporate networks and
resources; secure access to applications, intranets and extranets; email
security; and platform security for desktops and UNIX hosts. These enterprise
security solutions must incorporate elements of all four classes of security and
address the need for: (i) ease of use; (ii) interoperability within
heterogeneous enterprise environments; (iii) scalability; (iv) integrated
network security administration; (v) integration with existing customer
applications; (vi) secure access to information, including secure remote access;
(vii) information privacy, integrity and authentication; and (viii) system
reliability and availability.
To date, most approaches to network security have been limited in scope and
have failed to address one or more of these requirements. The Company believes
that, in order to compete effectively in this market, network security vendors
must develop comprehensive network security services that can accommodate a
large number of local and remote users and integrate security management across
heterogeneous computing resources.
SECURITY DYNAMICS SOLUTION
Security Dynamics is a leading provider of enterprise network and data
security solutions. The Company's products help companies conduct business
securely, protect information assets and facilitate business-to-business and
business-to-consumer electronic commerce. The Company's solutions employ a
patent-protected combination of access control and privilege management
products, public key encryption technology and security administration software
to protect information wherever it resides in an enterprise.
A key element of the Company's strategy has been and continues to be the
expansion of its product offerings to address each of the four classes of
enterprise network and data security and deliver integrated solutions for
protecting information resources. Since its inception, the Company has focused
on the fundamental need for user identification and authentication with an
emphasis on solutions for secure remote access to enterprise networks. In
furtherance of its strategy to expand product offerings within the security
classes, in July 1996, the Company acquired RSA Data Security, Inc. ("RSA"), a
leader in cryptography, to address the need for data privacy, integrity and
authentication.
The Company's solutions have historically focused on addressing secure
remote access through: (i) SecurID tokens for user identification and
authentication; (ii) ACE/Server administration software; and (iii) ACE/Agent
code embedded in remote access devices such as remote access servers and
firewalls. The RSA SecurPC product and RSA encryption engines have contributed
to secure remote access by allowing customers to control access to the network
and by providing data privacy, integrity and authentication.
As businesses expand their networks to make use of the Internet, intranets
and extranets, companies have begun to realize that the internal network is
becoming more vulnerable and that there is a critical need for products and
services that allow system administrators to control user privileges at multiple
levels within an enterprise and encrypt information within an internal network.
Through its family of enterprise security solutions, the Company intends to
address these needs by moving beyond securing remote access to securing
information access, thereby providing security across an enterprise. The
Company's security solutions address three critical areas of an information
technology security infrastructure: (i) network and system security,
5
6
(ii) applications security and (iii) electronic commerce security. The Company's
principal product lines, ACE/Server, Keon and RSA BSAFE, as well as its SecurID
family of authentication devices, address these three security categories,
respectively.
In 1998, the Company launched the SecurSight architecture initiative
designed to assist in the development of systems and applications that
facilitate and control secure access to information. In support of the
SecurSight strategy, in July 1997, the Company acquired DynaSoft AB
("DynaSoft"), a leading vendor of platform-independent security solutions for
distributed client/server networks. The DynaSoft BoKS product family includes
technologies for access control and privilege management. In January 1999, the
Company introduced Keon, a family of public key infrastructure-based (PKI)
products designed to provide organizations with application security and
flexible electronic commerce solutions. As part of this introduction, the
Company renamed the DynaSoft BoKS product family "Keon." Today, the Company's
ACE/Server, SecurID, Keon and RSA BSAFE product lines are all delivered as part
of the SecurSight architecture.
SECURITY DYNAMICS STRATEGY
The Company's objective is to continue as a leading provider of enterprise
network and data security solutions. Key elements of the Company's strategy to
achieve this objective include the following:
- Deliver Enterprise Security Services. The Company's strategy has been
and continues to be to expand the depth and breadth of its product
offerings across the classes of enterprise network and data security to
meet the evolving requirements for the protection of its customers'
information assets. The Company plans to continue to develop and deliver
scaleable, reliable enterprise security solutions that enable companies
to conduct business securely, protect corporate information assets and
facilitate electronic commerce. For instance, the Company intends to
introduce or acquire products and technologies and form partnerships that
are expected to enable delivery of security services such as certificate
management and key management. In addition, through partnerships the
Company plans to expand its agent roster to include application-specific
agents and add additional authentication form factors, including smart
cards.
- Maintain Technological Leadership. The Company plans to continue to add
new capabilities and features to its enterprise network and data security
products to meet its customers' identification and authentication needs
within the context of evolving enterprise environments. The Company
maintains a leading role in basic cryptographic research, develops new
encryption technologies and maintains close working relationships with
leading academic centers and custom development teams.
- Expand Market Opportunities. The Company intends to expand its market
opportunities through strategic partnerships, industry initiatives and
marketing designed to heighten awareness of security issues. The Company
has strategic partnerships with more than 70 industry-leading vendors and
plans to continue to foster and leverage these partnerships and enter
into additional relationships with companies that can provide
complementary technologies for its SecurSight solutions. The Company also
seeks to heighten awareness regarding enterprise network and data
security issues through marketing programs such as the annual RSA Data
Security Conference.
- Expand Indirect Sales and Support Channel. The Company currently sells
its products through a direct sales force and through relationships with
a significant number of original equipment manufacturers ("OEMs"),
value-added resellers ("VARs") and distributors. The Company's
SecureWorld program is designed to develop and expand its indirect sales
and support channel through the establishment of two-tier distribution of
the Company's solutions. The Company believes that an expanded indirect
sales and support channel enables it to enter new markets and gain access
to a larger installed base of potential customers in a cost-effective
manner.
Expand International Presence. The Company believes that international
markets present a large, relatively new market for enterprise network and data
security products. Sales outside the United States were approximately 27.6% in
1996, 30.9% in 1997 and 34.6% in 1998. The Company plans to continue to expand
its
6
7
business outside North America through the hiring of sales personnel, the
establishment of additional distribution arrangements, primarily in Europe and
Asia, and the development of local presence in key markets.
PRODUCTS
Historically, organizations have focused primarily on protecting remote
access into corporate networks. The Company has addressed this need through its
line of SecurID and ACE/Server authentication products. Today, as public and
private networks merge, organizations are increasingly interested in protecting
not just access to networks, but to the mission-critical applications and
electronic commerce initiatives that drive their businesses. The Company's core
product and solution offerings are continually evolving to address the following
three critical areas of an information technology security infrastructure:
- Network and Systems Security -- The Company delivers a range of products
and solutions that help organizations assess, enforce and monitor
security for their corporate networks and operating systems. With
offerings spanning user authentication, intrusion detection and desktop
encryption, the Company provides customers with a comprehensive family of
tools and services to address their network and systems security needs.
- Applications Security -- The Company helps organizations protect vital
data stored across mission-critical, enterprise applications by providing
a strong level of application security to protect against both internal
and external threats and unauthorized access to sensitive information.
- Electronic Commerce ("eCommerce") Security -- The Company is expanding
the market for software components that secure electronic data. The
Company is focused on meeting customer needs for secure applications and
solutions in the Internet, consumer and enterprise markets with
state-of-the-art security software components and products.
