00013535382021FYTRUEP1YP3YP1Y00013535382021-01-012021-12-3100013535382021-06-30iso4217:USD00013535382022-03-25xbrli:shares00013535382021-12-3100013535382020-12-31iso4217:USDxbrli:shares00013535382020-01-012020-12-310001353538us-gaap:PreferredStockMember2019-12-310001353538us-gaap:CommonStockMember2019-12-310001353538us-gaap:AdditionalPaidInCapitalMember2019-12-310001353538us-gaap:AccumulatedOtherComprehensiveIncomeMember2019-12-310001353538us-gaap:RetainedEarningsMember2019-12-3100013535382019-12-310001353538us-gaap:AdditionalPaidInCapitalMember2020-01-012020-12-310001353538us-gaap:RetainedEarningsMember2020-01-012020-12-310001353538us-gaap:AccumulatedOtherComprehensiveIncomeMember2020-01-012020-12-310001353538us-gaap:PreferredStockMember2020-12-310001353538us-gaap:CommonStockMember2020-12-310001353538us-gaap:AdditionalPaidInCapitalMember2020-12-310001353538us-gaap:AccumulatedOtherComprehensiveIncomeMember2020-12-310001353538us-gaap:RetainedEarningsMember2020-12-310001353538us-gaap:CommonStockMember2021-01-012021-12-310001353538us-gaap:AdditionalPaidInCapitalMember2021-01-012021-12-310001353538us-gaap:RetainedEarningsMember2021-01-012021-12-310001353538us-gaap:AccumulatedOtherComprehensiveIncomeMember2021-01-012021-12-310001353538us-gaap:PreferredStockMember2021-12-310001353538us-gaap:CommonStockMember2021-12-310001353538us-gaap:AdditionalPaidInCapitalMember2021-12-310001353538us-gaap:AccumulatedOtherComprehensiveIncomeMember2021-12-310001353538us-gaap:RetainedEarningsMember2021-12-310001353538apgt:BrainspaceCorporationMember2021-01-012021-12-310001353538apgt:AccountingForRevenueRecognitionMembersrt:RestatementAdjustmentMember2021-01-012021-12-310001353538apgt:AccountingForRevenueRecognitionMembersrt:RestatementAdjustmentMember2020-01-012020-12-310001353538apgt:AccountingForRevenueRecognitionMembersrt:RestatementAdjustmentMember2021-12-310001353538apgt:AccountingForRevenueRecognitionMembersrt:RestatementAdjustmentMember2020-12-310001353538apgt:AccountingForIncrementalCostContractWithCustomerMembersrt:RestatementAdjustmentMember2021-01-012021-12-310001353538apgt:AccountingForIncrementalCostContractWithCustomerMembersrt:RestatementAdjustmentMember2020-01-012020-12-310001353538apgt:AccountingForIncrementalCostContractWithCustomerMembersrt:RestatementAdjustmentMember2021-12-310001353538apgt:AccountingForIncrementalCostContractWithCustomerMembersrt:RestatementAdjustmentMember2020-12-310001353538srt:RestatementAdjustmentMember2021-01-012021-12-310001353538srt:RestatementAdjustmentMembersrt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2020-01-010001353538apgt:AccountingForRevenueRecognitionMemberus-gaap:SegmentContinuingOperationsMembersrt:RestatementAdjustmentMembersrt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2020-01-012021-12-310001353538apgt:AccountingForIncrementalCostContractWithCustomerMemberus-gaap:SegmentContinuingOperationsMembersrt:RestatementAdjustmentMembersrt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2020-01-012021-12-310001353538us-gaap:SegmentContinuingOperationsMembersrt:RestatementAdjustmentMembersrt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2020-01-012021-12-310001353538us-gaap:SegmentContinuingOperationsMembersrt:RestatementAdjustmentMembersrt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2021-12-310001353538apgt:AccountingForRevenueRecognitionMemberus-gaap:SegmentDiscontinuedOperationsMembersrt:RestatementAdjustmentMembersrt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2021-12-310001353538apgt:AccountingForIncrementalCostContractWithCustomerMemberus-gaap:SegmentDiscontinuedOperationsMembersrt:RestatementAdjustmentMembersrt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2021-12-310001353538us-gaap:SegmentDiscontinuedOperationsMembersrt:RestatementAdjustmentMembersrt:CumulativeEffectPeriodOfAdoptionAdjustmentMemberapgt:AdjustmentToGainOnDisposalMember2021-12-310001353538us-gaap:SegmentDiscontinuedOperationsMembersrt:RestatementAdjustmentMembersrt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2021-12-310001353538srt:RestatementAdjustmentMembersrt:CumulativeEffectPeriodOfAdoptionAdjustmentMember2021-12-310001353538srt:RestatementAdjustmentMember2020-01-012020-12-310001353538srt:ScenarioPreviouslyReportedMember2021-12-310001353538srt:RestatementAdjustmentMember2021-12-310001353538srt:ScenarioPreviouslyReportedMember2020-12-310001353538srt:RestatementAdjustmentMember2020-12-310001353538srt:ScenarioPreviouslyReportedMember2021-01-012021-12-310001353538srt:ScenarioPreviouslyReportedMember2020-01-012020-12-310001353538srt:ScenarioPreviouslyReportedMember2019-12-310001353538srt:RestatementAdjustmentMember2019-12-310001353538apgt:CyxteraTechnologiesIncMember2019-12-312019-12-31xbrli:pure0001353538apgt:CyxteraTechnologiesIncMember2019-12-310001353538apgt:BrainspaceCorporationMember2020-12-172020-12-170001353538apgt:BrainspaceCorporationMember2020-12-17apgt:segment0001353538srt:MinimumMember2021-01-012021-12-310001353538srt:MaximumMember2021-01-012021-12-3100013535382021-10-122021-10-120001353538apgt:AdvisorMember2021-10-122021-10-120001353538apgt:HoldersOfNewtownCommonStockAndAdvisorMember2021-10-120001353538apgt:SISHoldingsMember2021-10-1200013535382021-10-120001353538us-gaap:SegmentContinuingOperationsMember2021-01-012021-12-310001353538us-gaap:SegmentContinuingOperationsMember2020-01-012020-12-310001353538us-gaap:SegmentDiscontinuedOperationsMember2021-01-012021-12-310001353538us-gaap:SegmentDiscontinuedOperationsMember2020-01-012020-12-310001353538apgt:FormerParentMember2017-05-010001353538apgt:FormerParentMember2020-01-012020-12-310001353538apgt:ManagementCompanyMember2021-01-012021-12-310001353538apgt:ManagementCompanyMember2020-01-012020-12-310001353538apgt:FormerParentAndManagementCompanyMemberapgt:PromissoryNotesMember2019-03-310001353538apgt:FormerParentAndManagementCompanyMemberapgt:PromissoryNotesMember2020-12-310001353538apgt:PromissoryNotesMember2021-01-012021-12-310001353538apgt:PromissoryNotesMember2020-01-012020-12-310001353538apgt:PromissoryNotesMemberapgt:FormerParentMember2021-02-082021-02-080001353538apgt:ManagementCompanyMemberapgt:PromissoryNotesMember2021-02-082021-02-080001353538apgt:ManagementCompanyMember2021-02-080001353538apgt:ManagementCompanyMember2021-02-082021-02-080001353538apgt:BrainspaceCorporationMember2021-01-202021-01-200001353538apgt:BrainspaceCorporationMember2021-01-200001353538apgt:BrainspaceCorporationMember2020-12-310001353538apgt:BrainspaceCorporationMember2020-01-012020-12-310001353538apgt:MultiYearSubscriptionTermBasedLicensesMember2021-01-012021-12-310001353538apgt:MultiYearSubscriptionTermBasedLicensesMember2020-01-012020-12-310001353538apgt:SingleYearSubscriptionTermBasedLicensesMember2021-01-012021-12-310001353538apgt:SingleYearSubscriptionTermBasedLicensesMember2020-01-012020-12-310001353538apgt:SubscriptionTermBasedLicensesMember2021-01-012021-12-310001353538apgt:SubscriptionTermBasedLicensesMember2020-01-012020-12-310001353538apgt:SubscriptionSaaSMember2021-01-012021-12-310001353538apgt:SubscriptionSaaSMember2020-01-012020-12-310001353538apgt:SupportAndMaintenanceMember2021-01-012021-12-310001353538apgt:SupportAndMaintenanceMember2020-01-012020-12-310001353538apgt:SubscriptionRevenueMember2021-01-012021-12-310001353538apgt:SubscriptionRevenueMember2020-01-012020-12-310001353538apgt:PerpetualLicensesMember2021-01-012021-12-310001353538apgt:PerpetualLicensesMember2020-01-012020-12-310001353538apgt:ServicesAndOtherMember2021-01-012021-12-310001353538apgt:ServicesAndOtherMember2020-01-012020-12-310001353538country:US2021-01-012021-12-310001353538country:US2020-01-012020-12-310001353538country:CO2021-01-012021-12-310001353538country:CO2020-01-012020-12-310001353538country:EC2021-01-012021-12-310001353538country:EC2020-01-012020-12-310001353538apgt:OtherGeographicalLocationsMember2021-01-012021-12-310001353538apgt:OtherGeographicalLocationsMember2020-01-012020-12-310001353538apgt:UnitedStatesAndCanadaMember2021-01-012021-12-310001353538apgt:UnitedStatesAndCanadaMember2020-01-012020-12-310001353538srt:LatinAmericaMember2021-01-012021-12-310001353538srt:LatinAmericaMember2020-01-012020-12-310001353538us-gaap:EMEAMember2021-01-012021-12-310001353538us-gaap:EMEAMember2020-01-012020-12-310001353538srt:AsiaPacificMember2021-01-012021-12-310001353538srt:AsiaPacificMember2020-01-012020-12-310001353538us-gaap:GeographicConcentrationRiskMemberus-gaap:SalesRevenueNetMembercountry:US2021-01-012021-12-310001353538country:ECus-gaap:GeographicConcentrationRiskMemberus-gaap:SalesRevenueNetMember2021-01-012021-12-310001353538country:ECus-gaap:GeographicConcentrationRiskMemberus-gaap:SalesRevenueNetMember2020-01-012020-12-310001353538us-gaap:GeographicConcentrationRiskMemberus-gaap:SalesRevenueNetMembercountry:US2020-01-012020-12-310001353538us-gaap:GeographicConcentrationRiskMemberus-gaap:SalesRevenueNetMembercountry:CO2021-01-012021-12-310001353538us-gaap:GeographicConcentrationRiskMemberus-gaap:SalesRevenueNetMembercountry:CO2020-01-012020-12-3100013535382022-01-012021-12-310001353538us-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2021-12-310001353538us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMember2021-12-310001353538us-gaap:FairValueMeasurementsRecurringMemberus-gaap:FairValueInputsLevel3Member2021-12-310001353538us-gaap:FairValueMeasurementsRecurringMember2021-12-310001353538us-gaap:EmbeddedDerivativeFinancialInstrumentsMember2020-12-310001353538us-gaap:EmbeddedDerivativeFinancialInstrumentsMember2021-01-012021-12-310001353538us-gaap:EmbeddedDerivativeFinancialInstrumentsMember2021-12-310001353538apgt:ConvertibleSeniorNotesMemberus-gaap:ConvertibleDebtMemberus-gaap:MeasurementInputPriceVolatilityMember2021-12-310001353538apgt:ConvertibleSeniorNotesMemberapgt:MeasurementInputBondRateMemberus-gaap:ConvertibleDebtMember2021-12-310001353538apgt:ConvertibleSeniorNotesMember2021-01-012021-12-310001353538us-gaap:LeaseholdImprovementsMember2021-12-310001353538us-gaap:LeaseholdImprovementsMember2020-12-310001353538apgt:EquipmentAndFixturesMember2021-12-310001353538apgt:EquipmentAndFixturesMember2020-12-310001353538us-gaap:CustomerRelationshipsMembersrt:MinimumMember2021-01-012021-12-310001353538us-gaap:CustomerRelationshipsMembersrt:MaximumMember2021-01-012021-12-310001353538srt:MinimumMemberus-gaap:TrademarksAndTradeNamesMember2021-01-012021-12-310001353538srt:MaximumMemberus-gaap:TrademarksAndTradeNamesMember2021-01-012021-12-310001353538us-gaap:DevelopedTechnologyRightsMembersrt:MinimumMember2021-01-012021-12-310001353538us-gaap:DevelopedTechnologyRightsMembersrt:MaximumMember2021-01-012021-12-310001353538us-gaap:CustomerRelationshipsMember2021-12-310001353538us-gaap:CustomerRelationshipsMember2020-12-310001353538us-gaap:CustomerRelationshipsMember2021-01-012021-12-310001353538us-gaap:TrademarksAndTradeNamesMember2021-12-310001353538us-gaap:TrademarksAndTradeNamesMember2020-12-310001353538us-gaap:TrademarksAndTradeNamesMember2021-01-012021-12-310001353538us-gaap:DevelopedTechnologyRightsMember2021-12-310001353538us-gaap:DevelopedTechnologyRightsMember2020-12-310001353538us-gaap:DevelopedTechnologyRightsMember2021-01-012021-12-310001353538apgt:ConvertibleSeniorNotesMemberus-gaap:ConvertibleDebtMember2021-02-090001353538apgt:ConvertibleSeniorNotesMemberus-gaap:ConvertibleDebtMember2021-10-120001353538apgt:ConvertibleSeniorNotesMemberus-gaap:ConvertibleDebtMember2021-01-012021-12-310001353538us-gaap:SubsequentEventMemberapgt:ConvertibleSeniorNotesMemberus-gaap:ConvertibleDebtMember2022-02-090001353538us-gaap:SubsequentEventMemberapgt:ConvertibleSeniorNotesMemberus-gaap:ConvertibleDebtMember2022-02-092022-02-090001353538apgt:CashInterestPaymentsMemberapgt:ConvertibleSeniorNotesMemberus-gaap:ConvertibleDebtMember2021-12-310001353538apgt:PaidInKindInterestPaymentsMemberapgt:ConvertibleSeniorNotesMemberus-gaap:ConvertibleDebtMember2021-12-310001353538apgt:ConvertibleSeniorNotesMemberus-gaap:ConvertibleDebtMemberus-gaap:DebtInstrumentRedemptionPeriodOneMember2021-01-012021-12-310001353538apgt:ConvertibleSeniorNotesMemberus-gaap:DebtInstrumentRedemptionPeriodTwoMemberus-gaap:ConvertibleDebtMember2021-01-012021-12-310001353538apgt:ConvertibleSeniorNotesMemberus-gaap:ConvertibleDebtMember2021-12-310001353538apgt:ConvertibleSeniorNotesMember2021-12-310001353538us-gaap:LetterOfCreditMember2021-12-310001353538apgt:ClassBProfitInterestUnitsMember2017-05-310001353538apgt:ClassBProfitInterestUnitsMemberus-gaap:ShareBasedCompensationAwardTrancheOneMember2021-01-012021-12-310001353538apgt:ClassBProfitInterestUnitsMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2021-01-012021-12-310001353538apgt:ClassBProfitInterestUnitsMember2021-01-012021-12-310001353538apgt:ClassBProfitInterestUnitsMember2019-12-310001353538apgt:ClassBProfitInterestUnitsMember2020-01-012020-12-310001353538apgt:ClassBProfitInterestUnitsMember2020-12-310001353538apgt:ClassBProfitInterestUnitsMember2021-12-310001353538us-gaap:CostOfSalesMember2021-01-012021-12-310001353538us-gaap:CostOfSalesMember2020-01-012020-12-310001353538us-gaap:SellingAndMarketingExpenseMember2021-01-012021-12-310001353538us-gaap:SellingAndMarketingExpenseMember2020-01-012020-12-310001353538us-gaap:ResearchAndDevelopmentExpenseMember2021-01-012021-12-310001353538us-gaap:ResearchAndDevelopmentExpenseMember2020-01-012020-12-310001353538us-gaap:GeneralAndAdministrativeExpenseMember2021-01-012021-12-310001353538us-gaap:GeneralAndAdministrativeExpenseMember2020-01-012020-12-310001353538srt:MinimumMember2021-12-310001353538srt:MaximumMember2021-12-310001353538apgt:EmployerMatchTrancheOneMember2021-01-012021-12-310001353538apgt:EmployerMatchTrancheTwoMember2021-01-012021-12-310001353538apgt:EmployerMatchTrancheTwoMembersrt:MinimumMember2021-01-012021-12-310001353538apgt:EmployerMatchTrancheTwoMembersrt:MaximumMember2021-01-012021-12-310001353538apgt:OperatingLossCarryforwardExpirationPeriodYearOneMemberus-gaap:DomesticCountryMember2021-12-310001353538apgt:OperatingLossCarryforwardExpirationPeriodYearTwoMemberus-gaap:DomesticCountryMember2021-12-310001353538apgt:OperatingLossCarryforwardExpirationPeriodYearThreeMemberus-gaap:DomesticCountryMember2021-12-310001353538us-gaap:DomesticCountryMember2021-12-310001353538us-gaap:StateAndLocalJurisdictionMember2021-12-310001353538us-gaap:ForeignCountryMember2021-12-310001353538apgt:ReverseRecapitalizationAndPastAcquisitionsMember2021-12-310001353538country:US2021-12-310001353538country:CO2021-12-310001353538country:SE2021-12-310001353538apgt:OtherGeographicalLocationsMember2021-12-310001353538country:US2020-12-310001353538country:CO2020-12-310001353538country:SE2020-12-310001353538apgt:OtherGeographicalLocationsMember2020-12-310001353538us-gaap:GeographicConcentrationRiskMembercountry:COus-gaap:AssetsMember2020-01-012020-12-310001353538us-gaap:GeographicConcentrationRiskMembercountry:COus-gaap:AssetsMember2021-01-012021-12-310001353538us-gaap:GeographicConcentrationRiskMemberus-gaap:AssetsMembercountry:SE2020-01-012020-12-310001353538us-gaap:GeographicConcentrationRiskMembercountry:USus-gaap:AssetsMember2020-01-012020-12-310001353538us-gaap:GeographicConcentrationRiskMembercountry:USus-gaap:AssetsMember2021-01-012021-12-310001353538us-gaap:GeographicConcentrationRiskMemberus-gaap:AssetsMembercountry:SE2021-01-012021-12-310001353538apgt:CyxteraTechnologiesIncMember2021-12-31apgt:boardMember0001353538apgt:SISHoldingsMemberus-gaap:SubsequentEventMemberapgt:CyxteraTechnologiesIncMember2022-02-020001353538apgt:SaleOfCybersecurityProductsAndServicesMemberapgt:CyxteraTechnologiesIncMember2021-01-012021-12-310001353538apgt:SaleOfCybersecurityProductsAndServicesMemberapgt:CyxteraTechnologiesIncMember2020-01-012020-12-310001353538apgt:SaleOfCybersecurityProductsAndServicesMemberapgt:CyxteraTechnologiesIncMember2020-12-310001353538apgt:SaleOfCybersecurityProductsAndServicesMemberapgt:CyxteraTechnologiesIncMember2021-12-310001353538apgt:PurchaseOfDataCenterCoLocationAndCXDServicesMemberapgt:CyxteraTechnologiesIncMember2021-01-012021-12-310001353538apgt:PurchaseOfDataCenterCoLocationAndCXDServicesMemberapgt:CyxteraTechnologiesIncMember2020-01-012020-12-310001353538apgt:PurchaseOfDataCenterCoLocationAndCXDServicesMemberapgt:CyxteraTechnologiesIncMember2020-12-310001353538apgt:ChewyIncMember2021-12-310001353538apgt:ChewyIncMemberapgt:SaleOfCybersecurityProductsAndServicesMember2021-01-012021-12-310001353538apgt:ChewyIncMemberapgt:SaleOfCybersecurityProductsAndServicesMember2020-01-012020-12-310001353538apgt:ChewyIncMemberapgt:SaleOfCybersecurityProductsAndServicesMember2020-12-310001353538apgt:ChewyIncMemberapgt:SaleOfCybersecurityProductsAndServicesMember2021-12-310001353538apgt:SISHoldingsMemberapgt:CenturyLinkCommunicationsLLCMember2021-12-310001353538apgt:SaleOfCybersecurityProductsAndServicesMemberapgt:CenturyLinkCommunicationsLLCMember2021-01-012021-12-310001353538apgt:SaleOfCybersecurityProductsAndServicesMemberapgt:CenturyLinkCommunicationsLLCMember2020-01-012020-12-310001353538apgt:SaleOfCybersecurityProductsAndServicesMemberapgt:CenturyLinkCommunicationsLLCMember2021-12-310001353538apgt:SaleOfCybersecurityProductsAndServicesMemberapgt:CenturyLinkCommunicationsLLCMember2020-12-310001353538srt:ScenarioPreviouslyReportedMember2021-03-310001353538srt:ScenarioPreviouslyReportedMember2021-06-300001353538srt:ScenarioPreviouslyReportedMember2021-09-300001353538srt:RestatementAdjustmentMember2021-03-310001353538srt:RestatementAdjustmentMember2021-06-300001353538srt:RestatementAdjustmentMember2021-09-3000013535382021-03-3100013535382021-09-300001353538srt:ScenarioPreviouslyReportedMember2021-01-012021-03-310001353538srt:ScenarioPreviouslyReportedMember2021-04-012021-06-300001353538srt:ScenarioPreviouslyReportedMember2021-07-012021-09-300001353538srt:ScenarioPreviouslyReportedMember2021-10-012021-12-310001353538srt:RestatementAdjustmentMember2021-01-012021-03-310001353538srt:RestatementAdjustmentMember2021-04-012021-06-300001353538srt:RestatementAdjustmentMember2021-07-012021-09-300001353538srt:RestatementAdjustmentMember2021-10-012021-12-3100013535382021-01-012021-03-3100013535382021-04-012021-06-3000013535382021-07-012021-09-3000013535382021-10-012021-12-310001353538srt:ScenarioPreviouslyReportedMember2021-01-012021-06-300001353538srt:ScenarioPreviouslyReportedMember2021-01-012021-09-300001353538srt:RestatementAdjustmentMember2021-01-012021-06-300001353538srt:RestatementAdjustmentMember2021-01-012021-09-3000013535382021-01-012021-06-3000013535382021-01-012021-09-300001353538srt:ScenarioPreviouslyReportedMember2020-01-012020-03-310001353538srt:ScenarioPreviouslyReportedMember2020-04-012020-06-300001353538srt:ScenarioPreviouslyReportedMember2020-07-012020-09-300001353538srt:ScenarioPreviouslyReportedMember2020-10-012020-12-310001353538srt:RestatementAdjustmentMember2020-01-012020-03-310001353538srt:RestatementAdjustmentMember2020-04-012020-06-300001353538srt:RestatementAdjustmentMember2020-07-012020-09-300001353538srt:RestatementAdjustmentMember2020-10-012020-12-3100013535382020-01-012020-03-3100013535382020-04-012020-06-3000013535382020-07-012020-09-3000013535382020-10-012020-12-310001353538srt:ScenarioPreviouslyReportedMember2020-01-012020-06-300001353538srt:ScenarioPreviouslyReportedMember2020-01-012020-09-300001353538srt:RestatementAdjustmentMember2020-01-012020-06-300001353538srt:RestatementAdjustmentMember2020-01-012020-09-3000013535382020-01-012020-06-3000013535382020-01-012020-09-300001353538srt:ScenarioPreviouslyReportedMember2020-03-310001353538srt:RestatementAdjustmentMember2020-03-3100013535382020-03-310001353538srt:ScenarioPreviouslyReportedMember2020-06-300001353538srt:ScenarioPreviouslyReportedMember2020-09-300001353538srt:RestatementAdjustmentMember2020-06-300001353538srt:RestatementAdjustmentMember2020-09-3000013535382020-06-3000013535382020-09-300001353538us-gaap:SubsequentEventMemberus-gaap:RevolvingCreditFacilityMemberus-gaap:LineOfCreditMember2022-04-260001353538us-gaap:SubsequentEventMemberus-gaap:RevolvingCreditFacilityMemberus-gaap:LineOfCreditMember2022-12-202022-12-200001353538us-gaap:SubsequentEventMember2022-07-252022-07-250001353538us-gaap:SubsequentEventMember2022-07-012022-09-30
PART I
Item 1. Business
Mission Statement
Our mission is to empower and protect how people work and connect by enabling any user on any device to securely access any application, use any network or cloud and perform any transaction.
Overview
We believe we are defining a new category of Zero Trust access for enterprises and governments. Our Zero Trust platform is designed to protect against increasingly damaging breaches through innovative, identity-centric, context-aware solutions. Our pure-play focus on Zero Trust has enabled us to deliver the highest ranked current Zero Trust Network Access offering as determined by the Forrester New Wave™: Zero Trust Network Access, Q3 2021.
Legacy security platforms continue to fail. Secure access has always been essential to establishing trust between users and technologies. We believe that the Zero Trust framework secures all primary use cases including customer, employee, partner, cloud and Internet of Things (“IoT”). It is a framework for securing infrastructure and data for today’s modern digital environment. Legacy security models, such as virtual private network (“VPN”), give users unnecessarily wide, unrestricted and overprivileged network access. This enables attackers to move easily within organizations and cause tremendous damage. In contrast, Zero Trust is designed to transform security by granting users access to only those resources that are needed to do their job at a particular time and place. Zero Trust uniquely addresses the modern challenges of today’s business, including securing remote workers, controlling access to cloud environments, and defending against ransomware threats.
This new Zero Trust paradigm is needed today because enterprises are undergoing digital transformation as they seek to automate operations, generate new revenue streams, transition business models and deliver a seamless customer experience. Digital transformation, driven by growth in cloud computing, Software as a Service (“SaaS”), mobile devices, IoT, and similar technologies, as well as the increasing prevalence of remote work, has changed the nature of cybersecurity risks by proliferating the number of entry points to organizations’ networks. This is often referred to as “increasing the attack surface”. Simultaneously, the number and sophistication of cyberattacks have increased dramatically, as has their costs and frequency. This combination of more vulnerable networks and more malicious activity has created a cybersecurity crisis, changing the threat landscape organizations face. As a result, enterprises require security access solutions that proactively ensure the right user has authorized access to the right resources at the right time.
