
 

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

 

Form 10-K

 

(Mark One)

ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

For the Fiscal Year Ended December 31, 2016

OR

TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

Commission file number: 001-35338

 

Imperva, Inc.

(Exact name of registrant as specified in its charter)

 

 

Delaware
(State or Other Jurisdiction of Incorporation or Organization)

03-0460133
(I.R.S. Employer Identification No.)

3400 Bridge Parkway

Redwood Shores, California 94065

(Address of Principal Executive Offices, including Zip Code)

(650) 345-9000

(Registrant’s Telephone Number, including Area Code)

Securities registered pursuant to Section 12(b) of the Act:

 

Title of Each Class: Common Stock, par value $0.0001 per share

Name of Each Exchange on Which Registered: The NASDAQ Stock Market LLC

Securities registered pursuant to Section 12(g) of the Act:

None

(Title of Class)

 

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act.    Yes      No  

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act.    Yes      No  

Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.    Yes      No  

Indicate by check mark whether the registrant has submitted electronically and posted on its corporate Web site, if any, every Interactive Data File required to be submitted and posted pursuant to Rule 405 of Regulation S-T (§ 232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such files).    Yes      No  

Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K (§ 229.405) is not contained herein, and will not be contained, to the best of registrant’s knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K.  

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, or a smaller reporting company. See the definitions of “large accelerated filer,” “accelerated filer” and “smaller reporting company” in Rule 12b-2 of the Exchange Act. (Check one):

 

Large accelerated filer

Accelerated filer

Non-accelerated filer (Do not check if a smaller reporting company)

Smaller reporting company

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Act).    Yes      No  

The aggregate market value of voting and non-voting common equity held by non-affiliates of the registrant as of June 30, 2016 (the last business day of the registrant’s most recently completed second fiscal quarter), based upon the closing price of the common stock reported by the New York Stock Exchange on such date, was approximately $1,390 million. Shares of common stock held by each executive officer and director of the registrant have been excluded in that such persons may be deemed to be affiliates. This determination of affiliate status is not necessarily a conclusive determination for other purposes.

The number of outstanding shares of the registrant’s common stock as of February 15, 2017 was 33,395,393.

 

 

 

 


2016 ANNUAL REPORT ON FORM 10-K

TABLE OF CONTENTS

PART I

Item 1. Business
Item 1A. Risk Factors
Item 1B. Unresolved Staff Comments
Item 2. Properties
Item 3. Legal Proceedings
Item 4. Mine Safety Disclosures

PART II

Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Item 6. Selected Financial Data
Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations
Item 7A. Quantitative and Qualitative Disclosures About Market Risk
Item 8. Financial Statements and Supplementary Data
Item 9. Changes in and Disagreements with Accountants on Accounting and Financial Disclosure
Item 9A. Controls and Procedures
Item 9B. Other Information

PART III

Item 10. Directors, Executive Officers and Corporate Governance
Item 11. Executive Compensation
Item 12. Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters
Item 13. Certain Relationships and Related Transactions, and Director Independence
Item 14. Principal Accountant Fees and Services

PART IV

Item 15. Exhibits and Financial Statement Schedules

Signatures

 

 

Documents Incorporated by Reference

 

Portions of the definitive proxy statement for our 2017 Annual Meeting of Stockholders are incorporated by reference in Part III of this Form 10-K.  We intend to file the definitive proxy statement with the Securities and Exchange Commission, or SEC, within 120 days of the year ended December 31, 2016.

 

Forward Looking Statements

The information in this Annual Report on Form 10-K contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, or the Securities Act, and Section 21E of the Securities Exchange Act of 1934, as amended, or the Exchange Act. Such statements are based upon current expectations that involve risks and uncertainties. Any statements contained herein that are not statements of historical facts may be deemed to be forward-looking statements. Words such as “may,” “will,” “should,” “could,” “estimate,” “predict,” “potential,” “continue,” “strategy,” “believe,” “anticipate,” “plan,” “expect,” “intend” and similar expressions or variations are intended to identify forward-looking statements. Our actual results and the timing of certain events may differ significantly from the results discussed in the forward-looking statements. Factors that might cause or contribute to such differences include, but are not limited to, those discussed elsewhere in this Annual Report on Form 10-K in the section titled “Risk Factors” and the risks discussed in our other filings with the SEC. We undertake no obligation to publicly release any revisions to the forward-looking statements after the date of this Annual Report on Form 10-K.

 

 

 

 


 

PART I

Item 1. Business

Overview

We are a leader in cyber-security solutions that protect business-critical data and applications, whether in the cloud or on premises. As organizations worldwide undergo digital transformation, their day-to-day operations are increasingly dependent upon their application and data portfolios. Extortion and theft by cybercriminals, using an evolving array of sophisticated attacks, continuously threaten these applications and data. Organizations are facing numerous challenges in providing the visibility and control required to protect business-critical applications and data from these attacks. Adoption of new technologies and architectures, such as mobile applications, web applications and big data, increases the complexity of, opens access to, and increases the vulnerability of business-critical data and applications. The increasing use of virtualization technologies and cloud delivery models, including unsanctioned, employee-adopted applications, known as “shadow IT,” is forcing organizations to operate outside of the traditional security model. Additionally, organizations must comply with complex regulatory standards enacted to protect their systems and data. We believe that these challenges are driving the need for cyber-security solutions that protect applications and data, whether in the cloud or on premises.

Our cyber-security solutions directly protect the business-critical data and applications that are being attacked, and are designed to fill the gaps left by existing endpoint and network or perimeter security solutions. Our Imperva SecureSphere platform provides database, file and web application security across various physical and virtual systems in data centers, including those in traditional on-premise data centers as well as in private, public and hybrid cloud computing environments. Our Imperva Incapsula product line provides cloud-based website security, denial of service protection and performance solutions that do not require software or hardware changes. Our Imperva CounterBreach product line uses machine learning to analyze how users access data and to spotlight data breach activity. In addition, our cloud offerings are designed to protect against the unique threats created as enterprises increasingly shift to deploying their applications and storing their data in the cloud to take advantage of the flexibility and cost-efficiency offered by cloud-based solutions.

On December 15, 2016, we acquired specified assets and liabilities of Camouflage Software, Inc., or Camouflage, for approximately $4.5 million in cash and hired nearly all of Camouflage’s employees. Based in St. John’s, Newfoundland and Labrador, Canada, Camouflage provides data discovery and data masking tools to protect sensitive and critical data. Prior to the asset purchase, we had announced a technology alliance with Camouflage in May 2016 that allowed us to sell the Camouflage solution to our customers. For more information on the Camouflage acquisition see Note 3 to the Notes to Consolidated Financial Statements.

As of December 31, 2016, Imperva had over 5,200 end user customers in more than 100 countries. For purposes of this end user customer count, we are referring to end user customers who purchased through our direct sales force or channel partners. In addition, our solutions are used to protect thousands of organizations through cloud-based deployments with our Software-as-a-Service (“SaaS”) customers and managed security service providers (“MSSPs”) and hosting partners. We primarily sell our products and services through our network of approximately 270 channel partners worldwide, including both distributors and resellers, which provide sales and support leverage to our sales organization. As of December 31, 2016, we had approximately 993 employees, including 319 employees in research and development. We generated revenue of $264.5 million in 2016, an increase of 12.9% over the $234.3 million in revenue we generated in 2015. Net loss attributable to our stockholders was $70.3 million in 2016 as compared to $48.9 million in 2015.  

On February 23, 2017, we completed the sale of our Skyfence cloud access security broker business to Forcepoint LLC for approximately $40 million. For more information about the sale of the Skyfence business see Note 18 to the Notes to Consolidated Financial Statements on subsequent events.

Our Strategy

Our goal is to extend our leadership position in the cyber-security market. Key elements of our growth strategy include:

 

Enhance and extend our leadership position through technological and product innovation. We intend to continue to invest in product upgrades and product line extensions as well as the development of new products and services that address emerging cyber-security and regulatory compliance requirements to maintain our technological advantages. We also intend to continue to invest in advanced threat research and increase our threat intelligence leadership as well as to continue our research and development efforts in cyber-security for cloud computing environments.


Continue to pursue cyber-security opportunities as businesses adopt cloud computing. Our solutions are used to protect thousands of organizations through cloud-based deployments with our SaaS customers, MSSPs and hosting partners. We intend to continue to focus on capturing the expected increases in spending on securing business-critical applications and data as enterprises pursue cloud computing initiatives for both external and internal facing applications. We intend to develop and expand our relationships with MSSPs and data center hosting providers, and to increase sales to SaaS providers.  

 

Increase awareness of the importance of cyber-security and drive adoption of our solution. We believe the market for cyber-security is in its early stages and growing rapidly. We plan to continue to increase market awareness of the benefits of our cyber-security solutions and to invest in our brand to further extend our leadership in the cyber-security market. For example, we plan to continue to invest in a broad range of marketing programs that help connect us with potential buyers along paid, earned, shared and owned channels. To further this goal, we plan to leverage online and offline advertising initiatives, targeted event participation, global public relations efforts, direct marketing, web events and participation in social media channels, such as LinkedIn, Facebook and Twitter.

 

Drive increased sales to our existing customer base. We intend to drive increased sales of our suite of cyber-security offerings within our existing customer base by deepening and broadening deployment of our offerings. Many of our customers initially deploy our solution for a limited portion of their business-critical applications and data, providing us with significant opportunities to sell them more of our products. This strategy has proved successful, as more than 52% of our revenue in 2016 was derived from repeat sales to existing customers. In addition, as a leading provider of cyber-security solutions, we believe we are well positioned to benefit as our customers expand the scope of their cyber-security and compliance initiatives both in the cloud and on premises. As of December 31, 2016, approximately 26% of our customers have purchased more than one of our SecureSphere offerings.

 

Increase our sales in the mid-market and small and medium-sized business (“SMB”) market. We believe there is a significant opportunity to provide cyber-security solutions to smaller businesses as they continue to face increasing security threats and more complex compliance mandates. We plan to continue to grow our business with mid-market enterprises and SMBs by expanding our distribution channels and our cloud-based offerings.

 

Pursue strategic opportunities. We intend to pursue targeted acquisition and partnership opportunities to continue to broaden our technology and offerings to better enable organizations to protect applications and data on premise and in the cloud.

Cloud and On-Premise Products

Our products include our Imperva SecureSphere platform, Imperva CounterBreach and Imperva Camouflage for enterprise data centers, and our Imperva Incapsula offering for cloud-based security services.

Our SecureSphere, CounterBreach and Camouflage product lines secure business-critical applications and data in physical and virtual data centers from hackers and malicious insiders, and provide an accelerated and cost-effective route to address regulatory compliance and establish a repeatable process for data risk management. Our SecureSphere products are built on a common modular platform, which includes a single operating system and common code base. All of our SecureSphere products can be managed either individually as stand-alone appliances or collectively from our SecureSphere MX Management Server. Our SecureSphere MX Management Server provides a single, centralized point for aggregating and managing SecureSphere security policies, real-time monitoring, logging, auditing and compliance reporting, customizable reporting and in-depth analytics. With the SecureSphere MX Management Server, administrators can simultaneously manage our database, file and web security products from a single console. CounterBreach uses machine learning to analyze how users access structured data, unstructured data, and data in the cloud in order to spotlight dangerous data access and use.  Camouflage data masking discovers where sensitive data resides and prioritizes what data should be masked.

Our Payment Card Industry (“PCI”) certified Incapsula service is purpose-built to deliver cloud-based Website Security, Distributed Denial of Service (“DDoS”) Protection and Load Balancing and Failover, all of which are fully integrated with, and built on top of, a global Content Delivery Network. Our Incapsula service is designed to be easy to deploy and accessible to businesses of all sizes that want to maximize the security, speed and availability of their websites. Because customers do not need to purchase or install any hardware or software to use our Incapsula service, we estimate that most customers can set up the service in less than ten minutes. Our customers typically begin using our Incapsula service by changing their website’s Domain Name System setting to route traffic to the Incapsula network. The global network of Incapsula servers applies security and optimization solutions to traffic on our customers’ websites according to the Incapsula service options they purchase. The screened, filtered and optimized traffic is then routed by the Incapsula network to the customer’s websites.


We sell our SecureSphere products primarily using perpetual software licenses installed on hardware appliances or virtual appliances. We sell our cloud-based products and services using subscription-based pricing plans. We also sell our ThreatRadar services as separate add-on, subscription services to our SecureSphere appliances.

We organize our product lines into customer-focused capability areas based on their ability to protect applications or data against attacks.

Application Protection

SecureSphere Products

SecureSphere Web Application Firewall: Protects business-critical web applications and data

 

We believe that our SecureSphere Web Application Firewall (“WAF”) is one of the industry’s leading solutions for protecting web assets from application attacks. Our SecureSphere WAF protects our customers’ business-critical applications and data from large scale cyber-attacks, adapts to evolving threats to protect against data breaches and enables compliance with regulatory requirements. Based on the feature and traffic capacity requirements of our customers, our web application security products can be deployed as a physical or virtual appliance. Key capabilities of our SecureSphere WAF include dynamic identification of legitimate web application usage, fortification of web defenses with research-driven intelligence on current threats from the Imperva Defense Center (“IDC”), alerts and requests blocking as well as virtual patching of application vulnerabilities.

 

 

 

ThreatRadar Products

ThreatRadar: Provides reputation and crowdsourced security intelligence services

 

ThreatRadar Reputation Services recognizes attack sources and dynamically adjusts web security policies within our SecureSphere WAF to provide protection against attacks.

 

 

 

 

 

ThreatRadar Community Defense, a part of ThreatRadar Reputation Services, delivers crowd-based threat intelligence to SecureSphere WAF. ThreatRadar Community Defense gathers attack data from SecureSphere deployments around the world and uses algorithms to translate this data into attack patterns, policies and reputation data.

 

 

 

 

 

ThreatRadar Bot Protection Services uses a client classification engine to analyze and classify incoming website traffic, and to distinguish between human and bot traffic. It also identifies good and bad bots and classifies traffic by browser type. The intelligence it collects during this process is then used by SecureSphere to drive WAF policy enforcement.

 

 

 

 

 

ThreatRadar Account Takeover Protection protects web application accounts from being compromised by cybercriminals. The product combines awareness of credentials known to be compromised, knowledge of login device reputation and risk, detection of credential stuffing and dictionary attacks against passwords, and analysis of behavior across multiple devices and accounts to identify account takeover attempts and compromised accounts, protecting against hackers before they gain access to protected web applications and services.

 

 

 


Incapsula Products

Incapsula Website Security: Blocks attacks against web applications to promote website safety and availability

 

Incapsula Website Security is a PCI-certified service with advanced bot detection and mitigation. It protects websites and applications against application layer hacking attempts and blocks scrapers, vulnerability scanners and content spammers that overload servers and steal content. Our cloud-based approach, coupled with crowdsourcing techniques, enables us to anonymously harness real data from our customer base to better understand the global attack landscape and continually improve security.

 

 

 

Incapsula Content Delivery Network: Optimizes website performance

 

Incapsula Content Delivery Network (“CDN”) is a globally distributed network of data centers that delivers full site acceleration through intelligent caching and content optimization tools. The CDN is application-aware and dynamically profiles website resources and identifies cacheable, dynamic and static content, including content that other CDNs consider uncacheable.

 

 

 

Incapsula DDoS Protection: Safeguards networks, applications and DNS servers from volumetric and protocol-based DDoS attacks

 

Incapsula reroutes traffic through the Incapsula network, and subjects it to progressively more stringent layers of protection. Using sophisticated security rules and challenges, Incapsula is able to identify and filter out DDoS attack traffic, while allowing legitimate traffic to flow unhindered to protected applications such as websites, email, and FTP.

 

 

 

Incapsula Load Balancing: Balances web traffic load across multiple web servers

 

Incapsula Load Balancing provides layer 7 load balancing and failover as a service, so organizations can replace costly appliances with an enterprise-grade, cloud-based solution. The service supports in-datacenter and cross-datacenter high availability scenarios. It also provides real-time health monitoring to ensure that traffic is routed to a viable web server.

 

 

 

 

 

 

Data Protection

SecureSphere Products

SecureSphere Database Firewall and Database Activity Monitoring: Secures business-critical data in structured repositories

 

SecureSphere Database Firewall and Database Activity Monitoring secure business-critical data in structured repositories in the data center. They provide comprehensive visibility and control over structured business data repositories, including database data usage, vulnerabilities, and access rights, and enable security, audit, risk and IT professionals to improve data security and address compliance requirements. SecureSphere can be deployed as a physical or virtual appliance, based on the feature and traffic capacity requirements of our customers. SecureSphere Database Firewall and Database Activity Monitoring protect relational and big data databases running on distributed platforms and IBM z/OS.

 

 

 

SecureSphere Database Assessment Server: Finds sensitive data and runs assessments

 

SecureSphere Database Assessment Server automates the process of discovering databases and sensitive business data on the network and performs a security assessment to identify risks to business-critical data. It identifies database vulnerabilities and measures compliance with industry standards and best practices using tests and assessment policies. By identifying where databases and sensitive data are located on the network, and which databases are vulnerable or misconfigured, Database Assessment Server helps organizations prioritize their database risk mitigation efforts.

 

 

 


SecureSphere User Rights Management for Databases: Establishes automated access rights review process and demonstrates compliance

 

SecureSphere User Rights Management for Databases automatically aggregates user rights across heterogeneous databases. This enables organizations to establish an automated access rights review process, identify excessive user rights, and demonstrate compliance with regulations such as Sections 302 and 404 of the Sarbanes-Oxley Act of 2002 (“SOX”) and requirements 7 and 8.5 of the PCI Data Security Standards (“PCI DSS”).

 

 

 

SecureSphere File Firewall: Protects file access activity to ensure business-critical data and applications are secured

 

SecureSphere File Firewall secures unstructured data, including spreadsheets, presentation slides, word processing documents, videos and PDFs that contain business-critical data and applications that our customers store in unstructured repositories, such as file servers, content management repositories, network-attached storage and storage area network devices. It provides full visibility and control over unstructured business data repositories, including file ownership, usage and access rights, and enables security, audit, risk and IT professionals to improve file data security and address compliance requirements. SecureSphere File Firewall can be deployed as a physical or virtual appliance based on feature and traffic capacity requirements of our customers.

 

 

 

CounterBreach Product

CounterBreach: Designed to protect enterprise data from theft and loss due to compromised, malicious and careless users

 

CounterBreach uses machine learning to analyze how users access data in order to spotlight dangerous data access and use. CounterBreach complements machine learning with non-invasive deception technology to identify compromised end-point devices. By dynamically learning normal data access patterns and then finding anomalies, CounterBreach proactively alerts IT teams to dangerous behavior.

 

CounterBreach is a multi-layered solution that provides direct visibility into which users access what data, giving IT organizations insight into the ‘who,’ ‘what’ and ‘when’ of access to sensitive information; combines Imperva expertise in monitoring and protecting data with advanced machine learning to spotlight dangerous user data access activity; and applies non-invasive deception techniques to identify compromised end-points.

 

 

 

Camouflage Product

Imperva Camouflage Data Masking: Creates realistic, functional data for development, testing, and training by disguising sensitive information while maintaining the characteristics of the original data.

 

Imperva Camouflage Data Masking is designed to reduce data breach risk by replacing sensitive data in non-production systems, including test and development systems or data warehouses and analytical data stores, with realistic fictional data. The fictional data maintains referential integrity and is statistically accurate, enabling testing, analysis and business processes to operate normally. Imperva Camouflage Data Masking protects data from theft and helps ensure compliance with regulations governing data transfers and data protection.

 


Technology

Our solutions include several proprietary technologies described below.

SecureSphere

 

Dynamic Profiling: Allows customers to create and monitor security policies based on actual application and database behavior, automatically recognizes valid application and database changes over time and automatically updates the profile according to these application and database changes.

 

Universal User Tracking: Helps customers achieve the primary requirements of any audit and security process by tracking the individual end user that accessed or modified business data, including web application user tracking, web to database user tracking, SQL connection user tracking and direct user tracking that collectively enable our solution to audit end users regardless of how they connect to the database.

 

Transparent Inspection: Provides application layer security without needing to intermediate web connections, allowing our solution to inspect traffic without compromising performance, latency or availability.

 

Correlated Attack Validation: Provides our customers with protection against malicious activity by analyzing multiple data points, tracking events over time and correlating disparate events to identify and block sophisticated attacks.

Incapsula

 

Client Classification Engine: Analyzes and classifies all incoming traffic to a website, distinguishes between human and bot traffic, identifies “good” and “bad” bots, and classifies traffic by browser type. While this technology was originally developed on the Incapsula service, we recently incorporated the technology into our ThreatRadar Bot Protection Services, which is a SecureSphere add-on service.

Camouflage

 

Data Masking System: Static masking software that creates realistic, fully functional data for development, testing and training by disguising sensitive information while maintaining the characteristics of the original data.

 

Data Masking across Multiple Systems: Allows masked data to be used across different technology platforms while maintaining the consistency of the data’s characteristics across those platforms.

Maintenance and Support

We offer our customers ongoing product support services for both hardware and software. These maintenance programs are typically sold to customers for one- to three-year terms at the time of the initial product sale and typically renew for successive one- to three-year periods. We offer premium levels of service which include advance replacement and greater call center availability. While some of our channel partners provide tier one support, including MSSPs and data center hosting providers, in most instances we provide tier one level support and above.

Our IDC updates are included with maintenance and support contracts. The service consists of a content delivery mechanism by which we can distribute product content enhancements to our customers. Our IDC update servers deliver various types of security content to our appliances deployed in the field without the need for our customers to install a software patch or upgrade. Examples of IDC updates include new security signatures and policies for our WAF, new database assessment tests for our discovery and assessment server and new audit policy functionality for our database products.

Professional Services and Training

Our professional services consultants assist our customers in the deployment and configuration of our products. These fee-based services, provided by our professional services consultants, include providing advice on deployment planning, network design, product configuration and implementation, automating and customizing reports and tuning policies and configuration of our products for the particular characteristics of the customer’s environment. Additionally, we provide our customers with fee-based, hands-on training classes for our solution that are offered regularly and in different parts of the world.


Customers

We provide products and services to a variety of customers worldwide, including some of the world’s largest banks, retailers, insurers, technology and telecommunication companies and hospitals, as well as U.S. and other national, state and local government agencies. As of December 31, 2016, Imperva had over 5,200 customers in more than 100 countries. In addition, our solutions are used to protect thousands of organizations through cloud-based deployments with our SaaS customers and our MSSPs and hosting partners.

In 2016 and 2015, we had one reseller that represented 13% and 18% of our total revenue, respectively. In 2014, the Company did not have any reseller that represented 10% or more of the Company’s total revenue. In 2016, 2015 and 2014, we generated approximately 63%, 67% and 59% of our revenue from customers in the Americas and approximately 37%, 33% and 41% from customers outside of the Americas, respectively. See Note 15 of “Notes to Consolidated Financial Statements” for information about segment disclosures and revenue by customer geographic regions.

Sales and Marketing

We believe that our hybrid sales model, which combines the leverage of a channel sales model with the account control of a direct sales model, has played an important role in our success to date. Our hybrid model employs a direct touch sales organization and an overlay channel sales team that actively assist our extensive network of channel partners throughout the sales process. We primarily sell our products and services to our customers through our channel partners, including distributors and resellers. In 2016, our channel partners originated over 50% of our sales and fulfilled almost 86% of our sales. Although our products are designed for turnkey deployment, they are highly customizable, which allows our channel partners to provide a variety of value added services to our customers. As of December 31, 2016, our network of channel partners included approximately 270 resellers and distributors worldwide, including leading security value added resellers and some of the world’s largest hosting companies.

Sales

We support the sales of our products and services with a team of experienced channel account managers, sales professionals and sales engineers who provide business planning, joint marketing strategy, and pre-sales and operational sales support. Our overlay channel team is responsible for managing relationships with our resellers, MSSPs and distributors. Our sales professionals are responsible for assisting channel partners in gaining and supporting key customer accounts and acting as liaisons between the end customers and our marketing and product development organizations. Our sales professionals and sales engineers also directly engage with customers to address their unique security and deployment requirements. We also have an inside sales team that is principally focused on lead generation for our reseller partners and regional sales professionals. To support our broadly dispersed global channel and customer base, we had, as of December 31, 2016, sales personnel in 23 countries. We plan to continue to invest in our sales organization to support our growth, including through increased sales through our channel partners.

Marketing

Our marketing strategy is focused on building brand awareness, driving customer demand for our security solutions and enabling both our direct and channel sales models. We execute this strategy by leveraging a combination of internal marketing professionals and a network of regional and global channel partners. Our internal marketing organization is responsible for building brand awareness, driving demand generation, supporting channel enablement and product marketing, and working with our business operations team to support channel marketing and sales support programs. We focus our resources on targeted, integrated activities that can be leveraged by partners worldwide to extend our reach. Our marketing efforts include public and analyst relations, online and offline awareness building and demand generation, seminars, tradeshows, webinars, digital and website marketing, building sales tools and collateral information regarding product awards and technical certifications and social media outreach, including our data security blog.

Research and Development

Our research and development efforts focus primarily on improving and enhancing our existing security products and services, as well as developing new products, features and functionality and conducting advanced security research. We conduct our research and development activities primarily in Israel, with small engineering teams in Redwood Shores, California; Austin, Texas; St. John’s, Newfoundland and Labrador, Canada and Kiev, Ukraine. We believe this provides us with access to some of the best engineering talent in the security industry. As of December 31, 2016, we had 319 employees dedicated to research and development, including our advanced security research group, the IDC.

When considering product improvements and enhancements, we communicate with our customers and partners who provide significant feedback for product development and innovation. We regularly release new versions of our products incorporating these improvements and enhancements. Our research and development team works with our customer support group to resolve escalated support issues by providing consultation, bug fixes and patches. Our research and development team also provides technical assistance to our other departments, including to our sales team by overseeing product pilots for potential customers.

In addition to enhancing our products and services, our research and development organization includes our IDC team. We believe our IDC team is an important differentiator for us in the security marketplace. Our IDC team performs security analysis, tracks hackers and trends in the hacker community and undertakes vulnerability discovery, in addition to providing us with regulatory compliance expertise. IDC research combines extensive lab work with hands-on testing in real world environments to ensure that our products, through advanced data security technology, deliver up-to-date threat protection and leading compliance automation. Our IDC has discovered numerous commercial application vulnerabilities and has issued numerous security advisories, providing insight into both published and unpublished security threats to help commercial application and database vendors and security professionals. Our IDC’s “Hacker Intelligence Initiative” focuses on improving risk management by tracking hackers, developments in attack techniques and potential targets in known hacker forums and chat rooms.  In prior years, the IDC also issued a Web Application Attack Report that provided an in-depth view of the threat landscape for the year, including hacking trends, the latest cyber-crime business models and breach analysis by geography, industry and attack type.  The IDC’s research is also the foundation for many of our products, product features and services, including attack signature updates, database vulnerability assessments, pre-defined compliance reports and the engine and analysis behind our crowdsourced security intelligence service, ThreatRadar Community Defense. We deliver automated feeds from our IDC to our products in the field to ensure that our customers are always armed with the latest defenses against new threats, and the most recent regulatory compliance best practices.

Our research and development expense was $62.4 million, $53.4 million and $43.1 million in 2016, 2015 and 2014, respectively.

Intellectual Property

To protect our intellectual property, both domestically and abroad, we rely primarily on patent, trademark, copyright and trade secret laws. As of December 31, 2016, we had 33 issued patents and 15 pending patent applications in the United States. The claims for which we have sought patent protection relate primarily to methods, computer programs, devices and systems we have developed for our products. We also license software from third parties for integration into our products, including open source software and other software available on commercially reasonable terms.  Our industry is characterized by the existence of a large number of relevant patents and frequent claims and related litigation regarding patent and other intellectual property rights. For more information about risks related to our and third party intellectual property rights see the section entitled “Risk Factors—Risks Related to our Business— Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs and substantially harm our business and operating results”; “—We rely on the availability of licenses to third-party software and other intellectual property, the loss of which could increase our costs and delay software shipments”; “—Some of our products contain “open source” software, and any failure to comply with the terms of one or more of these open source licenses could negatively affect our business”; and “—Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.”

Manufacturing and Suppliers

Our security hardware appliance products are manufactured to our specifications by Caswell, Inc., a Taiwanese original design manufacturer of network appliance hardware products. We have entered into non-exclusive contracts to purchase these hardware appliances from American Portwell Technology, Inc. (a wholly owned subsidiary of Portwell, Inc.), and Dan-el Technologies Ltd., which are value-added distributors of products manufactured by Caswell, Inc. These contracts will remain in effect until terminated by either party. Such contracts are terminable by us for any reason upon six months’ notice, by the value-added distributors upon nine months’ notice or by either party for an uncured material breach. We currently work with American Portwell Technology and provide the value-added distributors with rolling product demand forecasts, but our contracts contain no obligation for us to purchase any minimum amount of products. We submit purchase orders that describe the types and quantities of our products to be manufactured, the delivery dates and other delivery terms. American Portwell Technology receives the hardware appliances from the manufacturer, configures and installs our proprietary software on the appliances and then undertakes quality testing at their fulfillment centers. American Portwell Technology then ships our appliances directly to our distributors, resellers or customers or our logistics partner, Base Logistics BV. We hold inventory in American Portwell Technology’s fulfillment centers and in our logistics partner’s warehouses, in anticipation of orders for new appliances and to support our advance replacement program with new and repaired appliances. In addition, our contracts with our value-added distributors govern their use of our intellectual property and allocate the responsibilities for warranty repair, out of warranty repair and replacement costs with respect to damaged and defective products. 
We believe that having third parties manufacture, configure and test our products and provide a substantial portion of our logistics enables us to efficiently allocate capital, better adjust manufacturing volumes to meet changes in demand and more quickly deliver products, allowing us to focus resources on our core competencies.

The hardware components included in our products are sourced from various suppliers by our manufacturer and are principally industry standard parts and components that are available from multiple vendors. We have limited sources of supply for certain key components of our products, such as semiconductors, printed circuit boards and hard disk drives, which exposes us to the risk of component shortages or unavailability. For more information on risks related to product manufacturing and availability of components, see the section entitled “Risk Factors–Risks Related to Our Business–Delays or interruptions in the manufacturing and delivery of SecureSphere appliances by our sole source manufacturer may harm our business.”

Competition

The market for cyber-security solutions is intensely competitive and we expect competition to increase in the future. Our primary competitors by product area include:

Database security. International Business Machines Corporation, Intel Security group of Intel Corporation (formerly McAfee, Inc.) and Oracle Corporation

File security. Dell EMC Corporation, Symantec Corporation and Varonis Systems, Inc.

Web application security and DDoS. Akamai Technologies, Inc. and F5 Networks, Inc.

We believe that the principal competitive factors affecting the market for cyber-security solutions include breadth of product offerings, security effectiveness, manageability, reporting, technical features, performance, ease of use, price, professional services capabilities, distribution relationships and customer service and support. We believe that our solutions generally compete favorably with respect to such factors.

Employees

As of December 31, 2016, our total headcount was 993 employees, with 319 in research and development, 355 in sales and marketing, 110 in services and support, 82 in manufacturing operations and 127 in a general and administrative capacity. As of December 31, 2016, our headcount was 422 people in the United States, 449 in Israel and 122 in other countries. None of our employees is represented by a labor union with respect to his or her employment with us. We have not experienced any work stoppages, and we consider our relations with our employees to be good.

Available Information

Our Internet address is www.imperva.com. Our annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K and any amendments to those reports are available on the Investor Relations section of our website free of charge, as soon as reasonably practicable after we electronically file such material with, or furnish it to, the SEC. The information found on our website is not part of this or any other report we file with or furnish to the SEC. The SEC also maintains an Internet website that contains reports, proxy and information statements and other information regarding registrants, such as Imperva, that file electronically with the SEC. The address of the website is www.sec.gov. In addition, you may read and copy any filing that we make with the SEC at the public reference room maintained by the SEC, located at 100 F Street, N.E., Washington, D.C. 20549. Please call the SEC at 1-800-SEC-0330 for further information about the public reference room.

 

Item 1A. Risk Factors

Risks Related to Our Business

We have a history of losses, we may not become profitable and our revenue growth may not continue.

We have incurred net losses in each fiscal year since our inception, including net losses attributable to our stockholders of $59.0 million in 2014, $48.9 million in 2015 and $70.3 million in 2016. As a result, we had an accumulated deficit of $276.8 million at December 31, 2016. We may not become profitable in the future if we fail to increase revenue and manage our expenses, or if we incur unanticipated liabilities. Revenue growth may slow or revenue may decline for a number of possible reasons, including slowing demand for our products or services, increasing competition, a decrease in the growth of, or decline in, our overall market, or our failure to capitalize on growth opportunities or introduce new products and services. In addition, we have incurred, and anticipate that we will continue to incur, significant legal, accounting and other expenses relating to being a public company. If our revenue does not increase at a rate to proportionally offset these expected increases in operating expense, our operating margins will suffer. Further, in future periods, our revenue could decline and, accordingly, we may not be able to achieve profitability and our losses may increase. Even if we do achieve profitability, we may not be able to sustain or increase profitability on a consistent basis. Any failure by us to achieve, maintain or increase profitability and continue our revenue growth could cause the price of our common stock to materially decline.

Our quarterly operating results are likely to vary significantly and to be unpredictable, which could cause the trading price of our stock to decline.

Our revenue and operating results could vary significantly from period to period as a result of a variety of factors, many of which are outside of our control. As a result, comparing our revenue and operating results on a period-to-period basis may not be meaningful, and you should not rely on our past results as an indication of our future performance. We may not be able to accurately predict our future revenue or results of operations. We base our current and future expense levels on our operating plans and sales forecasts, and our operating costs are relatively fixed in the short-term. As a result, we may not be able to reduce our costs sufficiently to compensate for an unexpected shortfall in revenue, and even a small shortfall in revenue could disproportionately and adversely affect financial results for that quarter. If our revenue or operating results fall below the expectations of investors or any securities analysts that cover our stock, the price of our common stock could decline substantially.

In addition to other risk factors listed in this section, factors that may individually or cumulatively affect our operating results from period to period include:

the level of demand for our products and services, and the timing of orders from our channel partners and customers;

the timing of sales and shipments of products during a quarter, which may depend on many factors such as inventory and logistics and our ability to ship new products on schedule and accurately forecast inventory requirements;

the mix of products sold, the mix of revenue between products and services, including subscription services, and the degree to which products and services are bundled and sold together for a package price;

the budgeting, procurement and work cycles of our customers, which may result in seasonal variation as our business and the market for solutions such as ours mature;

changes in customer renewal rates for our services;

general economic conditions, both domestically and in our foreign markets, and economic conditions specifically affecting industries in which our customers participate;

the timing of satisfying revenue recognition criteria for our sales, including shipping and delivery terms, particularly where we accrue the associated commission expense in a different period, which may be affected by the extent to which we bring on new resellers and distributors, and our ability to establish vendor-specific objective evidence of fair value, or VSOE, for new products and maintain VSOE for maintenance and services;

future accounting pronouncements or changes in our accounting policies; and

increases or decreases in our expenses caused by fluctuations in foreign currency exchange rates, since a significant portion of our expenses are incurred and paid in the Israeli shekel and other currencies besides the U.S. dollar.

Reliance on a concentration of shipments at the end of the quarter could cause our revenue to fall below expected levels, resulting in a decline in our stock price.

Historically, we have received a significant majority of a quarter’s sales orders and generated a significant majority of a quarter’s revenue during the last two weeks of the quarter. The fact that so many orders arrive at the end of a quarter means that our revenue may shift from one quarter to the next if we cannot fulfill all of the orders and satisfy all of the revenue recognition criteria under our accounting policies before the quarter ends.

This pattern is a result of customer buying habits and the efforts of our sales force and channel partners to meet or exceed quarterly quotas. If expected revenue at the end of any quarter is delayed because anticipated purchase orders fail to materialize, our logistics partners fail to ship or deliver products on time, we fail to manage our inventory properly, we fail to release new products on schedule, or for any other reason, then our revenue for that quarter could fall below our expectations or those of securities analysts and investors, resulting in a decline in our stock price.

We rely on third party channel partners to generate a significant portion, and to fulfill a substantial majority, of our revenue, and if we fail to expand and manage our distribution channels, our revenue could decline and our growth prospects could suffer.

Historically our channel partners have originated more than 45%, and fulfilled approximately 85% or more, of our revenue, and we expect that channel sales will represent a substantial portion of our revenue for the foreseeable future. Our ability to expand our distribution channels depends in part on our ability to educate our channel partners about our products and services, which are often complex. Our agreements with our channel partners are generally non-exclusive and many of our channel partners have more established relationships with our competitors. If our channel partners choose to place greater emphasis on products and services of their own or those offered by our competitors, our ability to grow our business and sell our products may be adversely affected. If our channel partners do not effectively market and sell our products and services, or if they fail to meet the needs of our customers, then our ability to grow our business and sell our products may be adversely affected. The loss of one or more of our larger channel partners, who may cease marketing our products with limited or no notice, and our possible inability to replace them could adversely affect our sales. Our failure to recruit additional channel partners, or any reduction or delay in their sales of our products and services or conflicts between channel sales and our direct sales and marketing activities could materially and adversely affect our results of operations.

We face intense competition, especially from larger, better-known companies and we may lack sufficient financial or other resources to maintain or improve our competitive position.

The market for cyber-security products is intensely competitive and we expect competition to intensify in the future. Our competitors include companies such as Akamai Technologies, Inc., F5 Networks, Inc., International Business Machines Corporation (“IBM”), Intel Security group of Intel Corporation (“Intel”), Oracle Corporation (“Oracle”), Symantec Corporation and other point solution security vendors.

Many of our existing and potential competitors may have substantial competitive advantages such as:

greater name recognition and longer operating histories;

larger sales and marketing budgets and resources and the capacity to leverage their sales efforts and marketing expenditures across a broader portfolio of products;

broader, deeper or otherwise more well-established relationships with customers and potential customers;

broader distribution networks and more established relationships with distributors;

wider geographic presence;

access to larger customer bases;

greater customer support resources;

greater resources to make acquisitions;

greater resources to develop and introduce products that compete with our products;

lower labor and development costs; and

substantially greater financial, technical and other resources.

As a result, they may be able to adapt more quickly and effectively to new or emerging technologies and changing opportunities, standards or customer requirements. In addition, these companies could reduce the price of their competing products, resulting in intensified pricing pressures within the markets in which we compete. Further, some of our larger competitors have substantially broader product offerings and leverage their relationships based on other products or incorporate functionality into existing products in a manner that discourages customers from purchasing our products.

Our competitors may offer a bundled product offering, and our customers may elect to accept this offering from our competitors, even if it has more limited functionality than our product offering, instead of adding the additional appliances required to implement our offering. The consolidation in our industry, such as IBM’s acquisition of Guardium, Inc., Oracle’s acquisition of Secerno, Ltd. and Intel’s acquisition of McAfee, Inc., increases the likelihood of competition based on integration or bundling, particularly where our competitors’ products and offerings are effectively integrated, and we believe that consolidation in our industry may increase the competitive pressures we face on all our products and services. If we are unable to sufficiently differentiate our products and services from the integrated or bundled products of our competitors, such as by offering enhanced functionality, performance or value, we may see a decrease in demand for those products or services, which would adversely affect our business, operating results and financial condition. Further, it is possible that continued industry consolidation may impact customers’ perceptions of the viability of smaller or even medium-sized software firms and consequently customers’ willingness to purchase from firms of our size. Similarly, if customers seek to concentrate their software purchases in the product portfolios of a few large providers or have already deployed products that are similar to ours, we may be at a competitive disadvantage notwithstanding the superior performance that we believe our products and services can deliver. Larger competitors are also often in a better position to withstand any significant reduction in capital spending by customers, and will therefore not be as susceptible to economic downturns.

Many of our smaller competitors that specialize in providing protection from a single type of cyber-security threat may deliver these specialized cyber-security products to the market more quickly than we can or may introduce innovative new products or enhancements before we do. Conditions in our markets could change rapidly and significantly as a result of technological advancements.

We may not compete successfully against our current or potential competitors. Companies competing with us may introduce products that have greater performance or functionality, are easier to implement or use, or incorporate technological advances that we have not yet developed or implemented. Our current and potential competitors may also establish cooperative relationships among themselves or with third parties that may further enhance their resources. In addition, companies competing with us may price their products more competitively than ours, or have an entirely different pricing or distribution model. Increased competition could result in fewer customer orders, price reductions, reduced operating margins and loss of market share. Further, we may be required to make substantial additional investments in research and development and marketing and sales in order to respond to such competitive threats, and we cannot assure you that we will be able to compete successfully in the future.

We operate in an evolving market that has not yet reached widespread adoption.  New or existing technologies that may be perceived to address the risks in novel ways could gain wide adoption and supplant some or all of our products and services, making analysis of trends or predictions about our business difficult and potentially weakening our sales and our financial results.

We operate in new, rapidly evolving categories in the security industry that focus on securing our customers’ business-critical data and applications. We offer database, file and web application security in an integrated, modular cyber-security solution and cloud-based offerings. Because we depend in part on the market’s acceptance of our products and customers may choose to acquire technologies that are not directly comparable to ours, it is difficult to evaluate trends that may affect our business, including how large the cyber-security market will be and what products customers will adopt. For example, organizations that use other security products, such as network firewalls, security information and event management products or data loss prevention solutions, may believe that these security solutions sufficiently protect access to sensitive data. Therefore, they may continue to devote their IT security budgets to these products and may not adopt our cyber-security solutions in addition to such products. If customers do not recognize the benefits that our cyber-security solutions offer in addition to other security products, then our revenue may not grow as anticipated or may decline, and our stock price could decline.

The introduction of products and services embodying new technologies could render some or all of our existing products and services obsolete or less attractive to customers. Other cyber-security technologies exist or could be developed in the future, and our business could be materially adversely affected if such technologies are widely adopted. We may not be able to successfully anticipate or adapt to changing technology or customer requirements on a timely basis, or at all. Currently less than 30% of our customers have purchased more than one of our database, file and web security product families. Even if customers purchase our products, they may not make repeat purchases or purchase other elements of our SecureSphere product line or our Incapsula, CounterBreach and Camouflage product lines, which may be exacerbated by the rapid evolution of our market. If we are unable to sell additional products from multiple product families to our customers, then our revenue may not grow as anticipated or may decline, and our stock price could decline. If we fail to keep up with technological changes or to convince our customers and potential customers of the value of our solutions even in light of new technologies, our business, financial condition and results of operations could be materially and adversely affected.

In addition, because of our rapidly evolving market, any predictions about our revenue in future periods may not be as accurate as they would be if we operated in a more established market.

If we do not successfully anticipate market needs and opportunities or changes in the legal, regulatory and industry standard landscape and make timely enhancements to our products and develop new products that meet those needs, we may not be able to compete effectively and our ability to generate revenue will suffer.

The cyber-security market is characterized by rapid technological advances, changes in customer requirements, including changes driven by legal, regulatory and self-regulatory compliance mandates, frequent new product introductions and enhancements and evolving industry standards in computer hardware and software technology. Customers and industry analysts expect speedy introduction of software and new functionality to respond to new threats, requirements and risks and we may be unable to meet these expectations. As a result, we must continually improve our products and introduce new solutions in response to changes in operating systems, application software, computer and communications hardware, networking software, data center architectures, programming tools and computer language technology. Moreover, the technology in our products is especially complex because it needs to effectively identify and respond to methods of attack and theft, while minimizing the impact on network, database, file system and web application performance. In addition, our products must successfully interoperate with products from other vendors.

We cannot guarantee that we will be able to anticipate future market needs and opportunities or be able to develop product enhancements or new products to meet such needs or opportunities in a timely manner or at all. Since developing new products or new versions of, or add-ons to, existing products is complex, the timetable for their commercial release is difficult to predict and may vary from our historical experience, which could result in delays in their introduction from anticipated or announced release dates. We may not offer updates as rapidly as new threats affect our customers or our newly developed products or enhancements may have defects, errors or failures. If we do not quickly respond to the rapidly changing and rigorous needs of our customers by developing and introducing on a timely basis new and effective products, upgrades and services that can respond adequately to new security threats, our competitive position, business and growth prospects will be harmed.

Even if we are able to anticipate, develop and commercially introduce enhancements and new products, there can be no assurance that we will be successful in developing sufficient market awareness of them or that such enhancements or new products will achieve widespread market acceptance. Diversifying our product offerings will require significant investment and planning, will bring us more directly into competition with software providers that may be better established or have greater resources than we do, will require additional investments of time and resources in the development and training of our channel and strategic partners and will entail a significant risk of failure.

Further, one factor that drives demand for our products and services is the legal, regulatory and industry standard framework in which our customers operate, which we expect will continue to be a factor for the foreseeable future. For example, many of our customers purchase our web application security products to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council (the “PCI Council”), which apply to companies that process or store credit card information. Laws, regulations and industry standards are subject to drastic changes that, particularly in the case of industry standards, may arrive with little or no notice, and these could either help or hurt the demand for our products. If we are unable to adapt our products and services to changing regulatory standards in a timely manner, or if our products fail to assist our customers with their compliance initiatives, our customers may lose confidence in our products and could switch to competing solutions. In addition, if regulations and standards related to cyber-security are changed in a manner that makes them less onerous, our customers may view government and industry regulatory compliance as less critical to their businesses, and our customers may purchase fewer of our products and services, or none at all. In either case, our sales and financial results would suffer.

Real or perceived errors, failures or bugs in our products, particularly those that result in our customers experiencing security breaches, could adversely affect our reputation and harm our business.

Our products and services are very complex and have contained and may contain undetected defects or errors, especially when first introduced or when new versions are released. Defects in our products may impede or block network traffic or cause our products or services to fail to help secure business-critical data and applications. Defects in our products may lead to product returns and require us to implement design changes or software updates. Any defects or errors in our products, or the perception of such defects or errors, could result in:

 

expenditure of significant financial and product development resources in efforts to analyze, correct, eliminate or work around errors or defects;

 

loss of existing or potential customers or channel partners;

 

delayed or lost revenue;

 

delay or failure to attain market acceptance;

 

delay in the development or release of new products or services;

 

negative publicity, which will harm our reputation;

 

warranty claims against us, which could result in an increase in our provision for doubtful accounts;

 

an increase in collection cycles for accounts receivable or the expense and risk of litigation; and

 

harm to our results of operations.

Data thieves are sophisticated, often affiliated with organized crime and operate large scale and complex automated attacks. In addition, their techniques change frequently and generally are not recognized until launched against a target. If we fail to identify and respond to new and complex methods of attack and to update our products to detect or prevent such threats in time to protect our customers’ business-critical data and applications, our business and reputation will suffer.

In addition, many of our customers use our products in applications that are critical to their businesses and may have a greater sensitivity to defects in our products than to defects in other, less critical, software products. An actual or perceived security breach or theft of the business-critical data of one of our customers, regardless of whether the breach is attributable to the failure of our products or services, could adversely affect the market’s perception of our security products. Despite our best efforts, there is no guarantee that our products will be free of flaws or vulnerabilities, and, even if we discover these weaknesses, we may be unable to correct them promptly, if at all. Our customers may also misuse our products, which could result in a breach or theft of business-critical data.

Although we have limitation of liability provisions in our standard terms and conditions of sale, they may not fully or effectively protect us from claims as a result of federal, state or local laws or ordinances or unfavorable judicial decisions in the United States or other countries. The sale and support of our products also entail the risk of product liability claims. We maintain insurance to protect against certain claims associated with the use of our products, but our insurance coverage may not adequately cover all claims asserted against us, or cover only a portion of such claims. In addition, even claims that ultimately are unsuccessful could result in our expenditure of funds in litigation and divert management’s time and other resources.

False detection of security breaches or false identification of malicious sources could adversely affect our business.

Our cyber-security products may falsely detect threats that do not actually exist. For example, our ThreatRadar Reputation Services product relies on information on attack sources aggregated from third-party data providers who monitor global malicious activity originating from anonymous proxies, specific IP addresses, botnets and phishing sites. If the information from these data providers is inaccurate, the potential for false positives increases. These false positives, while typical in the industry, may affect the perceived reliability of our products and may therefore adversely impact market acceptance of our products. If our products and services restrict access to important databases, files or applications based on falsely identifying users or traffic as an attack or otherwise unauthorized, then our customers’ businesses could be adversely affected. Any such false identification of users or traffic could result in negative publicity, loss of customers and sales, increased costs to remedy any problem and costly litigation.

Our success in acquiring and integrating other businesses, products or technologies could impact our financial position.

In order to remain competitive, we may seek to acquire additional businesses, products or technologies, any of which could be material to our business, operating results and financial condition. For example, we acquired assets from Camouflage Software Inc. in December 2016, Tomium Software, LLC in January 2014, acquired Skyfence Networks Ltd. (“Skyfence”) in February 2014 and acquired the remaining portion of Incapsula that we did not already own in March 2014. The environment for acquisitions in the markets in which we operate is very competitive and acquisition candidate purchase prices will likely exceed what we would prefer to pay, but may be required to pay in order to make an acquisition. Furthermore, we may not find suitable acquisition candidates, and acquisitions we complete may be difficult to successfully integrate into our overall business. Achieving the anticipated benefits of future acquisitions will depend in part upon whether we can integrate acquired operations, products and technology in a timely and cost-effective manner.

Acquisitions involve many risks, including the following:

 

an acquisition may negatively impact our results of operations because it:

 

may require us to incur charges and substantial debt or liabilities,

 

may cause adverse tax consequences, substantial depreciation or deferred compensation charges,

 

may result in acquired in-process research and development expenses or in the future may require the amortization, write-down or impairment of amounts related to deferred compensation, goodwill and other intangible assets, or

 

may not generate sufficient financial return to offset acquisition costs;

 

we may encounter difficulties or unforeseen expenditures in integrating the business, technologies, products, personnel or operations of any company that we acquire, particularly if key personnel of the acquired company decide not to work for us;

 

an acquisition and integration process is complex, expensive and time consuming, and may disrupt our ongoing business, divert resources, increase our expenses and distract our management;

 

an acquisition may result in a delay or reduction of customer purchases for both us and the company acquired due to customer uncertainty about continuity and effectiveness of service from either company;

 

we may encounter difficulties in, or may be unable to, successfully sell any acquired products;


 

we may obtain unanticipated or unknown liabilities or become exposed to unanticipated risks in connection with any acquisition; and

 

an acquisition may involve the entry into geographic or business markets in which we have little or no prior experience.

If we are unable to effectively execute acquisitions, our business, financial condition and results of operations could be adversely affected.

From time to time, we may seek to divest or wind down portions of our business, both acquired or otherwise, that are no longer core to the business, which could materially affect our cash flows and results of operations.

On February 23, 2017, we completed the sale of the assets of our Skyfence business to Forcepoint LLC. The disposition of the Skyfence assets or any other future dispositions we make may involve risks and uncertainties, including our ability to sell these businesses on terms acceptable to us, or at all. Any such dispositions could result in disruption to other parts of our business, potential loss of employees or customers, exposure to unanticipated liabilities or result in ongoing obligations and liabilities to us following any such divestiture. For example, in connection with a disposition, we may enter into transition services agreements or other strategic relationships, including long-term research and development arrangements, sales arrangements or agree to provide certain indemnities to the purchaser in any such transaction, which may result in additional expense and may adversely affect our financial condition and results of operations. In addition, dispositions may include the transfer or division of technology and/or the licensing of certain IP rights to third party purchasers, which could limit our IP rights or our ability to assert our IP rights against such purchasers or other third parties.

Our business and operations experienced rapid growth in 2015 and slowed growth in 2016.  If we do not appropriately manage any future growth, or are unable to improve our systems and processes, our operating results will be negatively affected.

We have experienced volatile growth over the last several years. We grew from 723 employees as of December 31, 2014 to 923 employees as of December 31, 2015 to 993 employees as of December 31, 2016. This growth has placed, and will continue to place, a strain on our employees, management systems and other resources. Managing our growth has required, and will continue to require, significant expenditures and allocation of valuable management resources. We rely heavily on information technology systems to help manage critical functions, such as order processing, revenue recognition, financial forecasts and inventory and supply chain management. To manage any future growth effectively, we must continue to improve our information technology and financial infrastructure, operating and administrative systems and controls, and continue to manage headcount, capital and processes in an efficient manner. We may not be able to successfully implement improvements to these systems and processes in a timely manner.

In addition, we rely heavily on hosted SaaS technologies from third parties in order to operate critical functions of our business, including enterprise resource planning services from NetSuite Inc. and customer relationship management services from salesforce.com, inc. If these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our products and services and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated; all of which could harm our business. Also, our systems and processes may not prevent or detect all errors, omissions or fraud. Our failure to improve our systems and processes, or their failure to operate in the intended manner, may result in our inability to manage the growth of our business and to accurately forecast our revenue, expenses and earnings, or to prevent certain losses. Our productivity and the quality of our products and services may also be adversely affected if we do not integrate and train our new employees quickly and effectively. Any future growth would add complexity to our organization and require effective coordination across our organization. If we fail to achieve the necessary level of efficiency in our organization as it grows or otherwise fail to manage any future growth effectively, we could incur increased costs, and experience a loss of customer and investor confidence in our internal systems and processes, any of which could result in harm to our business, results of operations and financial condition.

If we are unable to hire, retain and motivate qualified personnel, our business would suffer.

We depend on the continued contributions of our senior management and other key employees to execute on our business plan, and to identify and pursue new opportunities and product innovations. The loss of services of senior management or other key employees, particularly Anthony Bettencourt, our Chairman, President and Chief Executive Officer, and Amichai Shulman, one of our founders and our Chief Technology Officer, could significantly delay or prevent the achievement of our development and strategic objectives.

Our future success depends, in part, on our ability to continue to attract and retain highly skilled technical, managerial, finance and other personnel, particularly in our sales and marketing, research and development and professional service departments. Any of our employees may terminate their employment at any time. Competition for highly skilled personnel is frequently intense, globally for sales personnel, as well as in the San Francisco Bay Area and in Tel Aviv, Israel, the locations in which we have a substantial presence and need for highly-skilled personnel. We may be unable to attract and retain suitably qualified individuals who are capable of meeting our growing technical, operational and managerial requirements, on a timely basis or at all, and we may be required to pay increased compensation in order to do so. If we are unable to attract and retain the qualified personnel we need to succeed, our business will suffer.

Volatility or lack of performance in our stock price may also affect our ability to attract and retain our key employees. Employees may be more likely to leave us if the shares or RSUs they hold have declined in value or if the exercise prices of the options that they hold exceed the market price of our common stock. If we are unable to retain our employees, our business, operating results and financial condition will be harmed.

Actions that we are taking to restructure our business may be costly and may not be as effective as anticipated.

In November 2016, we announced a restructuring plan and cost reduction initiatives to reduce expenses, streamline the organization, and reallocate resources to align more closely with future business needs. As a result of these actions, we incurred additional costs that have the effect of reducing operating margins. We cannot be sure that the cost reduction and streamlining initiatives will be achieved or as successful in reducing our overall expenses as we expect or that additional costs will not offset any such reductions or streamlining. If we are unable to realize the expected outcomes from the restructuring efforts, if our operating costs are higher than we expect or if we do not maintain adequate control of our costs and expenses, our business and operating results may be harmed.

Delays or interruptions in the manufacturing and delivery of SecureSphere appliances by our sole source manufacturer may harm our business.

Our hardware appliances are built by a single manufacturer. Our reliance on a sole manufacturer, particularly a foreign manufacturer, involves several risks, including a potential inability to obtain an adequate supply of appliances and limited control over pricing, quality and timely delivery of products. In addition, replacing this manufacturer may be difficult and could result in an inability or delay in obtaining products. As a result, we may be unable to fulfill customer orders and our operating results may fluctuate from period to period, particularly if a disruption occurs near the end of a fiscal period.

Our manufacturer’s ability to timely manufacture and ship our appliances in large quantities depends on a variety of factors. The manufacturer relies on a limited number of sources for the supply of functional components, such as semiconductors, printed circuit boards and hard disk drives. Functional component supply shortages or delays could prevent or delay the manufacture and shipment of appliances and, in the event of shortages or delays, we may not be able to procure alternative functional components on similar pricing terms, if at all. In addition, contractual restrictions or claims for infringement of intellectual property rights may restrict our manufacturer’s use of certain components. These restrictions or claims may require our manufacturer to utilize alternative components or obtain additional licenses or technologies, and may impede its ability to manufacture and deliver appliances on a timely or cost-effective basis. If at some point, the manufacturer is no longer financially viable, we may lose our source of supply with little or no notice or recourse. Further, even if quality products are timely manufactured, delays in shipping may occur, resulting in delayed satisfaction of a primary revenue recognition criterion.

In the event of an interruption from this manufacturer or any quality control issues with this manufacturer, we may be unable to develop alternate or secondary sources in a timely manner. If we are unable to procure our appliances in quantities sufficient to meet our requirements, we will not be able to deliver products to our channel partners and customers, which would materially and adversely affect present and future sales.

A failure to manage excess inventories or inventory shortages could result in decreased revenue and gross margins and harm our business.

We purchase products from our manufacturing partner outside of, and in advance of, reseller or customer orders and hold our products in inventory. If we fail to accurately predict demand and as a result our manufacturer maintains insufficient hardware or component inventory or excess inventory, we may be unable to timely deliver products to our distributors or customers or may have substantial inventory expense. Because our channel partners do not purchase our products in advance of customer orders, our difficulty in accurately forecasting demand for our hardware products may be exacerbated. There is a risk we may incorrectly forecast demand and may be unable to sell excess products ordered from our manufacturing partner. Inventory levels in excess of customer demand may result in inventory write-downs, and the sale of excess inventory at discounted prices could significantly impair our brand image and have an adverse effect on our financial condition and results of operations.


Conversely, if we underestimate demand for our products or if our manufacturing partner fails to supply products we require in a timely manner, we may experience inventory shortages. Inventory shortages might delay shipments to resellers, distributors and customers or cause us to lose sales. Further, as the size of individual orders increases, the risk that we may be unable to deliver unforecasted orders also increases, particularly near the end of quarterly periods. These shortages may diminish the loyalty of our channel partners or customers.

The difficulty in forecasting demand also makes it difficult to estimate our future financial condition and results of operations from period to period. A failure to accurately predict the level of demand for our products could adversely affect our net revenue and net income, and we are unlikely to forecast such effects with any certainty in advance.

We have operations outside of the United States and a significant portion of our customers and suppliers are located outside of the United States, which subjects us to a number of risks associated with conducting international operations.

We market and sell our products throughout the world and have personnel in many parts of the world. In addition, we have sales offices and research and development facilities outside the United States and we conduct, and expect to continue to conduct, a significant amount of our business with companies that are located outside the United States, particularly in Israel, Asia and Europe. We also source our components for our products and deliver our services from various geographical regions. Therefore, we are subject to risks associated with having international sales and worldwide operations, including:

 

challenges caused by distance, language, cultural and ethical differences and the competitive environment;

 

multiple and conflicting laws and regulations, including complications due to unexpected changes in these laws and regulations;

 

trade and foreign exchange restrictions;

 

foreign currency exchange fluctuations and foreign exchange controls;

 

economic, social or political instability in foreign markets;

 

greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;

 

changes in regulatory requirements;

 

difficulties and costs of staffing and managing foreign operations or relationships with channel partners;

 

the uncertainty and limitation of protection for intellectual property rights in some countries;

 

costs of complying with U.S. and foreign laws and regulations, including import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our products in certain foreign markets, and the risks and costs of non-compliance or complaints of non-compliance;

 

heightened risks of unethical, unfair or corrupt business practices, actual or claimed, in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;

 

the potential that our operations in the U.S. may limit the acceptability of our products to some foreign customers, and that our international sourcing and operations may limit the acceptability of our products to some U.S. customers;

 

the potential for acts of terrorism, hostilities or war;

 

management communication and integration problems resulting from cultural differences and geographic dispersion; and

 

multiple and possibly overlapping tax structures.

Our product and service sales may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Failure to comply with these regulations could adversely affect our business. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our products and services and could have a material adverse effect on our business and results of operations.


A portion of our revenue is generated by sales to government entities and such sales are subject to a number of challenges and risks.

Sales to U.S. and foreign federal, state and local governmental agency customers have accounted for approximately 15% of our bookings for the year ended December 31, 2014, 13% for the year ended December 31, 2015 and 11% of our bookings for the year ended December 31, 2016, and sales to government entities may increase. Sales into government entities are subject to a number of risks. Selling to government entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that we will complete a sale. Accordingly:

 

changes in fiscal or contracting policies or decreases and uncertainties in available government funding;

 

changes in government programs or applicable requirements;

 

the adoption of new laws or regulations or changes to existing laws or regulations;

 

changes in political or social attitudes with respect to security issues; and

 

potential delays or changes in the government appropriations process, including actions such as spending freezes implemented to address political or fiscal policy concerns,

could cause governments and governmental agencies to delay or refrain from purchasing our products and services in the future or otherwise have an adverse effect on our business, financial condition and results of operations.

Most of our sales to government entities have been made indirectly through our channel partners. Government entities may have contractual or other legal rights to terminate contracts with our distributors and resellers for convenience or due to a default, and any such termination may adversely impact our results of operations.

In addition, for purchases by the U.S. federal government, we must comply with laws and regulations relating to U.S. federal government contracting, which affect how we and our channel partners do business in connection with U.S. federal agencies. These laws and regulations may impose added costs on our business, and failure to comply with these or other applicable regulations and requirements, including non-compliance in the past, could lead to claims for damages from our channel partners, penalties, termination of contracts and suspension or debarment from government contracting for a period of time. Any such damages, penalties, disruption or limitation in our ability to do business with the U.S. federal government may adversely impact our results of operations.

Our business in countries with a history of corruption and transactions with foreign governments increase the risks associated with our international activities.

As we operate and sell internationally, we are subject to the U.S. Foreign Corrupt Practices Act, or the FCPA, and other laws that prohibit improper payments or offers of payments to foreign governments and their officials and political parties for the purpose of obtaining or retaining business. We have operations, deal with and make sales to governmental customers in countries known to experience corruption, particularly certain emerging countries in Africa, East Asia, Eastern Europe, South America and the Middle East. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees, consultants, sales agents or channel partners that could be in violation of various anti-corruption laws, even though these parties may not be under our control. While we have implemented safeguards to prevent these practices by our employees, consultants, sales agents and channel partners, our existing safeguards and any future improvements may prove to be less than effective, and our employees, consultants, sales agents or channel partners may engage in conduct for which we might be held responsible. Violations of the FCPA may result in severe criminal or civil sanctions, including suspension or debarment from U.S. government contracting, and we may be subject to other liabilities, which could negatively affect our business, operating results and financial condition.

We rely significantly on revenue from maintenance and support which may decline and, because we recognize revenue from such services over the term of the relevant service period, downturns or upturns in sales are not immediately reflected in full in our operating results.

Our maintenance and support revenue accounted for 33% of our total revenue for 2014, 28% of our total revenue for 2015 and 30% of our total revenue for 2016. Sales of new maintenance and support contracts or renewal of such services contracts may decline or fluctuate as a result of a number of factors, including customers’ level of satisfaction with our products and services, the prices of our products and services, the prices of products and services offered by our competitors or reductions in our customers’ spending levels. If our sales of new or renewal services contracts decline, our revenue or revenue growth may decline and our business will suffer. In addition, we recognize service revenue ratably over the term of the relevant service period, which is usually one to three years. As a result, much of the revenue we report each quarter is the recognition of deferred revenue from services contracts entered into during previous quarters. Consequently, a decline in new or renewal services contracts in any one quarter will not be fully reflected in revenue in that quarter, but will negatively affect our revenue in future quarters. Accordingly, the effect of significant downturns in new or renewal sales of our services would not be reflected in full in our results of operations until future periods.

If we are unable to increase sales to large customers, our results of operations may suffer.

We continuously seek to increase sales of our products to large enterprises, managed security service providers (“MSSPs”), cloud hosting providers and government entities. Sales to large enterprises, MSSPs, cloud hosting providers and government entities involve risks that may not be present, or are present to a lesser extent, in sales to small and mid-sized entities. These risks include:

 

preexisting relationships with larger, entrenched providers of security solutions who have access to key decision makers within the organization and who also have the ability to bundle competing products with a broader product offering;

 

increased purchasing power and leverage held by large customers in negotiating contractual arrangements with us;

 

more stringent requirements in our support service contracts, including stricter support response times, and increased penalties for any failure to meet support requirements; and

 

longer sales cycles, including lengthening of sales cycles due to competitive pressures or the evaluation by customers of both our cloud security solutions from Incapsula and our on-premise products as potential alternatives, and the associated risk that substantial time and resources may be spent on a potential customer who elects not to purchase our products and services.

In addition, product purchases by large enterprises, MSSPs, cloud hosting providers and government entities are frequently subject to budget constraints, multiple approvals, and unplanned administrative, processing and other delays. Further, large enterprises, MSSPs, cloud hosting providers and government entities typically have longer implementation cycles; require greater product functionality and scalability and a broader range of services; demand that vendors take on a larger share of risks; sometimes require acceptance provisions that can lead to a delay in revenue recognition; and expect greater payment flexibility from vendors. Additionally, the ongoing increase in the number of security vendors competing for these entities’ business, who in some cases use overlapping or confusing messaging, may combine with these factors to extend the sales cycles for our products and services. All these factors can add risk to doing business with these customers. If our sales expectations for large customers do not materialize in a particular quarter or at all, then our business, financial condition and results of operations could be materially and adversely affected.

If our existing and potential customers migrate to hosted, cloud-based data centers that do not deploy our products, our revenue could suffer.

The majority of our current sales are made through a model in which our channel partners sell our cyber-security solutions to large enterprise customers that operate their own data centers and have the ability to choose the cyber-security solutions and configurations to fit their environment. If our large enterprise customers and potential customers choose to outsource the hosting of their data centers to large, multi-tenancy hosting providers like Rackspace Hosting, Inc., Amazon Web Services (“AWS”) and Savvis, Inc. (dba CenturyLink Technology Solutions), they may not be able to choose what cyber-security solutions are deployed in these hosted environments, and our current sales model may not be effective. Although we work with large hosting services providers, like Rackspace Hosting, Inc., AWS and Savvis, Inc., to integrate our cyber-security solutions into their hosting environments so that our solutions may be offered to their hosting customers, we cannot guarantee that all such hosting service providers will adopt our solutions, offer them as a choice to their customers or promote our solutions over those of our competitors. Even if these large hosting services providers integrate our cyber-security solutions into their hosting environments and promote our solutions, they may be able to negotiate larger discounts than individual enterprise customers and, consequently, the average selling price of our products may decrease and our revenue would suffer. Alternatively, they may offer services based on our competitors’ products at lower cost or bundled with other services that we do not offer, and their customers may choose those services even if they would otherwise choose our products if making a decision on a stand-alone basis.

We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.

Our functional and reporting currency is the U.S. dollar and we generate a majority of our revenue in U.S. dollars. However, in 2014, 2015 and 2016, we incurred approximately 32%, 27% and 38%, respectively, of our expenses outside of the United States in foreign currencies, primarily the Israeli shekel, principally with respect to salaries and related personnel expenses associated with our Israeli operations. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future. We expect that a majority of our revenue will continue to be generated in U.S. dollars for the foreseeable future and that a significant portion of our expenses, including personnel costs, as well as capital and operating expenditures, will continue to be denominated in Israeli shekels. Our results of operations may be adversely affected by foreign exchange fluctuations.

We use forward foreign exchange contracts to hedge or mitigate the effect of changes in foreign exchange rates on our operating expenses denominated in certain foreign currencies. However, this strategy cannot eliminate our exposure to foreign exchange rate fluctuations and involves costs and risks of its own, such as cash expenditures, ongoing management time and expertise, external costs to implement the strategy and potential accounting implications. Additionally, our hedging activities may contribute to increased losses as a result of volatility in foreign currency markets.

Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs and substantially harm our business and operating results.

Patent and other intellectual property disputes are common in the IT security industry. Some companies in the IT security industry, including some of our competitors, own large numbers of patents, copyrights, trademarks and trade secrets, which they may use to assert claims against us. This disparity between our patent portfolio and the patent portfolios of our most significant competitors may increase the risk that they may sue us for patent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, there are patent holding companies or other patent owners who are solely or primarily in the business of building portfolios of patents and asserting them against operating companies, often with little merit, and who have no relevant product revenue so that potential assertions of our patents (and potential patents) against such companies may provide little or no deterrence. Third parties have asserted and may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us. For example, in May 2010, F5 Networks, Inc., an IT infrastructure company that competes with us in the web application firewall market, filed a lawsuit against us alleging patent infringement. In September 2010, we filed a counterclaim alleging patent infringement by F5 Networks, Inc. In February 2011, we entered into a settlement and license agreement with F5 Networks, Inc., which dismissed the litigation. Third parties may also assert such claims against our customers or channel partners whom we typically indemnify against claims that our products infringe, misappropriate or otherwise violate the intellectual property rights of third parties. As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. 
Also, to the extent we hire personnel from competitors, we may be subject to allegations that they have been improperly solicited or have divulged proprietary or other confidential information.

We cannot assure you that we are not infringing or otherwise violating any third-party intellectual property rights. Further, any claim of infringement, misappropriation or other violation of intellectual property rights by a third party, even those without merit, could be asserted against us, cause us to incur substantial costs defending against the claim and could distract our management from our business. An adverse outcome of an IP dispute may require us to pay substantial damages, including treble damages, if we are found to have willfully infringed a third party’s patents or copyrights; cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others; expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology, which may not be successful; enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights; and indemnify our customers and partners. Royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, or may require significant royalty payments and other expenditures. In addition, some licenses may be non-exclusive, and therefore our competitors may have access to the same technology licensed to us. Any of these events could seriously harm our business, financial condition and results of operations.

We rely on the availability of licenses to third-party software and other intellectual property, the loss of which could increase our costs and delay software shipments.

Many of our products and services include software or other intellectual property licensed from third parties, and we also use software and other intellectual property licensed from third parties in our business. This exposes us to risks over which we may have little or no control. For example, a licensor may have errors or defects in its products that harm our business, may have difficulties keeping up with technological changes or may stop supporting the software or other intellectual property that it licenses to us. Also, it will be necessary in the future to renew licenses, expand the scope of existing licenses or seek new licenses, relating to various aspects of these products and services, or otherwise relating to our business, which may result in increased license fees. In addition, a direct or indirect licensor may assert that we or our customers are in breach of the terms of a license, which could, among other things, give such licensor the right to terminate a license or seek damages from us, or both. Moreover, the inclusion in our products and services of software or other intellectual property licensed from third parties on a nonexclusive basis could limit our ability to differentiate our products from those of our competitors.

Licensed software may not continue to be available on commercially reasonable terms, or at all. While we believe that there are currently adequate replacements for third-party software, any loss of the right to use any of this software could result in delays in producing or delivering our software until equivalent technology is identified and integrated, which delays could harm our business. Our business would be disrupted if any of the software we license from others or functional equivalents of this software were either no longer available to us or no longer offered to us on commercially reasonable terms. In either case, we would be required to either redesign our products to function with software available from other parties or to develop these components ourselves, which would result in increased costs and could result in delays in our product shipments and the release of new product offerings. Furthermore, we might be forced to limit the features available in our current or future products. If we fail to maintain or renegotiate any of these software licenses, we could face significant delays and diversion of resources in attempting to license and integrate a functional equivalent of the software. Any of these events could have a material adverse effect on our business, financial condition and results of operations.

Some of our products contain “open source” software, and any failure to comply with the terms of one or more of these open source licenses could negatively affect our business.

Certain of our products are distributed with software licensed under “open source” licenses. Some of these licenses contain requirements that we make available source code for modifications or derivative works we create based upon the open source software, and that we license these modifications or derivative works under the terms of a particular open source license or subject to certain license requirements. If we combine our proprietary software with open source software in a certain manner, we could, under certain provisions of the open source licenses, be required to release the source code of our proprietary software. In addition to risks related to license requirements, usage of open source software can subject us to greater risks than use of third-party commercial software, as licensors of open source software generally do not provide warranties or any indemnification for infringement of third party intellectual property rights. We have established processes to help alleviate these risks, including a review process for screening requests from our development organization for the use of open source software, but we cannot be sure that all open source software is submitted for approval prior to use in our products. In addition, open source license terms may be ambiguous and many of the risks associated with use of open source software cannot be eliminated, and could, if not properly addressed, negatively affect our business. If we were found to have inappropriately used open source software, we might be required to re-engineer our products, to release proprietary source code, to discontinue the sale of our products in the event re-engineering could not be accomplished on a timely basis or to take other remedial action that may divert resources away from our development efforts, any of which could adversely affect our business, operating results and financial condition. 
Disclosing the source code of our proprietary software could make it easier for malicious third parties to discover vulnerabilities in our cyber-security products and allow our competitors to create similar products with decreased development effort and time. Any of these events could have a material adverse effect on our reputation, business, financial condition and results of operations.

Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.

Our success depends, in part, on our ability to protect proprietary methods and technologies that we develop under the intellectual property laws of the United States and other countries, so that we can prevent others from using our inventions and proprietary information. We attempt to protect our intellectual property under patent, trademark, copyright and trade secret laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection. If we fail to protect our intellectual property rights adequately, our competitors might gain access to our technology, and our business might be harmed. In addition, defending our intellectual property rights might entail significant expenses. Any of our patents, copyrights, trademarks or other intellectual property rights may be challenged by others or invalidated through administrative process or litigation. Imperva and its subsidiaries had 33 issued patents and 15 patent applications pending as of December 31, 2016 in the United States. Our issued patents, which are limited in number compared to some of our competitors, may not provide us with any competitive advantages or may be challenged by third parties, and our patent applications may never be granted at all. Additionally, the process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner. Further, for strategic and other reasons we may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions. Even if issued, there can be no assurance that our patents will adequately protect our intellectual property, as the legal standards relating to the validity, enforceability and scope of protection of patent and other intellectual property rights are uncertain.

Any patents that are issued may subsequently be invalidated or otherwise limited, enabling other companies to better develop products that compete with ours, which could adversely affect our competitive business position, business prospects and financial condition. In addition, issuance of a patent does not guarantee that we have a right to practice the patented invention. Patent applications in the United States are typically not published until 18 months after filing, or in some cases not at all, and publications of discoveries in industry-related literature lag behind actual discoveries. We cannot be certain that we were the first to make the inventions claimed in our issued patents or pending patent applications or otherwise used in our products, that we were the first to file for protection in our patent applications, or that third parties do not have blocking patents that could be used to prevent us from marketing or practicing our patented products or technology. Effective patent, trademark, copyright and trade secret protection may not be available to us in every country in which our products and services are available. The laws of some foreign countries may not be as protective of intellectual property rights as those in the United States, and mechanisms for enforcement of intellectual property rights may be inadequate. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing upon or misappropriating our intellectual property.

We might be required to spend significant resources to monitor and protect our intellectual property rights. We may initiate claims or litigation against third parties for infringement of our proprietary rights or to establish the validity of our proprietary rights. Any litigation, whether or not it is resolved in our favor, could result in significant expense to us and divert the efforts of our technical and management personnel, which may adversely affect our business, operating results and financial condition.

We may become subject to claims for remuneration or royalties for assigned service invention rights by our Israeli employees, which could result in litigation and adversely affect our business.

We have entered into assignment of invention agreements with our Israeli employees pursuant to which such individuals agree to assign to us all rights to any inventions created in the scope of their employment or engagement with us. A significant portion of our intellectual property has been developed by our Israeli employees in the course of their employment for us. Under the Israeli Patents Law, 5727-1967 (the “Patents Law”), inventions conceived by an employee during the scope of his or her employment with a company are regarded as “service inventions,” which belong to the employer, absent a specific agreement between the employee and employer giving the employee service invention rights. The Patents Law also provides that if there is no such agreement between an employer and an employee, the Israeli Compensation and Royalties Committee (the “Committee”), a body constituted under the Patents Law, shall determine whether the employee is entitled to remuneration for his or her inventions. The Committee has previously held that employees may be entitled to remuneration for intellectual property that they develop during their service for a company despite their explicit waiver of such right. In a recent decision, however, the Committee overturned its position and upheld that an employee’s waiver of his right to remuneration is valid and binding. The plaintiff in this last case filed a petition with the Israeli Supreme Court requesting to remand the case to the Committee for a second review, but the Israeli Supreme Court decided on July 8, 2015 that the Committee acted within its administrative authority and that it would not intervene in the Committee’s decision. Even though the recent decision still stands, the Committee’s inconsistency raises doubt as to the outcome in different sets of circumstances. 
Thus, although our Israeli employees have agreed to assign to us service invention rights, we may face claims demanding remuneration in consideration for assigned inventions. As a consequence of such claims, we could be required to pay additional remuneration or royalties to our current and/or former Israeli employees, or be forced to litigate such claims, which could negatively affect our business.

Confidentiality agreements with partners, employees, consultants and others may not adequately prevent disclosure of trade secrets and other proprietary information.

In order to protect our proprietary technology, processes and methods, we rely in part on confidentiality agreements and other restrictions with our customers, partners, employees, consultants and others. These agreements may not effectively prevent disclosure of confidential information and may not provide an adequate remedy in the event of unauthorized disclosure of confidential information. Despite our efforts to protect our proprietary technology, processes and methods, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. We may be unable to determine the extent of any unauthorized use or infringement of our products, technologies or intellectual property rights. In addition, others may independently develop identical or substantially similar technology and in these cases we would not be able to assert any trade secret rights against those parties. Moreover, policing unauthorized use of our technologies, products and intellectual property is difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where mechanisms for enforcement of intellectual property rights may be weak. Costly and time-consuming litigation could be necessary to enforce and determine the scope of our proprietary rights, and failure to obtain or maintain trade secret protection could adversely affect our competitive business position.

We are subject to governmental export and import controls that could subject us to liability or impair our ability to compete in international markets.

Our business activities are subject to various restrictions under U.S. export controls and trade and economic sanctions laws, including the U.S. Commerce Department’s Export Administration Regulations and economic and trade sanctions regulations maintained by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). If we fail to comply with these laws and regulations, we could be subject to civil or criminal penalties and reputational harm. U.S. export control laws and economic sanctions laws also prohibit certain transactions with U.S. embargoed or sanctioned countries, governments, persons and entities.

Many of our products incorporate encryption technology and may be exported outside the U.S. only if we obtain an export license or qualify for an export license exception. Compliance with applicable regulatory requirements regarding the export of our products may prevent our customers with international operations from deploying our products throughout their global systems or, in some cases, prevent the export of our products to some countries altogether. Further, various countries regulate the import of encryption technology and appliance-based products and have enacted laws that could limit our ability to distribute products, could create delays in the introduction of our products in those countries or could limit our customers’ ability to implement our products in those countries.

U.S. export control laws and economic sanctions prohibit the shipment of certain products to U.S. embargoed or sanctioned countries, governments and persons. While we and our channel partners take precautions to prevent our products from being shipped to, downloaded or accessed by U.S. sanctions targets, our products could be shipped to, downloaded or accessed by persons located in countries that are the subject of U.S. embargoes despite our efforts. Any such shipment or access could have negative consequences, including government investigations, penalties and reputational harm. For example, in 2015, we discovered that some of our free downloadable software evaluation products may have been downloaded by a limited number of persons located in countries that are the subject of U.S. embargoes. We terminated the unauthorized accounts, filed an initial disclosure with the U.S. Commerce Department’s Bureau of Industry and Security (“BIS”) and with OFAC and filed final reports with BIS and OFAC on September 2, 2015 and September 22, 2015, respectively. We have implemented new screening measures designed to prevent users in embargoed countries and prohibited persons from purchasing, downloading or accessing our free downloadable evaluation software or other products or services. OFAC issued a cautionary letter on October 14, 2015 as a final enforcement response to the apparent violations and did not impose any monetary penalties. BIS issued a warning letter on October 5, 2016 in response to the apparent violations and closed the matter, having determined not to take any further action.  Even though we take precautions to prevent transactions with U.S. sanctions targets, any such precautions, or any new precautions we may implement in the future, may be ineffective. Similar future circumstances or violations may result in more burdensome remedies including material penalties. 
As a result, there is risk that in the future we could provide our products to or permit our products to be downloaded or accessed by such targets despite these precautions. This could result in negative consequences to us, including government investigations, penalties and reputational harm.

In the future, there may be changes in our products or changes in export and import regulations or economic sanctions. Similarly, there may be shifts in the enforcement or scope of existing regulations or restrictions or changes in the countries, governments, persons or technologies targeted by such regulations and restrictions. Such changes and shifts may create delays in the introduction and sale of our products in international markets, could result in decreased use of our products or, in some cases, prevent the sale of our products to certain countries, governments or persons altogether, including by current customers or potential customers. Any such limitation, delay, restriction or reduction could adversely affect our business, financial condition, results of operations and prospects.

Conditions in Israel may limit our ability to develop and sell our products. This could result in a decline in revenue.

Our principal research and development facilities are located in Israel. Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its neighboring countries, as well as incidents of civil unrest, and a number of state and non-state actors have publicly committed to its destruction. Political, economic and military conditions in Israel could directly affect our operations. We could be adversely affected by any major hostilities involving Israel, including acts of terrorism or any other hostilities involving or threatening Israel, the interruption or curtailment of trade between Israel and its trading partners, a significant increase in inflation or a significant downturn in the economic or financial condition of Israel. Any on-going or future violence between Israel and the Palestinians, including a resumption of the conflict in Gaza, armed conflicts, terrorist activities, tension along the Israeli borders or with other countries in the region, including Iran, or political instability in the region could disrupt international trading activities in Israel and may materially and negatively affect our business and could harm our results of operations.

Certain countries, as well as certain companies and organizations, continue to participate in a boycott of Israeli firms, firms with large Israeli operations and others doing business with Israel and Israeli companies. In addition, such boycott, restrictive laws, policies or practices may change over time in unpredictable ways, and could, individually or in the aggregate, have a material adverse effect on our business in the future.

Some of our employees in Israel are obligated to perform annual military reserve duty in the Israel Defense Forces, depending on their age and position in the armed forces. Furthermore, they may be called to active reserve duty at any time under emergency circumstances for extended periods of time. For example, in 2014, approximately 51 of our employees in Israel were called for active reserve duty, each serving for an average of approximately two weeks. Our operations could be disrupted by the absence, for a significant period, of one or more of our executive officers or key employees due to military service, and any significant disruption in our operations could harm our business.

Our internal network system and website may be subject to intentional disruption that could adversely impact our reputation and future sales.

Because we are a leading provider of cyber-security products, hackers and others may try to access our data or compromise our systems. Similarly, experienced computer programmers may attempt to penetrate our network security or the security of our website and cause interruptions of our services. Because the techniques used by such computer programmers to access or sabotage networks change frequently and may not be recognized until launched against a target, we may be unable to anticipate these techniques. The theft and/or unauthorized use or publication of our trade secrets and other confidential business information as a result of such an event could adversely affect our competitive position, reputation, brand and future sales of our products, and could impair our ability to operate our business, including our ability to provide subscription or maintenance and support services to our customers. We could suffer monetary and other losses and reputational harm in the event of such incidents.

Outages, interruptions or delays in hosting services could impair the delivery of our cloud-based security services and harm our business.

We operate infrastructure that supports our ThreatRadar and Security Operations Center (“SOC”) services and use third party hosting facilities for certain ThreatRadar services. Despite precautions taken within our own internal network and at these third party facilities, the occurrence of a natural disaster or an act of terrorism or other unanticipated problems could result in lengthy interruptions in our services.

The cloud-based security services that we provide through our subsidiary, Incapsula, are operated from a network of third party facilities that host the software and systems that operate these security services. Any damage to, or failure of, our internal systems or systems at third party hosting facilities could result in outages or interruptions in our cloud-based services. Outages or interruptions in our cloud-based security services may cause our customers and potential customers to believe our cloud-based security services are unreliable or suffer from perceived vulnerabilities, cause us to issue credits or pay penalties, cause customers to terminate their subscriptions and adversely affect our renewal rates and our ability to attract new customers, ultimately harming our business and revenue.  Our Incapsula service has experienced outages in the past and we may continue to experience such outages in the future.

Changes in our provision for income taxes or adverse outcomes resulting from examination of our income tax returns could adversely affect our results.

We are subject to income taxation in the United States and numerous foreign jurisdictions. Determining our provision for income taxes requires significant management judgment. In addition, our provision for income taxes is subject to volatility and could be adversely affected by many factors, including, among other things, changes to our operating or holding structure, changes in the amounts of earnings in jurisdictions with differing statutory tax rates, changes in the valuation of deferred tax assets and liabilities and changes in tax laws. We are subject to ongoing tax examinations in various jurisdictions. Tax authorities may disagree with our intercompany charges, cross-jurisdictional transfer pricing, determinations regarding the inclusion of stock-based compensation expense as part of a cost-plus arrangement or other matters and assess additional taxes. While we regularly assess the likely outcomes of these examinations to determine the adequacy of our provision for income taxes, there can be no assurance that the outcomes of such examinations will not have a material impact on our operating results and cash flows.

Significant judgment is required to determine the recognition and measurement attributes prescribed in Accounting Standards Codification (“ASC”) 740-25 (formerly referred to as Financial Interpretation No. 48, “Accounting for Uncertainty in Income Taxes-an interpretation of FASB Statement No. 109”). In addition, ASC 740-25 applies to all income tax positions, including the potential recovery of previously paid taxes, which if settled unfavorably could adversely impact our provision for income taxes or additional paid-in capital. In addition, we are subject to the continuous examination of our income tax returns by the U.S. Internal Revenue Service and other tax authorities. We regularly assess the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of our provision for income taxes. There can be no assurance that the outcomes from these continuous examinations will not have an adverse effect on our results of operations.

Our ability to use our net operating loss carryforwards may be subject to limitations and may result in increased future tax liability to us.

Generally, a change of more than 50% in the ownership of a corporation’s stock, by value, over a three-year period constitutes an ownership change for U.S. federal and applicable state income tax purposes. An ownership change may limit a company’s ability to use its net operating loss carryforwards attributable to the period prior to such change. We have not performed a detailed analysis to determine whether an ownership change under Section 382 of the Internal Revenue Code of 1986, as amended, has occurred after each of our previous private placements of preferred stock or after the issuance of shares of common stock in connection with our initial public offering and follow-on public offering. In the event we have undergone an ownership change under Section 382, if we earn net taxable income, our ability to use our pre-change net operating loss carryforwards to offset U.S. federal taxable income may become subject to limitations, which could potentially result in increased future tax liability to us.

Our business is subject to the risks of earthquakes, fire, power outages, floods and other catastrophic events, and to interruption by manmade problems such as terrorism.

A significant natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our business, financial condition and results of operations. Our corporate headquarters are located in the San Francisco Bay Area, a region known for seismic activity, on land reclaimed from the bay that is susceptible to high liquefaction risk in the event of an earthquake. In addition, natural disasters could affect our manufacturing vendors or logistics providers’ ability to perform services such as manufacturing products on a timely basis and assisting with shipments on a timely basis. In the event our service providers’ information technology systems or manufacturing or logistics abilities are hindered by any of the events discussed above, shipments could be delayed, resulting in missing financial targets, such as revenue and shipment targets, for a particular quarter. Further, if a natural disaster occurs in a region from which we derive a significant portion of our revenue, customers in that region may delay or forego purchases of our products, which may materially and adversely impact our results of operations for a particular period. In addition, acts of terrorism could cause disruptions in our business or the business of our manufacturer, logistics providers, partners, customers or the economy as a whole. Given our typical concentration of sales at each quarter end, any disruption in the business of our manufacturer, logistics providers, partners or customers that impacts sales at the end of our quarter could have a significant adverse impact on our quarterly results. All of the aforementioned risks may be augmented if the business continuity plans for us and our suppliers prove to be inadequate. 
To the extent that any of the above results in delays or cancellations of customer orders, or the delay in the manufacture, deployment or shipment of our products, our business, financial condition and results of operations would be adversely affected.

Risks Related to Ownership of our Common Stock

If we fail to maintain an effective system of disclosure controls and procedures and internal controls over financial reporting, our ability to produce accurate financial statements or comply with applicable regulations could be impaired.

As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”), and the rules and regulations of the NASDAQ Stock Market LLC. We expect that the requirements of these rules and regulations will continue to increase our legal, accounting and financial compliance costs, make some activities more difficult, time-consuming and costly and place strains on our personnel, systems and resources.

The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. We are continuing to develop and refine our disclosure controls and other procedures that are designed to ensure that information required to be disclosed by us in the reports that we file with the SEC is recorded, processed, summarized and reported within the time periods specified in SEC’s rules and forms. Our current controls and any new controls that we develop may become inadequate because of changes in conditions, and the degree of compliance with the policies or procedures may deteriorate. In addition, weaknesses in our internal controls over financial reporting may be discovered in the future. Our filings with the SEC are subject to periodic review by the SEC, and our auditors are subject to periodic inspection by the Public Company Accounting Oversight Board. Any failure to maintain effective controls over financial reporting, any difficulties encountered in the implementation of additional controls or the improvement of existing controls, or any issues that emerge as a result of regulatory review, could harm our operating results or cause us to fail to meet our reporting obligations and may result in a revision or restatement of our prior period financial statements. Any failure to maintain effective internal controls also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we are required to include in our annual reports filed with the SEC under Section 404 of the Sarbanes-Oxley Act. 
Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our common stock.

For example, in connection with the review of our unaudited interim condensed consolidated financial statements in our Form 10-Q filed with the SEC on November 7, 2014, management, including our Chief Executive Officer and Chief Financial Officer, assessed the effectiveness of our disclosure controls and procedures as of September 30, 2014. Based on that assessment, management concluded that our disclosure controls and procedures were not effective as of September 30, 2014, because of a material weakness in internal control over financial reporting related to insufficient oversight and review controls to ensure the proper determination of stock-based compensation expense for certain complex equity awards that were not issued in the ordinary course. While these control deficiencies were remediated, we continue to identify risks and make improvements to our internal controls and we cannot assure you that additional material weaknesses in our internal control over financial reporting will not be identified in the future.

In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended significant resources, and anticipate that we will continue to add personnel and provide significant management oversight, which involve substantial accounting-related costs. Any failure to maintain the adequacy of our internal controls, or consequent inability to produce accurate financial statements on a timely basis, could increase our operating costs and could materially impair our ability to operate our business. In the event that we are not able to continue to demonstrate compliance with Section 404 of the Sarbanes-Oxley Act in a timely manner, that our internal controls are perceived as inadequate or that we are unable to produce timely or accurate financial statements, investors may lose confidence in our operating results and our stock price could decline. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the NASDAQ Global Select Market.

We also have implemented elements of a disaster recovery/business continuity plan for our accounting and related information technology systems but we have not yet implemented a complete disaster recovery/business continuity plan that covers all of our operations. If the elements that we have developed and plan to develop in the future prove inadequate in the circumstances of a particular disaster or other business continuity event, our ability to maintain timely accounting and reporting may be materially impaired.

Market volatility may affect our stock price and the value of your investment

The trading prices of the securities of technology companies generally, and of our stock in particular, have been highly volatile. The market price of our common stock may fluctuate significantly in response to a number of factors, most of which we cannot predict or control, including:

 

• announcements of new products, services or technologies, commercial relationships, acquisitions, dispositions, strategic partnerships, joint ventures, capital commitments or other events by us or our competitors;

• fluctuations in operating performance and in stock market prices and trading volumes of securities of other technology companies generally, or those in our industry in particular;

• general market conditions and overall price and volume fluctuations in U.S. equity markets;

• actual or anticipated variations in our operating results, or the operating results of our competitors;

• the financial and other projections we may provide to the public, any changes in these projections or our failure to meet these projections or changes in our financial guidance or securities analysts’ estimates of our financial performance;

• failure of securities analysts to maintain coverage of us, changes in financial or other estimates by any securities analysts who follow us, or our failure to meet these estimates or the expectations of our investors;

• ratings or other changes by any securities analysts who follow our company or our industry;

• announcements of restructurings, reductions in force, departure of key employees and/or consolidation of operations;

• sales or purchases of large blocks of our common stock, including by our executive officers, directors, significant stockholders and activist stockholders;

• rumors and market speculation involving Imperva or other companies in our industry; and

• lawsuits threatened or filed against us and changing legal or regulatory developments in the United States and other countries.

In addition, the stock market in general, and the NASDAQ Stock Market in particular, have experienced substantial price and volume volatility that is often seemingly unrelated to the operating performance of particular companies. These broad market fluctuations or factors affecting us more specifically may cause the trading price of our common stock to decline. In the past, securities class action litigation has often been brought against a company after a period of volatility in the market price of its common stock.

We face risks related to securities litigation that could result in significant legal expenses and settlement or damage awards.

We are currently and may in the future become subject to claims and litigation alleging violations of the securities laws or similar claims, which could harm our business and require us to incur significant costs. For example, on April 11, 2014, a purported stockholder class action lawsuit was filed in the United States District Court for the Northern District of California against us and certain of our officers alleging that defendants made false and misleading statements and purporting to assert claims for violations of the federal securities laws, and seeking unspecified compensatory damages and other relief. Regardless of the outcome, this matter or future litigation may require significant attention from management and could result in significant legal expenses, settlement costs or damage awards that could have a material impact on our financial position, results of operations and cash flows.

If securities or industry analysts do not publish research or publish inaccurate or unfavorable research about our business, our stock price and trading volume could decline.

The trading market for our common stock will depend in part on the research and reports that securities or industry analysts publish about us or our industry. If we do not establish and maintain adequate research coverage or if one or more of the analysts who covers us downgrades our stock or publishes inaccurate or unfavorable research about our business, our stock price would likely decline. If one or more of these analysts ceases coverage of our company or fails to publish reports on us regularly, demand for our stock could decrease, which could cause our stock price and trading volume to decline.

We do not intend to pay dividends on our common stock so any returns will be limited to the value of our stock.

We have never declared or paid any cash dividend on our common stock. We currently anticipate that we will retain future earnings for the development, operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to stockholders will therefore be limited to the value of their stock.

Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of us, which may be beneficial to our stockholders, more difficult and may prevent attempts by our stockholders to replace or remove our current management.

Provisions in our restated certificate of incorporation and amended and restated bylaws may delay or prevent an acquisition of us or a change in our management. These provisions include:

 

• authorizing “blank check” preferred stock, which could be issued by the board without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and could thwart a takeover attempt;

• a classified board of directors whose members can be dismissed only for cause;

• the prohibition on actions by written consent of our stockholders;

• the limitation on who may call a special meeting of stockholders;

• the establishment of stock ownership and advance notice requirements for stockholders who intend to submit proposals to be acted upon at stockholder meetings, including nominations of persons for election to our board of directors; and

• the requirement that at least 75% of our outstanding capital stock must approve any amendment of the foregoing second through fifth provisions.

In addition, because we are incorporated in Delaware, we are governed by the provisions of the anti-takeover provisions of the Delaware General Corporation Law, which may discourage, delay or prevent a change in control by prohibiting us from engaging in a business combination with an interested stockholder for a period of three years after the person becomes an interested stockholder, even if a change of control would be beneficial to our existing stockholders. Although we believe these provisions collectively provide for an opportunity to obtain greater value for stockholders by requiring potential acquirers to negotiate with our board of directors, they would apply even if an offer rejected by our board were considered beneficial by some stockholders. In addition, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, which is responsible for appointing the members of our management.

The announcement that we have concluded our review of strategic alternatives and will remain a standalone company may create uncertainty about our prospects.

On August 4, 2016, we announced that we retained advisors to assist us in a comprehensive review of strategic alternatives and on November 3, 2016, we announced that we had concluded the review process. The process did not result in a transaction or any other specific strategic action, but did result in a restructuring plan that was also announced. These announcements may create uncertainty about our prospects as a standalone entity, and may lead to a perception of instability, irrespective of the actual circumstances, which may be exploited by our competitors, cause concern to our current or potential customers and partners, and make it more difficult to attract and retain qualified personnel. Such issues or perceptions may negatively impact our business, disrupt our operations and divert the attention of management and our employees, all of which could materially and adversely affect our operations and operating results. In addition, our stock price may experience periods of increased volatility as a result of prolonged rumors and speculation about our business. Further, while we have concluded the review of strategic alternatives, it is possible that a strategic transaction or other type of strategic action may arise in the future.

Our business could be negatively affected by stockholder activism, which could impact the trading price and volatility of our common stock.   

An activist investor, Elliott Associates, L.P., and its affiliates, took an ownership position in our common stock in June 2016 and disclosed in a Schedule 13D that it economically owns approximately 7% of our common stock (with additional economic exposure through derivatives of approximately 4% of our common stock) and expressed an intent to engage in substantive discussions with our management, our Board of Directors and others relating to strategic and operational opportunities for us that it believes would meaningfully increase value to our stockholders. Responding to actions by an activist stockholder, such as public proposals and requests for special meetings, potential nominations of candidates for election to our board of directors, requests to pursue a strategic combination or other transaction, or other special requests, can be costly and time-consuming, disrupt our operations and divert the attention of management and our employees. Additionally, perceived uncertainties as to our future direction or changes to the composition of our board may be exploited by our competitors, cause concern to our current or potential customers and partners, and make it more difficult to attract and retain qualified personnel. Such uncertainties may adversely impact our business and future financial results. In addition, our stock price may experience periods of increased volatility as a result of stockholder activism, including in reaction to any future acquisition or disposition of our common stock by Elliott or other activists.

Item 1B. Unresolved Staff Comments

Not applicable.

Item 2. Properties

Our corporate headquarters are located in Redwood Shores, California in an office consisting of approximately 82,000 square feet.  This includes 8,404 sq. ft. that was added pursuant to the Fourth and Sixth amendments to the lease for this office and for which the lease period commenced on March 1, 2016. The lease for our corporate headquarters expires in December 2020. Our offices in Texas, where we employ sales, support, research and development and professional services employees, consist of approximately 17,134 square feet and the leases for these offices expire in January 2018 and in April 2021. Our office in Tel Aviv, Israel, where we employ our SecureSphere research and development team, consists of approximately 8,417 square meters (approximately 90,600 square feet). The lease for 937 square meters (approximately 10,000 square feet) of this office expires in December 2016 and the lease for the remainder of the office expires in January 2027.  The majority of our Incapsula team is in offices in Rehovot, Israel that consist of 2,900 square meters (approximately 31,200 square feet).  The lease for a portion of the office space expires in January 2022 and the lease for the remainder of the space expires in May 2025.  We also have a number of sales offices around the world.  We believe that our facilities are suitable to meet our needs for the foreseeable future; however, we will continue to seek additional space as needed to accommodate our growth.

Item 3. Legal Proceedings

From time to time, we may be subject to legal proceedings and claims in the ordinary course of business.

On April 11, 2014, a purported shareholder class action lawsuit was filed in the United States District Court for the Northern District of California against us and certain of our current and former officers. On August 7, 2014, the Court entered an order appointing lead plaintiff and counsel for the purported class. The lead plaintiff filed an amended complaint on October 10, 2014. The lawsuit named us and certain of our current and former officers and purported to bring suit on behalf of those investors who purchased our publicly traded securities between May 2, 2013 and April 9, 2014. The plaintiff alleged that defendants made false and misleading statements about our operations and business and financial results and purported to assert claims for violations of the federal securities laws. The amended complaint sought unspecified compensatory damages, interest thereon, costs incurred in the action and equitable/injunctive or other relief. On January 6, 2015, defendants filed a motion to dismiss the amended complaint. On September 17, 2015, the Court granted defendants’ motion to dismiss with leave to amend. The lead plaintiff filed an amended complaint on January 13, 2016, again naming the same current and former officers, alleging false and misleading statements about our operations and business and financial results, and seeking the same relief.  On February 10, 2016, defendants filed a motion to dismiss the amended complaint. On May 16, 2016, the Court granted the motion in part and denied the motion in part.  On September 7, 2016, defendants filed their operative answer to the amended complaint. On October 19, 2016, plaintiff filed a motion for class certification.

In addition, we have received, and may in the future continue to receive, claims from third parties asserting, among other things, infringement of their intellectual property rights. Future litigation may be necessary to defend ourselves, our channel partners and our customers by determining the scope, enforceability and validity of third-party proprietary rights or to establish our proprietary rights.

Further, the ultimate outcome of any litigation is uncertain and, regardless of outcome, litigation can have an adverse impact on us because of defense costs, potential negative publicity, diversion of management resources and other factors. Accordingly, there can be no assurance that existing or future legal proceedings arising in the ordinary course of business or otherwise will not have a material adverse effect on our business, consolidated financial position, results of operations or cash flows.

Item 4. Mine Safety Disclosures

Not applicable.

 

 

PART II

 

 

Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities

Market Information for Common Stock

Our common stock was listed on the New York Stock Exchange under the symbol “IMPV” from our IPO in November 2011 to December 12, 2016.  Since December 13, 2016, it has been listed on the NASDAQ Stock Market. The following table sets forth, for the periods indicated, the high and low intra-day prices for our common stock as reported on the New York Stock Exchange or the NASDAQ Stock Market, as applicable.

 

| Fiscal 2015 | High | Low |
| --- | --- | --- |
| First Quarter | $51.19 | $38.20 |
| Second Quarter | $69.01 | $40.74 |
| Third Quarter | $74.00 | $53.54 |
| Fourth Quarter | $77.99 | $57.08 |

| Fiscal 2016 | High | Low |
| --- | --- | --- |
| First Quarter | $61.29 | $33.92 |
| Second Quarter | $51.26 | $33.27 |
| Third Quarter | $53.71 | $42.58 |
| Fourth Quarter | $54.22 | $35.10 |

| Fiscal 2017 | High | Low |
| --- | --- | --- |
| First Quarter (through February 15, 2017) | $46.75 | $37.45 |

 

 

Stockholders

As of February 15, 2017, we had 31 record holders of our common stock.

Dividend Policy

We have never declared or paid cash dividends on our common stock. We currently intend to retain any future earnings and do not expect to pay any dividends in the foreseeable future. Any determination to pay dividends in the future will be at the discretion of our board of directors and will be dependent on a number of factors, including our earnings, capital requirements and overall financial conditions.

Stock Price Performance Graph

The following graph shows a comparison from December 31, 2011 through December 31, 2016 of the cumulative total return for an investment of $100 (and the reinvestment of dividends) in our common stock, the NYSE Composite Index and the S&P Information Technology Index. Such returns are based on historical results and are not intended to suggest future performance.  Our common stock was listed on the New York Stock Exchange from November 2011 to December 12, 2016.  Since December 13, 2016, it has been listed on the NASDAQ Stock Market.  In future years, we will compare our common stock to a NASDAQ composite index.  

 

 

 

 

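| | 12/11 | 12/12 | 12/13 | 12/14 | 12/15 | 12/16 |
| --- | --- | --- | --- | --- | --- | --- |
| Imperva Inc. | 100.00 | 90.58 | 138.26 | 142.00 | 181.87 | 110.31 |
| NYSE Composite | 100.00 | 115.99 | 146.47 | 156.36 | 149.97 | 167.87 |
| S&P Information Technology | 100.00 | 114.82 | 147.47 | 177.13 | 187.63 | 213.61 |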

 

The above information under the heading “Stock Price Performance Graph” shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liabilities of that section or Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended, and shall not be incorporated by reference into any registration statement or other document filed by us with the Securities and Exchange Commission, whether made before or after the date of this Annual Report on Form 10-K, regardless of any general incorporation language in such filing, except as shall be expressly set forth by specific reference in such filing.

Use of Proceeds from Public Offering of Common Stock

The Form S-1 Registration Statement (Registration No. 333-175008) relating to our IPO was declared effective by the SEC on November 8, 2011. The net proceeds to us of our IPO after deducting $6.9 million of underwriters’ discounts and $5.8 million of offering expenses were $86.2 million. Since the IPO, we have invested approximately $29.4 million of the net proceeds as follows: in January 2012, we invested $3.5 million in Incapsula, our majority owned subsidiary, and received in exchange an additional 4,375,000 shares of Incapsula’s Series A-1 Preferred Stock; in October 2013, we loaned $1.1 million to Incapsula at a rate of 2% per annum with a maturity date of December 31, 2014; in January 2014, we paid approximately $4.7 million in cash as part of the consideration in connection with our purchase of certain assets and liabilities of Tomium; in February 2014, we paid $8.6 million in cash, and in February 2016 released an additional $7.6 million, as part of the consideration in connection with the acquisition of Skyfence; and in December 2016, we paid approximately $3.9 million in cash as consideration for our purchase of certain assets and liabilities of Camouflage Software.  We expect to use the remaining net IPO proceeds for working capital and general corporate purposes, including acquisitions. Although we may also use a portion of the net proceeds for acquisition of complementary businesses, technologies or other assets, we have no present understandings, commitments or agreements to enter into any acquisitions.

Our management will retain broad discretion in the allocation and use of the net proceeds of our IPO, and investors will be relying on the judgment of our management regarding the application of the net proceeds. Pending specific utilization of the net proceeds as described above, we have invested the net proceeds of the offering in short-term, interest-bearing obligations. The goal with respect to the investment of the net proceeds will be capital preservation and liquidity so that such funds are readily available to fund our operations.

 

 

Item 6. Selected Financial Data

The following selected consolidated financial data should be read in conjunction with “Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10-K. The selected financial data in this section is not intended to replace the financial statements and is qualified in its entirety by the consolidated financial statements and related notes thereto included elsewhere in this Annual Report on Form 10-K. Our historical results of operations are not necessarily indicative of results to be expected for any future period.

 

 

 

(dollars in thousands, except per share amounts)

| Years Ended December 31, | 2016 | 2015 | 2014 | 2013 | 2012 |
|---|---|---|---|---|---|
| Consolidated Statement of Operations Data: | | | | | |
| Net revenue: | | | | | |
| Products and license | $86,798 | $107,563 | $74,299 | $72,153 | $59,490 |
| Services | 177,657 | 126,735 | 89,711 | 65,606 | 44,745 |
| Total net revenue | 264,455 | 234,298 | 164,010 | 137,759 | 104,235 |
| Cost of revenue: | | | | | |
| Products and license | 9,525 | 10,947 | 9,248 | 8,756 | 8,530 |
| Services | 44,307 | 36,633 | 27,335 | 20,940 | 13,374 |
| Total cost of revenue (1) | 53,832 | 47,580 | 36,583 | 29,696 | 21,904 |
| Gross profit | 210,623 | 186,718 | 127,427 | 108,063 | 82,331 |
| Operating expenses: | | | | | |
| Research and development (1) | 62,402 | 53,376 | 43,052 | 27,556 | 20,555 |
| Sales and marketing (1) | 156,465 | 136,292 | 106,382 | 81,500 | 53,509 |
| General and administrative (1) | 51,260 | 43,440 | 34,499 | 24,436 | 15,371 |
| Restructuring charges | 8,118 | | | | |
| Amortization of purchased intangibles | 1,408 | 1,408 | 1,269 | | |
| Total operating expenses | 279,653 | 234,516 | 185,202 | 133,492 | 89,435 |
| Loss from operations | (69,030) | (47,798) | (57,775) | (25,429) | (7,104) |
| Other income (expense), net | (77) | (402) | (220) | (125) | (243) |
| Loss before provision for income taxes | (69,107) | (48,200) | (57,995) | (25,554) | (7,347) |
| Provision for income taxes | 1,172 | 682 | 1,181 | 777 | 545 |
| Net loss | (70,279) | (48,882) | (59,176) | (26,331) | (7,892) |
| Loss attributable to non-controlling interest | | - | 213 | 1,153 | 505 |
| Net loss attributable to Imperva, Inc. stockholders | $(70,279) | $(48,882) | $(58,963) | $(25,178) | $(7,387) |
| Net loss per share of common stock attributable to Imperva, Inc. stockholders, basic and diluted (2) | $(2.18) | $(1.64) | $(2.28) | $(1.04) | $(0.32) |
| Shares used in computing net loss per share of common stock, basic and diluted (2) | 32,284 | 29,849 | 25,806 | 24,300 | 22,916 |

 

 

(1) Includes stock-based compensation as follows (in thousands):

| Years Ended December 31, | 2016 | 2015 | 2014 | 2013 | 2012 |
|---|---|---|---|---|---|
| Cost of revenue | $4,664 | $3,862 | $2,058 | $1,440 | $469 |
| Research and development | 14,711 | 13,831 | 8,799 | 3,660 | 1,227 |
| Sales and marketing | 20,510 | 16,717 | 13,558 | 8,537 | 2,543 |
| General and administrative | 17,131 | 16,554 | 12,858 | 8,857 | 1,729 |
| Restructuring charges | 5,859 | - | - | - | - |

 

 

(2) Please see Note 17 to our audited consolidated financial statements for an explanation of the calculations of our basic and diluted net loss per share of common stock.

 

 

 

(in thousands)

| Years Ended December 31, | 2016 | 2015 | 2014 | 2013 | 2012 |
|---|---|---|---|---|---|
| Consolidated Balance Sheet Data: | | | | | |
| Cash and cash equivalents and short-term investments | $261,092 | $264,807 | $109,720 | $115,085 | $102,327 |
| Working capital | $194,149 | $214,173 | $78,244 | $103,214 | $92,796 |
| Total assets | $408,819 | $397,669 | $220,645 | $176,491 | $153,957 |
| Deferred revenue, current and long-term | $130,471 | $106,657 | $81,175 | $63,052 | $46,291 |
| Non-controlling interest | $- | $- | $- | $(2,614) | $(1,104) |
| Total stockholders' equity | $231,963 | $240,201 | $97,243 | $86,222 | $84,231 |

 

 

 

Item 7. MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS

The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our “Selected Consolidated Financial Data” and consolidated financial statements and notes thereto included elsewhere in this Annual Report on Form 10-K. This Annual Report on Form 10-K contains “forward-looking statements” within the meaning of Section 27A of the Securities Act of 1933, as amended (the “Securities Act”), and Section 21E of the Securities Exchange Act of 1934, as amended (the “Exchange Act”). These statements are often identified by the use of words such as “may,” “will,” “expect,” “believe,” “anticipate,” “intend,” “could,” “estimate,” or “continue,” and similar expressions or variations. These statements are based on the beliefs and assumptions of our management based on information currently available to management. Such forward-looking statements are subject to risks, uncertainties and other factors that could cause actual results and the timing of certain events to differ materially from future results expressed or implied by such forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to, those identified herein, and those discussed in the section titled “Risk Factors,” set forth in Item 1A of this Annual Report on Form 10-K and in our other SEC filings. You should review these risk factors for a more complete understanding of the risks associated with an investment in our securities. We disclaim any obligation to update any forward-looking statements to reflect events or circumstances after the date of such statements.

Overview

We were incorporated as a Delaware corporation in 2002 with the vision of protecting high-value applications and data assets within the enterprise. Since that time we have been investing in our cyber-security solutions to meet the rapidly evolving demands of customers. We shipped our initial web application security and data security products in 2002. In 2006, we expanded our database security product to include compliance features. In 2010, we launched our file security offering. In addition, in 2010, we launched our cloud-based initiatives with ThreatRadar. In 2011, we introduced our cloud-based offering for mid-market enterprises and small and medium-sized businesses (“SMB”) that we provide through Incapsula, Inc., which was majority owned by Imperva until March 2014 when we acquired the remaining portion of Incapsula that we did not already own in order to more fully integrate their operations with ours. In January 2014, we acquired certain assets and liabilities of Tomium Software, LLC to accelerate our mainframe data security solutions. In February 2014, we acquired Skyfence Networks Ltd. to further our ability to secure cloud and Software as a Service (“SaaS”) applications. In December 2016, we acquired certain assets and liabilities of Camouflage Software, Inc., to further our data masking, security and compliance solutions in the cloud and on-premises. In February 2017, we sold the assets of the Skyfence business to Forcepoint LLC. We intend to continue pursuing cloud-based SaaS security offerings.  

Our research and development efforts are focused primarily on improving and enhancing our existing cyber-security solutions and services, as well as developing new products and services and conducting advanced security research. We conduct most of our research and development activities in Israel, and we believe this provides us with access to some of the best engineering talent in the security industry. As of December 31, 2016, we had 319 employees dedicated to research and development, including our advanced security research group, the Imperva Defense Center (“IDC”). Our research and development expense was $62.4 million, $53.4 million, and $43.1 million for the years ended December 31, 2016, 2015 and 2014, respectively.

We derive our revenue from sales and licenses of our products and sales of our services. Products and license revenue is generated primarily from sales of perpetual software licenses installed on hardware appliances or virtual appliances for our SecureSphere product line. Services revenue consists of maintenance and support, professional services and training and subscriptions. A majority of our revenue is derived from customers in the Americas region. In 2016, 62.5% of our total revenue was generated from the Americas, 19.2% from Europe, Middle East and Africa (“EMEA”) and 18.3% from Asia Pacific (“APAC”).

We market and sell our products through a hybrid sales model, which combines a direct touch sales organization and an overlay channel sales team that actively assist our extensive network of channel partners throughout the sales process. We also provide our channel partners with marketing assistance, technical training and support. We primarily sell our products and services through our channel partners, including distributors and resellers, which sell to end-user customers, who we refer to in this Annual Report on Form 10-K as our customers. We have a network of approximately 270 channel partners worldwide, including both resellers and distributors. In 2016, our channel partners originated over 50%, and fulfilled almost 86%, of our sales. We work with many of the world’s leading security value-added resellers, and our partners include some of the largest hosting companies for cloud-based deployments.

As of December 31, 2016, Imperva had over 5,200 customers in more than 100 countries. In addition, our solutions are used to protect thousands of organizations through cloud-based deployments with our Software-as-a-Service (“SaaS”) customers and our managed security service provider (“MSSP”) and hosting partners.

Our net revenue has increased in each of the last three years, growing from $164.0 million in 2014 to $234.3 million in 2015 to $264.5 million in 2016. We have incurred net losses attributable to our stockholders of $59.0 million, $48.9 million and $70.3 million in 2014, 2015 and 2016, respectively. As of December 31, 2016, we had an accumulated deficit of $276.8 million.

Opportunities, Challenges and Risks

We believe that the growth of our business and our future success are dependent upon many factors, including our ability to maintain our technology leadership, improve our sales and marketing, address the needs of smaller enterprises and compete effectively in the marketplace for cyber-security solutions. While each of these areas presents significant opportunities for us, they also pose important challenges and risks that we must successfully address in order to sustain the growth of our business and improve our results of operations.

Maintain Technology Leadership. As a result of the rise in sophisticated attacks by hackers and malicious insiders, the difficulty in complying with regulations governing business data and the growing complexity of, and open access to, data centers, we believe that enterprises are struggling to provide visibility and control over high-value business applications and data assets that they need to protect. In addition, organizations are increasingly taking advantage of cloud-based services and virtualization technologies, and these new technologies and architectures are increasing the complexity of, and accessibility to, the data center. We believe these challenges are driving the need for a new protection layer positioned closely around the applications and data assets in the data center. We expect that as enterprises recognize the growing risk to high-value business data and the need to comply with increasing regulatory compliance mandates, their spending will increase on solutions designed to control and protect such data. We believe that traditional security and compliance products do not address the evolving needs of enterprises or do not do so adequately, and that this presents us with a large market opportunity. To capitalize on this opportunity, we have introduced and expect that in the future we will need to continue to introduce innovations to our broad business security solutions, including solutions to address cyber-security opportunities that arise as enterprises pursue cloud computing initiatives. We cannot assure you that our products will achieve widespread market acceptance or that we will properly anticipate future customer needs. Moreover, if our products do not satisfy evolving customer requirements, we will not capture the increase in spending that we expect will result from enterprises seeking to secure data across various systems in the data center.

Invest in Sales and Marketing. In order to capitalize on the anticipated increase in spending in the cyber-security market, we will need to continue to invest significant resources to further strengthen our existing relationships with channel partners, extend our global network by adding new channel partners and grow our sales and marketing team. Any investments that we make in our sales and marketing will occur in advance of our experiencing any benefits from such investments, and so it may be difficult for us to determine if we are efficiently allocating our resources in this area. We cannot assure you that the investments that we intend to make to strengthen our sales and marketing efforts will enable us to capitalize on the expected increase in spending in the cyber-security market or result in an increase in revenue or an improvement in our results of operations.

Address Needs of Smaller Enterprises. As market awareness of the benefits of a comprehensive cyber-security solution increases, we believe there is a significant opportunity to provide cyber-security solutions to smaller enterprises as they confront increasing security threats and compliance mandates. To capitalize on this opportunity, we intend to increase our business with mid-market enterprises and SMBs by expanding our cloud-based service offerings and our distribution channel. We have made, and may in the future continue to make, significant investments in our cloud-based security products to address the business security needs of mid-market enterprises and SMBs. If our cloud-based security products, which are relatively new, fail to gain broad acceptance with mid-market enterprises and SMBs, our revenue growth, results of operations and competitive position in our industry could suffer.

Compete Effectively. We operate in an intensely competitive market that has witnessed significant consolidation in recent years with large companies acquiring many of our competitors. We track our success rate in competitive sales opportunities against certain competitors, some of which generate higher revenues and have greater market capitalizations than we do, and many of which are more established or have greater name recognition within our industry. Based upon our internal tracking of the results of such competitive sales opportunities, we believe that we have historically competed favorably against our larger competitors, and that we have a proven track record of successfully competing against such larger competitors. Nonetheless, some of our larger competitors have numerous advantages, including, but not limited to, greater financial resources, broader product offerings and more established relationships with channel partners and customers. If we are unable to compete effectively for a share of the business security market, our business, results of operations and financial condition could be materially and adversely affected.

To date, we have incurred, and continue to incur, losses from operations and net losses. However, we believe that our existing cash, cash equivalents and short-term investments will be sufficient to meet our working capital and capital expenditure needs for at least the next 12 months. Further, we expect that, if we successfully execute our business plan and strategy, our loss from operations and our net losses will decline, and that we will reach profitability. Should we need additional cash in the future, we may enter into one or more lines of credit or raise funds through the sale of equity securities.

Key Metrics of Our Business

We monitor the key financial metrics discussed below to help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operational efficiencies.

Net Revenue. We measure our net revenue to assess the acceptance of our products from our customers, our growth in the markets we serve and to help us establish our strategic and operating plans for future periods. We discuss the components of our net revenue in “—Financial Overview—Net Revenue” below.

Gross Margin. We monitor our gross margin to assess the impact on our current and forecasted financial results from any changes to the pricing and mix of products we are selling to our customers.

Loss from Operations. We track our loss from operations to assess how effectively we are planning and monitoring our operations as well as controlling our operational costs, which are primarily driven by headcount.

Cash, Cash Equivalents and Short-term Investments. We evaluate the level of our cash, cash equivalents and short-term investments to ensure we have sufficient liquidity to fund our operations, including the development of future products and product enhancements and the expansion into new sales channels and territories.

Number of Customers. We believe our customer count is a key indicator of our market penetration, the productivity of our sales organization and the value that our products bring to our customer base. We also believe our existing customers represent significant future revenue opportunities for us.

We discuss for the periods presented revenue, gross margin, the components of loss from operations and number of customers further below under “—Segments” and “—Results of Operations”, as applicable, and we discuss our cash and cash equivalents under “—Liquidity and Capital Resources.”

We also believe that deferred revenue and cash flow from operations are key financial metrics for our business. The components of deferred revenue and cash flow from operations, as well as our rationale for monitoring these metrics, are discussed immediately below this table:

 

 

 

(in thousands, except number of customers and percentages)

| Years ended (or as of December 31) | 2016 | 2015 | 2014 |
|---|---|---|---|
| Net revenue | $264,455 | $234,298 | $164,010 |
| Gross margin | 79.6% | 79.7% | 77.7% |
| Loss from operations | $(69,030) | $(47,798) | $(57,775) |
| Total deferred revenue | $130,471 | $106,657 | $81,175 |
| Cash, cash equivalents and short-term investments | $261,092 | $264,807 | $109,720 |
| Net cash provided by operations | $22,494 | $23,867 | $4,126 |
| Number of customers | 5,291 | 4,541 | 3,785 |

 

 

Deferred Revenue

Our deferred revenue consists of amounts that have been invoiced but that have not yet been recognized as revenue. The majority of our deferred revenue balance consists of the unrecognized portion of services revenue from maintenance and support, and subscription contracts. We monitor our deferred revenue balance because it represents a significant portion of revenue to be recognized in future periods. We also assess the increase in our deferred revenue balance plus revenue we recognized in a particular period as a measure of our sales activity for that period. While the change in our deferred revenue and revenue recognized in a given period comprise the majority of our sales activity during that period, they do not constitute the entire sales activity during the period. Our total sales activity also includes sales of products and services for which we have not yet met the criteria to recognize revenue or add such amounts to our deferred revenue balance. Revenue and deferred revenue from these transactions is recognized or recorded in future periods when we have met the required criteria. We discuss for the periods presented deferred revenue further below under “—Results of Operations.”

Net Cash Provided by Operations

We monitor cash flow from operations as a measure of our overall business performance. Our cash flow from operations is driven primarily by sales of our products and licenses and, to a lesser extent, from up-front payments from customers under maintenance and support contracts. Our primary uses of cash in operating activities are for personnel-related expenditures, costs of acquiring the hardware used for our appliances, sales, marketing and promotional expenses and costs related to our facilities. Monitoring cash flow from operations enables us to analyze our financial performance without the non-cash effects of certain items such as depreciation and amortization and stock-based compensation expenses, thereby allowing us to better understand and manage the cash needs of our business.

Segments

Operating segments are components of an enterprise for which separate financial information is available and is evaluated regularly by our chief operating decision maker in deciding how to allocate resources and in assessing performance. Our chief operating decision maker is the Chief Executive Officer.

We operate our business in one operating segment, which is the development, marketing, sales, service and support of cyber-security solutions that protect business critical data and applications, whether in the cloud or on premises.

Financial Overview

Net Revenue

We derive our revenue from sales and licenses of our products and sales of our services. As discussed further in “—Critical Accounting Policies and Estimates—Revenue Recognition” below, revenue is recognized when persuasive evidence of an arrangement exists, delivery has occurred, the price is fixed or determinable and collection is probable.

Our net revenue is comprised of the following:

 

Products and License Revenue—Product and license revenue is generated from sales of perpetual software licenses installed on hardware appliances or virtual appliances for our SecureSphere product line. Our SecureSphere product line consists of database security, file security and web application security. We offer multiple hardware appliance versions that accompany our software, each with different throughput capacities. Perpetual software license revenue is generated from sales of our appliances, licenses for additional users and add-on software modules. We also generate a small amount of hardware revenue from sales of spares or replacement appliances, demonstration units, third-party OEM units and accessories.

 

Services Revenue—Services revenue consists of maintenance and support, professional services and training and subscriptions. Maintenance and support revenue is generated from support services that are bundled with appliances and add-on software modules. There are three levels of maintenance and support—Standard, Enhanced and Premium—and these are usually offered through agreements for one to three-year terms. Maintenance and support includes major and minor when-and-if available software updates; customer care, which includes our designated support engineer and Imperva resident engineer programs; content updates from our advanced security research group, the IDC, and hardware replacement. Professional services revenue consists of fees we earn related to implementation and consulting services we provide our customers. Training services revenue consists of fees we earn related to training customers and partners on the use of our products. Subscription revenue is generated from sales of our cloud-based services. We expect that the services revenue from maintenance and support contracts will continue to grow along with the increase in the size of our installed base. We also expect subscription revenue will increase as our cloud-based services continue to increase.

A majority of our products and services are sold to customers in the United States; however, a significant portion of our revenue is generated from international sales. See Note 15 of “Notes to Consolidated Financial Statements” for a discussion of our financial information by geographic region. Our revenue by geographic region is as follows (in thousands):

 

 

 

| Years ended December 31, | 2016 | 2015 | 2014 |
|---|---|---|---|
| United States | $143,607 | $141,225 | $87,155 |
| EMEA | 50,838 | 47,429 | 39,579 |
| APAC | 48,391 | 30,180 | 27,798 |
| Other | 21,619 | 15,464 | 9,478 |
| Total net revenue | $264,455 | $234,298 | $164,010 |

 

Cost of Revenue

Our total cost of revenue is comprised of the following:

 

Cost of Products and License Revenue—Cost of products and license revenue is comprised primarily of third-party hardware costs and royalty fees. Our cost of products and license revenue also includes personnel costs related to our operations team, shipping costs and write-offs for excess and obsolete inventory.

 

Cost of Services Revenue—Cost of services revenue is primarily comprised of personnel costs of our technical support team, our professional consulting services and training teams and our Security Operations Center (“SOC”) team. Cost of services revenue also includes facilities costs, subscription fees and depreciation. We expect that our cost of services revenue will increase in absolute dollars as we increase our headcount.

Operating Expenses

Our operating expenses consist of research and development, sales and marketing, general and administrative expenses, restructuring charges and amortization of acquired intangible assets. Personnel costs are the most significant component of our operating expenses and consist of wages, benefits and bonuses and, with regard to the sales and marketing expense, sales commissions. Personnel costs also include stock-based compensation. We expect personnel costs to continue to increase in absolute dollars as we hire new employees to continue to grow our business.

Research and Development

Our research and development is focused on maintaining and improving our existing products and on new product development. A majority of our research and development expenses are comprised of personnel costs including stock-based compensation, and, to a lesser extent, facility costs, hardware prototype costs, laboratory expenses and depreciation. We expense research and development costs as incurred. We expect our research and development expenses to increase in absolute dollars as we continue to enhance our existing products and develop new products and services that address the emerging market for business security and regulatory compliance.

Sales and Marketing

Sales and marketing expense is the largest component of our operating expenses and consists primarily of personnel costs, including commissions, stock-based compensation and travel expenses. Sales and marketing expenses also include costs related to marketing and promotional activities, third-party referral fees and, to a lesser extent, facilities costs and depreciation. We expect our sales and marketing expenses to increase in absolute dollars as we expand our sales and marketing efforts worldwide.

General and Administrative

General and administrative expense consists primarily of personnel costs, including stock-based compensation, as well as professional fees, facilities costs and depreciation. General and administrative personnel costs include our executive, finance, purchasing, order entry, human resources, information technology and legal functions. Our professional fees consist primarily of accounting, external legal, information technology and other consulting costs.

Restructuring charges

In October 2016, we initiated a business restructuring plan to reduce sales, marketing and general and administrative expenses through reductions in headcount and spending generally. The expenses incurred primarily consisted of employee severance charges and other termination-related costs. We do not expect to incur significant additional restructuring costs associated with this plan in future periods. We did not incur any expenses related to restructuring activities in 2015 and 2014.

Amortization of Acquired Intangible Assets

Amortization of acquired intangible assets consists of amortization of intangible assets from the acquisitions of Skyfence and Tomium that occurred in the first quarter of 2014 and Camouflage in the fourth quarter of 2016.

Other Income (Expense), net

Other income (expense), net is comprised of the following items:

 

Interest Income—Interest income consists of interest earned on our cash, cash equivalents and short-term investments. We expect interest income will vary each reporting period depending on our average investment balances during the period and market interest rates.

 

Interest Expense—Interest expense consists of interest accrued or paid on debt obligations.

 

Foreign Currency Forward Contract Gains (Losses)—Foreign currency forward contract gains and losses pertain to the ineffective portion of derivative instruments designated as hedges that we have entered into primarily to manage our exposure to the variability in expected future expenses resulting from changes in foreign currency exchange rates. We do not use derivative financial instruments for speculative or trading purposes.

 

Foreign Currency Exchange Gains (Losses)—Foreign currency exchange gains and losses relate to transactions denominated in currencies other than the U.S. Dollar.

Provision for Income Taxes

We operate in several income tax jurisdictions and are subject to income taxes in each country or jurisdiction in which we conduct business including the United States and Israel. Earnings from our non-U.S. activities are subject to local country income tax and may be subject to U.S. income tax if such earnings are distributed to the U.S. To date, we have incurred net losses and have recorded insignificant U.S. federal income tax expense. Our income tax expense to date relates primarily to foreign income taxes, mainly from our Israeli and United Kingdom activities, and to a lesser extent, state income taxes.

Results of Operations

The following table is a summary of our consolidated statements of operations in dollars and as a percentage of our total net revenue. We have derived the data for the years ended December 31, 2016, 2015 and 2014 from our audited consolidated financial statements included elsewhere in this Annual Report on Form 10-K.

 

 

 

Years Ended December 31,

 

 

 

2016

 

 

2015

 

 

2014

 

 

 

Amount

 

 

% of Net

Revenue

 

 

Amount

 

 

% of Net

Revenue

 

 

Amount

 

 

% of Net

Revenue

 

 

 

(dollars in thousands)

 

Statement of Operations Data:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Net revenue:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Products and license

 

$

86,798

 

 

 

32.8

 

 

$

107,563

 

 

 

46.0

 

 

$

74,299

 

 

 

45.3

 

Services:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Maintenance and support

 

 

80,007

 

 

 

30.3

 

 

 

66,380

 

 

 

28.3

 

 

 

54,795