CORE PRODUCT LINES
The Company delivers a range of products and technologies that help
companies and third-party developers secure their computing environments. The
Company's core competencies can be found in its three major product lines:
ACE/Server and SecurID
The Company's ACE/Server and SecurID solutions provide centralized, strong,
two-factor authentication services for enterprise networks and operating
systems, ensuring that only authorized users gain access to network files,
applications and communications. Supporting a range of authentication devices,
including SecurID tokens, smart cards and software tokens, these solutions
create a barrier against unauthorized access, protecting network and data
resources from potentially devastating accidental or malicious intrusion.
The Company's SecurID user identification and authentication products
combine two methods of user identification - something secret the user knows (a
"PIN") and something the user possesses (the SecurID token). To gain access to a
protected resource, a user enters his or her PIN and the token code
automatically computed and displayed on the liquid crystal display ("LCD") of
the user's SecurID token. The PIN and the token code together form the user's
"PASSCODE." With a valid PASSCODE, the authorized user is identified,
authenticated and granted access to appropriate information resources.
Each SecurID token contains the Company's proprietary algorithm and is
programmed with a secret, randomly generated seed number which is unique to the
token. The algorithm uses the seed number and Greenwich Mean Time to produce a
sequence of token codes at set intervals (typically every 60 seconds). The
Company's ACE/Server software uses the same algorithm, seed number and Greenwich
Mean Time to generate a token code corresponding to the token code generated by
the user's SecurID token.
7
8
Keon
Keon is a family of products based on the Company's public key technology
and application security solution, BoKS. Keon software enhances security for
applications by providing authorized applications access and encrypted
communications through the use of digital certificates, as well as by supporting
strong, two-factor user authentication. Keon technology simplifies user
management and authorized applications access by providing a single
administrative console for access to all public key-based applications, and by
providing end users with single sign-on to all public key-based applications.
The Keon family of products also include agents that allow existing
client/server applications to be upgraded to take advantage of public key-based
security. The Keon product line contains offerings for both enterprise customers
who need turn-key solutions, and for enterprise customers and developers who
want to build their own standards-based, native PKI applications or take
advantage of them. The Company currently offers a SecurID smart card for Keon,
and plans to support all SecurID authenticators, including hardware and soft
tokens, in future releases of Keon software.
Keon components include:
- Keon Security Server, currently available for UNIX, provides centralized
security administration, user management and access control. Keon
Security Server facilitates single sign-on across supported applications
and scales for use in large deployments.
- Keon Desktop, currently available for Windows NT and 95, provides desktop
file encryption, manages single sign-on and user credentials at the
desktop, and delivers services for securing email, Web browsers and
access to applications.
- Keon Agents are installed on protected application servers and create the
authenticated, secure connection from the desktop to the application
server.
- Keon Agent SDK (software developers kit) provides developers with the
ability to build Agents for in-house applications.
- Keon Unix Platform Security, available for a wide variety of popular UNIX
OS versions, enhances and makes consistent user access policies to the
UNIX operating system.
- Keon Certificate Server provides a powerful and flexible system for
issuing and managing digital certificates.
- Cryptographic Software Development Components allow enterprise and
commercial software developers to use high-level APIs to incorporate
public key security options into applications they build without
requiring that they become low-level experts in encryption. These
components consist of the RSA BSAFE product line.
RSA BSAFE Encryption
The Company develops and markets platform-independent crypto-security
components and development tools that enable third-party developers to
incorporate security into a wide variety of applications. The Company's
encryption components are used to secure applications for electronic commerce
and services over the Internet and intranets, enterprise security,
entertainment, wireless communications, delivery of digital information over
cable and other uses. The award-winning RSA BSAFE product line includes:
- RSA BSAFE Crypto-C, a popular cryptography component;
- RSA BSAFE Crypto-J, state-of-the-art cryptographic software designed for
Java developers;
- RSA BSAFE Cert-C, X.509 certificate processing toolkit;
- RSA BSAFE S/MIME-C toolkit for adding security to messaging applications;
and
- RSA BSAFE SSL-C, a protocol product which enables secure point-to-point
communications over the Internet.
- RSA BSAFE SSL-J, Java-based protocol product which enables secure
point-to-point communications over the Internet.
The Company believes that its RSA RC series of symmetric, or secret key,
encryption technologies are among the highest performing and most secure
techniques of their class available to encrypt electronic data.
8
9
RC2 and RC4 are designed to handle block and streaming data types, respectively,
and are designed to provide for easy adjustment of key size for exportability as
well as high performance without specialized hardware.
ADDITIONAL PRODUCT LINES
Kane Security Analyst and Kane Security Monitor
The Company's family of Kane Security solutions helps organizations perform
analyses of their security systems and monitor systems for suspicious
activities. Kane Security Analyst is a front-line analysis tool that is designed
to perform security assessments and report security exposures. Kane Security
Monitor software is a real-time intrusion detection system that filters through
security and audit data to identify unauthorized activities. The Company
acquired the Kane product family as part of its acquisition of Intrusion
Detection, Inc. ("IDI") in March 1998.
RSA SecurPC
RSA SecurPC is a powerful, easy-to-use file encryption software based on
the Company's leading RSA encryption technologies that protects data stored in
laptop and desktop computer files. In particular, RSA SecurPC software is
designed to help enforce security for Windows-based systems by protecting vital
files against theft, hackers and industrial espionage.
Pricing
Subject to volume discounts and other licensing terms and conditions, the
suggested U.S. list prices for the Company's products range as follows: SecurID
tokens from $34 to $86 per token; ACE/Server software products from $3,950 to
$940,000; RSA encryption engine and toolkit licenses from $25,000 to $50,000;
and Keon products from $80 to $300 per user for Keon Desktop and from $1,250 to
$3,100 per server for Keon Manager. The Company continually reviews and adjusts
its product pricing policies in light of factors such as relative value,
industry standards and demand.
