Item 1A. Risk Factors
An investment in our Class A common stock involves a high degree of risk. You should carefully consider these risk factors, together with all of the other information included in this Annual Report on Form 10-K, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes, before deciding whether to invest in our Class A common stock. The risks and uncertainties described below may not be the only ones we face. If any of the risks actually occur, our business, financial condition, results of operations, cash flows and prospects could be adversely affected. In that event, the market price of our Class A common stock could decline, and you could lose part or all of your investment.
Risk Factor Summary
Our business is subject to a number of risks, including those outside of our control, that may adversely affect our business, financial condition, results of operations, cash flows and prospects. These risks are discussed more fully below and include, but are not limited to:
Risks Related to Our Business and Industry
• Our limited operating history including history of losses;
• We have experienced rapid growth in recent periods and could experience difficulties managing our future growth;
• Our long-term focus on growth;
• Our ability to attract new customers and retain our existing customers;
• Failure to effectively develop and expand our sales and marketing capabilities or maintain successful relationships with our channel partners;
• Our exposure to risks related to international operations and plans for future international expansion;
• A network, systems or data security incident may allow unauthorized access to our network, systems or data or our customer’s data;
• Our reliance upon Software-as-a-Service, or “SaaS”, technologies from third parties to operate our business;
• The delayed reflection of new sales in our results due to recognizing revenue over the term of our customer contracts;
• The application of or changes in complex accounting rules;
• We must maintain an effective system of internal controls over our financial reporting in order to produce timely and accurate financial statements and comply with applicable regulations;
• The requirements of being a public company may strain our resources and divert management’s attention;
Risks Related to Our Platform and Products
• Our ability to develop or acquire new products and/or provide successful updates, enhancements and features to our technology;
• Interruptions or delays in the services provided by third-party data centers or internet service providers;
• Failure of our platform and/or our products to perform properly;
Risks Related to Our Intellectual Property
• An exposure to an infringement claim or a claim that results in a significant damage award;
• Our ability to protect our proprietary rights;
• Usage of open source software in our products;
• Usage of third party technology and software in our platform and products;
Risks Related to Government Regulations and Taxation
• Our failure to comply with evolving data privacy and other data related laws and requirements;
• Our failure to comply with laws and regulations, including governmental export and import controls, economic sanctions or anti-boycott laws;
• Adverse changes in tax laws or regulations in the various jurisdictions where we are subject to taxation;
Governance Risks and Risks Related to Ownership of Our Class A Common Stock
• The dual-class structure of our common stock, which has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our IPO;
• The volatility of the market price of our Class A common stock;
• We have no intention of paying dividends in the foreseeable future;
• Potential dilution to our existing stockholders due to the issuance of additional stock in connection with financings, acquisitions, investments, or our equity incentive and employee stock purchase plans;
Risks Related to Macroeconomic Conditions
• Adverse economic conditions or reduced IT security spending; and
• The unpredictability of the impact of the COVID-19 pandemic.
Risks Related to Our Business and Industry
We have a limited operating history, which makes it difficult to forecast our revenue and evaluate our business and future prospects.
We have been in existence since 2010 and much of our growth has occurred in recent periods. As a result of our limited operating history, our ability to forecast our future results of operations and model future growth is limited and subject to a number of uncertainties. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in rapidly changing industries. Accordingly, we may be unable to prepare accurate internal financial forecasts or replace anticipated revenue that we do not receive as a result of these risks and uncertainties, and our results of operations in future reporting periods may be below the expectations of investors. If we do not address these risks successfully, our results of operations could differ materially from our estimates and forecasts or the expectations of investors, causing our business to suffer and our stock price to decline.
We have a history of losses and may not be able to achieve or sustain profitability in the future.
We have incurred net losses in all annual periods since our inception, and we expect we will continue to incur net losses for the foreseeable future. We experienced net losses of $11.8 million, $2.4 million, and $124.3 million for the years ended December 31, 2021, 2020, and 2019, respectively, and as of December 31, 2021, we had an accumulated deficit of $173.1 million. Because the market for our platform and products has not yet reached widespread adoption, it is difficult for us to predict our future results of operations. We expect our operating expenses to increase significantly over the next several years, as we continue to hire additional personnel,
particularly in sales and marketing, expand our operations and infrastructure, both domestically and internationally, and continue to develop our platform and products. In addition to the expected costs to grow our business, we also expect to incur significant additional legal, accounting and other expenses as a newly public company. If we fail to increase our revenue to offset the increases in our operating expenses, we may not achieve or sustain profitability in the future.
We have experienced rapid growth in recent periods, and if we do not manage our future growth, our business and results of operations will be adversely affected.
We have experienced rapid growth in recent periods and we expect to continue to invest broadly across our organization to support our growth. Although we have experienced rapid growth historically, we may not sustain our current growth rates nor can we assure you that our investments to support our growth will be successful. The growth and expansion of our business will require us to invest significant financial and operational resources and will require the continuous dedication of our management team. We have encountered and will continue to encounter risks and difficulties frequently experienced by rapidly growing companies in evolving industries, including market acceptance of our platform and products, adding new customers, intense competition and our ability to manage our costs and operating expenses. Our future success will depend in part on our ability to manage our growth effectively, and if we fail to do so, our ability to ensure uninterrupted operation of our platform and products, comply with the rules and regulations applicable to our business and adequately address competitive challenges could be impaired. Any of the foregoing could affect our business, financial condition and results of operations.
We believe our long-term value as a company will be greater if we focus on growth, which may negatively impact our profitability in the near term.
Part of our business strategy is to primarily focus on our long-term growth. As a result, our profitability may be lower in the near term than it would be if our strategy were to maximize short-term profitability. Significant expenditures on sales and marketing efforts, growing our platform and products and expanding our research and development, each of which we intend to continue to invest in, may not ultimately grow our business or cause long-term profitability. If we are ultimately unable to achieve profitability at the level anticipated by industry or financial analysts and our stockholders, our stock price may decline.
If we do not expand our current customer base by attracting new customers and retaining our existing customers our business, financial condition and results of operations could be harmed.
Since our customers tend to adopt our platform across their entire organization, to increase our revenue and achieve and maintain profitability, we must expand our customer base by attracting new customers and retaining our existing customers. To attract new customers, we must drive a broader awareness of the pervasive risks of social engineering. We will continue to invest in our inside sales force complemented by a channel strategy designed to increase brand awareness and to enable us to reach new territories and acquire new customers. Numerous factors, however, may impede our ability to acquire new customers, including our failure to recruit talented sales and marketing personnel and to retain and motivate our current sales and marketing personnel, to develop or expand relationships with effective channel partners and managed service providers, or MSPs, to successfully deploy products for new customers, to provide quality customer support once deployed and to execute on our marketing strategies.
Further, our customers have no obligation to renew their subscriptions for our platform and products after the expiration of their contractual period, which is typically one to three years, and in the normal course of business, some customers have elected not to renew. In addition, our customers may renew for fewer products, renew for shorter contract lengths or switch to a lower-cost subscription. If our customers do not renew their subscriptions, we could incur impairment losses related to our deferred contract acquisition costs. It is difficult to accurately predict long-term customer retention because of our varied customer base and given the length of our subscription contracts. Our customer retention and expansion may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with our products, our customer support, our prices and pricing plans, our customers’
spending levels, mergers and acquisitions involving our customers, competition and deteriorating general economic conditions.
Failure to effectively develop and expand our sales and marketing capabilities or maintain successful relationships with our channel partners could harm our ability to increase our customer base and achieve broader market acceptance of our products.
Our ability to increase our customer base and achieve broader market acceptance of our platform and products will depend to a significant extent on our ability to expand our sales and marketing operations and to maintain successful relationships with our channel partners. We plan to continue expanding our direct inside sales force and engaging additional channel partners, both domestically and internationally. This expansion will require us to invest significant financial and other resources and our business will be harmed if our efforts do not generate a corresponding increase in revenue. We may not achieve anticipated revenue growth from expanding our direct sales force if we are unable to hire and develop talented direct inside sales personnel, if our new direct inside sales personnel are unable to achieve desired productivity levels in a reasonable period of time or if we are unable to retain our existing direct inside sales personnel.
In order to grow our business, we anticipate that we will continue to depend on our relationships with our channel partners who we rely on, in addition to our direct sales force, to sell and support our products. We utilize channel partners to efficiently increase the scale of our marketing and sales efforts and increase our market penetration to customers who we otherwise might not reach on our own. Our agreements with our channel partners are generally non-exclusive, meaning our channel partners may offer customers competitive products from different companies, and generally allow the channel partner to terminate its agreements with us for any reason upon 30 days’ notice. For example, some of our channel partners also sell or provide integration and administration services for our competitors’ products, and if such channel partners devote greater resources to marketing, reselling and supporting competing products, this could harm our business, financial condition and results of operations. If our channel partners do not effectively market and sell our products, choose to use greater efforts to market and sell their own products or those of others or fail to meet the needs of our customers, our ability to grow our business, sell our products and maintain our reputation may be affected. The of key channel partners, our possible to replace them or the to recruit additional channel partners could materially and affect our results of operations. If we are to maintain our relationships with these channel partners, our business, financial condition, results of operations or cash flows could be affected.
Our international operations and plans for future international expansion expose us to significant risks, and failure to manage those risks could adversely impact our business, financial condition and results of operations.
We derived 15.9%, 11.9%, and 9.7% of our total revenue from international customers for the years ended December 31, 2021, 2020 and 2019, respectively. We are continuing to adapt to and develop strategies to address international markets and our growth strategy includes expansion into various international jurisdictions, but there is no guarantee that such efforts will be successful. We expect that our international activities will continue to grow in the future, as we continue to pursue opportunities in international markets. These international operations will require significant management attention and financial resources and are subject to substantial risks, including but not limited to:
• greater difficulty in negotiating contracts with standard terms, enforcing contracts and managing collections and longer collection periods;
• higher costs of doing business internationally, including costs incurred in establishing and maintaining office space and equipment for our international operations;
• management communication and integration problems resulting from cultural and geographic dispersion;
• risks associated with trade restrictions and foreign legal requirements, including any importation, certification and localization of our platform and products that may be required in foreign countries;
• greater risk of unexpected changes in regulatory practices, tariffs and tax laws and treaties;
• compliance with anti-bribery laws;
• heightened risk of unfair or corrupt business practices and of improper or fraudulent sales arrangements;
• the uncertainty of protection for intellectual property rights in some countries;
• general economic and political conditions or events in these foreign markets, including, but not limited to, sanctioned countries, governments and industries around the world and other geopolitical uncertainty and instability, such as the ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the United States and other countries, and retaliatory actions taken by Russia in response to such sanctions;
• foreign exchange controls or tax regulations that might prevent us from repatriating cash earned outside the United States;
• double taxation of our international earnings and potentially adverse tax consequences due to changes in the tax laws of the United States or the foreign jurisdictions in which we operate;
• unexpected costs for the localization of our services, including translation into foreign languages and adaptation for local practices and regulatory requirements;
• requirements to comply with foreign privacy, data protection and information security laws and regulations, and the risks and costs of noncompliance;
• greater difficulty in identifying, attracting and retaining local qualified personnel, and the costs and expenses associated with such activities;
• greater difficulty identifying qualified channel partners and maintaining successful relationships with such partners; and
• differing employment practices and labor relations issues.
As we continue to develop and grow our business globally, our success will depend in large part on our ability to anticipate and effectively manage these risks. The expansion of our existing international operations and entry into additional international markets will require significant management attention and financial resources. Our failure to successfully manage our international operations and the associated risks could limit the future growth of our business.
A network, systems or data security incident may allow unauthorized access to our network, systems or data or our customers’ data, harm our reputation, create additional liability and adversely impact our financial results.
Increasingly, companies are subject to a wide variety of attacks on their networks and systems on an ongoing basis. These attacks include, but are not limited to, hacking, the use of phishing and other forms of social engineering, attempts to introduce malicious code (such as viruses, ransomware or other malware) into the systems and networks used in our business, employee or contractor error or intentional acts, including theft or misuse, denial of service or other brute force attacks, and sophisticated attacks perpetrated by nation-state and nation-state supported actors. Despite significant efforts to create security barriers to such threats, it is virtually impossible for us to entirely mitigate these risks, in particular, as the frequency and sophistication of cyberattacks increases. For example, cybersecurity researchers anticipate an increase in activity in connection with the Russia’s actions in Ukraine . The security measures we have integrated into our internal networks and systems, and into our platform and products may not function as expected or may not be sufficient to protect our internal networks, platform and products certain attacks. In addition, techniques used to or to obtain access to networks in which data is stored or through which data is transmitted change frequently and generally are not recognized until launched a target. As a result, we may be to anticipate these techniques or implement adequate measures to prevent an electronic into our networks or systems, access to, or of, or alteration, use or disclosure of data or other security or
incidents. We also may face difficulties or delays in identifying, remediating and responding to attacks and actual or perceived security breaches and incidents.
Third parties also may attempt to fraudulently induce employees or customers into disclosing sensitive information such as user names, passwords or other information or otherwise compromise the security of our networks, electronic systems and/or physical facilities in order to gain access to our data or our customers’ data, which could result in significant legal and financial exposure, the loss, alteration or compromise of our sensitive or otherwise critical business information, a loss of confidence in the security of our platform and products, interruptions or malfunctions in our operations, and, ultimately, harm to our future business prospects and revenue. As a well-known provider of products in the security awareness market, we may be a particularly attractive target for these and other forms of attacks. Further, with many of our employees and other personnel working remotely, the security risks we and our service providers face are heightened.
Our customers’ storage and use of data concerning, among others, their employees, contractors, customers and partners is essential to their use of our platform and products, which stores, transmits and processes customers’ proprietary information and personally identifiable information. If a security breach or incident compromising the security of customer data were to occur or to be perceived to occur, as a result of third-party action, employee or contractor error, malfeasance or otherwise, and the confidentiality, integrity or availability of our customers’ data was disrupted or believed to have been disrupted, we could face claims by and incur significant liability to our customers and to individuals or businesses whose information was being stored by our customers. In addition, a network, systems or other security breach or incident, whether or not impacting or being perceived to impact the confidentiality, integrity or availability of our customers’ data, could result in the of customers and make it more to acquire new customers.
In addition, security breaches and incidents impacting our platform and products could result in a risk of loss, unavailability or unauthorized access to or alteration, use, disclosure, or other processing of information maintained on or processed by our platform and products, which, in turn, could lead to claims, litigation, governmental audits and investigations and possible liability, damage our relationships with our existing customers and have a negative impact on our ability to attract and retain new customers. These breaches or incidents or any perceived breach or incident, of our employees, contractors, networks or systems, in particular, because of our position as a security awareness company, may also confidence in our platform or products and result in to our reputation, publicity, of channel partners, customers and sales, increased costs to remedy any and . In addition, a security or impacting one of our key channel partners or independent software vendors could result in the exfiltration of confidential corporate information or other data that may provide additional avenues of attack. If a high profile security or occurs with respect to another SaaS provider, our customers and potential customers may trust in the security of the SaaS business model generally, which could impact our ability to retain existing customers or attract new ones, potentially causing a impact on our business. Any of these outcomes could impact market acceptance of our products and could our business, financial condition and results of operations.
We may be required to expend significant capital and financial resources to protect against the foregoing threats and to alleviate problems caused by actual or perceived security breaches or incidents. While we maintain insurance that may cover certain liabilities relating to security breaches or incidents, subject to applicable deductibles and policy limitations, our insurance may be insufficient to cover all liabilities incurred, which could have a material adverse effect on our business, financial condition and results of operations. Additionally, we cannot be certain that insurance coverage will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim.
We rely upon SaaS technologies from third parties to operate our business, and interruptions or performance problems with these technologies may adversely affect our business, financial condition and results of operations.
We rely on hosted SaaS applications from third parties in order to operate critical functions of our business, including platform delivery, enterprise resource planning, customer relationship management, billing, project management and accounting and financial reporting. If these services become unavailable due to extended outages, interruptions or because they are no longer available on commercially reasonable terms, our expenses could
increase, our ability to manage finances could be interrupted and our processes for managing sales of our platform and products and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and implemented, all of which could adversely affect our business, financial condition and results of operations.
We recognize revenue from subscriptions over the term of our customer contracts, and as such, our reported revenue and related metrics may differ significantly in a given period, and our revenue in any period may not be indicative of our financial health and future performance.
A substantial majority of our revenue is recognized over the term of our customer contracts. As a result, much of the revenue we report each quarter is derived from contracts that we entered into with customers in prior periods. Consequently, a decline in new or renewed subscriptions in any quarter will not be fully reflected in revenue or other results of operations in that quarter but will negatively affect our revenue and other results of operations across future quarters. Any increases in the average term of subscriptions would result in revenue for those contracts being recognized over longer periods of time with less positive impact on our results of operations in the near term. Accordingly, our revenue in any given period may not be an accurate indicator of our financial health and future performance.
The market in which we participate is competitive, and if we do not compete effectively, our business, financial condition and results of operations could be harmed.
The market for our platform and products is rapidly evolving and fragmented, and we expect competition to increase in the future. Although we believe competitors who specifically attempt to manage the ongoing problem of social engineering are currently limited, a number of companies have developed, or are developing, products that currently are, or in the future may be, competitive with our offerings. For example, certain larger enterprise providers, such as Proofpoint, Mimecast and Cofense, all attempt to address human risk through a product offering that is often tied to other products and is not given a singular focus. Nevertheless, competition continues to increase in the market segments in which we operate, and we expect competition to further increase in the future. Larger competitors with more diverse product and service offerings may reduce the price of products or subscriptions that compete with ours or may bundle them with other products and subscriptions. These competitive pressures may cause our subscription prices to decline for a variety of reasons, including competitive pricing pressures, discounts, anticipation of the introduction of new products by competitors or promotional programs offered by us or our competitors. As a result, as competition in our market increases, it could result in increased pricing pressure, decreased revenue, increased sales and marketing expenses and loss of market share for us, any of which could adversely affect our business, financial condition and results of operations.
We may experience quarterly fluctuations in our results of operations due to a number of factors, including increasing variability in our sales cycles. These fluctuations make our future results difficult to predict and could cause our results of operations to fall below analyst or investor expectations.