We have built a Zero Trust platform which, we believe, is a critical, central pillar of a modern cyber security architecture that will replace legacy perimeter-centric security solutions and is designed to address the current cybersecurity crisis. These legacy solutions are insufficient to secure organizations, their infrastructure and their data. By contrast, we believe that our Zero Trust solutions secure an enterprise’s exponentially increased attack surface, which occurs as a result of their digital transformation journey. We also offer digital threat protection and risk-based authentication tools to identify and eliminate attacks before they occur, across social media, phishing attacks, bogus websites, and malicious mobile apps.
Our solutions give our customers the ability to lower costs and increase efficiency, while improving compliance and providing security that is persistent, identity-centric and context-aware. Our platform enables enterprises to leverage existing investments in IT and security infrastructure. The subsequent cost savings and returns on investments include: leveraging existing network security controls to effectively apply policies, using a service desk business process to control network access and automating cloud security with a Zero Trust framework.
We are pioneering Zero Trust access across all environments, including public cloud, private cloud, multi-cloud, on-premises or permutations of all of the above and believe its rapid adoption signals the early stages of a long-term shift away from legacy perimeter-centric security solutions. We believe our purpose-built capabilities address the hybrid, cloud, and on-premises network security markets, which Gartner estimates is approximately a combined $39 billion market opportunity in 2021, expected to grow at a 14% compound annual growth rate (“CAGR”) to reach approximately $57 billion by 2024. We also believe a subset of our capabilities address the Fraud Detection and Prevention (“FDP”) market, which, according to Global Market Insights, was a $20 billion market in 2018 and is expected to grow at a 23% CAGR from 2019-2025.
Our leadership in Zero Trust has also been recognized by third party research firms. In September 2021, Forrester, the firm that originally coined the term “Zero Trust,” named us a leader in their Forrester New Wave™ for Zero Trust Network Access report. The report highlighted our ability to address cloud, on-premises and hybrid IT models, noting that Appgate “Software Defined Perimeter”, or SDP, “is the best fit for companies that need high security and a self-hosted option. Appgate offers its Zero Trust Network Access (“ZTNA”) as a SaaS, but also as a self-hosted option for enterprises and agencies that need it.” Separately in September 2020, Forrester also named us a leader in the Forrester Wave™ Zero Trust eXtended Ecosystem report. The report noted that Appgate serves mega-enterprises and Department of Defense (“DoD”) customers, which we believe is a testament to our capabilities and positions us well to benefit from the rising demand for Zero Trust solutions.
We believe our solutions address the complex needs of global enterprises and governments. Our go-to-market strategy consists of both direct sales and indirect channel partners. Currently, we serve over 650 organizations across approximately 80 countries, including domestic and international government agencies and Fortune 500 enterprises that include at least one of the top-fifteen largest companies by revenue in each of the defense contracting, telecommunications, systems integrator, and oil and gas sectors.
We sell our solutions primarily through a recurring revenue license model or subscription, and employ a ‘land and expand’ strategy to generate incremental revenue through the addition of new users and the sale of additional products. We believe the success of our strategy is validated by our strong dollar-based net retention rates. Our dollar based net retention rates were 114% and 105% at December 31, 2021 and 2020, respectively. Our annual recurring revenue (“ARR”) was $31.1 million and $22.5 million at December 31, 2021 and 2020, respectively. Our number of customers generating over $100,000 ARR increased 50% from December 31, 2020 to December 31, 2021, driven by elevated C-suite and board level dialogue and customer prioritization of a Zero Trust posture. See “Item 7—Management’s Discussion and Analysis of Financial Condition and Results of Operations—Key Business Metrics” for additional information regarding ARR.
We have achieved significant growth in recent periods, with our revenue increasing from $33.2 million for the year ended December 31, 2020 to $43.0 million for the year ended December 31, 2021, an increase of 30%. We continue to invest in growing our business and, as a result, we incurred net losses from continuing operations before income taxes of $52.5 million for the year ended December 31, 2020 and $136.4 million for the year ended December 31, 2021.
Industry Background
Digital Transformation has Upended Traditional IT Architectures and Environments
Rapidly accelerating digitization has transformed traditional IT architectures, and organizations are confronting the need—indeed the requirement—to transform their business models and environments from legacy, standalone, static systems, and applications, to more dynamic, cloud-native, distributed solutions. For decades, IT environments were defined by company-owned devices operating on company-owned or controlled infrastructure and networks. However, the explosion of the internet, rise of cloud computing, and the proliferation of workloads and mobile devices has upended the legacy IT infrastructure model.
•Proliferation of the cloud and the rise of “as-a-service” solutions. Organizations have embraced cloud-based “as-a-service” delivery models to empower employees and customers and increase the speed of deployment. According to Gartner, more than 75% of organizations will be using a multi-cloud approach by 2021, and IDC forecasts the global public cloud services market to grow to approximately $809 billion in 2025 from $385 billion in 2021. These types of environments have massively increased the complexity of IT infrastructure and expanded the scope of the corporate network. This is especially true as enterprises increasingly adopt powerful but complex Infrastructure and Platform as a service (IaaS and PaaS) for the development and deployment of custom and mission-critical business applications.
•Work from anywhere and bring your own device (“BYOD”). Organizations now expect their workers to securely move from place-to-place and device-to-device without losing productivity. These same workers are also now encouraged, and often expected, to use their own devices for work-related activities. The work from anywhere, BYOD culture, with employees accessing corporate applications on their personal laptops, tablets, and smartphones, has accelerated over a number of years and now appears permanent. Businesses have been forced to adjust their IT environments in response to these trends and are faced with employee devices that lack the level of
control and security of company-owned devices. As a result, the corporate network has been extended well beyond the secure boundaries of a corporate office, leaving it significantly more exposed to cyberthreats.
•Connected devices and the internet of things (“IoT”). From mobile devices to cameras and sensors, the number of devices on a corporate network has multiplied exponentially over the last few years and is expected to continue growing rapidly due to new technologies such as 5G, and to the business and technical benefits delivered by these new technologies and tools. According to a 2020 Cisco white paper, the number of connected devices is expected to reach 29.3 billion by 2023, up from 18.4 billion in 2018. This trend has served to significantly increase the attack surface.
Cybersecurity Threats and Impact Multiplying
The evolution of IT environments coupled with motivated and sophisticated hackers has increased the risk of cybersecurity attacks. Lateral network movement, ransomware, and insecure remote access are resulting in a higher number of attacks of worsening severity with a lengthened time to detection. Cybersecurity Ventures predicted that in 2021, a ransomware attack will occur every 11 seconds, four times more frequently than in 2016.
•Expanded attack surfaces. As IT environments have evolved, the adoption of hybrid, multi-cloud, BYOD, and IoT, as well as the massive shift to remote work, has altered the nature of cybersecurity risks by growing exponentially the number of entry points to organizations’ networks. With each new user, connection, device, or online interaction, the attack surface, the scope of network vulnerabilities, and the likelihood of network infiltration all increase. The increased attack surface also serves as a source of increased complexity for enterprise defenders. To date, traditional security tools and strategies have not kept up with this increased complexity.
•Lateral movement. Once a hacker penetrates a network, their ability to move laterally allows them to travel extensively throughout the network, increasing the volume of data they are able to compromise, and increasing the risk that more sensitive data is exposed. The ability to move laterally and remain undetected for long periods of time in the network is one of the leading drivers behind the high costs of breaches. The 2020 “SolarWinds” attack, which affected as many as 425 of the Fortune 500 and all branches of the US military, highlights the ability of an attacker to leverage lateral movement after breaching an organization’s network. The original breach occurred sometime between March and June of 2020, when clients of SolarWinds downloaded a software update that was infected with malicious code. The perpetrators were then able to move laterally within the networks of these organizations, remaining undetected by traditional perimeter-based network security solutions until December of 2020, providing the hackers with ample time to gather sensitive data and install more malware. In addition to threats caused by external actors, insider threats, typically coming from employees or third-party contractors, also pose a growing security threat to organizations. According to IBM, non-malicious insiders caused 23% of organizational data breaches in 2020. Insider breaches, malicious or inadvertent, are expensive, with an average cost of $3 million per breach in 2020.
•Sophisticated adversaries. Today’s hackers are highly skilled, often backed by well-funded militaries, intelligence services, or criminal organizations and motivated by some combination of financial, criminal, and terrorist objectives. They can launch complex attacks, often executed over multiple steps, starting with an initial breach of the corporate network followed by lateral movement, slowly escalating their privileges to access increasingly critical and proprietary data.
The combination of more vulnerable networks and more malicious activity has created a cybersecurity crisis for organizations. According to Cybersecurity Ventures, cybersecurity breaches are expected to cause a record $6 trillion in aggregate damages in 2021 alone. Cybersecurity breaches can also have a significant impact on society beyond the direct financial costs. This is illustrated by the recent Colonial Pipeline ransomware attack, which resulted in fuel shortages and spikes in gasoline prices across a number of U.S. states, and by the spike in cyberattacks on health care systems during the pandemic, impacting patient care.
Traditional Cybersecurity Tools are Limited in Protecting Against Today’s Threats
Traditional cybersecurity tools are failing to meet the challenge of modern IT environments due to inherent weaknesses in their structure and design philosophy.
•Implicit trust at the center of traditional perimeter-centric security model. Traditional cybersecurity tools are largely perimeter-centric, focused on securing the boundary between a private network and the public internet. This model is built on the notion of implicit trust, which is the assumption that traffic originating from within a private network does not represent a risk. This critical characteristic allows for lateral movement, giving infiltrators the ability to remain undetected as they move across a network, causing widespread and costly damage. According to IBM, the average breach in 2021 took 212 days to detect and another 75 days to contain, giving an attacker plenty of time to cause significant financial and reputational damage to an organization. While this perimeter-centric approach worked historically when enterprise networks had fewer points of entry, today’s IT environments and distributed workloads have softened the network perimeter, blunting the effectiveness of the perimeter-centric security model.
•Outdated tools are siloed and lack context awareness. Traditional security tools such as VPNs, firewall equipment, and network access control (“NAC”) equipment are outdated, siloed, have well-known and widely exploited vulnerabilities, and are unable to properly secure a modern IT environment. These tools employ an outdated model of a single network perimeter entry point and broad network access privileges. VPNs inherently have a “coarse-grained” access control model, granting or denying users access to broad sections of the network, and lack context-aware, fine-grained security permissions, resulting in increased severity of any breach.
•Cybersecurity defenses are overly complex. Organizations often deploy numerous cybersecurity tools from various vendors, reactively deploying new tools in response to emerging threats. This has left many organizations with a patchwork cybersecurity model consisting of a mix of tools from a range of vendors, typically with poor integration and communication among tools, lacking an integrated cybersecurity solution with a unified control point. The resulting complexity makes it challenging for IT professionals to manage the tools effectively and offers poor visibility into potential vulnerabilities and breaches. The need for a new paradigm and approach to cybersecurity is crucial to protect organizations from adversaries and to avoid costly network breaches.
Cybersecurity Defense is Shifting to a Context-Aware, Dynamic Security Model
Zero Trust represents a paradigm shift in cybersecurity. It moves from the legacy static, network-based, perimeter-centric security model to a dynamic, context-aware model based on users, identities, applications, and business processes. The foundation of the Zero Trust model is the idea that no person, device, or application should be implicitly trusted, and that the entire extended network represents an attack surface.
Why Zero Trust Framework Works
•Eliminates the need for implicit trust. Zero Trust eliminates the need for the implicit trust that is often granted based on physical or network location, and instead requires that all access be identity-driven and earned via dynamic attributes and strong authentication.
•Context-aware and secure access privileges. The Zero Trust model grants users access only to specific and required resources unlike the traditional security model designed on the premise of implicit trust where users are given overprivileged access and can move laterally within a network. Users are continuously monitored, and if their context or device changes, network access can be revised accordingly or revoked entirely. This approach represents a paradigm shift in the cybersecurity posture, increasing organizational resiliency when facing attacks and better equipping them to isolate and limit the impact of any network breach.
Zero Trust framework has emerged as the clear answer to today’s cybersecurity threats. Following the “SolarWinds” attack, the National Institute of Standards and Technology (“NIST”), the National Security Agency (“NSA”) and the Cybersecurity and Infrastructure Security Agency (“CISA”) released guidance recommending a Zero Trust framework. Subsequently, in May 2021, President Joe Biden issued an Executive Order explicitly calling for the adoption of a Zero Trust Architecture by the federal government to improve the nation’s response to “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” The federal government continues to lead the industry in setting standards with the September 2021 release of a Zero Trust maturity model and Zero Trust strategy documents.
With an increasingly threatening landscape, to ensure security every organization and government in the world will need to update their traditional cybersecurity tools with a solution that is able to stand up to today’s threats. We believe that the Zero Trust framework has established itself as that solution and represents the next generation cybersecurity solution.