9
10
STRATEGIC PARTNERS
To enhance its enterprise network and data security solutions, the Company
has established relationships with more than 70 vendors of remote access
products, Internet firewalls, network and applications software and virtual
private network ("VPN") products. Most of these vendors integrate the Company's
client software into one or more of their products to provide compatibility
between their product offerings and the Company's ACE/Server software. Other
vendors build call routines, software hooks or APIs into their products to
provide compatibility with the Company's ACE/Server software. The Company has
also entered into strategic relationships with vendors that share technical
information with the Company to enable it to develop products which will be
interoperable with the vendors' products. The Company's strategic partners
include the following:
VPN REMOTE ACCESS RADIUS SERVERS INTERNET FIREWALLS NETWORK AND APPLICATIONS
--- ------------- -------------- ------------------ ------------------------
3COM 3COM 3COM Alta Vista Apple
AltaVista Access Beyond Ascend ANS Atlantic Systems
Communications Group
Altiga Apple Computer Cisco Ascend BDM International
Communications
Ascend Ascend Funk Software Axent CCT
Communications Communications
Aventail Attachmate NextCom Check Point Cisco Systems
Check Point Bin Tec Nortel Networks Cisco Systems Citrix Systems
Compatible Systems Cabletron Systems PFU Ltd CyberGuard CyberSAFE
Fortress Cisco Systems Shiva (Intel) IBM Data General
Indus River Differential
InfoExpress Citrix Systems Soliton Systems K.K. Internet Dynamics EnCommerce
Internet Devices Compaq Milkyway Networks Gradient
Network Associate Computer Security NEC Technologies Lyrix Systems
Products Network Associates
Network TeleSystemss Digi International Secure Computing Microsoft
Nortel Networks Dynatech Network
Communications Sun Microsystems Information
Red Creek Technologic Technology
Semaphore Emulex V-ONE Novell
Shiva (Intel) Funk Software Oracle
Gandalf Ottawa Telephony
Sun Microsystems Technologies Group
TimeStep Hewlett-Packard Platinum
V-ONE IBM Process Software
VPNet HTK Progress Software
Kasten Chase Snare Networks
Lantronix Unisys
Microsoft WorldTalk
Mulilink
Nortel Networks
Novell
Perle Systems
RAScom
Shiva (Intel)
Xplex Networks
SALES AND MARKETING
The Company has established a multi-channel distribution and sales network
to serve the enterprise network and data security market. The Company sells and
licenses its products directly to end users through its direct sales force and
indirectly through a network of OEMs, VARs and distributors. In addition, the
Company supports its direct and indirect sales efforts through strategic
marketing relationships and public relations programs, trade shows and other
marketing activities. In October 1997, the Company announced the SecurWorld
program designed to enhance its indirect channel through the establishment of
two-tier distribution.
10
11
The Company's direct sales staff focuses on major accounts, provides
technical advice and support with respect to the Company's products and works
closely with the Company's customers, OEMs, VARs and distributors. As of
December 31, 1998, the Company's direct sales organization consisted of 282
sales, marketing and technical support personnel located throughout the world.
The Company also markets, sells and licenses its products indirectly
through its SecurWorld network OEMs, VARs and distributors. As of December 31,
1998, the Company had relationships with approximately 600 OEMs, VARs and
distributors.
In support of its sales efforts, the Company conducts sales training
courses, comprehensive targeted marketing programs including direct mail, public
relations, advertising, seminars, trade shows and telemarketing and ongoing
customer and third-party communications programs. The Company also seeks to
stimulate interest in enterprise network and data security through its public
relations program, speaking engagements, white papers, technical notes and other
publications.
The Company has entered into strategic marketing relationships with various
vendors of operating systems and network operating systems, remote access
products, Internet-related products and application software. The Company has
also entered into strategic relationships with vendors that share technical
information with the Company to enable it to develop products which will be
interoperable with the vendors' products. The Company has developed a separate
program, the SecurID Ready strategic partner program, to market the
compatibility between the vendors' products and the Company's ACE/Server
software. The end-user customers of all of these vendors must purchase tokens
and license ACE/Server software directly from the Company. The Company believes
that these relationships help the Company and its customers to expand their
enterprise network coverage and assist the Company in increasing its installed
customer base and SecurID token usage.
To enhance demand for its products, the Company has participated in the
development of various industry-specific protocols that rely on its RSA
cryptographic data security technologies. The Company also hosts its own annual
industry conference, the RSA Conference, and participates in others to increase
demand for its products. Through its RSA Laboratories division, the Company
maintains a leading role in basic cryptographic research, develops new
encryption technologies and maintains close working relations with leading
academic centers and customer development teams.
CUSTOMERS
As of December 31, 1998, the Company had sold or licensed more than 4,600
ACE/Server products and over 4,000,000 SecurID tokens to more than 3,500
customers worldwide. Historically, the Company's principal customers have been
in the telecommunications, pharmaceutical, financial and healthcare industries
as well as academic institutions, research laboratories and government
organizations. These customers are generally sophisticated and knowledgeable
purchasers of security systems and work with highly confidential information.
The Company believes that as corporate networks proliferate and become more
complex, the number of industries concerned with system security and access to
information will grow.
As of December 31, 1998, the Company had licensed its RSA encryption engine
and patent technology to more than 400 OEMs that typically incorporate the
encryption technology into their products. The Company's RSA encryption
technology is embedded in current versions of Microsoft Windows NT, Netscape
Navigator, Quicken by Intuit, Lotus Notes and numerous other products. The
Company also licenses its RSA encryption technology directly to customers for
incorporation into customers' business, financial and electronic commerce
networks. The Company's RSA technologies are part of existing and proposed
standards for the Internet and World Wide Web, ITU, ISO, ANSI and IEEE.
As of December 31, 1998, the Company had sold or licensed its BoKS systems,
now known as "Keon," to more than 130 customers worldwide, representing more
than 110,000 users.
No customer accounted for more than 5% of the Company's total revenue in
1996, 1997 or 1998.
11
12
CUSTOMER SERVICE AND SUPPORT
The Company maintains a customer support help desk and technical support
organization at its headquarters in Bedford, Massachusetts and at other
locations throughout the world and offers telephone support for certain of its
products 24 hours a day, seven days a week. The Company continues to add
advanced technical support and professional service personnel to its staff to
address anticipated additional demands arising from the deployment of the
Company's security solutions into larger and more complex user environments. The
Company also has field technical support personnel who work directly with the
Company's direct sales force, distributors and customers. The Company's had 80
customer service and support employees world-wide as of December 31, 1998.
The Company's standard practice is to provide a warranty on all SecurID
tokens for the customer-selected programmed life of the token and to replace any
damaged tokens (other than tokens damaged by a user's negligence or alteration)
free of charge. The Company generally sells each of its other products to
customers with a warranty for specified periods. After the expiration of the
applicable warranty period, customers may elect to purchase a maintenance
contract for 12-month renewable periods. Under these contracts, the Company
agrees to provide (i) corrections for documented program errors; (ii) version
upgrades for both software and, if applicable, firmware; and (iii) telephone
consultation.
PRODUCT DEVELOPMENT
The Company's product development efforts are focused on enhancing the
functionality, reliability, performance and flexibility of its existing
products. The Company is developing technology to enhance the administrative
capabilities and scalability of its ACE/Server products and to increase
interoperability with additional network operating systems and directory
services. The Company also is developing tools to assist customers, strategic
marketing partners and other third-party integrators in integrating the
Company's products with custom and other third-party network or system
applications.
The Company plans to increase its competitive position by developing
standards, protocols and applications that address the needs of specific market
segments and build on its RSA proprietary technology. In the latter case, the
Company may choose to partner with other parties to develop and/or market the
products. The Company is currently developing enhanced RSA toolkits to enable
emerging new applications. Each of these value-added toolkits is being designed
to address the needs of a specific market segment.
In addition to enhancing its existing products, the Company continues to
identify and prioritize various technologies for potential future product
offerings. The Company may develop these products internally or enter into
arrangements to license or acquire products or technologies from third parties.
There can be no assurance, however, that the Company will be successful in
enhancing or developing existing products or identifying and successfully
acquiring new technologies.