Our quarterly results of operations fluctuate as a result of a number of factors, many of which are outside of our control and may be difficult to predict, including, but not limited to:
• the level of demand for our platform and products;
• the timing and success of new product introductions by us or our competitors or any other change in the competitive landscape of our market;
• pricing pressure as a result of competition or otherwise;
• the length and predictability of our sales cycle;
• seasonal buying patterns for IT spending;
• errors in forecasting the demand for our products, which could lead to lower revenue, increased costs or both;
• increases in and timing of sales and marketing and other operating expenses that we may incur to grow and expand our operations and to remain competitive;
• credit or other difficulties confronting our channel partners;
• adverse litigation judgments, settlements or other litigation-related costs;
• changes in the legislative or regulatory environment, including with respect to privacy, data protection and security and enforcement by government regulators, including fines, orders or consent decrees;
• system failures or actual or perceived security breaches;
• fluctuations in foreign currency exchange rates;
• costs related to the acquisition of businesses, talent, technologies or intellectual property, including potentially significant amortization costs and possible write-downs; and
• general economic conditions in either domestic or international markets, including geopolitical uncertainty and instability, such as the ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the United States and other countries, and retaliatory actions taken by Russia in response to such sanctions.
Any one or more of the factors above may result in significant fluctuations in our results of operations. As we continue to focus on sales to larger organizations, we expect our sales cycles to lengthen and become less predictable. You should not rely on our past results as an indicator of our future performance. The variability and unpredictability of our quarterly results of operations or other operating metrics could result in our failure to meet our expectations or those of analysts that cover us or investors with respect to revenue or other metrics for a particular period. If we fail to meet or exceed such expectations for these or any other reasons, the market price of our Class A common stock could fall substantially, and we could face costly lawsuits, including securities class action suits.
If we fail to maintain an effective system of internal controls over our financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
As a public company, we are subject to the reporting and corporate governance requirements of the Securities Exchange Act of 1934, as amended, or the Exchange Act, the listing requirements of Nasdaq and other applicable securities rules and regulations, including the Sarbanes-Oxley Act of 2002 and the Dodd-Frank Wall Street Reform and Consumer Protection Act. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended and anticipate we will continue to expend significant resources, including accounting-related costs, and provide significant management oversight. Any failure to develop or maintain effective controls, or any difficulties encountered in their implementation or improvement, could harm our operating results or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any to implement and maintain internal controls also could affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we are required to include in our periodic reports that we will file with the SEC under Section 404 of the Sarbanes-Oxley Act.
We are not currently required to comply with the SEC rules that implement Section 404 of the Sarbanes-Oxley Act, and we are therefore not required to make a formal assessment of the effectiveness of our internal controls over financial reporting for that purpose. As a public company, we are required to comply with certain rules, which require management to certify financial and other information in our quarterly and annual reports and provide an annual management report on the effectiveness of our internal control over financial reporting commencing with our second Annual Report on Form 10-K. Additionally, our independent registered public accounting firm is not required to formally attest to the effectiveness of our internal control over financial reporting until after we are no
longer an emerging growth company. At such time, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our controls are documented, designed or operating. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the market price of our Class A common stock.
The requirements of being a public company may strain our resources and divert management’s attention.
As a public company, we are subject to the reporting and corporate governance requirements of the Exchange Act, the listing requirements of Nasdaq and other applicable securities rules and regulations. Among other things, the Exchange Act requires that we file annual, quarterly and current reports with respect to our business, financial condition and results of operations and maintain effective disclosure controls and procedures and internal control over financial reporting. Compliance with these rules and regulations will increase our legal and financial compliance costs, make some activities more difficult, time-consuming or costly and increase demand on our systems and resources, particularly after we are no longer an “emerging growth company” as defined in the Jumpstart Our Business Startups Act of 2012, or the JOBS Act. In addition, as a public company, we may be subject to stockholder activism, which can lead to additional substantial costs, distract management and impact the manner in which we operate our business in ways we cannot currently anticipate. As a result of disclosure of information in the filings required of a public company, our business, financial condition and results of operations will become more visible, which may result in threatened or actual litigation, including by competitors and other third parties. These new obligations and constituents will require significant attention from our senior management and could their attention away from the day-to-day management of our business, which could affect our business, financial condition, and results of operations.
We depend on our executive officers and other key employees, the loss of whom could adversely affect our business.
We believe that our success is substantially dependent on our ability to attract, retain and motivate the members of our management team and other key employees throughout our organization. Although we have entered into employment agreements with our leadership team, our employees, including our executive officers, work for us on an “at-will” basis, which means they may terminate their employment with us at any time. In particular, we depend on the services of Stu Sjouwerman, our founder and Chief Executive Officer, who is critical to our future vision and strategic direction. We rely on our leadership team in the areas of research and development, operations, security, marketing, sales, customer support and general and administrative functions. If Mr. Sjouwerman or one or more of our key employees or members of our management team resigns or otherwise ceases to provide us with their service, and if we fail to have in place and execute an effective succession plan for key executives, our business could be harmed.
In addition, because our future success is dependent on our ability to continue to refresh and enhance our library of differentiated security awareness content and expand our platform features, we are heavily dependent on our ability to attract and retain qualified personnel with the requisite background and industry experience to drive content creation and product development. As we expand our business domestically and globally, our continued success will also depend on our ability to attract and retain qualified content development personnel capable of creating localized, culturally relevant security awareness content, as well as to attract and retain qualified sales, marketing and operational personnel capable of supporting a larger and more diverse customer base. The loss of the services of a significant number of our content, technology or sales personnel could be disruptive to our content and product development efforts, which could harm our ability to retain existing customers and to expand our global customer base.
The nature of our business requires the application of complex accounting rules, including revenue and expense recognition rules, and any significant changes in current rules, or interpretations thereof, could affect our financial statements and results of operations.
The accounting rules and regulations that we must comply with are complex and subject to interpretation by the Financial Accounting Standards Board, or the FASB, the Securities and Exchange Commission, or the SEC, and various bodies formed to promulgate and interpret appropriate accounting principles. Recent actions and public
comments from the FASB and the SEC have been focused on the integrity of financial reporting and internal controls over financial reporting. Many companies’ accounting policies and practices are being subject to heightened scrutiny by regulators and the public. In addition, the accounting rules and regulations are continually changing in ways that could materially impact our financial statements. We cannot predict the impact of future changes to accounting principles or our accounting policies on our financial statements going forward, which could significantly affect our reported financial results and could affect the reporting of transactions completed before the announcement of the change. Further, if we were to change our critical accounting estimates, our results of operations could be significantly affected.
Any future litigation against us could be costly and time-consuming to defend.
We may become subject to legal proceedings and claims that arise in the ordinary course of business, such as claims brought by our customers in connection with commercial disputes or employment claims made by our current or former employees. Litigation might result in substantial costs and may divert management’s attention and resources, which might seriously harm our business, financial condition and results of operations. Insurance might not cover such claims, might not provide sufficient payments to cover all the costs to resolve one or more such claims and might not continue to be available on terms acceptable to us (including premium increases or the imposition of large deductible or co-insurance requirements). A claim brought against us that is uninsured or could result in costs, potentially our business, financial position and results of operations. In addition, we cannot be sure that our existing insurance coverage and coverage for and will continue to be available on acceptable terms or that our insurers will not coverage as to any future claim.
Acquisitions, strategic investments, partnerships, or alliances could be difficult to identify, pose integration challenges, divert the attention of management, disrupt our business, dilute stockholder value, and adversely affect our business, financial condition and results of operations.
We have in the past and may in the future seek to acquire or invest in businesses, joint ventures, products and platform capabilities, or technologies that we believe could complement or expand our platform and product offerings, enhance our technical capabilities, or otherwise offer growth opportunities. Any such acquisition or investment may divert the attention of management and cause us to incur various expenses in identifying, investigating and pursuing suitable opportunities, whether or not the transactions are completed, and may result in unforeseen operating difficulties and expenditures. Specifically, we may encounter difficulties integrating the businesses, technologies, platform and product capabilities, or operations of any acquired companies, particularly if the key personnel of an acquired company choose not to work for us, their software is not easily adapted to work with our platform, or we have difficulty retaining the customers of any acquired business due to changes in ownership, management or otherwise. Additionally, any such transactions that we are to complete may not result in the synergies or other benefits we had expected to , which could result in charges that could be substantial. In addition, we may not be to find and identify acquisition targets or business or be in entering into an agreement with any particular strategic partner. These transactions could also result in dilutive issuances of equity securities or the incurrence of debt, which could affect our results of operations. In addition, if the resulting business from such a transaction to meet our expectations, our business, financial condition and results of operations may be affected or we may be to unknown risks or liabilities.
We may need to raise additional capital to expand our operations and invest in new products, which capital may not be available on terms acceptable to us, or at all, and which could reduce our ability to compete and could harm our business.
While we expect that our existing cash and cash equivalents, cash provided by operating activities, available borrowings under our revolving line of credit, and unbilled amounts related to contracted non-cancelable subscription agreements, which are not reflected on the balance sheet, will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months, retaining or expanding our current levels of personnel and product offerings may require additional funds. Our failure to raise additional capital or generate the significant capital necessary to expand our operations, invest in new products or acquire complementary
businesses and technologies could reduce our ability to compete and could harm our business. Accordingly, we may need to engage in additional equity or debt financings to secure additional funds. If we raise additional equity financing, our stockholders may experience significant dilution of their ownership interests and the market price of our Class A common stock could decline. If we engage in debt financing, the holders of debt may have priority over the holders of our Class A common stock, and we may be required to accept terms that restrict our operations or our ability to incur additional indebtedness or to take other actions that would otherwise be in the interests of the debt holders. Any of the above could harm our business, financial condition and results of operations.
Our Revolving Credit Facility contains financial covenants and other restrictions on our actions that may limit our operational flexibility or otherwise adversely affect our results of operations.