Our Solutions
We provide identity-centric and context-aware Zero Trust access solutions that ensure security and compliance across all environments, including on-premises, hybrid, and cloud-native. We also offer a digital threat protection and risk-based authentication and comprehensive risk management tool designed to identify and eliminate attacks before they occur, across social media, phishing attacks, bogus websites, and malicious mobile apps. The following combination of software and services are increasingly the central pillar of our customers’ cybersecurity architecture:
•Appgate Software-Defined Perimeter (“SDP”). Appgate SDP, leveraging unified access policies that are simple to understand and write, is designed to ensure trusted network access for users across all devices and IT environments, whether on-premises, hybrid or cloud-based. Unlike legacy solutions where users manually and constantly switch VPN tunnels to establish secure connections, SDP users connect once and gain access only to authorized applications across a heterogeneous and distributed IT landscape. SDP defends our customers’ networks from wrongful access and continuously monitors for changes in user behavior once a connection is made. In order to prevent lateral movement from unauthorized users, the network remains invisible, exposing no ports, until a user is authenticated and connected. Once authenticated and on the network, SDP employs the principles of “least-privileged access,” granting limited access, only to the extent required. Access is conditional and based on multiple factors, and if SDP detects changes during the online session, the user can be denied access in part or in full. The most common Appgate SDP use cases include VPN replacement for remote access, securing cloud access, supporting cloud migrations, securely providing third-party access, secure Development and Operations (“DevOps”), and integrating Merger & Acquisition (“M&A”) assets into a secure network environment.
•Risk-Based Authentication (“RBA”). RBA offers an intelligent and contextually aware approach to authenticating users and approving transactions without friction. Legacy password-only solutions are a weak authentication measure that unintentionally creates friction for enterprise customers. By contrast, our RBA approach uses real-time behavioral risk assessments, context-based authentication and machine learning, all designed to protect individuals against targeted attacks. Transactions and user behavior are continuously monitored to qualify the risk on any channel. Should the RBA solution determine the person attempting to access their account is illegitimate, transactions can be blocked or challenged in real-time, preventing account takeover.
•Digital Threat Protection (“DTP”). Our DTP solution is designed to combat external threats targeting consumers across social, mobile and the dark web, including phishing links, malicious mobile apps, and fraudulent websites. DTP continuously monitors activity, provides early-stage warnings, orchestrates takedowns and can proactively stop attacks before damage is done, often before intended victims are aware.
•Threat Advisory Services. Our Threat Advisory Services are designed to proactively identify vulnerabilities and validate defenses using a combination of advanced penetration testing, adversary simulation and other customized services. We use highly sophisticated, bespoke processes based on the individual needs of our customers to simulate nation-state-level and other complex attacks. These engagements help organizations test and validate the security investments they’ve made and act as an opportunity to implement our software solutions based on remediation recommendations as we help our customers accelerate their Zero Trust journey. Threat Advisory Services are an important tool in our pursuit to future proof our customers’ defenses against malicious activity, as they allow us to gain real-time information from our services engagements to stay up to date on evolving cybersecurity threats. We leverage this data to inform our software technology roadmap, helping us effectively address our customers’ expanding security needs.
Key Benefits
Our platform based on Zero Trust principles is scalable, integrates with disparate security and non-security solutions and operates in any complex IT environment. Our platform empowers organizations to undertake their digital transformation journey and enables development and operations teams to collaborate, quickly build and improve applications and drive business performance. Key benefits of our solutions include:
•Enhanced network security based on Zero Trust. As a pioneer, leader, and one of the earliest proponents of Zero Trust, we have built and honed a pure-play platform based on Zero Trust principles to facilitate secure interactions for organizations, users, and their devices. Our solutions use the principles of Zero Trust to strengthen network security, making it harder for adversaries to attack a network. Additionally, if a breach occurs, an attacker’s lateral movement is restricted so the attacker can be identified and swiftly contained, potentially limiting overall damage and exposure.
•Effective across all environments. Organizations require infrastructure to support on-premises, hybrid, cloud, IoT, BYOD, and other disparate platforms. Our identity-centric and context-aware solution dynamically adjusts to changes in user behavior across all interconnected environments. Many organizations have a patchwork of products that are often poorly integrated, creating additional complexity, security gaps, and administrative burden, creating an opportunity for our solutions. We believe we were among the first to identify the need for and deliver an enterprise class, software-based, unifying solution that dynamically works across all environments to become an organization’s executive team’s cyber-defense partner.
•Greater flexibility for customers and their users. Our solutions offer fast, secure, direct connections from any location, enabling increasingly popular remote workforce models. Unlike perimeter-based approaches, our SDP platform uses a dynamic identity-centric policy model to connect users from any device in any location. While remote workforce models typically expand security risk, our security architecture is designed to ensure that increased workforce mobility does not create incremental vulnerable access points.
•Strong integration capabilities. Our solutions can be deployed alongside existing security systems and across the entire IT environment. We utilize what we believe is the broadest set of APIs for Zero Trust in the industry to enable our products to coordinate and communicate with other IT systems and improve the interoperability with existing security infrastructure. Through integration with our Zero Trust security solution, customers have the potential to extend both the reach and value of their existing security and non-security tools. We believe this value proposition enables a faster purchasing decision and differs from “next generation” security solutions that require an overhaul of a customer’s existing security system architecture.
•Lower total cost of ownership. Adoption of our user-friendly software solutions frequently leads to improved operational efficiency for organizations. A recent Nemertes survey of our customers concluded that all respondents reported improvements in one or more key operational metrics, including average user provisioning time, average number of staff required for user provisioning, average login time, number of security incidents and trouble tickets and number of concurrent users, after adopting our solutions.
•Simplified and more effective security model. We allow system administrators to create a single set of access policies that can be used uniformly across multiple disparate environments, increasing ease of use, operational efficiency, and security. This is in sharp contrast to not only traditionally siloed products, such as VPNs and NACs, but also many other ZTNA providers, who utilize static versus dynamic security rules, or who cannot secure access for on-premises users.
•Seamless end user experience. We provide automatic, dynamic access without having to frequently engage with the end user or disrupt workflow processes. Users are authenticated the same way regardless of where they are located or what device they are using. This approach differs from, and can be a replacement for, inflexible tools like VPNs and static multi-factor authentication systems, which often require users to re-authenticate themselves routinely, frustrating users.
•Complex fraud prevention. We offer consumer-facing organizations a comprehensive set of solutions based on Zero Trust principles to prevent fraud. Powered by machine learning and behavioral analytics designed to identify and prevent fraudulent activities, we assess risk based on user behavior to authenticate connections. Our proprietary technology is focused on detecting and deactivating targeted external threats which utilize phishing links, malicious mobile apps, or fraudulent websites. We continuously analyze and monitor an array of digital channels to identify threats, and execute site take-downs, often before intended victims are aware. Finally, we provide rich insights on potential victims, so organizations can be better prepared to stop future complex fraud campaigns.
Competitive Strengths
Our competitive strengths include:
•Pioneering Zero Trust solutions delivering next generation IT security. Our Zero Trust solutions are purpose-built to meet the needs of modern organizations, whose IT infrastructures are transforming with the adoption of containerized, cloud, SaaS, mobile, IoT, and remote work environments. Our solutions are designed from the ground up on Zero Trust principles to function and integrate across all IT environments, which has the potential to make them more effective at securing IT infrastructures as compared to repurposed legacy solutions. Our solutions allow system administrators to create a single set of policies that can be applied uniformly across multiple environments, reducing the risk of errors. We believe our primary focus on Zero Trust has enabled us to build an industry leading solution.
•Industry leading reputation. Our SDP product was named a “Leader” in the Forrester New Wave™ for Zero Trust Network Access (Q3 2021) and, as of March 25, 2022, received 4.7 out of 5 stars from customer reviews on Gartner Peer Insights. Appgate was also recognized by Forrester in their “New Tech: Zero Trust Network Access, 2021” report, as a mature or “Late-Stage” vendor, indicating significant company tenure, number of customers, employees, and funding level as compared to our peers. Our RBA solution was named a “Leader” in Quadrant Solutions’ SPARK Matrix™: Risk Based Authentication, 2021 report. We believe these high-profile recognitions received from trusted industry experts have elevated our reputation with existing and prospective customers.
•Highly scalable ‘land and expand’ go-to-market (“GTM”) strategy driving C-Suite engagement. We leverage a ‘land and expand’ GTM strategy that can scale rapidly as we demonstrate value to customers and achieve broader deployment across their infrastructure. We deploy an integrated technical sales approach complemented by channel partners, such as Lumen, Optiv, Presidio, Guidepoint Security, DXC, TechMatrix, SageNet, Q2, Alkami, GBM, CLM and Kite, which helps us meet the needs of our expanding customer base. This GTM approach is turbocharged by our battle-tested sales engineering team, which can help demonstrate the value of our solutions to stakeholders outside of the IT organization. We believe that cybersecurity has become a key business issue for executives, not just an area of concern for IT professionals; our ability to elevate conversations to a strategic level and secure buy-in from all stakeholders is a critical differentiator, unlocking broader deployment of our solutions.
•Strong customer focus. We are a trusted, long-term, strategic partner to our customers. On a recent Nemertes survey of our customers, 100% of respondents said Appgate accelerated their digital transformation, and of those implementing Appgate SDP, our importance to their strategy ranked 9.5 out of 10. These strong customer satisfaction metrics stem from our customer success team’s close collaboration with clients throughout their journey as a customer, communicating frequently with them through quarterly business reviews, supporting them as novel issues and use cases arise, and constantly seeking feedback to drive improvement in our solutions. We also established a Customer Advisory Board, which provides an open dialogue with customers to ensure that we prioritize, understand, and adapt to their changing needs. Our current customer base includes at least one of the top-fifteen largest companies by revenue in each of the defense contracting, telecommunications, systems integrator and oil and gas sectors, validating our customer-focused strategy.
•Seamless API-based integration. Our solutions offer feature-rich, easy-to-use APIs that allow for integration with existing solutions, which enables our customers to drive more value from their in-place solutions. Our APIs facilitate quick deployment alongside existing security solutions, from which threat data and context can be extracted, and are used to enrich our risk scoring and authentication decisions. We continue to partner with other cybersecurity vendors, such as Crowdstrike and others, to deepen the abilities of our API integrations.
•Deep management strength with extensive cybersecurity experience. Our seasoned executives were among the earliest pioneers in Zero Trust security. Our senior management team has extensive expertise in the cybersecurity industry with deep knowledge of the markets in which we operate. With an average of over 20 years of experience in the enterprise technology and cybersecurity space, our highly accomplished management team demonstrate a historical track record of success and are devoted to the continued growth and success of our business.
Our Opportunity
As organizations reshape their IT infrastructure around hybrid, multi-cloud, SaaS, mobility, IoT, BYOD, containerized workloads, and with remote working environments and cyber threats rising rapidly, the need for a new security model is increasingly mission-critical for many enterprises. Zero Trust security is emerging as the leading next generation security model and we believe we are a pioneer in this transforming industry and are well-positioned to capitalize on the market opportunity.
•Hybrid, multi-cloud, and on-premises network security. Gartner estimates this aggregate market as approximately $39 billion in 2021, expected to grow at a 14% CAGR to approximately $57 billion by 2024. According to 451 Research, as of 2020 approximately 58% of organizations are utilizing or plan to utilize a hybrid IT environment. Our SDP platform is designed to ensure trusted access for all corporate users across all environments.
•VPN replacement. Gartner predicts that 60% of enterprises will phase out their remote access VPN in favor of ZTNA by 2023. Our SDP platform offers secure VPN replacement across all environments including hybrid, multi-cloud, and on-premises.
•Secure Access Service Edge (“SASE”). SASE refers to integrated security and network solutions that secure IT environments. According to Gartner, the global SASE market is projected to grow at a CAGR of 36% reaching almost $15 billion by 2025. We believe that ZTNA is the most critical element of SASE given its role in regulating network access, and our SDP platform is a recognized leader in ZTNA.
•Fraud Detection and Prevention (“FDP”). Organization and individuals face a growing set of active and targeted phishing campaigns, as well as increased use of malicious websites and mobile apps for criminal purposes. The growth in these threats is underpinned by continued expansion of online banking, e-commerce, and Peer-to-Peer (“P2P”) payment applications. According to Fortune Business Insights, the FDP market is estimated at approximately $27 billion in 2021 and is projected to reach approximately $142 billion by 2028, representing a 26.7% CAGR. Ensuring that their customers aren’t deceived by fraudulent websites, phishing campaigns, or mobile apps is critical to businesses’ reputations, and our RBA and DTP solutions are designed to address these threats and we believe are critical tools in the FDP ecosystem. Illustrating the imminent need for fraud prevention, the Federal Trade Commission reported that Americans lost over $3 billion to fraud in 2020.
We believe we are well-positioned to capitalize on the market opportunity to displace legacy network security solutions, which are ill-equipped to effectively secure cloud or hybrid IT environments, and the use of which increases entry points for adversaries and the risk of network breaches.