As of December 31, 1998, the Company's product development staff consisted
of 235 full-time employees engaged in engineering and development including
software and hardware engineering, testing and quality assurance and technical
documentation. The Company also engages outside contractors where appropriate to
supplement the Company's in-house expertise or expedite projects based on
customer or market demand. Research and development expenses, including
purchased research and development expenses, were $13.7 million in 1996, $27.2
million in 1997 and $32.0 million in 1998.
MANUFACTURING AND SUPPLIERS
Manufacturing
SecurID Tokens. The Company contracts for the manufacture of its SecurID
tokens with two suppliers in the United States, only one of which, Pemstar,
Inc., has been qualified to manufacture the Company's SecurID key fob. The
Company has generally been able to obtain adequate supplies of SecurID tokens in
a timely manner and believes that alternate vendors can be identified if current
vendors are unable to fulfill its needs. However, delays or failure to identify
alternate vendors, if required, or a reduction or interruption in
12
13
supply or a significant increase in the manufacturing costs could adversely
affect the Company's financial condition or results of operations and could
impact customer relations.
RSA SecurPC and ACE/Server Software Products. The Company's RSA SecurPC and
ACE/Server software products are distributed on standard magnetic diskettes,
compact disks and tapes together with printed documentation. The Company
contracts with media duplication subcontractors for the majority of its media
duplication. The Company has the capability to do all media duplication
in-house, but limits its use to small production runs such as beta programs.
Suppliers
Although the Company generally uses standard parts and components for its
products, certain components are currently available only from a single source
or from limited sources. For example, the microprocessor chips contained in the
Company's SecurID tokens are currently purchased only from Sanyo Electric Co.,
Ltd., a Japanese computer chip manufacturer, and the lithium batteries contained
in the Company's SecurID tokens are purchased from Gould Electronics, a supplier
located in the United States. The inability to obtain sufficient sole or limited
source components as required or to obtain or develop alternative sources at
competitive prices and quality if and as required in the future, could result in
delays in product shipments or increase the Company's material costs either of
which would adversely affect the Company's financial condition or results of
operations.
The Company believes that it would take approximately six months to
identify and commence production of suitable replacements for the microprocessor
chip or lithium battery used in the Company's SecurID tokens. The Company
attempts to maintain a three-month supply of SecurID tokens in inventory.
COMPETITION
The market for enterprise network and data security products is highly
competitive and subject to rapid technological change. The Company believes that
competition in this market is likely to intensify as a result of increasing
demand for security products. The Company currently experiences competition from
a number of sources, including (i) software operating systems suppliers and
application software vendors that incorporate a single-factor static password
security system into their products; (ii) token-based password generator vendors
promoting challenge/response technology; (iii) smart card security device
vendors; (iv) biometric security device vendors; (v) public key infrastructure
and cryptographic software firms; and (vi) Application access providers. In some
cases, these vendors also support the Company's products and those of its
competitors. The Company may also face competition from these and other parties
in the future that develop enterprise network and data security products based
upon approaches similar to or different from those employed by the Company
including operating system or network suppliers not currently offering
competitive enterprise-wide security products. There can be no assurance that
the market for enterprise network and data security products will not ultimately
be dominated by approaches other than the approaches marketed by the Company.
The Company has agreed, in connection with the April 1995 formation of VeriSign,
Inc. ("VeriSign"), not to engage, directly or indirectly, in the business of
issuing public key certificates acting in the capacity of a certificate
authority for a period of five years from the date of such formation.
The Company believes that the principal competitive factors affecting the
market for enterprise network and data security products include technical
features, ease of use, quality/reliability, level of security, customer service
and support, distribution channels and price. Although the Company believes that
its products currently compete favorably with respect to such factors, there can
be no assurance that the Company can maintain its competitive position against
current and potential competitors, especially those with significantly greater
financial, marketing, service, support, technical and other competitive
resources.
PROPRIETARY RIGHTS
The Company relies on a combination of patent, trade secret, copyright and
trademark laws, software licenses, nondisclosure agreements and technical
measures to establish and protect its proprietary technology. The Company
generally enters into confidentiality and/or license agreements with its
employees and
13
14
distributors as well as with its customers and potential customers seeking
proprietary information, and limits access to and distribution of its software,
documentation and other proprietary information. Despite these precautions, it
may be possible for unauthorized third parties to copy aspects of the Company's
products or to obtain and use information that the Company regards as
proprietary.
The Company's 18 issued U.S. patents expire at various dates ranging from
2005 to 2017. The Company's 34 foreign patents expire at various dates between
2006 to 2015. In addition, the Company has filed patent applications on
inventions embodied in new technologies developed by the Company. There can be
no assurance that any of these applications will result in an issued patent.
Upon expiration of the Company's patents, competitors may develop and sell
products based on technologies similar or equivalent to those currently covered
by the Company's patents. A patent developed at the Massachusetts Institute of
Technology and licensed to the Company (the "RSA/MIT Patent"), the claims of
which cover significant elements of the Company's RSA products, will expire on
September 20, 2000, which may enable competitors to thereafter market competing
products which previously would have infringed the RSA/MIT Patent. There can be
no assurance that any patent owned or held by the Company or its licensers will
not be invalidated, circumvented, challenged or terminated, that any of the
Company's pending or future patent applications will be within the scope of
claims sought by the Company, if at all, or that the steps taken by the Company
to protect its rights will be adequate to prevent misappropriation of the
Company's technology or to preclude competitors from developing products with
features similar to the Company's products. Further, there can be no assurance
that others will not develop technologies that are similar or superior to the
Company's technology or duplicate the Company's technology. In addition, the
laws of certain countries in which the Company's products are or may be
developed or sold may not protect the Company's products and intellectual
property rights to the same extent as the laws of the United States. The
inability of the Company to protect its intellectual property adequately could
have a material adverse effect on its financial condition and results of
operations.
The Company has registered, or is seeking to register, its trademarks and
servicemarks in countries where the Company has sold its products. There can be
no assurance that any such trademark application currently pending will not be
opposed by a third party.
GOVERNMENT REGULATION AND EXPORT CONTROLS
All of the Company's products are subject to U.S. export control laws and
applicable foreign government import, export, and/or use restrictions. Minimal
U.S. export restrictions apply to all products, whether or not they perform
encryption. Current U.S. export regulations require export licenses, or at least
a one-time technical review, before most encryption products may be exported to
countries other than Canada. The Company believes that it has obtained necessary
approvals for the export of the products it currently exports. There can be no
assurance, however, that the list of products and countries requiring Government
approvals and the applicable regulatory policies will not be revised from time
to time or that the Company will be able to obtain necessary regulatory
approvals for the export of future products. The inability of the Company to
obtain required approvals under these regulations could adversely affect the
ability of the Company to make international sales.
Exports of RSA's encryption products, or third-party products bundled with
RSA encryption technology, are expected to continue to be restricted by the
United States and various foreign governments. Exports of commercial encryption
products are regulated by the Export Administration Regulations of the U.S.