The terms of our Revolving Credit Facility include a number of covenants that limit our ability and our subsidiaries’ ability to, among other things, incur additional indebtedness, grant liens, merge or consolidate with other companies or sell substantially all of our assets, pay dividends, make redemptions and repurchases of stock, make investments, loans and acquisitions, or engage in transactions with affiliates. These terms may restrict our current and future operations and could adversely affect our ability to finance our future operations or capital needs. In addition, complying with these covenants may make it more difficult for us to successfully execute our business strategy, including potential acquisitions, and compete against companies which are not subject to such restrictions.
A failure by us to comply with the covenants or payment requirements specified in our credit agreement could result in an event of default under the agreement, which would give the lenders the right to terminate their commitments to provide additional loans and to declare all borrowings outstanding, together with accrued and unpaid interest and fees, to be immediately due and payable. If debt under our Revolving Credit Facility were to be accelerated, we may not have sufficient cash or be able to borrow sufficient funds to refinance the debt or sell sufficient assets to repay the debt, which could immediately adversely affect our business, cash flows, results of operations, and financial condition. As of December 31, 2021, there were no amounts outstanding under the Revolving Credit Facility.
If we fail to enhance our brand cost-effectively, our ability to expand our customer base will be impaired and our business, financial condition and results of operations may suffer.
We believe that developing and maintaining awareness of our brand in a cost-effective manner is critical to achieving widespread acceptance of our existing and future products and is an important element in attracting new customers. Furthermore, we believe that the importance of brand recognition will increase as competition in our market increases. Successful promotion of our brand will depend largely on the effectiveness of our marketing efforts and on our ability to provide reliable and useful products at competitive prices. In the past, our efforts to build our brand have involved significant expenses. Brand promotion activities may not yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote and maintain our brand, or incur substantial expenses in an unsuccessful attempt to promote and maintain our brand, we may fail to attract new customers or retain our existing customers to the extent necessary to realize a sufficient return on our brand-building efforts, and our business, financial condition and results of operations could .
If we cannot maintain our company culture as we grow, we could lose the innovation, teamwork, passion and focus on execution that we believe contribute to our success and our business may be harmed.
We believe that our corporate culture has been a contributor to our success, which we believe fosters innovation, teamwork, passion and focus on building and marketing our platform and products. As we grow and develop the infrastructure of a public company, we may find it difficult to maintain our corporate culture. Any failure to preserve our culture could harm our future success, including our ability to retain and recruit personnel, innovate and operate effectively, attract new customers, retain existing customers and execute on our business strategy. Additionally, our productivity and the quality of our products may be adversely affected if we do not integrate and train our new employees quickly and effectively. Any of these effects could adversely affect our business, financial condition and results of operations.
Risks Related to Our Platform and Products
If we are not able to develop or acquire new products and/or provide successful updates, enhancements and features to our technology, our business, financial condition and results of operations could be adversely affected.
Our industry is marked by rapid technological developments and demand for new and enhanced products and features to address the evolving risks associated with social engineering. In particular, cybersecurity threats are becoming increasingly sophisticated and responsive to the new security measures designed to thwart them. If we fail to update our products, through internal development or acquisition, to address such threats, our business and reputation will suffer. Our ability to increase revenue depends in large part on our ability to develop compelling new products to sell to new customers and to cross-sell and upsell to our existing customer base. To do so, we must continue to invest in our technology and platform in order to create new adjacencies and use cases. The success of any new product developments, enhancements, or features that we introduce depends on several factors, including the timely completion, introduction and market acceptance of such enhancements, features or products and integration with our existing platform and products.
We may not be successful in either developing these modifications and enhancements or in bringing them to market in a timely fashion. Furthermore, modifications to existing technologies will increase our research and development expenses. If we are unable to successfully enhance our existing products to meet customer requirements, increase adoption and usage of our products or develop new products, enhancements and features, our business, financial condition and results of operations will be harmed.
Interruptions or delays in the services provided by third-party data centers or internet service providers could impair the delivery of our platform and products, expose us to litigation and negatively impact our relationships with customers, adversely affecting our business.
We host our platform using Amazon Web Services, or AWS, data centers, a provider of cloud infrastructure services, and, therefore, we are vulnerable to service interruptions at AWS, which could impact the ability of our customers to access our platform. All of our products reside on hardware in these locations. Our operations depend on protecting the virtual cloud infrastructure hosted in AWS by maintaining its configuration, architecture and interconnection specifications, as well as the information stored in these virtual data centers, which third-party internet service providers transmit. Although we have disaster recovery plans that utilize multiple AWS locations, any incident affecting their infrastructure that may be caused by fire, flood, severe storm, earthquake, power loss, telecommunications failures, unauthorized intrusion, computer viruses and disabling devices, hacking and other security attacks, natural disasters, war, criminal acts, military actions, terrorist attacks and other similar events beyond our control could affect the security or availability of our platform and products. A AWS service affecting our platform and products for any reason could our reputation with current and potential customers, us to liability, cause us to customers or otherwise our business. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that the AWS services we use.
AWS enables us to order and reserve server capacity in varying amounts and sizes distributed across multiple regions. AWS provides us with computing and storage capacity pursuant to an agreement that continues until terminated by either party. AWS may terminate the agreement by providing 30 days prior written notice and may, in some cases, terminate the agreement immediately for cause upon notice. In addition, the failure of AWS data centers or third-party internet service providers to meet our capacity requirements could result in interruptions or delays in access to our platform and products or impede our ability to scale our operations. In the event that our AWS service agreements are terminated, or there is a lapse of service, interruption of internet service provider connectivity or damage to such facilities, we could experience in access to our platform and products as well as and additional expense in arranging new facilities and services.
If our platform and products fail to perform properly, our reputation could be adversely affected and our market share could decline, which could have a material adverse effect on our business, financial condition and results of operations.
Our platform and products are inherently complex and may contain material defects or errors. In the future we may experience website disruptions, outages and other performance problems. These problems may be caused by a variety of factors, including infrastructure changes, human or software errors or negligence, viruses, hacking and other security attacks, fraud, increased resource consumption from expansion or modification to our code and spikes in customer usage. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. If we do not accurately predict our infrastructure requirements, our existing customers may experience service outages and our operations infrastructure may fail to keep pace with increased sales, causing new customers to experience . We provide service level commitments under our customer contracts, under which we guarantee specified availability of our platform and products. If we to meet these contractual commitments, we could be obligated to provide credits for future service, or face contract with refunds of prepaid amounts related to unused subscriptions, which could our business, financial condition and results of operations. In light of our historical experience with meeting our service level commitments, we do not currently have any material liabilities accrued on our balance sheet for these commitments. Additionally, any in functionality or that cause in the availability of our platform and products could result in:
• loss or delayed market acceptance and sales;
• breach of warranty or other contractual claims for damages incurred by customers;
• loss of customers;
• diversion of development and customer service resources; and
• injury to our reputation;
any of which could have a material adverse effect on our business, financial condition and results of operations. In addition, the costs incurred in correcting any material defects or errors might be substantial.
Risks Related to Our Intellectual Property
Our results of operations may be harmed if we are subject to a protracted infringement claim or a claim that results in a significant damage award.
A key tenet of our security awareness platform and products is the ability for our customers to perform simulated social engineering attacks on their users as part of our comprehensive training program. These social engineering attacks, typically in the form of simulated phishing emails, often use actual third-party names, logos, marks and other content in order to enhance the effectiveness of the simulation. Although we do not believe that the use of such names, logos, marks and other content for our customers’ internal training purposes infringes upon the trademark rights or other intellectual property rights of others, some third parties have objected to such use in our training program. These third parties have sent requests or demands to remove their names, logos, marks and other content from our platform and products, alleging that such use infringes upon their trademark rights and copyrights, creates actionable claims under state law or causes consumer confusion resulting in harm to their goodwill or reputation.
From time to time, we also register domain names containing typos, third-party names or marks, or variations thereof, to be used in connection with our simulated phishing emails. We register these domain names to serve a limited and specific purpose, and similar to the above-referenced simulated phishing emails, we do not believe that the limited manner and purpose in which any such third-party names, marks and other content are used in the registered domain names infringes upon their trademark rights or intellectual property rights. Some third parties
have, however, sent a privacy service request or initiated a proceeding to cease use of and/or transfer the domain containing their name, mark or variations thereof, including intentional typos, that have been resolved. To date, we have taken a case-by-case approach and worked to resolve all brand-owner demands directly with the individual brand owners. Nonetheless, there is no assurance that legal actions will not result in the future from objecting brand owners.
Additionally, as our presence in the market expands, we may experience such requests or demands with increasing frequency. Any legal action, regardless of their merit, may: require us to expend significant financial resources and attention of management and other personnel; result in injunctions against us that prevent us from using third-party names, logos, marks and other content on our platform and products; or require us to pay monetary fees to third parties; and/or require transfer of the domain name registrations.
Furthermore, because any legal action would likely involve novel questions of law regarding simulated phishing activities for which there is very little or no precedent to date, and, because the outcomes of any such actions may depend on questions of laws that vary from state to state, the outcomes of any such legal actions are uncertain and may ultimately vary widely based on the jurisdictions in which actions are brought. Any such outcomes may adversely impact our relationship with our customers, including prompting them to discontinue their business relationship with us. From time to time, third parties have asserted, or may assert, claims of infringement, misappropriation or other violations of intellectual property rights against us or our customers, with whom our agreements may obligate us to indemnify against these claims. Successful of by a third party may prevent us from offering certain products or features, or require us to develop alternate non- technology, which may require significant time, during which we may be: to continue offering the affected products or solutions; required to obtain a license that may not be available on reasonable terms, or at all; or to pay substantial , royalties, or other fees. The occurrence of any of these results may also materially affect our business, financial condition and results of operations.