Growth Strategies
Key elements of our growth strategy include:
•Continue to grow customer base. We believe our solutions are well positioned to serve not only large, security-conscious organizations with complex, hybrid IT environments, but also medium and small sized customers. We believe scaling our sales team and increasing our investment in channels and strategic partners will fuel our customer base growth.
•Increase adoption within our existing customers. We utilize a ‘land and expand’ strategy through which we expand existing customer accounts by adding new use cases or more users, including third-party users and contractors. We expect many of our existing SDP customers to use our network of other software and services, driving growth.
•Continue to innovate and enhance our offerings. We plan to continue to expand our Zero Trust platform and capabilities to develop new products and add new modules in existing offerings to address additional use cases. As a pioneer in Zero Trust access solutions and cybersecurity defense, we are continuing to invest in the platform, and are launching solutions, in additional high growth cases, such as Zero Trust for cloud and IoT. We invested approximately 25% of our revenue in research and development during the year ended December 31, 2021 and maintain a robust product and technology roadmap. Our roadmap incorporates customer feedback which gives us
confidence that we will be able to monetize our development efforts as we seek to offer highly scalable, flexible, and user-friendly products to address a variety of high-impact use cases.
•Grow our global footprint. We currently have customers in approximately 80 countries and have offices in 8 countries, reflecting the importance of our global footprint and our success building an international presence. For the year ended December 31, 2021, international sales represented approximately 52% of our revenue. We believe global demand for our offerings will continue to increase as international organizations further embrace Zero Trust access solutions in response to evolving cybersecurity threats and sophisticated adversaries. While we expect our international markets to continue to grow, we anticipate the growth in North America to outpace that of international markets.
•Expand our channel and product partnerships. Our Zero Trust solutions are highly complementary to a number of other cybersecurity products, and as such, we have built a number of highly strategic product and go-to-market partnerships. Our products are easy to deploy and can be distributed by value-added resellers and service providers. We have strong channel partnerships with Lumen, Optiv, Presidio, Guidepoint Security, DXC, TechMatrix, SageNet, Q2, Alkami, GBM, CLM, and Kite, among others and work closely with federal systems integrators such as Raytheon, Northrop Grumman, and ManTech, each of whom are building out solutions around our products for wider distribution. We also continue to work with technology alliance partners to offer integrated solutions to our customers. For example, Appgate recently entered a partnership with CrowdStrike, integrating our Appgate SDP solution, with the CrowdStrike Falcon Zero Trust Assessment (ZTA) capability of CrowdStrike Falcon Insight EDR. This flexible, scalable integration provides a frictionless path for accelerating enterprise Zero Trust journeys. It will help organizations achieve intelligence-aware and dynamic secure access policy enforcement — reducing their attack surface and mitigating lateral movement on their networks. CrowdStrike Falcon ZTA expands Zero Trust beyond authentication to enable Appgate’s detection, alerting and enforcement of risk-based access policies driven by device health and compliance checks. The solution monitors more than 120 unique endpoint settings to deliver partners a device security posture assessment, allowing them to build powerful and granular security policies.
•Expand our presence with U.S. federal governments and governments around the world. With NIST, the White House, and other agencies endorsing the adoption of Zero Trust, we expect to have ample opportunities to leverage our early and continued success with the Department of Defense and Department of Homeland Security and to build trust with other government agencies and departments. Our SDP solution was the first SDP product to be Common Criteria Certified, which is the international “gold standard” for Information Technology security. Common Criteria is recognized by approximately 30 nations and was developed by the United States, United Kingdom, Canada, France, Germany, and the Netherlands. Appgate has government customers across the world. In addition, we are expanding our SLED (State, Local, Education) sales team to capitalize on the momentum of Zero Trust in this sector. Approximately 67% of state CIOs said introducing or expanding a zero-trust framework would be a focus in the next two to three years, according to a recent National Association of State Chief Information Officers survey.
Our Technology and Architecture
Appgate’s cybersecurity solutions empower and protect how people work and connect. Our solutions are designed to enhance security, limit the ability of attackers to succeed, and minimize damage in the event of a breach. We recognize that IT, business, and security infrastructures are complex and can act as impediments to innovation, security, efficiency, and effectiveness. Organizations need security solutions that can be easily and effectively deployed and integrated into their existing environments.
Our solutions are designed with customer integration and customer success in mind, and this philosophy has influenced our technology architecture. We believe that customers should retain the choice of where and how to deploy their security infrastructure, enforce access, and route traffic. As such, we have designed and built our solutions to support secure access to the cloud and on-premises.
Appgate SDP
Our flagship Zero Trust Network Access solution, Appgate SDP, is designed to secure enterprise environments by applying the core principles of Zero Trust. Using Appgate SDP, our customers have successfully achieved enterprise Zero Trust security, at scale and with speed, integrated into their IT and security teams, business processes, and technologies. With
Appgate SDP, enterprises can eliminate weak and ineffective components of their security architecture (such as VPNs), while integrating with and obtaining more value from the remaining components (such as Identity Management and IT Service Management).
Appgate SDP is designed to provide enterprise-class ZTNA capabilities, providing a highly resilient system with no single point of failure, and near wire speed throughput. Its distributed architecture makes SDP easy to scale and deploy across any network infrastructure, including hardware, software, virtual, and cloud. It enables complete customer control over deployment topologies and location of policy enforcement points. Its secure multi-tunnel approach is designed with users at the center, dynamically creating a session-based micro-perimeter dedicated to each user — what we term a “segment of one”. This allows for an efficient, secure, and resilient connection to the permitted set of enterprise resources. This compares favorably to traditional security and remote access solutions, which often force user traffic to traverse a vendor cloud or enterprise WAN, resulting in poor performance, limited scalability, and the perpetuation of a weak security model. In addition to controlling access to enterprise resources through Zero Trust policy enforcement points, the Appgate SDP system itself is cloaked and invisible to unauthorized users, utilizing a cryptographic mechanism termed Single-Packet Authorization (SPA). SPA is designed to ensure that legitimate users can securely access resources from any location, without exposing any attack surface to malicious actors.
The Appgate SDP architecture is fully aligned with the NIST Zero Trust model, which contains the following fundamental principles:
•No implicit trust. There is no inherent trust or access granted to assets or user accounts based solely on their physical or network location — the model instead assumes a network has already been breached.
•Authentication and authorization required before access is granted. Authentication and authorization are discrete functions performed before any access to an enterprise resource is permitted. This applies to users, servers and devices.
•Minimal attack surface (principle of least privilege). All users, devices, and networks only permit access to the minimal set of resources, and only for authenticated and authorized users. This applies to all users (remote and on-premises), all devices (enterprise-issued and BYOD), and all resource types (on-premises, cloud-based, physical, or virtual). The system, and all enterprise resources, are cloaked and invisible to all unauthorized actors.
•Dynamic, identity-centric policies. The focus is on protecting specific resources (assets, services, workflows, network accounts, etc.), not broad network segments. Access policies dynamically evaluate user, device, network, and resource attributes to make decisions about whether access should be permitted at any given point in time.
Deployment Architecture
The Appgate SDP deployment architecture is comprised of the following five elements.
A.Client. The user of a resource (described below). In the typical Appgate SDP use case, the client is an organization’s employee seeking to access an application from a PC or mobile device.
B.Controller. Effectively the brain of the system, the controller houses the enterprise policy model (the rules used to determine which users should have access to which resources), aggregates the information required to enforce the enterprise policy model, and then makes an authentication and authorization decision.
C.Gateway. Policy enforcement points that restrict access to resources until a client is authorized.
D.Enterprise Systems. Sources of information about a user and context used to make authentication and authorization decisions.
E.Resource. Any application, server, network, IoT device, containerized workload, etc. that can be located in any cloud or on-premises environment.
A conceptional depiction and description of the Appgate SDP deployment architecture are as follows:
1.The Client first connects to the Controller.
2.The Controller begins by authenticating the user with the enterprise identity provided. It then aggregates all relevant data from the Enterprise Systems, including information about both (a) the user’s identity, location, and device security posture and (b) contextual information from the organization’s network, security, and business process systems. The Controller then uses this information to determine which resources the user should have access to at that particular time and place.
3.The Controller generates and sends a live entitlement token to the user. An entitlement token is an electronic credential that indicates which resources a user should have access to. The entitlement token is “live” because it can change based on changes in context.
4.The Client creates an encrypted tunnel to a Gateway and sends the live entitlement token to the Gateway for validation.
5.The Gateway creates a logical “segment of one” to connect the Client to the specific resource(s) to which the Client has been granted access.
6.The system continuously evaluates context and changes entitlements based on changes to context. For example, if a user disconnects their laptop from a docking station, the system will detect the change from a hard-wired network connection to a public Wi-Fi connection. Or, if an enterprise Endpoint Detection and Response (EDR) system detects anomalous activity from a user’s device, it can inform Appgate SDP. In both cases, Appgate SDP will re-evaluate user access based on this changed context.
The components of the Appgate SDP platform itself, the Controllers and Gateways, utilize a cryptographic mechanism to cloak themselves from unauthorized users. This mechanism is designed to ensure that these components can be accessed by legitimate users located anywhere, while remaining resilient and inaccessible to unauthorized use or malicious actors.
In addition, Appgate SDP’s architecture is designed to ensure that customers retain the ability to choose how and where their network traffic is routed (some customers use Appgate SDP as an SD-WAN replacement as a result), and how and where to deploy Gateways. Gateways are distributed across their organizations’ environments, protecting both on-premises and cloud-based environments. Similarly, the distributed nature of the Appgate SDP system provides a unified access control model for all users (both remote and on-premises) for all resources, using a single policy model and a single platform. As a result, customers benefit by being able to decommission ineffective siloed and legacy security technologies (such as VPNs and NACs), replacing them with a modern Zero Trust platform.
Deployment Options
Appgate SDP supports a wide variety of deployment models and access methods designed to provide for ongoing customer satisfaction. Customers may choose to deploy entirely in a self-hosted and self-managed model, or they may utilize the Appgate-hosted cloud-based model, to take advantage of its simpler deployment and management. U.S. government entities can deploy via a FedRAMP Joint Authorization Board (JAB)-approved environment.
In addition to the many types of resources that need securing, organizations also have a wide variety of end-user populations and types, and the Appgate SDP platform provides an industry-leading set of access methods. Users can access Appgate SDP-protected resources via installed client software, through a clientless web portal, or through a network-based connector service. Likewise, Appgate SDP adeptly meets complex enterprise and government agency networking needs, including dynamic and policy-based control of network segmentation, routing, and name resolution. Appgate SDP is designed to deliver superior security while also improving the end user experience and reducing administrative burdens.
Digital Threat Protection
Our Digital Threat Protection (“DTP”) solution offers visibility and comprehensive fraud risk management to identify and eliminate attacks before they occur. DTP is designed to evaluate fraud risk across social media, phishing attacks, bogus websites, and malicious mobile apps. Its curated threat intelligence and continuous threat monitoring provides protection throughout the fraud risk lifecycle. Additionally, DTP provides business leaders with valuable proactive detection, mitigation, and reporting functionality for their end-users.
DTP combats external threats by detecting fraud risk lurking online, continuously monitoring brand-centric activity, and taking swift action to halt attacks before significant damage occurs, often before the intended victims are even aware of the attack.
•Phishing. Our DTP solution monitors customer websites as well as newly registered domains, DNS entries, and links posted on social media sites, looking for similar domains or clones of legitimate sites that may be phishing sites. This monitoring extends to mobile app stores, where DTP can detect rogue mobile apps designed to deceive users. We also offer Victim Insights, a unique and differentiated feature which utilizes an encrypted key to identify users and compromised credentials, enabling rapid and precise responses.
•Dark web monitoring. Our DTP solution protects against attacks originating from the dark web by identifying employee credentials that have been breached and are circulating on the dark web and mitigating the effects of targeted threats by reporting risk exposure to ensure quick action against exposed data.
•Sophisticated attacks. Our DTP solution is designed to identify and immobilize sophisticated threats, such as web injections and credential grabbing on transactional websites, without requiring software installation on user devices. It provides detection of unauthorized changes executed against the content of a company’s website and features built-in analytical systems, which evaluate users’ sessions to identify indicia of fraud that indicate potential breach of users accounts by cybercriminals.
Our DTP solution is deployed in our cloud-hosted environment, ensuring that customers have a high degree of confidence in its availability and scalability. It is monitored and operated by our 24x7 Security Operations Center (“SOC”) team, who detect and respond to fraud risk events in near real-time. By combining automated analysis of detected fraud attempts with skilled SOC operators, DTP customers benefit from automated monitoring and manual follow-up, including threat analysis and verification, and initiation of malicious site takedowns with relevant parties, including ISPs, registrars, and mobile app operators.
The SOC team also guides customers through recommended remediation steps within their enterprise systems. These services are facilitated through our web-application online portal, which allows customers to see the results of our efforts in real-time. This portal includes ticketing functionality, providing customers with details of identified threats including employee credentials harvested and IP address and domain details exposed; the portal also allows customers to request support from the SOC agents. Threat tracking maps and social media feeds are also available to customers if they want to examine DTP’s raw data feeds.