Commerce Department, while exports of encryption products designed or adapted
for military use require export licenses under the International Traffic in Arms
Regulations of the U.S. State Department. Until recently, the U.S. government
generally prohibited exports of encryption products with key lengths of greater
than 40 bits. Under new regulations issued in 1996 and 1998, commercial
encryption products with key lengths of up to 56 bits may be widely exported
after a one-time technical review by the U.S. Commerce Department. "Key
recovery" encryption products which enable authorized law enforcement agencies
to obtain readable text without the knowledge or cooperation of the end-user may
be exported, regardless of key length, after a one-time technical review.
Certain non-recovery products of any key length are eligible for export to
limited classes of end-users in certain countries, following a one-time
technical review and subject to various post-shipment reporting requirements;
eligible recipients include subsidiaries of U.S. companies, banks and financial
14
15
institutions, health and medical organizations, and online merchants. Other
non-recovery encryption products may be exported to other countries and
end-users under special Encryption Licensing Arrangements or individual export
licenses which may be issued at the discretion of the U.S. Commerce Department.
These regulations may be modified at any time, and there can be no assurance
that RSA will be authorized to export encryption products from the United States
in the future. As a result, RSA may be at a disadvantage in competing for
international sales compared to companies located outside the United States that
are not subject to such restrictions.
In the fourth quarter of 1998, the Company established a subsidiary in
Australia which developed a protocol-level encryption technology known as "SSL"
without using any export-controlled U.S.-origin encryption technologies or
software and without "technical assistance" from any U.S. persons. Accordingly,
the Company obtained a written opinion from the U.S. Commerce Department that
this technology is not subject to the jurisdiction of the U.S. export laws. The
technology, however, is subject to the export laws of Australia, and the Company
has received a one-year license from the Australian Government to export object
code versions of the SSL technology to specified countries, including the United
States. In order to remain outside of U.S. export control jurisdiction, the
Company has implemented policies and procedures to ensure that U.S. personnel
working for the Company do not inadvertently provide technical assistance to the
Company's Australian subsidiary which is developing future versions of the SSL
technology. However, there can be no assurance that the U.S. government will not
deem the SSL technology to be subject to U.S. export laws in the future, or that
the applicable Australian export restrictions will not be modified in the
future, or that the Company will continue to receive the required Australian
export authorizations.
EMPLOYEES
At December 31, 1998, the Company employed 764 employees. Of these
employees, 235 were involved in research and development; 282 in sales and
marketing, 80 in customer service and support; 98 in production and information
technology; and 69 in administration, human resources and finance. No employees
are covered by any collective bargaining agreements. The Company believes that
its relationships with its employees are good.
RECENT EVENTS
In the first quarter of 1999, the Company commenced consolidation of
certain operations in order to promote operational efficiency. The Company
expects to incur costs, mostly in the first quarter of 1999 and primarily
severance and facilities exit costs, of between $5.0 million and $7.0 million in
connection with this effort.
ITEM 2. PROPERTIES
The Company's principal administrative, sales and marketing, research and
development and support facilities are located in Bedford, Massachusetts under
non-cancelable ten year leases expiring in August 2008. The facilities aggregate
approximately 183,000 square feet of office space, and the annual base rents
aggregate approximately $3.0 million including certain operating expenses. The
Company also leases facilities for research and development and sales and
marketing in San Mateo, California under non-cancelable ten-year leases expiring
in 2008. The facilities aggregate approximately 58,000 square feet of office
space, and the annual base rents aggregate approximately $2.0 million including
certain operating expenses. Annual rent escalation provisions for all of theses
leases are based on the Consumer Price Index. The Company also leases facilities
for administration, field sales and customer support throughout the United
States, Canada, Asia, and Europe at annual base rents aggregating approximately
$1.4 million.
In connection with the consolidation of certain operations commenced in
January 1999, the Company is actively seeking to sublet a total of approximately
50,000 square feet of facilities at various locations. The successful sublet of
these facilities will reduce the Company's rental payment obligations by
approximately $0.1 million per month.
15
16
ITEM 3. LEGAL PROCEEDINGS
The Company and certain of its directors and officers are defendants in
Fitzer v. Security Dynamics Technologies, Inc., Charles R. Stuckey, Jr., D.
James Bidzos, Arthur W. Coviello, Jr., John Adams, Marian G. O'Leary and Linda
B. Saris, Civil Action No. 98-CV-12496-WGY, a purported class action lawsuit
filed on December 11, 1998 in the United States District Court for the District
of Massachusetts (the "Complaint"). The plaintiff subsequently dismissed without
prejudice claims against Ms. Saris. The plaintiff claims to represent all
purchasers of the Company's Common Stock during the period from September 30,
1997 through July 15, 1998, and seeks unspecified damages on their behalf. The
plaintiff alleges that the defendants misled the investing public concerning
demand for the Company's products, the strengths of its technologies, and
certain trends in the Company's business. The plaintiff and certain others have
moved to be appointed as lead plaintiff and to appoint lead counsel. No response
has been made to the Complaint by agreement with the plaintiff. The lead
plaintiff chosen by the Court is expected to file an amended complaint, to which
the defendants will respond. The Company intends to contest the lawsuit
vigorously. Although the amounts claimed may be substantial, the Company cannot
predict the ultimate outcome or estimate the potential loss, if any, related to
the lawsuit. The Company believes that the disposition of this matter will not
have a material adverse effect on the Company's consolidated financial position.
However, the adverse resolution of the lawsuit could materially affect the
Company's results of operations or liquidity in any one annual or quarterly
reporting period.
On November 2, 1998 the Company commenced litigation in a patent
infringement lawsuit filed in the United States District Court for the District
of Massachusetts against VASCO Data Security, Inc. ("VASCO"). The suit alleges
that VASCO's Digipass token products infringe certain of the Company's patents.
The Company seeks monetary damages for such infringement and injunctive relief.
In connection with this litigation, VASCO has filed counterclaims against the
Company seeking a declaratory judgement of noninfringement and invalidation of
the Company's patents at issue and alleging that the Company's infringement suit
against VASCO represents a breach of contract between the parties.
On January 6, 1999, the Company commenced litigation in a patent
infringement lawsuit filed in the United States District Court for the District
of Massachusetts against VASCO. The suit alleges that VASCO's RSA cards and RSA
chips products infringe the RSA/MIT Patent. The Company seeks monetary damages
for such infringement and injunctive relief. In connection with this litigation,
VASCO has filed counterclaims against the Company seeking a declaratory
judgement of non-infringement and invalidation of the patent at issue, and
alleging that the Company's suit against VASCO represents a violation of
antitrust laws.
ITEM 4. SUBMISSION OF MATTERS TO A VOTE OF SECURITY-HOLDERS
None.
16
17
EXECUTIVE OFFICERS OF THE COMPANY
The Company's executive officers are:
NAME AGE POSITION
- ---- --- --------
Charles R. Stuckey, Jr............... 56 Chairman of the Board and Chief Executive Officer
Arthur W. Coviello, Jr............... 45 President and Director
John Adams........................... 57 Senior Vice President, Engineering
Marian G. O'Leary.................... 44 Senior Vice President, Finance, Chief Financial Officer
and Treasurer
Linda E. Saris....................... 46 Senior Vice President, Customer Support and Operations
Scott Schnell........................ 41 Senior Vice President, Marketing
Margaret K. Seif..................... 38 Vice President, General Counsel and Secretary
Mr. Stuckey has served as Chief Executive Officer and a member of the Board
of Directors of the Company since March 1987. He has served as Chairman of the
Board since July 1996. From January 1987 to March 1999, Mr. Stuckey served as
President of the Company.