If we fail to adequately protect our proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate reduced revenue and incur costly litigation to protect our rights.
Our success is dependent, in part, upon protecting our proprietary information and technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws and contractual restrictions to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Despite the precautions we have implemented, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products that compete with ours. Some license provisions protecting against unauthorized use, copying, transfer and disclosure of our products may be unenforceable under the laws of certain jurisdictions and foreign countries. Further, the laws of some countries do not protect proprietary rights to the same extent as the laws of the United States or the mechanisms for enforcement of intellectual property rights in some foreign countries may be . To the extent we expand our international activities, our exposure to the use of our products and proprietary information may increase. Accordingly, our efforts, we may be to prevent third parties from upon or our technology and intellectual property.
We rely in part on trade secrets, proprietary know-how and other confidential information to maintain our competitive position. Although we enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with the parties with whom we have strategic relationships and business alliances, no assurance can be given that these agreements will be effective in controlling access to, and distribution of, our products and proprietary information. Further, these agreements do not prevent our competitors from independently developing technologies that may be substantially equivalent or superior to our products.
To protect our intellectual property rights, we may be required to spend significant resources to monitor and protect these rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Such litigation may be costly, time consuming and distracting to management and may result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our
intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, may delay further sales, introductions of new products or implementation of existing products; may impair the functionality of our products; or may result in our substituting inferior or more costly technologies into our products that may injure our reputation. In addition, we may be required to license additional technology from third parties to develop and market new products, and we cannot assure customers we will be able to license that technology on commercially reasonable terms, or at all, and our to license this technology may our ability to compete.
We use open source software in our products, which could negatively affect our ability to offer our products and subject us to litigation or other actions.
We use open source software in our products and may use more open source software in the future. From time to time, there have been claims challenging the ownership of open source software against companies that incorporate open source software into their products. However, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses may be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, potentially resulting in negative effects on our business, financial condition and results of operations or require us to devote additional research and development resources to change our products. In addition, if we were to combine our proprietary software products with certain open source software in a certain manner, we may, under their specific terms and conditions, be required to release the source code of our proprietary software to the public. This would allow our competitors to create similar products with less development effort and time. If we use open source software, or if the license terms for open source software that we use should change, we may be required to re-engineer our products, incur additional costs, the sale of some or all of our products or take other remedial actions.
In addition to risks related to open source software license requirements, usage of open source software may lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or assurances of title or controls as to the origin of the software. Many of the risks associated with usage of open source software, such as the lack of warranties or assurances of title, cannot be eliminated, and could, if not properly addressed, negatively affect our business. We have established processes to help alleviate these risks, including a review process for screening requests from our development organizations for the use of open source software, but we cannot guarantee that all of our use of open source software is in a manner that is consistent with our current policies and procedures, or will not subject us to liability.
We incorporate technology from third parties into our platform and products, and our inability to obtain or maintain rights to the technology could harm our business.
We license software and other technology from third parties that incorporate into, or integrate with, our platform and products. We cannot be certain that our licensors are not infringing on the intellectual property rights of third parties or that our licensors have sufficient rights to the licensed intellectual property in all jurisdictions in which we may offer our platform and products. In addition, many licenses are non-exclusive, and therefore our competitors may have access to the same technology licensed to us. Some of our agreements with our licensors may be terminated for convenience by them, or otherwise provide for a limited term. If we are unable to continue to license any of this technology for any reason, our ability to develop and offer our platform and products containing such technology may be negatively impacted. Similarly, if we are unable to license necessary technology from third parties now or in the future, we may be forced to acquire or develop an alternative technology, which we may be unable to do in a commercially feasible manner, or at all, and we may be required to use alternative technology of lower quality or performance standards. This may limit or our ability to offer new or competitive products and increase our costs of production. As a result, our business and results of operations may be significantly . Additionally, as part of our longer-term strategy, we plan to open our platform and products to third-party developers and applications to further extend their functionality. We cannot be certain that such efforts to grow our business will be .
Risks Related to Governmental Regulations and Taxation
Complying with evolving privacy and other data related laws and requirements may be expensive and force us to make adverse changes to our business, and failure to comply with such laws and requirements could result in substantial harm to our business.
Laws and regulations governing data privacy and protection, information security, the use of the Internet as a commercial medium, the use of data in artificial intelligence and machine learning and data sovereignty requirements are rapidly evolving, extensive, complex and include inconsistencies and uncertainties. Examples of recent and anticipated developments that have or could impact our business include the following:
• The General Data Protection Regulation, or GDPR, took effect in May 2018 and established several requirements applicable to the handling of personal data of individuals in the European Economic Area, or EEA. The GDPR is wide-ranging in scope and imposes numerous requirements on companies that process personal data, including imposing accountability obligations requiring data controllers and processors to maintain a record of their data processing and implement policies and procedures as part of its mandated privacy governance framework. It also requires data controllers to be transparent and disclose to data subjects how their personal data will be used; establishes rights for individuals with respect to their personal data, including rights of access and deletion in certain circumstances; imposes limitations on retention of personal data; establishes data breach notification requirements; and sets standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities.
• The GDPR and substantially equivalent legislation in the United Kingdom, or UK, also imposes strict rules applied to the transfer of personal data out of the EEA, Switzerland and the UK to third countries deemed to lack adequate privacy protections (including the United States), unless an appropriate safeguard is implemented, such as the Standard Contractual Clauses, or SCCs, approved by the European Commission, or a derogation applies. The Court of Justice of the European Union, or CJEU, deemed the SCCs valid in July 2020. However, the CJEU ruled that transfers made pursuant to the SCCs and other alternative transfer mechanisms must be analyzed on a case-by-case basis to ensure European Union, or EU, standards of data protection are met in the jurisdiction where the data importer is based, and concerns remain about the potential for the SCCs and other mechanisms to face additional challenges. European regulators have issued guidance following the CJEU ruling that imposes significant new requirements on transferring data outside the EEA and Switzerland, including under an approved transfer mechanism. On June 4, 2021, the European Commission issued new SCCs that account for the CJEU’s decision and other developments, which need to be put in place for new contracts involving the transfer of personal data from the EEA and Switzerland to a third country as of September 27, 2021. Complying with these obligations and applicable guidance could be expensive and time consuming, may require us to modify our data handling policies and procedures and undertake additional measures, including new contractual negotiations, and may ultimately prevent or restrict us from transferring personal data outside the EEA and the UK, which could cause significant business .
• The EU has proposed the Regulation on Privacy and Electronic Communications, or ePrivacy Regulation, which, if adopted, would impose new obligations on the use of personal data in the context of electronic communications, particularly with respect to online tracking technologies and direct marketing.
• In January 2020, the UK formally left the EU. The UK’s withdrawal from the EU, commonly referred to as “Brexit,” became effective December 31, 2020. The UK has implemented legislation that implements and complements the GDPR, and which provides for the implementation of GDPR requirements, including those related to cross-border data transfer. In June 2021, the European Commission announced a decision of “adequacy” concluding that the UK ensures an equivalent level of data protection to the GDPR, which provides some relief regarding the legality of continued personal data flows from the EEA to the UK. Some uncertainty remains, however, as this adequacy determination must be renewed after four years and may be modified or revoked in the interim. Further, on February 2, 2022, the UK’s Information Commissioner’s Office issued new standard contractual clauses to support personal data transfers out of the UK. If approved by the UK Parliament, these standard contractual clauses will become effective March 21, 2022. We cannot
predict how UK data protection laws or regulations may develop in the longer term, including those relating to data transfers. We may be required to take steps to ensure the lawfulness of our data transfers and otherwise to address UK data protection law.
• In January 2020, the California Consumer Privacy Act, or CCPA, took effect, providing California residents increased privacy rights and protections, including the ability to opt out of sales of their personal information. The CCPA went into effect in January 2020 and became enforceable by the California Attorney General in July 2020. Among other things, the CCPA requires covered companies to provide new disclosures to California consumers and afford such consumers new rights with respect to their personal information, including the right to request deletion of their personal information, the right to receive the personal information on record for them, the right to know what categories of personal information generally are maintained about them, as well as the right to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action may increase the likelihood of, and risks associated with, data breach litigation.
• California voters also approved a new privacy law, the California Privacy Rights Act, or CPRA, in the November 3, 2020 election. Effective January 1, 2023, the CPRA imposes additional obligations on covered companies and will significantly modify the CCPA, including by expanding consumers’ rights with respect to certain sensitive personal information. The CPRA also creates a new state agency that will have authority to implement and enforce the CCPA and the CPRA. The effects of the CCPA and the CPRA are significant. They increase our potential exposure to regulatory enforcement and/or litigation and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply. Other U.S. states are considering, and in certain cases have adopted, similar laws. For example, in March 2021, Virginia enacted the Virginia Consumer Data Protection Act, and in July 2021, Colorado enacted the Colorado Privacy Act. These both are comprehensive privacy statutes that will become effective in 2023 and share similarities with the CCPA, the CPRA and legislation proposed in other states. Recently proposed and enacted state privacy legislation beyond the CCPA and CPRA may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies.