Risk-Based Authentication
Our Risk-Based Authentication (“RBA”) solution combines advanced authentication techniques, such as multi-factor authentication, and behavioral analytics based on machine learning and AI algorithms. This helps customers model and monitor risk with dynamic and flexible rules and to authorize transactions and prevent fraud for institutions. For example, RBA enables financial institutions to detect and take action on risky transactions more accurately, while reducing frictions facing end users. RBA enables authentication through push technologies, SMS text, One-Time-Passwords, email verification two-step responses, and QR code enrollment, allowing end user customization based on individual preferences.
Our RBA solution offers our customers flexible deployment options. It can be deployed wholly into customer environments for local integration or into an Appgate-managed cloud environment for simpler deployment and management, as illustrated in the below diagram. RBA also features a risk orchestration tool running on the back end to enable simplified integration of multiple solutions and to map conditional workflows, enabling authentication challenges through device identification when fraud risk is determined by our transaction anomaly detection solution. Our behavioral biometrics and device analytics also provide a level of authentication and can tie into step-up authentication methods as required.
Our Customers
We serve over 650 customers globally including Fortune 500 enterprises and governments entities such as the U.S. Departments of Defense and Homeland Security. Although our solutions can deliver value to organizations across industries, we see particular strong interest from companies in the following sectors: financial services, manufacturing, energy, media & entertainment, technology, telecommunications, consumer goods and services, and the public sector. We serve at least one of the top-fifteen largest companies in each of the defense contracting, telecommunications, systems integrator and oil and gas sectors. As of March 25, 2022, our customers independently ranked us 4.7/5.0 stars on Gartner Peer Insights, a peer-driven ratings and reviews platform for enterprise IT solutions and services covering over 300+ technology markets and 3,000+ vendors.
Our Customer Advisory Board further strengthens our customer relationships. It is comprised of more than 10 of our most strategic customers and provides quarterly feedback on our solutions. This feedback, received primarily from technologists involved in the purchase, implementation, and ongoing management of our solutions, helps guide our product innovation and provides validation of our strategies. Our Customer Advisory Board members are also among our strongest advocates and frequently provide referrals to prospective customers.
No customer (including, for the avoidance of doubt, resellers and managed service providers) contributed more than 10% of our revenue for the years ended December 31, 2020 and 2021.
Customer Case Studies
The customer examples below illustrate how customers from different industries benefit from our solutions and how our solutions can be utilized to solve various problems. As described above in “—Our Customers,” none of the below customers contributed more than 10% of our revenue for the years ended December 31, 2020 and 2021.
Bancolombia
Situation: Grupo Bancolombia is the largest financial bank in Colombia with subsidiaries across Central and South America. They need to protect their more than 15 million customers from fraud.
Solution: Bancolombia uses Appgate’s RBA authentication framework as a key component of its fraud prevention strategy. RBA provides the bank with strong authentication capabilities for its customers across multiple transaction channels. On average, Appgate supports more than 108 million authentication requests a month. Bancolombia also uses Appgate RBA’s transaction monitoring capability which detects transaction anomalies based on user behavior and automatically reacts to changing fraud patterns, and Detect Safe Browsing to block online and mobile threats in real time and take action before an attack occurs.
Chewy
Situation: Chewy’s mission is to be the most trusted and convenient online destination for pet parents (and partners), everywhere. The company believes that it is the preeminent online source for pet products, supplies, and prescriptions due to its broad selection of high-quality products, which it offers at competitive prices and delivers with an exceptional level of care and a personal touch. Chewy continually develops innovative ways for its customers to engage with it, and partners with approximately 2,500 of the best and most trusted brands in the pet industry, to bring a high-bar, customer-centric experience to its customers. Chewy began their use of Appgate SDP to better secure infrastructure access by privileged users in the IT and security teams. They then expanded to secure remote developer access to AWS resources, driven by the COVID-19 pandemic shift to work-from-home that exposed weaknesses and shortcomings of their traditional VPN tool.
Solution: Chewy selected us as its preferred cybersecurity partner due to both our high-quality software, as well as our agility and ability to scale with its rapidly growing business. At the beginning of the COVID-19 pandemic, Chewy partnered with us to rapidly implement our SDP solution to authenticate and authorize remote network access for Chewy’s team members. After a successful initial deployment, Chewy selected our SDP solution for its Zero Trust implementation, enabling secure and seamless work-from-anywhere for its employees.
DXC
Situation: DXC is a leading end-to-end IT services company, with $25 billion in annual revenue and over 140,000 employees across 70 countries. DXC needed to provide its employees and customers with seamless remote access to DXC’s corporate network and applications, including provisioning of access to different resources based on each user’s entitlement rules and device compliance status. It was critical for network traffic to be routed on the most efficient path to individual applications and network endpoints, with multiple concurrent connections when necessary. Additionally, DXC had sold significant IP address space to Microsoft and Amazon Web Services (“AWS”), resulting in significant IP conflicts that needed to be resolved.
Solution: DXC selected our SDP solution to replace its traditional VPNs from multiple vendors. This allowed the company to move all of its users off of its corporate network, retiring multiprotocol label switching (“MPLS”) and private networking resources and transitioning to ZTNA-based network infrastructure. This provided not only a higher level of network security, but also the ability to retire traditional network resources, leading to significant cost savings. DXC is also heavily leveraging Appgate SDP’s DNS forwarding capability, addressing the massive IP overlap that DXC faced due to significant M&A activity.
Fifth Third Bank
Situation: Fifth Third Bank, National Association is a subsidiary of Fifth Third Bancorp and one of the largest banks in the United States, with 20,000 employees and, as of December 31, 2021, operating 1,117 banking centers and 2,322 Fifth Third branded automated teller machines across 11 states. Under its Technology Leadership initiative, Fifth Third recognized the opportunity to enhance its IT infrastructure and embarked on a strategic Zero Trust initiative and investment in cloud solutions.
Solution: Fifth Third Bank selected Appgate as its partner and purchased 3,000 SDP licenses in the second quarter of 2020. Once recognizing the value of our solution, Fifth Third purchased additional licenses furthering its goal of having our SDP solution deployed on every device remotely accessing its network. Fifth Third plans to direct its focus to on-premises users.
We believe Fifth Third’s adoption of our solution demonstrates our successful ‘land and expand’ approach, and our proven success around linear scalability, programmability and extensibility.
Financial Industry Regulatory Authority (FINRA)
Situation: The Financial Industry Regulatory Authority (FINRA) is a government-authorized not-for-profit organization that oversees U.S. broker-dealers to protect investors and ensure market integrity. They regulate all equity and option trades in U.S. markets and process peak volumes of 135-155 billion market events daily across more than 150 applications.
Solution: FINRA selected Appgate because it enables them to use dynamic resolvers to retrieve per-user workload information. With more than 1,500 users, they were able to enforce identity-centric access with strong, context-sensitive authentication.
Nequi
Situation: Nequi is the first neobank in Colombia. They have a 100% digital financial platform and more than 10 million users in Colombia and Panama. Nequi was created in the innovation lab of Bancolombia, the largest bank in Colombia. With the help of a 100% digital platform, Nequi aims to redesign the mobile banking experience.
Solution: Nequi’s strategy revolves around satisfying users’ needs and improving their relationship with money. Nequi’s top priorities are to provide secure access for employees and customers. They partnered with Appgate to solve for both requirements. Appgate’s RBA solution delivers a unified customer authentication experience with minimal friction and increased security when accessing Nequi’s services. It also enabled Nequi to support a significant increase in users during the height of the COVID-19 pandemic, without sacrificing the quality of the experience. Appgate SDP improves Nequi’s employee data access policies in a secure and simple fashion to support Nequi’s focus on business growth, user experience and cybersecurity controls.
Sales
We sell our security solutions and services through a combination of our direct sales team and channel partners. The direct sales team, which is composed of business development, inside sales, and regional sales representatives across various geographies, is responsible for identifying prospective and existing customers’ business problems. The direct sales team is supported by sales engineering and customer success specialists, who gather detailed customer specifications to develop a bespoke solution that surpasses customer requirements. Sales engineering team members collaborate closely with the regional sales representatives to demonstrate the strength and value of our solutions, while customer success team members ensure that clients realize the full value from our solutions once implemented. Overall, the direct sales team is responsible for managing the lifecycle of the customer relationship, from onboarding and implementation to ongoing advocacy. The team conducts formal business reviews with each customer to identity and solve new use cases, supporting our “land and expand” growth model.
Our Zero Trust solutions are highly complementary to other security solutions, and as such, we have built strategic, integral GTM partnerships with channel partners, including agents and resellers, service providers, systems integrators, cloud consulting partners, and original equipment manufacturers (“OEMs”). We offer our channel partners a robust training and certification program to help position them as Zero Trust specialists, advance their technical skills, and help them capitalize on the market opportunity. We expect our channel partner ecosystem to contribute heavily to future growth as we continue to invest resources in developing a robust, partner-led GTM strategy. However, we do not rely on any individual channel partner and no channel partner contributed more than 10% of our revenue for the years ended December 31, 2021 and 2020. For example, we have strong relationships with Alkami, CLM, DXC, GBM, Guidepoint Security, Kite, Lumen, Optiv, Presidio, Q2, SageNet, and TechMatrix, among others, and work closely with federal systems integrators such as ManTech, Northrop Grumman, and Raytheon, which are building solutions around our products for wider distribution. We also work with technology alliance partners, such as CrowdStrike and McAfee to devise industry leading solutions.
Marketing
Our marketing strategy is designed to build brand awareness and reputation, establish ourselves as thought leaders and trusted advisors in Zero Trust security, drive customer demand globally by increasing prospect consideration and conversion, and provide our customers with meaningful ways to engage with us. We have a holistic approach that includes digital and non-digital methods, such as paid digital media, search engine optimization, social media, website marketing,
events and sponsorships, live demos, media and analyst relations, speaker’s bureau, and account-based marketing programs. We produce original content in the form of blogs, ebooks, infographics, videos, case studies, surveys, and white papers to help educate our target customers about top-of-mind, mission-critical security concerns. To see the value of our solutions in-action, prospective customers can attend regularly scheduled, expert-led live demos or enroll in our Test Drive program for a hands-on experience. We also work with channel and technology alliance partners on GTM activities highlighting the value of our joint solutions. We believe an educated prospective customer makes the best decisions for their network security and we strive to help them in their journey.
Operations
We primarily utilize Microsoft and AWS cloud environments for our computing and storage needs required to deliver our products and services. In connection with our use of Microsoft and AWS cloud environments, we have entered into their standard terms and conditions in the ordinary course of our business. See “Item 1A—Risk Factors—Risks Related to our Business and Industry— We rely on third-party hosting and cloud computing providers, like Amazon Web Services (AWS) and Microsoft Azure, to operate certain aspects of our business. A significant portion of our product traffic is hosted by a limited number of vendors, and any failure, disruption or significant interruption in our network or hosting and cloud services could adversely impact our operations and harm our business.”
In order to meet the evolving security needs of organizations, our infrastructure is designed to be highly resilient, have multiple levels of redundancy and provide failover across cloud infrastructures. Our software technology and operational approach, combined with the use of Microsoft and AWS resources, provide us with a distributed and scalable architecture on a global scale.
Professional Services
We provide professional services as part of our Threat Advisory Services. We also offer support installation and training related to our software solutions:
•We offer Threat Advisory Services to help customers proactively identify and defend against exploitable cybersecurity vulnerabilities. Our Threat Advisory Services engage a dedicated, highly pedigreed team of cybersecurity experts who use offensive tactics to simulate the behavior of real-world adversaries. Our team uses highly sophisticated penetration testing methodologies, based on the customer’s individual needs, to simulate nation-state-level and other complex attacks targeting their networks, applications, and third-party solution providers. These services help our customers validate their current security solutions as well as preemptively identifying others that may be needed. We utilize the learnings of these engagements to inform our software product roadmap and future innovation, helping us more rapidly address our customers’ evolving security needs.
•As a part of our commitment to our customers’ success, we routinely offer professional services to help facilitate a smooth initial software deployment, in-line with industry standards.
•We also offer training services to teach customers best practices while using our software solutions.
Research and Development
Our research and development organization is responsible for the design, development, quality, and testing of our new and existing software and service offerings. In addition, it is responsible for improving our features, functionality, and scalability, while ensuring our platform is designed to be available, reliable, and stable.
Security is at the heart of our business, and our teams of network engineers, software developers, data scientists, security architects, and anti-fraud specialists are passionate about helping customers protect their environments. We work to continually improve and innovate, striving to offer high-quality, market-leading solutions. We work closely with our customers and partners, and by understanding their approaches and challenges, we gain insight into desired new capabilities and offerings that we can build to deliver value to the broader market. We also leverage key insights and capabilities from our products and services to inform and enhance other products and services in our portfolio.
We invest in and prioritize the quality of our offerings, utilizing both automated and manual testing and verification to ensure our products are functional, scalable, and secure. We regularly utilize both third-party and internal penetration testing experts to ensure our solutions are resilient to potential attacks, and work to continually improve them. We maintain
a regular release cadence to deliver updates to our products, and our customer success team works to ensure that customers stay up to date on the latest versions.