Mr. Coviello joined the Company as Executive Vice President in September
1995 and was appointed Chief Operating Officer in January 1997 and President in
March 1999. Mr. Coviello was also elected to the Board of Directors in March
1999. From October 1995 to August 1997, Mr. Coviello also served as the
Company's Chief Financial Officer and Treasurer. Prior to joining the Company,
Mr. Coviello served in various capacities with CrossComm Corporation, a
developer of inter-networking products, including Chief Operating Officer and
Chief Financial Officer.
Dr. Adams joined the Company as Senior Vice President, Engineering in March
1996 after over twenty years of management, engineering and network service for
Digital Equipment Corporation ("Digital"). From 1976 to 1996, Dr. Adams served
in a number of positions with Digital, including Vice President and Technical
Director of Digital's Network Operating Systems Division from 1991 to 1996.
Ms. O'Leary joined the Company as Senior Vice President, Finance, Chief
Financial Officer and Treasurer in August 1997. From 1987 to 1997, Ms. O'Leary
held a number of positions with Digital, including Vice President, Finance for
the Systems Business Unit from 1994 to 1997.
Ms. Saris joined the Company as Vice President, Finance and Operations,
Treasurer and Chief Financial Officer in June 1989, and has served as Senior
Vice President, Customer Support and Operations since July 1998 and as Chief
Information Officer since August 1997. From January 1997 to July 1998, Ms. Saris
served as Vice President, Customer Support and Operations of the Company. From
October 1995 to January 1997, Ms. Saris served as the Company's Vice President,
Operations.
Mr. Schnell joined RSA as Vice President of Marketing in 1996, and was
appointed Senior Vice President, Marketing of the Company in July 1998. Prior to
joining RSA, Mr. Schnell spent 15 years in product and strategic marketing
positions at leading technology and consulting firms, including Apple Computer,
Photonics Corp and McKinsey and Company.
Ms. Seif joined the Company as General Counsel in March 1998, and was
appointed Vice President and Secretary in June 1998. From 1996 to 1998, Ms. Seif
was Vice President and General Counsel of Firefly Network, Inc., a personal
information software company. Prior to joining Firefly Network, Ms. Seif was
Vice President - Legal Affairs, of the AT&T New Media Services division from
1994 to 1996.
17
18
PART II
ITEM 5. MARKET FOR REGISTRANT'S COMMON EQUITY AND RELATED STOCKHOLDER
MATTERS
The Company's Common Stock has been trading on the Nasdaq National Market
under the symbol "SDTI" since the Company's initial public offering on December
14, 1994. The following table sets forth for the fiscal periods indicated the
high and low sales prices per share of Common Stock as reported on the Nasdaq
National Market.
HIGH LOW
---- ----
1997
First Quarter............................................... $39 1/4 $21
Second Quarter.............................................. $38 1/4 $22 3/4
Third Quarter............................................... $44 3/8 $32 5/8
Fourth Quarter.............................................. $41 5/8 $29 3/4
HIGH LOW
---- ----
1998
First Quarter............................................... $42 1/8 $29 1/2
Second Quarter.............................................. $42 3/4 $15 1/8
Third Quarter............................................... $20 3/4 $ 9 3/8
Fourth Quarter.............................................. $23 1/2 $ 5 7/16
There were 319 stockholders of record of the Company's Common Stock as of
March 4, 1999.
The Company has never declared or paid any cash dividends on its capital
stock. The Company currently intends to retain earnings, if any, to support its
growth strategy and does not anticipate paying cash dividends in the foreseeable
future. Payment of future dividends, if any, will be at the discretion of the
Company's Board of Directors after taking into account various factors,
including the Company's financial condition, operating results, current and
anticipated cash needs and plans for expansion.
ITEM 6. SELECTED FINANCIAL DATA
The information required by this item is contained under the caption
"Selected Consolidated Financial Data" appearing in the Company's 1998 Annual
Report to Stockholders (the "1998 Annual Report") and is incorporated herein by
this reference.
ITEM 7. MANAGEMENT'S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND
RESULTS OF OPERATIONS
The information required by this item is contained under the caption
"Management's Discussion and Analysis of Financial Condition and Results of
Operations" appearing in the 1998 Annual Report and is incorporated herein by
this reference.
ITEM 7A. QUANTITATIVE AND QUALITATIVE DISCLOSURES ABOUT MARKET RISK
The information required by this item is contained under the caption
"Market Risk" appearing in the 1998 Annual Report and is incorporated herein by
this reference.
18
19
ITEM 8. FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA
The information required by this item is contained in the Consolidated
Financial Statements appearing in the 1998 Annual Report and is incorporated
herein by this reference.
ITEM 9. CHANGES IN AND DISAGREEMENTS WITH ACCOUNTANTS ON ACCOUNTING AND
FINANCIAL DISCLOSURE
Not applicable.
PART III
ITEM 10. DIRECTORS AND EXECUTIVE OFFICERS OF THE REGISTRANT
The information required by this item is contained in part under the
caption "Executive Officers of the Company" in Part I hereof, and the remainder
is contained in the Company's Proxy Statement for the Company's Annual Meeting
of Stockholders to be held on April 22, 1999 (the "1999 Proxy Statement") under
the captions "Proposal 1 -- Election of Directors" and "Section 16(a) Beneficial
Ownership Reporting Compliance" and is incorporated herein by this reference.
Officers are elected on an annual basis and serve at the discretion of the
Board of Directors.
ITEM 11. EXECUTIVE COMPENSATION
The information required by this item is contained under the captions
"Director Compensation" and "Compensation of Executive Officers" in the 1999
Proxy Statement and is incorporated herein by this reference.
ITEM 12. SECURITY OWNERSHIP OF CERTAIN BENEFICIAL OWNERS AND MANAGEMENT
The information required by this item is contained under the caption "Stock
Ownership of Certain Beneficial Owners and Management" in the 1999 Proxy
Statement and is incorporated herein by this reference.
ITEM 13. CERTAIN RELATIONSHIPS AND RELATED TRANSACTIONS
The information required by this item is contained under the caption
"Certain Relationships and Related Transactions" in the 1999 Proxy Statement and
is incorporated herein by reference.
19
20
PART IV
ITEM 14. EXHIBITS, FINANCIAL STATEMENT SCHEDULES AND REPORTS ON FORM 8-K
(a) Documents filed as a part of this Form 10-K:
1. Financial Statements. The Consolidated Financial Statements are
included in the 1998 Annual Report, portions of which are filed as an exhibit to
this Annual Report on Form 10-K. The Consolidated Financial Statements include:
Independent Auditors' Report
Consolidated Balance Sheets
Consolidated Statements of Income
Consolidated Statements of Stockholders' Equity
Consolidated Statements of Cash Flows
Notes to Consolidated Financial Statements
2. Financial Statement Schedules. Financial Statement Schedule II,
"Valuation and Qualifying Accounts" and the Report of Deloitte & Touche LLP
immediately following the "Exhibit Index" are filed as part of this Annual
Report on Form 10-K.