Global governments are considering implementing regulations that would restrict cross-border data processing. Additionally, global governments are considering regulating artificial intelligence, machine learning and other technologies. These and other similar legal and regulatory developments could contribute to legal and economic uncertainty, affect how we design, market, sell and operate our platform and products, how our customers process and share data, how we process, transfer and use data, which could negatively impact demand for our platform and products. We may incur substantial costs to comply with such laws and regulations, to meet the demands of our customers relating to their own compliance with applicable laws and regulations and to establish and maintain internal policies, self-certifications, and third-party certifications supporting our compliance programs. Our customers may bind us to certain obligations pursuant to the GDPR or other laws or regulations relating to privacy, data protection or information security, and we may be or become bound by other contractual obligations relating to privacy, data protection or information security. We may be required to expend substantial resources to comply with these obligations. In addition, any actual or perceived non-compliance with applicable laws, regulations, policies, certifications or contractual or other actual or asserted obligations could result in proceedings, investigations or claims against us by regulatory authorities, customers or others, to reputational , significant , costs and . For example, if regulators assert that we have to comply with the GDPR or the UK’s legislation implementing the GDPR, we may be subject to of up to EUR 20 million (or GBP 17.5 million) or 4% of our worldwide annual revenue, whichever is , as well as potential data processing restrictions. Authorities have shown a willingness to impose significant and issue orders the processing of personal data on non-compliant businesses. Moreover, individuals can claim resulting from of the GDPR and other European and UK data protection laws. The GDPR also introduces the right for non-profit organizations to bring on behalf of data subjects. In addition to the foregoing, an actual or
breach of the GDPR or other applicable laws, regulations or other actual or asserted obligations related to privacy, data protection or information security could result in regulatory investigations, reputational damage, orders to change our use of data, enforcement notices, or potential civil claims including class action type litigation. All of these impacts could have a material adverse effect on our business, financial condition and results of operations.
We publish privacy policies and other documentation regarding our collection, processing, use and disclosure of personal information, credit card information or other confidential information. Although we endeavor to comply with applicable laws and regulations relating to privacy, data protection, and information security, and our related policies, certifications, representations and documentation, we may at times fail to do so or may be perceived to have failed to do so. Moreover, despite our efforts, we may not be successful in achieving or maintaining compliance if our employees or service providers fail to comply with our policies, certifications, representations and documentation. Such actual or perceived failures can subject us to potential claims, litigation and international, local, state and federal action if they are found or alleged to be deceptive, unfair or to our actual practices.
We also collect information about cyber threats from open sources, intermediaries and third parties that we make available to our customers in our industry publications. While we have implemented certain procedures to facilitate compliance with applicable laws and regulations in connection with the collection of this information, we cannot assure you that these procedures have been effective or that we, or third parties, many of whom we do not control, have complied with all laws or regulations in this regard. Failure by our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties to comply with applicable laws and regulations in the collection of this information also could have negative consequences to us, including reputational harm, government investigations and penalties. Although we take precautions to prevent our information collection practices and services from being provided in violation of such laws, our information collection practices and services may have been in the past, and could in the future be, provided in of such laws.
We are subject to laws and regulations, including governmental export and import controls, sanctions, anti-boycott regulations and anti-corruption laws that could impair our ability to compete in our markets and subject us to liability if we are not in full compliance with applicable laws.
We are subject to laws and regulations, including governmental export controls, that could subject us to liability or impair our ability to compete in our markets. Our products are subject to U.S. export controls, including the U.S. Department of Commerce’s Export Administration Regulations, and we and our employees, representatives, contractors, agents, intermediaries and other third parties are also subject to various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control. Furthermore, U.S. export control laws and economic sanctions prohibit the export and provision of certain cloud-based solutions to, and other transactions and dealings with, countries, governments, entities and persons targeted by U.S. sanctions.
In connection with our March 1, 2021 acquisition of MediaPro Holdings, LLC, we identified potential violations related to limited dealings by MediaPro Holdings, LLC in 2016 with Sudatel, a Sudanese telecommunications and internet service provider. As a condition of closing, MediaPro Holdings, LLC filed voluntary self-disclosures with the Office of Foreign Assets Control (“OFAC”) and the Office of Antiboycott Compliance (“OAC”). OFAC issued us a cautionary letter but did not pursue any penalties or take enforcement action. As of the date of this Annual Report on Form 10-K, the OAC case is pending. Although we have technical controls, policies and procedures in place designed to ensure our compliance, there is no guarantee that we will not inadvertently provide our products and services, including our publicly available online free tools, to persons targeted by U.S. sanctions, despite our reasonable efforts to prevent it.
If we or our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties fail to comply with these laws and regulations, we could be subject to civil or criminal penalties, including the possible loss of export privileges and fines. We may also be adversely affected through reputational harm, loss of access to certain markets, government investigations or otherwise. Obtaining the necessary authorizations including any required license for a particular transaction may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities.
Various countries regulate the export and import of certain encryption technology, including through export and import permit and license requirements, and have enacted laws that could limit our ability to distribute our products
or could limit our customers’ ability to implement our products in those countries. Changes in our products or changes in export and import regulations may create delays in the introduction of our products into international markets, prevent our customers with international operations from deploying our products globally or, in some cases, prevent the export or import of our products to certain countries, governments, entities or persons altogether. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations or change in the countries, governments, entities or persons or technologies targeted by such regulations could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Any decreased use of our products or limitation on our ability to export or sell our products would likely adversely affect our business, financial condition and results of operations.
We are also subject to the FCPA, Bribery Act and other anti-corruption, anti-bribery, anti-money laundering and similar laws in the United States and other countries in which we conduct activities. Anti-corruption and anti-bribery laws, which have been enforced aggressively and are interpreted broadly, prohibit companies and their employees, agents, intermediaries and other third parties from promising, authorizing, making or offering improper payments or other benefits to government officials and others in the private sector. We leverage third parties, including intermediaries, agents and channel partners, to conduct our business in the United States and abroad to sell subscriptions to our products and to collect information about cyber threats. We and these third parties may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and we may be held liable for the corrupt or other illegal activities of these third-party business partners and intermediaries, our employees, representatives, contractors, channel partners, agents, intermediaries and other third parties, even if we do not explicitly authorize such activities. While we have policies and procedures to address compliance with the FCPA, Act and other anti-, sanctions, anti-, anti-money and similar laws, we cannot you that they will be , or that all of our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties have taken, or will not take, actions in of our policies and applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase. with these laws could subject us to , or civil sanctions, settlements, , of export privileges, or from U.S. government contracts, other enforcement actions, of profits, significant , , other civil and or , whistleblower , media coverage and other consequences. Any , actions or sanctions could our reputation, business, financial condition and results of operations.
Failure to comply with laws and regulations applicable to our business could subject us to fines and penalties.
Our business is subject to regulation by various federal, state, local and foreign governmental agencies, including, but not limited to, agencies responsible for monitoring and enforcing privacy, data protection and information security laws and regulations, employment and labor laws, workplace safety, product safety, environmental laws, consumer protection laws, anti-bribery laws, import and export controls, economic sanctions, federal securities laws and tax laws and regulations. In certain jurisdictions, these regulatory requirements may be more stringent than in the United States. Actual or alleged noncompliance by us, our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties with applicable regulations or requirements could subject us to:
• investigations, enforcement actions and sanctions;
• mandatory changes to our platform, products or business practices;
• disgorgement of profits, fines and damages;
• civil and criminal penalties or injunctions;
• claims for damages by our customers or channel partners;
• termination of contracts;
• loss of intellectual property rights; and
• temporary or permanent debarment from sales to government organizations.
In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. If any governmental sanctions or enforcement actions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, financial condition and results of operations could be adversely affected.
In addition, we endeavor to properly classify employees as exempt versus non-exempt under applicable law. Although there are no pending or threatened material claims or investigations against us asserting that some employees are improperly classified as exempt, the possibility exists that some of our current or former employees could have been incorrectly classified as exempt employees.
Sales to government entities are subject to a number of challenges and risks.
A number of our customers are U.S., state or foreign government entities. Such entities may demand contract terms that are less favorable than standard arrangements with private sector customers and may have statutory, contractual or other legal rights to terminate contracts with us or our partners for convenience or for other reasons. Generally, the laws, regulations and policies that govern our ability to contract with government customers impose added costs on our business, and failure by us, our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties to comply with applicable regulations and requirements could lead to claims for damages, penalties, termination of contracts, loss of exclusive rights in our intellectual property and temporary suspension or permanent debarment from government contracting. Any such damages, , or in our ability to do business with the public sector could result in reduced sales of our products, reputational , and other sanctions, any of which could our reputation, business, financial condition and results of operations.
In addition, as a vendor for government entities, we must comply with laws, regulations and policies governing such governmental bodies, including those related to their cybersecurity practices. For example, the State of California Office of Information Security Phishing Exercise Standard (SIMM 5320-A), released in October 2020, established specific requirements for California state entities and agencies to coordinate phishing exercises with the California Department of Technology Office of Information Security and the California Cybersecurity Integration Center and other requirements for execution. Other states and jurisdictions may adopt versions of this standard or consider other new cybersecurity or data protection measures in the future, imposing additional compliance burdens on us and our customers.
Delaware law and provisions in our amended and restated certificate of incorporation and amended and restated bylaws could make a merger, tender offer or proxy contest difficult, thereby depressing the market price of our Class A common stock.