Our research and development expenses were equal to approximately 25% of our revenue for the year ended December 31, 2021. Our research and development teams are primarily located in the United States, Sweden, and Colombia, as well as remotely distributed. We plan to continue to dedicate significant and increasing resources to research and development.
Competition
The market for our solutions is competitive and characterized by evolving IT environments, customer requirements, industry standards, and frequent new product and service offerings and improvements. We compete with an array of established and emerging security solution vendors. Our competitors include the following by general category:
•Large networking and security vendors such as Cisco Systems, Inc. and Palo Alto Networks, Inc. which offer security appliances and cloud services.
•Independent security vendors and providers such as Zscaler, Inc. and Netskope, Inc., who provide cloud-based security services.
•Cloud providers who include Zero Trust security offerings within their platforms, specifically Microsoft Corporation and Google LLC.
•Anti-Fraud and risk-based authentication providers such as Outseer (RSA Security LLC), Broadcom Inc. (which acquired CA Technologies), Guardian Analytics, Inc., and BioCatch Ltd. who provide advanced, actionable intelligence that allows organizations to secure their customers.
•Digital Threat protection providers such as RSA Security LLC, PhishLabs, Inc., and ZeroFox, Inc., who provide brand protection against digital attacks across multiple verticals.
The principal competitive factors in the markets in which we operate include:
•ability to detect security threats and prevent security breaches;
•platform features, effectiveness and extensibility across the enterprise;
•ability to secure any combination of public clouds, private clouds, on-premises, and hybrid environments;
•ability to operate in dynamic environments;
•ability to automate threat prevention and remediation with limited human intervention;
•ease of deployment, implementation, management and maintenance of our offerings;
•rapid development and delivery of new capabilities and service;
•strength of sales, marketing and channel partner relationships;
•quality of customer support, incident response, and proactive services;
•breadth of offerings and ability to integrate with other participants in the security and network ecosystem;
•brand recognition, and reputation; and
•time to value, price, and total cost of ownership.
Although certain of our competitors enjoy greater brand awareness and resources, deeper customer relationships, and larger existing customer bases, we believe that we compete favorably with respect to the factors listed above and that we are well positioned as a leading provider of security solutions.
Intellectual Property
Our success depends in part upon our ability to protect and use our core technology and intellectual property rights. We rely on a combination of patents, copyrights, trademarks, trade secrets, license agreements, intellectual property assignment agreements, contractual provisions, confidentiality procedures, non-disclosure agreements, and employee non-disclosure and invention assignment agreements to establish and protect our intellectual property rights. As of March 22, 2022, we and our wholly-owned subsidiaries had over 73 total issued and pending patents, including in excess of 65 issued patents, in the United States and other countries. Our issued patents expire between 2033 and 2040 and cover various aspects of our solutions. In addition, we have registered “Appgate” as a trademark in the United States and certain foreign jurisdictions, and we or our wholly-owned subsidiaries have filed trademark registration applications in the United States and/or other jurisdictions for other ancillary marks that we use. We are also the registrant of a domestic domain names that include “Appgate” and variations. In addition to the protection provided by our intellectual property rights, we enter into confidentiality and invention assignment or similar agreements with our employees, consultants, and contractors. We further control the use of our proprietary technology and intellectual property rights through provisions in our subscription and license agreements. Despite our efforts to protect our trade secrets and other intellectual property rights, confidentiality agreements and contractual restrictions in other agreements, unauthorized parties might still copy or otherwise obtain and use our software and technology. Further, our patents and other intellectual property rights may not prevent other providers of cybersecurity services from introducing or offering products that compete with or are alternatives to our Zero Trust solutions. In addition to our internally developed technology, we also license software, including open source software, from third parties that we integrate into or bundle with our solutions.
Our industry is characterized by the existence of a large number of patents and frequent claims and related litigation based on allegations of patent infringement or other violations of intellectual property rights. We believe that competitors might try to develop products that are similar to ours and that may infringe our intellectual property rights. Our competitors or other third-parties may also claim that our security platform and other solutions infringe their intellectual property rights. In particular, some companies in our industry have extensive patent portfolios. From time to time, third parties, including certain of these companies and non-practicing entities, have in the past and may in the future assert claims of infringement, misappropriation and other violations of intellectual property rights against us or our customers or channel partners whom we may be obligated to indemnify against such claims in accordance with terms in our license or other agreements. Successful claims of infringement by a third-party could prevent us from offering certain services or features, require us to develop alternate, non-infringing technology, which could require significant time and during which we could be unable to continue to offer our affected subscriptions or services, require us to obtain a license, which may not be available on reasonable terms or at all, or force us to pay substantial damages, royalties or other fees. We cannot assure you that we do not currently infringe, or that we will not in the future infringe, upon any third-party patents or other proprietary rights. For additional information, see the section titled “Risk Factors — Risks Related to Our Business — It may be difficult to enforce our intellectual property rights, which could enable others to copy or use aspects of our solutions without compensating us.”
Properties
Our corporate headquarters are located in Coral Gables, Florida, where we currently lease approximately 6,000 square feet of space under a lease agreement that expires at the end of February 2027. We also have additional offices in multiple other locations in the United States, as well as locations internationally, including in Colombia, Sweden, Argentina and Japan. We do not own any real estate. We believe our current facilities are adequate to meet our needs for the immediate future and that, should it be needed, suitable additional space will be available to accommodate expansion of our operations.
Human Capital Resources
We had 472 full-time employees worldwide as of December 31, 2021. We also engage temporary employees and contractors as needed to support our operations. To our knowledge, none of our employees are represented by a labor organization or are a party to any collective bargaining arrangement. We have not experienced any work stoppages and we consider our relations with our employees to be good.
Corporate Information and History
Appgate is a Delaware corporation and was incorporated on September 26, 2005, originally under the name Newtown Lane Marketing, Incorporated. On October 12, 2021, in connection with the Merger (as described below), we changed our name
to Appgate, Inc. Appgate’s principal executive offices are located at 2 Alhambra Plaza, Suite PH-1-B, Coral Gables, FL 33134 and our phone number is (866) 524-4782.
Beginning in 2007, Newtown Lane had been a corporation with limited operations and no revenues, often referred to as a “shell” company, with the sole purpose of serving as a vehicle to acquire an operating business. Prior to the Merger, the operating business of Appgate was operated by Legacy Appgate. Since May 2017, Legacy Appgate was a wholly-owned subsidiary of and operated as a business segment of its former parent, Cyxtera. On December 31, 2019, Cyxtera spun out Legacy Appgate.
The Merger
On October 12, 2021, we consummated the Merger, which resulted in Legacy Appgate becoming a wholly owned subsidiary of the Company. In connection with the Merger, we changed our name from Newtown Lane Marketing, Incorporated to Appgate, Inc., and our business comprises the operations of Legacy Appgate.
The Merger effected a change of control of the Company, as:
•SIS Holdings, the sole stockholder of Legacy Appgate immediately prior to the Merger, became our controlling stockholder, owning approximately 89% of our issued and outstanding common stock immediately following consummation of the Merger;
•we increased the size of the Board to five directors and appointed four new directors; and
•we reconstituted our executive team, as Jonathan J. Ledecky resigned from his position as President of the Company, and Manuel D. Medina became our Executive Chairman, Barry Field became our Chief Executive Officer, Jawahar Sivasankaran became our President and Chief Operating Officer, Rene A. Rodriguez became our Chief Financial Officer, and Jeremy M. Dale became our General Counsel and Secretary.
We have accounted for the Merger as a recapitalization with Legacy Appgate as the acquirer for accounting purposes; therefore, the financial information, including the operating and financial results and audited financial statements included in this Amendment are those of: (1) except for the equity, which was retroactively restated following applicable accounting guidance, Legacy Appgate with respect to all periods prior to consummation of the Merger, and (2) those of us, inclusive of Newtown Lane for the period subsequent to the Merger.
Available Information
Our website address is www.appgate.com, and our investor relations website is http://ir.appgate.com/. We promptly make available on our investor relations website, free of charge, the reports that we file or furnish with the SEC, corporate governance information (including our Code of Business Conduct and Ethics) and select press releases. We file annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, proxy and information statements and amendments to reports filed or furnished pursuant to the Exchange Act. The SEC maintains a website at www.sec.gov that contains reports, proxy and information statements and other information regarding Appgate and other issuers that file electronically with the SEC.
Item 1A. Risk Factors
Risks Related to Our Business and Industry
Our relatively limited operating history makes it difficult to evaluate our current business and prospects and may increase the risk of an investment in us.
Our relatively limited operating history makes it difficult to evaluate our current business and prospects and plan for our future growth. We operated as a subsidiary of Cyxtera until December 31, 2019, at which time Cyxtera spun out Legacy Appgate to become a standalone company. As a result, our business model has not been fully proven, which subjects us to a number of uncertainties, including our ability to plan for and model future growth. While we have continued to develop our solutions to incorporate multiple security and compliance functions into our software, we have encountered and will continue to encounter risks and uncertainties frequently experienced by rapidly growing companies in developing markets, including our ability to achieve broad market acceptance of our Zero Trust solutions, attract additional customers, grow
partnerships, withstand increasing competition and manage increasing expenses as we continue to grow our business. If our assumptions regarding these risks and uncertainties are incorrect or change in response to changes in the market for network security solutions, our operating and financial results could differ materially from our expectations and our business could suffer.
We have a history of losses, may not be able to achieve or sustain profitability in the future and expect to incur significant losses for the foreseeable future.
We have incurred net losses in all periods since our inception, and we expect we will continue to incur net losses for the foreseeable future. We had an accumulated deficit of $516.0 million as of December 31, 2021 and experienced net losses from continuing operations before income taxes of $136.4 million and $52.5 million for the years ended December 31, 2021 and 2020, respectively. Because the market for our products and services is rapidly evolving, it is difficult for us to predict the future results of our operations. Our growth efforts may prove more expensive than we currently anticipate, and we may not succeed in increasing our revenues sufficiently, or at all, to offset increasing expenses. In addition to the expected costs to grow our business, we also expect to incur significant additional legal, accounting and other expenses as a public company. Revenue growth may slow or revenue may decline for a number of possible reasons, including slowing demand for our products or services, increasing competition, a decrease in the growth of, or a demand shift in, our overall market, or a failure to capitalize on growth opportunities. Any failure to increase our revenue as we grow our business could prevent us from achieving or maintaining profitability or maintaining or increasing cash flow on a consistent basis. If we fail to increase our revenue to offset the increases in our operating expenses, we may not achieve or sustain profitability in the future.
Our failure to become and remain profitable may depress the market price of our common stock and could impair our ability to raise capital, expand our business, diversify our product offerings or continue our operations. If we continue to suffer losses as we have in the past, investors may not receive any return on their investment and may lose their entire investment.
We believe our long-term value as a company will be greater if we focus on growth, which may negatively impact our profitability in the near term.
Part of our business strategy is to primarily focus on our long-term growth. As a result, our profitability may be lower in the near term than it would be if our strategy were to maximize short-term profitability. Significant expenditures on sales and marketing efforts, and expenditures on growing our Zero Trust solutions and expanding our research and development, each of which we intend to continue to invest in, may not ultimately grow our business or cause long-term profitability. If we are ultimately unable to achieve profitability at the level anticipated by industry or financial analysts and our stockholders, our stock price may decline.
We face significant competition and could lose market share to our competitors, which could adversely affect our business, financial condition and results of operations.
The market for cybersecurity solutions is competitive and characterized by rapid changes in technology, customer requirements, industry standards and frequent introductions of new and improvements of existing products and services. Our business model of delivering security products through the Zero Trust model has not yet gained widespread market traction as the Zero Trust model is still an emerging solution. Moreover, we compete with many established network and cybersecurity vendors, as well as new entrants. As customer requirements evolve, and as new products, services and technologies are introduced, if we are unable to anticipate or effectively react to these competitive challenges, our competitive position could weaken, and we could experience a decline in revenue or our growth rate that could materially and adversely affect our business and results of operations.
Our competitors and potential competitors include:
•independent security vendors and providers, such as Zscaler, Inc. and Netskope, Inc.;
•large networking and security vendors, such as Cisco Systems, Inc. and Palo Alto Networks, Inc.;
•cloud providers who include similar security offerings within their platforms, such as Microsoft Corporation and Google LLC;
•anti-fraud and risk-based authentication providers, such as Outseer (RSA Security LLC), Broadcom Inc. (which acquired CA Technologies), Guardian Analytics, Inc. and BioCatch Ltd.;
•digital threat protection providers such as Outseer (RSA Security LLC), PhishLabs, Inc. and ZeroFox, Inc.; and
•other providers of cybersecurity services that offer, or may leverage related technologies to introduce, products that compete with or are alternatives to our Zero Trust solutions.
Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages such as:
•greater name recognition, longer operating histories and larger customer bases;
•larger sales and marketing budgets and resources;
•broader distribution and established relationships with channel partners and customers;
•greater customer support resources;
•greater resources to make acquisitions and enter into strategic partnerships;
•lower labor and research and development costs;
•larger and more mature intellectual property rights portfolios; and
•substantially greater financial, technical and other resources.