3. Exhibits. The Exhibits listed in the Exhibit Index immediately
preceding such Exhibits are filed as part of this Annual Report on Form 10-K.
(b) Reports on Form 8-K:
On October 13, 1998, the Company filed a Current Report on Form 8-K, dated
October 12, 1998, to report under Item 5 (Other Events) the Company's financial
results for the third quarter of 1998 and the authorization of the Company's
stock repurchase program. No financial statements were required to be filed with
such report.
On December 11, 1998, the Company filed a Current Report on Form 8-K, dated
December 11, 1998, to report under Item 5 (Other Events) the purported class
action lawsuit against the Company and certain of its officers and directors. No
financial statements were required to be filed with such report.
20
21
SIGNATURES
Pursuant to the requirements of Section 13 or 15(d) of the Securities
Exchange Act of 1934, the Registrant has duly caused this report to be signed on
its behalf by the undersigned, thereunto duly authorized.
SECURITY DYNAMICS TECHNOLOGIES, INC.
BY: /s/ CHARLES R. STUCKEY, JR.
------------------------------------
CHARLES R. STUCKEY, JR.
CHAIRMAN OF THE BOARD AND CHIEF
EXECUTIVE OFFICER
Date: March 30, 1999
Pursuant to the requirements of the Securities Exchange Act of 1934, this
report has been signed below by the following persons on behalf of the
Registrant and in the capacities and on the dates indicated.
SIGNATURE TITLE DATE
- --------- ----- ----
/s/ CHARLES R. STUCKEY, JR. Chairman of the Board and Chief March 30, 1999
- --------------------------------------------------- Executive Officer (Principal
CHARLES R. STUCKEY, JR. Executive Officer)
/s/ MARIAN G. O'LEARY Senior Vice President, Finance, Chief March 30, 1999
- --------------------------------------------------- Financial Officer and Treasurer
MARIAN G. O'LEARY (Principal Financial and Accounting
Officer)
/s/ D. JAMES BIDZOS Vice Chairman of the Board March 30, 1999
- ---------------------------------------------------
D. JAMES BIDZOS
/s/ ARTHUR W. COVIELLO, JR. President and Director March 30, 1999
- ---------------------------------------------------
ARTHUR W. COVIELLO, JR.
/s/ RICHARD L. EARNEST Director March 30, 1999
- ---------------------------------------------------
RICHARD L. EARNEST
/s/ TAHER ELGAMAL Director March 30, 1999
- ---------------------------------------------------
TAHER ELGAMAL
/s/ JOSEPH B. LASSITER, III Director March 30, 1999
- ---------------------------------------------------
JOSEPH B. LASSITER, III
/s/ GEORGE M. MIDDLEMAS Director March 30, 1999
- ---------------------------------------------------
GEORGE M. MIDDLEMAS
/s/ JAMES K. SIMS Director March 30, 1999
- ---------------------------------------------------
JAMES K. SIMS
21
22
EXHIBIT INDEX
2 Agreement and Plan of Merger by and among the Registrant,
Intrusion Detection Inc., Apple Acquisition Corp., Robert
Kane and Lillian Kane, dated March 26, 1998, is incorporated
herein by reference to Exhibit 2.1 to the Registrant's
Current Report on Form 8-K, dated March 26, 1998
3.1 Third Restated Certificate of Incorporation, as amended, of
the Registrant is incorporated herein by reference to
Exhibit 3 to the Registrant's Quarterly Report on Form 10-Q
for the Quarter Ended June 30, 1996
3.2 Amended and Restated By-Laws, as amended, of the Registrant
is incorporated herein by reference to Exhibit 3.3 to the
Registrant's Registration Statement on Form S-1 (File No.
33-85606) (the "Form S-1")
4 Specimen Certificate for shares of Common Stock, $.01 par
value per share, of the Registrant is incorporated herein by
reference to Exhibit 4.1 to the Form S-1
*10.1 1986 Stock Option Plan, as amended, is incorporated herein
by reference to Exhibit 10.1 to the Form S-1
*10.2 1994 Stock Option Plan, as amended, is incorporated herein
by reference to Exhibit 10.2 to the Registrant's Annual
Report on Form 10-K for the Year Ended December 31, 1996
*10.3 Amendment No. 3 to 1994 Stock Option Plan, as amended, is
incorporated herein by reference to Exhibit 10.1 to the
Registrant's Quarterly Report on Form 10-Q for the Quarter
Ended June 30, 1997
*10.4 Amendment No. 4 to 1994 Stock Option Plan, as amended, is
incorporated herein by reference to Exhibit 10.3 to the
Registrant's Quarterly Report on Form 10-Q for the Quarter
Ended March 31, 1998
*10.5 1994 Stock Option Plan, as amended -- 1998 Restatement is
incorporated herein by reference to Annex A to the
Registrant's Definitive Schedule 14A filed April 1, 1998
*10.6 1994 Director Stock Option Plan, as amended, is incorporated
herein by reference to Exhibit 10.3 to the Registrant's
Annual Report on Form 10-K for the Year Ended December 31,
1996
*10.7 1998 Deferred Compensation Plan is incorporated herein by
reference to Exhibit 10.4 to the Registrant's Quarterly
Report on Form 10-Q for the Quarter Ended March 31, 1998
*10.8 Employment Agreement between the Registrant and Charles R.
Stuckey, Jr., dated as of November 1, 1997, is incorporated
herein by reference to Exhibit 10.5 to the Registrant's
Annual Report on Form 10-K for the Year Ended December 31,
1997
*10.9 Letter Agreement between the Registrant and Arthur W.
Coviello, Jr., dated as of August 21, 1995, is incorporated
herein by reference to Exhibit 10 to the Registrant's
Quarterly Report on Form 10-Q for the Quarter Ended
September 30, 1995
*10.10 Letter Agreement between the Registrant and Linda E. Saris,
dated as of May 1, 1989, is incorporated herein by reference
to Exhibit 10.7 to the Form S-1
*10.11 Form of Management Employment Agreement is incorporated
herein by reference to Exhibit 10.1 to the Registrant's
Quarterly Report on Form 10-Q for the Quarter Ended
September 30, 1998
10.12 Amended and Restated Registration Rights Agreement, dated as
of September 7, 1988, as amended, among the Registrant and
certain stockholders of the Registrant, is incorporated
herein by reference to Exhibit 10.11 to the Form S-1
10.13 Amendment to Amended and Restated Registration Rights
Agreement, dated as of October 31, 1995, among the
Registrant and certain stockholders of the Registrant, is
incorporated herein by reference to Exhibit 10.19 to the
Registrant's Registration Statement on Form S-1 (File No.