Our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that may make the acquisition of our company more difficult, including the following:
• our board of directors is classified into three classes of directors with staggered three-year terms, and directors are only able to be removed from office for cause;
• certain amendments to our amended and restated certificate of incorporation require the approval of at least 66-2/3% of the voting power of the outstanding shares of our stock entitled to vote generally in the election of directors, voting together as a single class;
• our dual class common stock structure provides pre-IPO stockholders with the ability to significantly influence the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the shares of our outstanding capital stock;
• our stockholders are only able to take action at a meeting of stockholders and are not able to take action by written consent for any matter;
• our amended and restated certificate of incorporation does not provide for cumulative voting;
• vacancies on our board of directors may be filled only by our board of directors and not by stockholders;
• a special meeting of our stockholders may only be called by the chairperson of our board of directors, our Chief Executive Officer or a majority of our board of directors;
• certain litigation against us can only be brought in Delaware;
• our amended and restated certificate of incorporation authorizes undesignated preferred stock, the terms of which may be established and shares of which may be issued without further action by our stockholders; and
• advance notice procedures apply for stockholders to nominate candidates for election as directors or to bring matters before an annual meeting of stockholders.
In addition, while we have opted out of Section 203 of the Delaware General Corporation Law, or the DGCL, our amended and restated certificate of incorporation contains similar provisions providing that we may not engage in certain “business combinations” with any “interested stockholder” for a three year period following the time that the stockholder became an interested stockholder, unless:
• prior to such time, our board of directors approved either the business combination or the transaction that resulted in the stockholder becoming an interested stockholder;
• upon consummation of the transaction that resulted in the stockholder becoming an interested stockholder, the interested stockholder owned at least 85% of the votes of our voting stock outstanding at the time the transaction commenced, excluding certain shares; or
• at or subsequent to that time, the business combination is approved by our board of directors and by the affirmative vote of holders of at least 66-2/3% of the votes of our outstanding voting stock that is not owned by the interested stockholder.
Generally, a “business combination” includes a merger, asset or stock sale or other transaction resulting in a financial benefit to the interested stockholder. Subject to certain exceptions, an “interested stockholder” is a person who, together with that person’s affiliates and associates, owns, or within the previous three years owned, 15% or more of the votes of our outstanding voting stock. For purposes of this provision, “voting stock” means any class or series of stock entitled to vote generally in the election of directors. Our amended and restated certificate of incorporation provides that any interested stockholder who became an interested stockholder prior to our IPO and Mr. Sjouwerman and any of their respective direct or indirect designated transferees (other than in certain market transfers and gifts) and any group of which such persons are a party do not constitute “interested stockholders” for purposes of this provision.
Under certain circumstances, this provision will make it more difficult for a person who would be an “interested stockholder” to effect various business combinations with our company for a three year period. This provision may encourage companies interested in acquiring us to negotiate in advance with our board of directors because the stockholder approval requirement would be avoided if our board of directors approves either the business combination or the transaction that results in the stockholder becoming an interested stockholder. These provisions also may have the effect of preventing changes in our board of directors and may make it more difficult to accomplish transactions that stockholders may otherwise deem to be in their best interests.
These provisions, alone or together, could discourage, delay or prevent a transaction involving a change in control of our company. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors of their choosing and to cause us to take other corporate actions they desire, any of which, under certain circumstances, could limit the opportunity for our stockholders to receive a premium for their shares of our Class A common stock, and could also affect the price that some investors are willing to pay for our Class A common stock.
Our amended and restated bylaws designate a state or federal court located within the State of Delaware and the federal district courts of the United States as the exclusive forum for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to choose the judicial forum for disputes with us or our directors, officers or employees.
Our amended and restated bylaws provide that, unless we consent in writing to the selection of an alternative forum, to the fullest extent permitted by law, the sole and exclusive forum for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (iii) any action arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws, or (iv) any other action asserting a claim that is governed by the internal affairs doctrine shall be the Court of Chancery of the State of Delaware (or, if the Court of Chancery does not have jurisdiction, the federal district court for the District of Delaware), in all cases subject to the court having jurisdiction over indispensable parties named as defendants. Our amended and restated bylaws further provide that the federal district courts of the United States will be the exclusive forum for resolving any asserting a cause of action arising under the Securities Act of 1933, as amended, or the Securities Act.
Any person or entity purchasing or otherwise acquiring any interest in any of our securities shall be deemed to have notice of and consented to this provision. This exclusive forum provision may limit a stockholder’s ability to bring a claim in a judicial forum of its choosing for disputes with us or our directors, officers or other employees, which may discourage lawsuits against us and our directors, officers and other employees. This exclusive forum provision will not apply to any causes of action arising under the Securities Act or the Exchange Act or any other claim for which the federal courts have exclusive jurisdiction. Further, the enforceability of similar choice of forum provisions in other companies’ charter documents has been challenged in legal proceedings, and it is possible that a court could find these types of provisions to be inapplicable or unenforceable. For example, the Court of Chancery of the State of Delaware recently determined that a provision stating that U.S. federal district courts are the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act is not enforceable. However, this decision may be reviewed and ultimately by the Delaware Supreme Court. If a court were to find either forum provision in our amended and bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving the in other jurisdictions, which could our results of operations.
Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited.
As of December 31, 2021, we had U.S. federal and state net operating loss carryforwards of $59.6 million and $41.8 million, respectively, and we had a U.S. federal research and development credit carryforward of $2.7 million. Realization of these net operating loss and research and development credit carryforwards depends on future income, and there is a risk that our existing carryforwards could expire unused and be unavailable to offset future income tax liabilities, which could adversely affect our results of operations.
In addition, under Sections 382 and 383 of the Internal Revenue Code, if a corporation undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in ownership by “5 percent shareholders” over a rolling three-year period, the corporation’s ability to use its pre-change net operating loss carryovers and other pre-change tax attributes, such as research and development credits, to offset its post-change income or taxes may be limited. We may experience ownership changes in the future as a result of shifts in our stock ownership. As a result, if we earn net taxable income, our ability to use our pre-change net operating loss carryforwards to offset U.S. federal taxable income may be subject to limitations, which could potentially result in increased future tax liability to us.
Changes in tax laws or regulations in the various tax jurisdictions we are subject to that are applied adversely to us or our customers could increase the costs of our products and harm our business.
New income, sales, use or other tax laws, statutes, rules, regulations or ordinances could be enacted at any time. Those enactments could harm our domestic and international business operations, and our business and financial performance. Further, existing tax laws, statutes, rules, regulations or ordinances could be interpreted, changed,
modified or applied adversely to us. These events could require us or our customers to pay additional tax amounts on a prospective or retroactive basis, as well as require us or our customers to pay fines and/or penalties and interest for past amounts deemed to be due. Additionally, new, changed, modified or newly interpreted or applied tax laws could increase our customers’ and our compliance, operating and other costs, as well as the costs of our products. Further, these events could decrease the capital we have available to operate our business. Any or all of these events could harm our business, financial condition and results of operations.
Our business may be subject to additional obligations to collect and remit sales tax and other taxes, and we may be subject to tax liability for past sales. Any successful action by state, foreign or other authorities to collect additional or past sales tax could harm our business.
States and some local taxing jurisdictions have differing rules and regulations governing sales and use taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales taxes to our platform and products in various jurisdictions is unclear. It is possible that we could face sales tax audits and that our liability for these taxes could exceed our estimates as state tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. Liability for past taxes may also include substantial interest and penalty charges. Any successful action by state, foreign or other authorities to compel us to collect and remit sales, use or other taxes, either retroactively, prospectively or both, could harm our business, financial condition and results of operations.
We are a multinational organization faced with increasingly complex tax issues in many jurisdictions, and we could be obligated to pay additional taxes in various jurisdictions.
As a multinational organization, we may be subject to taxation in several jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws or revised interpretations of existing tax laws and precedents, which could have a material adverse effect on our liquidity and results of operations. Furthermore, one or more jurisdictions in which we do not believe we are currently subject to tax payment, withholding or filing requirements could assert that we are subject to such requirements. Any of these claims or assertions could have a material impact on us and our financial condition and results of operations.
Governance Risks Related to Ownership of Our Class A Common Stock
The dual-class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our initial public offering (IPO), which will limit your ability to influence the outcome of important transactions, including a change in control.
Our Class B common stock has ten votes per share, and our Class A common stock, has one vote per share. Because of the ten-to-one voting ratio between our Class B common stock and Class A common stock, as of December 31, 2021 the holders of our Class B common stock collectively held approximately 94.2% of the combined voting power of our outstanding capital and will therefore, if acting together, be able to control all matters submitted to our stockholders for approval until the earlier of the fifth anniversary of the filing and effectiveness of our amended and restated certificate of incorporation or the affirmative vote of the holders of 66-2/3% of the voting power of our outstanding Class B common stock. This concentrated control will limit or preclude a potential investor’s ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets or other major corporate transactions requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that you may feel are in your best interest as one of our stockholders.
Future transfers by holders of shares of our Class B common stock will generally result in those shares converting to Class A common stock, subject to limited exceptions, including but not limited to, transfers effected for estate planning purposes and transfers among affiliates, to the extent the transferee continues to remain an affiliate. The conversion of Class B common stock to Class A common stock will have the effect, over time, of
increasing the relative voting power of those individual holders of Class B common stock who retain their shares in the long term.
The market price of our Class A common stock may be volatile, and you could lose all or part of your investment.
The market price of our Class A common stock could be subject to fluctuations in response to various factors, some of which are beyond our control and could cause you to lose all or part of your investment in our Class A common stock. Factors that could cause fluctuations in the market price of our Class A common stock include the following:
• price and volume fluctuations in the overall stock market from time to time;
• volatility in the market prices and trading volumes of technology stocks;
• changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
• sales of shares of our Class A common stock by us or our stockholders;
• failure of securities analysts to maintain coverage of us, changes in financial estimates by securities analysts who follow our company or our failure to meet these estimates or the expectations of investors;
• the financial projections we may provide to the public, any changes in those projections or our failure to meet those projections;
• announcements by us or our competitors of new offerings or platform features;
• the public’s reaction to our press releases, other public announcements and filings with the SEC;
• rumors and market speculation involving us or other companies in our industry;
• short selling of our Class A common stock or related derivative securities;
• actual or anticipated changes or fluctuations in our results of operations;
• actual or anticipated developments in our business, our competitors’ businesses or the competitive landscape generally;
• announced or completed acquisitions of businesses, offerings or technologies by us or our competitors;
• developments or disputes concerning our intellectual property or other proprietary rights;
• litigation involving us, our industry or both, or investigations by regulators into our operations or those of our competitors;
• new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
• system failures or actual or perceived privacy or security incidents;
• changes in accounting standards, policies, guidelines, interpretations or principles;
• any significant change in our management; and
• general economic conditions and slow or negative growth of our markets.
In addition, the stock market has experienced substantial price and volume volatility that is often seemingly unrelated to the operating performance of particular companies. These broad market fluctuations may cause the trading price of our Class A common stock to decline. Furthermore, the trading price of our Class A common stock may be adversely affected by third-parties trying to drive down the price. In addition, in the past, following periods of volatility in the overall market and the market price of a particular company’s securities, securities class action
litigation has often been instituted against these companies. This litigation, if instituted against us, would result in substantial costs and a diversion of our management’s attention and resources.
We are an “emerging growth company” and we cannot be certain if the reduced disclosure requirements applicable to emerging growth companies will make our Class A common stock less attractive to investors.
For so long as we remain an “emerging growth company” as defined in the JOBS Act, we may take advantage of certain exemptions from various requirements that are applicable to public companies that are not “emerging growth companies,” including, but not limited to, not being required to comply with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act, reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements and exemptions from the requirements of holding a nonbinding advisory vote on executive compensation and stockholder approval of any golden parachute payments not previously approved. We may take advantage of these exemptions until we are no longer an emerging growth company. We would cease to be an emerging growth company upon the earliest to occur of: (i) the first fiscal year following the fifth anniversary of our initial public offering; (ii) the first fiscal year after our annual gross revenue is $1.07 billion or more; (iii) the date on which we have, during the previous three-year period, issued more than $1.0 billion in non-convertible debt securities; or (iv) the date we qualify as a “large accelerated filer,” which means the end of any fiscal year in which the market value of our Class A common stock held by non-affiliates exceeded $700.0 million as of the end of the second quarter of that fiscal year. We cannot predict if investors will find our Class A common stock less because we may rely on these exemptions. If some investors find our Class A common stock less as a result, there may be a less active trading market for our Class A common stock and our stock price may be more .
If securities or industry analysts do not publish research or publish inaccurate or unfavorable research about us, our business or our market, or if they change their recommendations regarding our Class A common stock adversely, the market price and trading volume of our Class A common stock could decline.
The trading market for our Class A common stock depends, in part, on the research and reports that securities or industry analysts publish about us, our business, our market or our competitors. The analysts’ estimates are based upon their own opinions and are often different from our estimates or expectations. If any of the analysts who cover us change their recommendation regarding our Class A common stock adversely, provide more favorable relative recommendations about our competitors or publish inaccurate or unfavorable research about our business, the price of our securities would likely decline. If few securities analysts commence coverage of us, or if one or more of these analysts cease coverage of us or fail to publish reports on us regularly, we could lose visibility in the financial markets and demand for our securities could decrease, which could cause the price and trading volume of our Class A common stock to decline.
We do not intend to pay dividends for the foreseeable future.
We currently intend to retain any future earnings to finance the operation and expansion of our business, and we do not expect to declare or pay any dividends in the foreseeable future. In addition, our Revolving Credit Facility contains restrictions on our ability to pay dividends. As a result, stockholders must rely on sales of their Class A common stock after price appreciation as the only way to realize any future gains on their investment.
The issuance of additional stock in connection with financings, acquisitions, investments, our equity incentive plans or otherwise will dilute all other stockholders.
Our amended and restated certificate of incorporation authorizes us to issue up to 1,000,000,000 shares of Class A common stock, up to 500,000,000 shares of Class B common stock and up to 100,000,000 shares of preferred stock with such rights and preferences as may be determined by our board of directors. Subject to compliance with applicable rules and regulations, we may issue shares of Class A common stock or securities convertible into shares of our Class A common stock from time to time in connection with a financing, acquisition, investment, our equity incentive plans, or otherwise. Any such issuance could result in substantial dilution to our existing stockholders and cause the market price of our Class A common stock to decline.
We cannot predict the impact our dual class structure may have on the market price of our Class A common stock.
We cannot predict whether our dual class structure will result in a lower or more volatile market price of our Class A common stock or in adverse publicity or other adverse consequences. For example, certain index providers have restrictions on including companies with multiple-class share structures in certain of their indexes. In July 2017, FTSE Russell and Standard & Poor’s announced that they would cease to allow most newly public companies utilizing dual or multi-class capital structures to be included in their indices. Affected indices include the Russell 2000 and the S&P 500, S&P MidCap 400 and S&P SmallCap 600, which together make up the S&P Composite 1500. Under these policies, our dual class capital structure would make us ineligible for inclusion in certain indices, and as a result, mutual funds, exchange-traded funds and other investment vehicles that attempt to passively track those indices will not be investing in our stock. Because of our dual class structure, we will likely be excluded from certain of these indexes and we cannot assure you that other stock indexes will not take similar actions. Given the sustained flow of investment funds into passive strategies that seek to track certain indexes, exclusion from stock indexes would likely investment by many of these funds and could make our Class A common stock less to other investors. As a result, the market price of our Class A common stock could be affected.
Risks Related to Macroeconomic Conditions
Adverse economic conditions and reduced IT security spending may adversely impact our revenue and profitability.
Our operations and performance depend in part on worldwide economic conditions and the impact these conditions have on levels of spending on IT networking and security solutions. Our business depends on the overall demand for these solutions and on the economic health and general willingness of our current and prospective customers to purchase our platform and products. Weak economic conditions, including conditions resulting from financial and credit market fluctuations, changes in economic policy, trade uncertainty, including changes in tariffs, sanctions, international treaties and other trade restrictions, the occurrence of a natural disaster or global public health crisis, or armed conflicts, such as the ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the U.S. and other countries, and retaliatory actions taken by Russia in response to such sanctions, and a reduction in IT security spending could materially and adversely affect our business, financial condition and results of operations in a number of ways, including by reducing sales, lengthening sales cycles and lowering prices for our platform and products.
We are unable to predict with certainty the extent to which the global COVID-19 pandemic may continue to impact our business, financial condition or results of operations.
The ongoing COVID-19 pandemic and efforts to mitigate its impact have caused social and economic disruption and financial market volatility. Concerns over the ultimate economic impact of COVID-19 have caused and may continue to cause extreme volatility in financial and other capital markets, which may adversely affect our stock price and our ability to access capital markets in the future.
We believe that the conditions caused by the pandemic have not significantly affected demand for our platform and products; therefore, although the COVID-19 pandemic has caused us to experience, in some cases, longer sales cycles and an increase in certain prospective and current customers seeking lower prices or other more favorable contract terms, we do not believe these developments have been substantial enough to cause a significantly negative impact on our results of operations. Additionally, we have not seen significant negative impacts on collections of accounts receivable or attrition rates of our customers. Conversely, the long term work-from-home policies, which have stemmed from the COVID-19 pandemic, have resulted in employees accessing their companies’ systems remotely, which has increased cybersecurity, privacy and data protection risks for these companies and may lead to heightened interest in our platform and products. There is no assurance that the levels of interest, demand and use of our platform and products will continue or will not decrease in the future. Any such decrease could have an adverse effect on our growth and the success of our platform and products.
We may face exposure to foreign currency exchange rate fluctuations.
Today, our international contracts are sometimes denominated in local currencies; however, the majority of our international costs are denominated in local currencies. Over time, an increasing portion of our international contracts may be denominated in local currencies. Therefore, fluctuations in the value of the U.S. dollar and foreign currencies may affect our results of operations when translated into U.S. dollars. We do not currently engage in currency hedging activities to limit the risk of exchange rate fluctuations. However, in the future, we may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign currency exchange rates. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.
Catastrophic events may disrupt our business.
Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce and the global economy, and thus could harm our business. We have a large employee presence in Clearwater, Florida and the east coast of the United States is often subject to seasonal hurricanes. In the event of a major hurricane, earthquake or other catastrophic event such as fire, power loss, telecommunications failure, cyber-attack, acts of war, including Russia’s actions in Ukraine, or terrorist attack, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our application development, lengthy interruptions in our products, breaches of data security and , alteration or compromise of data, all of which could our business, financial condition and results of operations. In addition, the insurance we maintain may not be adequate to cover our resulting from or other business .