33-98818)
10.14 Registration Rights Agreement by and among the Registrant
and the parties named on Schedule I thereto, dated July 15,
1997, is incorporated herein by reference to Exhibit 10.1 to
the Registrant's Current Report on Form 8-K, dated July 15,
1997
22
23
10.15 Registration Rights Agreement by and among the Registrant,
Robert Kane and Lillian Kane, dated March 26, 1998, is
incorporated herein by reference to Exhibit 10.1 to the
Registrant's Current Report on Form 8-K, dated March 26,
1998
10.16 Stock Purchase Agreement, dated as of November 6, 1997,
between the Registrant and James K. Sims, is incorporated
herein by reference to Exhibit 10.24 to the Registrant's
Annual Report on Form 10-K for the Year Ended December 31,
1997
+10.17 Terms and Conditions of Purchase, dated January 1, 1994,
between the Registrant and Gould Electronics is incorporated
herein by reference to Exhibit 10.15 to the Form S-1
+10.18 Letter, dated October 12, 1994, from Sanyo Electric Co.,
LTD. to the Registrant is incorporated herein by reference
to Exhibit 10.16 to the Form S-1
+10.19 Progress Software Application Partner Agreement between the
Registrant and Progress Software Corporation, dated December
5, 1994, as amended, is incorporated herein by reference to
Exhibit 10.17 to the Form S-1
+10.20 Second Amendment to Progress Software Application Partner
Agreement, dated as of November 29, 1995, between the
Registrant and Progress Software Corporation is incorporated
herein by reference to Exhibit 10.13 to the Registrant's
Quarterly Report on Form 10-Q for the Quarter Ended June 30,
1997
+10.21 Third Amendment to Progress Software Application Partner
Agreement, dated as of November 15, 1996, between the
Registrant and Progress Software Corporation is incorporated
herein by reference to Exhibit 10.14 to the Registrant's
Quarterly Report on Form 10-Q for the Quarter Ended June 30,
1997
+10.22 Fourth Amendment to Progress Software Application Partner
Agreement, dated as of April 1, 1998, between the Registrant
and Progress Software Corporation, is incorporated herein by
reference to Exhibit 10.18 to the Registrant's Quarterly
Report on Form 10-Q for the Quarter Ended June 30, 1998
10.23 Indenture of Lease, dated as of March 11, 1996, between the
Registrant and Beacon Properties, L.P. is incorporated
herein by reference to Exhibit 10.17 to the Registrant's
Registration Statement on Form S-4 (File No. 333-7265)
10.24 Rider to Indenture of Lease, dated as of March 11, 1996
between the Registrant and Beacon Properties, L.P., is
incorporated herein by reference to Exhibit 10.6 to the
Registrant's Quarterly Report on Form 10-Q for the Quarter
Ended March 31, 1998
10.25 First Amendment to Lease, dated as of May 10, 1997, between
the Registrant and Beacon Properties, L.P. is incorporated
herein by reference to Exhibit 10.2 to the Registrant's
Quarterly Report on Form 10-Q for the Quarter Ended June 30,
1997
10.26 Second Amendment to Lease, dated as of April 8, 1998, by and
between the Registrant and EOP -- Crosby Corporate Center,
L.L.C., is incorporated herein by reference to Exhibit 10.5
to the Registrant's Quarterly Report on Form 10-Q for the
Quarter Ended March 31, 1998
10.27 Lease Agreement, dated as of August 15, 1997, by and between
the Registrant and Peninsula Office Park Associates, L.P.,
is incorporated herein by reference to Exhibit 10.7 to the
Registrant's Quarterly Report on Form 10-Q for the Quarter
Ended March 31, 1998
10.28 Lease Agreement, dated as of December 19, 1997, by and
between the Registrant and Peninsula Office Park Associates,
L.P., is incorporated herein by reference to Exhibit 10.8 to
the Registrant's Quarterly Report on Form 10-Q for the
Quarter Ended March 31, 1998
10.29 Master Development and License Agreement, dated September
30, 1997, between the Registrant and VeriSign, Inc.
("VeriSign") is incorporated herein by reference to Exhibit
10.19 to VeriSign's Registration Statement on Form S-1 (File
No. 333-40789)
10.30 Amendment Number One to Master Development and License
Agreement dated as of December 31, 1998 between the
Registrant and VeriSign is incorporated herein by reference
to Exhibit 10.30 to VeriSign's Registration Statement on
Form S-1 (File No. 333-70121)
11 Computation of Income per Common Share
23
24
13 Portions of the Registrant's 1998 Annual Report to
Stockholders (which is not deemed to be "filed" except to
the extent that portions thereof are expressly incorporated
by reference in this Annual Report on Form 10-K)
21 Subsidiaries of the Registrant
23 Consent of Deloitte & Touche LLP, Independent Auditors
27 Financial Data Schedule for the year ended December 31, 1998
- ---------------
* Management contract or compensatory plan or arrangement filed in response to
Item 14(a)(3) of the instructions to Form 10-K.
+ Confidential treatment previously granted by the Securities and Exchange
Commission as to certain portions.
24
25
SCHEDULE II
SECURITY DYNAMICS TECHNOLOGIES, INC. AND SUBSIDIARIES
VALUATION AND QUALIFYING ACCOUNTS
(IN THOUSANDS)
BALANCE AT CHARGED TO BALANCE AT
BEGINNING OF COSTS AND END OF
PERIOD EXPENSES DEDUCTIONS PERIOD
------------ ---------- ---------- ----------
ALLOWANCE FOR DOUBTFUL ACCOUNTS
For the year ended December 31, 1998............ $852 $122 $264 $710
For the year ended December 31, 1997............ 537 349 34 852
For the year ended December 31, 1996............ 734 223 420 537
ACCRUED WARRANTY COSTS
For the year ended December 31, 1998............ $105 $ -- $ -- $105
For the year ended December 31, 1997............ 105 -- -- 105
For the year ended December 31, 1996............ $105 $128 $128 $105
25
26
INDEPENDENT AUDITORS' REPORT
To the Board of Directors and Stockholders of
Security Dynamics Technologies, Inc. and Subsidiaries:
We have audited the consolidated financial statements of Security Dynamics
Technologies, Inc. (the "Company") as of December 31, 1997 and 1998, and for
each of the three years in the period ended December 31, 1998, and have issued
our report thereon dated January 27, 1999 (which report expresses an unqualified
opinion and includes explanatory paragraphs referring to the restatement of the
consolidated financial statements for a pooling of interests in 1998 and a
change in the Company's method of accounting for option grants requiring
stockholder approval in 1996); such consolidated financial statements and report
are included in the 1998 Annual Report to stockholders and are incorporated
herein by reference.
Our audits also included the consolidated financial statement schedule of
the Company listed in Item 14 (a) 2. of this Annual Report. This consolidated
financial statement schedule is the responsibility of the Company's management.
Our responsibility is to express an opinion based on our audits. In our opinion,
such consolidated financial statement schedule, when considered in relation to
the basic consolidated financial statements taken as a whole, presents fairly in
all material respects the information set forth therein.
/s/ DELOITTE & TOUCHE LLP
Boston, Massachusetts
January 27, 1999
26