In addition, our competitors may develop technology solutions with architectures similar to our products. Our larger competitors have substantially broader and more diverse product and services offerings, which may allow them to leverage their relationships based on other products or incorporate functionality into existing products to gain business in a manner that discourages users from purchasing our products or services, including through selling at zero or negative margins, offering concessions, bundling products or maintaining closed technology platforms. Many competitors that specialize in providing protection from a single type of security threat may be able to deliver these targeted security products to the market more quickly than we can or to convince organizations that these limited products meet their needs.
Conditions in our market could change rapidly and significantly as a result of technological advancements, partnering or acquisitions by our competitors or continuing market consolidation. Start-up companies that innovate and large competitors that are making significant investments in research and development may invent similar or superior products, services and technologies that compete with our Zero Trust and other solutions. Some of our current or potential competitors have made or could make acquisitions of businesses or establish cooperative relationships that may allow them to offer more directly competitive and comprehensive solutions than were previously offered and adapt more quickly to new technologies and customer needs. These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders, reduced revenue and gross margins, increased net losses and loss of market share. Any failure to meet and address these factors could materially harm our business and operating results.
Our operating results may fluctuate significantly, which could make our future results difficult to predict and could cause our operating results to fall below expectations.
Our operating results may fluctuate from quarter to quarter as a result of a number of factors, many of which are outside of our control and may be difficult to predict. Some of the factors that may cause our results of operations to fluctuate from quarter to quarter include:
•broad market acceptance and the level of demand for our products and services;
•our ability to attract new customers, particularly large enterprises;
•our ability to retain customers and expand their usage of our Zero Trust solutions, particularly our largest customers;
•our ability to successfully expand internationally and penetrate key markets;
•the effectiveness of our sales and marketing programs;
•the length of our sales cycle, including the timing of renewals;
•technological changes and the timing and success of new service introductions by us or our competitors or any other change in the competitive landscape of our market;
•increases in and timing of operating expenses that we may incur to grow and expand our operations and to remain competitive;
•pricing pressure as a result of competition or otherwise;
•the quality and level of our execution of our business strategy and operating plan;
•adverse litigation judgments, settlements or other litigation-related costs;
•a possible downturn in cybersecurity spending due to a macroeconomic downturn;
•changes in the legislative or regulatory environment; and
•general economic conditions in either domestic or international markets, including geopolitical uncertainty and instability and global health crises and pandemics, such as COVID-19, and governmental responses thereto.
In addition, we generally experience seasonality in terms of when we enter into agreements with customers. We typically enter into a higher percentage of agreements with new customers, as well as renewal agreements with existing customers, in the first and fourth quarters of our fiscal year. This seasonality is reflected to a much lesser extent, and sometimes is not immediately apparent, in revenue, due to the fact that we generally recognize subscription revenue with respect to term-based and perpetual licenses up-front, which is generally one to three years. We expect that seasonality will continue to affect our operating results in the future and may reduce our ability to predict cash flow and optimize the timing of our operating expenses.
Any one or more of the factors above may result in significant fluctuations in our results of operations. As a result, our historical operating results are not a reliable indicator of future performance.
Additionally, the variability and unpredictability of our quarterly results of operations or other operating metrics could result in our failure to meet our expectations or those of industry or financial analysts. If we fail to meet or exceed such expectations for these or any other reasons, the market price of our common stock could fall substantially.
Future acquisitions, strategic investments, partnerships or alliances could be difficult to identify and integrate, divert the attention of key management personnel, disrupt our business, dilute stockholder value and adversely affect our operating results, financial condition and prospects.
Our business strategy may, from time to time, include acquiring other complementary solutions, technologies or businesses. We have in the past acquired, and may in the future acquire, businesses that we believe will complement or augment our existing business. In order to expand our security offerings and features, we also may enter into relationships with other businesses, which could involve preferred or exclusive licenses, additional channels of distribution or investments in other companies. Negotiating these transactions can be time-consuming, difficult and costly, and our ability to close these transactions may be subject to third-party approvals, such as government regulatory approvals, which are beyond our control. Consequently, we cannot assure you that these transactions, once undertaken and announced, will close.
These kinds of acquisitions or investments may result in unforeseen operating difficulties and expenditures. In particular, we may encounter difficulties assimilating or integrating the businesses, technologies, products and services, personnel or operations of companies that we may acquire, particularly if the key personnel of an acquired business choose not to work for us. We may have difficulty retaining the customers of any acquired business or using or continuing the development of the acquired technologies. Acquisitions may also disrupt our ongoing business, divert our resources and require significant management attention that would otherwise be available for development of our business. We may not successfully evaluate or utilize the acquired technology or personnel, or accurately forecast the financial impact of an acquisition transaction, including accounting charges. Any acquisition or investment could expose us to unknown liabilities. Moreover, we cannot assure you that the anticipated benefits of any acquisition or investment would be realized or that we would not be exposed to unknown liabilities. In connection with these types of transactions, we may:
•issue additional equity securities that would dilute our stockholders;
•use cash that we may need in the future to operate our business;
•incur debt on terms unfavorable to us or that we are unable to repay;
•incur large charges or substantial liabilities;
•encounter difficulties integrating diverse business cultures;
•incur impairments; and
•become subject to adverse tax consequences, substantial depreciation or deferred compensation charges.
These challenges related to acquisitions or investments could adversely affect our business, operating results, financial condition and prospects.
False positive or false negative detection of risk, application tampering, viruses, spyware, vulnerability exploits, data patterns, or URL categories could adversely affect our business.
Our risk level determinations of application integrity, web-injections, potential vulnerability exploits, data leaks, or phishing and pharming URL categories may falsely report and alert on fraud risk threats that do not actually exist or fail to detect legitimate threats. Appgate determines risk threats using classifiers, analyzers, and machine learning model features in our products, which attempt to identify indicators of fraud risk and other threats both based on known indicators and
characteristics or unknown anomalies which indicate that a particular item may be a threat. Due to customer configurable risk and threat tolerance thresholds, our customers may perceive false positive detections or false negative missed detections as system unreliability, thereby adversely impacting market acceptance of our products. If our products are used by customers to restrict consumer access to applications based on falsely determining fraud risk, this could adversely affect end-customers’ user experience and result in damage to our reputation, negative publicity and decreased sales.
If our software does not interoperate with our customers’ network and security infrastructure or with third-party products, websites or services, our products may become less competitive and our results of operations may be harmed.
Our products and services must interoperate with our customers’ existing network and security infrastructure. These complex systems are developed, delivered and maintained by the customer and a myriad of vendors and service providers. As a result, the components of our customers’ infrastructure have different specifications, rapidly evolve, utilize multiple protocol standards, include multiple versions and generations of products and may be highly customized. We must be able to interoperate and provide our security products and services to customers with highly complex and customized networks, which requires careful planning and execution between our customers, our customer support teams and our channel partners. Further, when new or updated elements of our customers’ infrastructure or new industry standards or protocols are introduced, we may have to update or enhance our software to allow us to continue to provide service to customers. Any changes in such technologies that degrade the functionality of our products or give preferential treatment to competitive services could adversely affect adoption and usage of our products and services. Our competitors or other vendors may refuse to work with us to allow their products to interoperate with our solutions, which could make it difficult for our software to function properly in customer networks that include these third-party products.
We may not deliver or maintain interoperability quickly or cost-effectively, or at all. These efforts require capital investment and engineering resources. If we fail to maintain compatibility of our products and services with our customers’ network and security infrastructures, our customers may not be able to fully utilize our solutions, and we may, among other consequences, lose or fail to increase our market share and experience reduced demand for our services, which would materially harm our business, operating results and financial condition.
If we fail to develop or introduce new enhancements to our products on a timely basis, our ability to attract and retain customers, remain competitive and grow our business could be impaired. Our current research and development efforts may not produce successful products that result in significant revenue, cost savings or other benefits in the near future, if at all.
The industry in which we compete is characterized by rapid technological change, frequent introductions of new products and services, evolving industry standards and changing regulations, as well as changing customer security needs, technology requirements and preferences. Our ability to attract new customers and increase revenue from existing customers will depend in significant part on our ability to anticipate and respond effectively to these changes on a timely basis and continue to introduce enhancements to our products and services.
The success of our products depends on our continued investment in our research and development organization to increase the functionality, reliability, availability and scalability of our existing solutions. Our investments in research and development may not result in significant design improvements, marketable products, subscriptions, or features, or may result in products or services that are more expensive than anticipated. Additionally, we may not achieve the cost savings or the anticipated performance improvements we expect, and we may take longer to generate revenue, or generate less revenue, than we anticipate. Our future plans include significant investments in research and development and related product and service opportunities. We believe that we must continue to dedicate a significant amount of resources to our research and development efforts to maintain our competitive position. However, we may not receive significant revenue from these investments in the near future, if at all, or these investments may not yield the expected benefits, either of which could adversely affect our business and operating results.
The success of any enhancement depends on several factors, including the timely completion and market acceptance of the enhancement. Any new product or service that we develop might not be introduced in a timely or cost-effective manner and might not achieve the broad market acceptance necessary to generate significant revenue. If new technologies emerge that deliver competitive products and services at lower prices, more efficiently, more conveniently or more securely, these technologies could adversely impact our ability to compete effectively. Any delay or failure in the introduction of enhancements could materially harm our business, results of operations and financial condition.
We rely on third-party hosting and cloud computing providers, like Amazon Web Services (AWS) and Microsoft Azure, to operate certain aspects of our business. A significant portion of our product traffic is hosted by a limited number of vendors, and any failure, disruption or significant interruption in our network or hosting and cloud services could adversely impact our operations and harm our business.
Our technology infrastructure is critical to the performance of our products and to user satisfaction, as well as our corporate functions. Our products and company systems run on a complex distributed system, or what is commonly known as cloud computing. We own, operate and maintain elements of this system, but significant elements of this system are operated by third-parties that we do not control and which would require significant time and expense to replace. We expect this dependence on third-parties to continue. We have suffered interruptions in service in the past, including when releasing new software versions or bug fixes, and if any such interruption were significant and/or prolonged it could adversely affect our business, financial condition, results of operations or reputation.
In particular, a significant portion, if not almost all, of our product traffic, data storage, data processing and other computing services and systems is hosted by AWS and Microsoft Azure. AWS and Azure provide us with computing and storage capacity pursuant to agreements that continue until terminated by either party. The agreements require AWS and Azure to provide us their standard computing and storage capacity and related support in exchange for timely payment by us. We have experienced, and may in the future experience, disruptions, outages and other performance problems due to a variety of factors, including infrastructure changes, human or software errors and capacity constraints. If a particular application is unavailable when users attempt to access it or navigation through a product is slower than they expect, users may stop using the application and may be less likely to return to the application as often, if at all.
Any failure, disruption or interference with our use of hosted cloud computing services and systems provided by third-parties, like AWS or Azure, could adversely impact our business, financial condition or results of operations. In addition, since many of the technical specialists responsible for managing disruptions to our technology infrastructure are working from home due to the COVID-19 pandemic, the time required to remedy any interruption may increase. To the extent we do not effectively respond to any such interruptions, upgrade our systems as needed and continually develop our technology and network architecture to accommodate traffic, our business, financial condition or results of operations could be adversely affected. Furthermore, our disaster recovery systems and those of third-parties with which we do business may not function as intended or may fail to adequately protect our critical business information in the event of a significant business interruption, which may cause interruption in service of our products, security breaches or the loss of data or functionality, leading to a negative effect on our business, financial condition or results of operations.
In addition, we depend on the ability of our users to access the internet. Currently, this access is provided by companies that have significant market power in the broadband and internet access marketplace, including incumbent telephone companies, cable companies, mobile communications companies, government-owned service providers, device manufacturers and operating system providers, any of whom could take actions that degrade, disrupt or increase the cost of user access to our products or services, which would, in turn, negatively impact our business. The adoption or repeal of any laws or regulations that adversely affect the growth, popularity or use of the internet, including laws or practices limiting internet neutrality, could decrease the demand for, or the usage of, our products and services, increase our cost of doing business and adversely affect our results of operations.
If we are not able to maintain and enhance our brand, our business and results of operations may be adversely affected.
We believe that maintaining and enhancing our reputation as a provider of high-quality cybersecurity solutions is critical to our relationship with our existing customers and channel partners and our ability to attract new customers and channel partners. Furthermore, we believe that the importance of brand recognition will increase as competition in our market increases. The successful promotion of our brand will depend on several factors, including our marketing efforts, our ability to continue to develop high-quality features and enhancements for our technology solutions and our ability to successfully differentiate our solutions from competitive products and services. Our brand promotion activities may not be successful or yield increased revenue. In addition, independent industry or financial analysts often provide reviews of our products and services, as well as products and services of our competitors, and perception of our Zero Trust solutions in the marketplace may be significantly influenced by these reviews. If these reviews are negative, or less positive as compared to those of our competitors’ products and services, our brand may be adversely affected. In addition, we have been named as a “Leader” in the Forrester New Wave™ for Zero Trust Network Access (Q3 2021) report. Our failure to maintain our “Leader” status in the future may also adversely affect our brand. Additionally, the performance of our channel partners may affect our brand and reputation if customers do not have a positive experience with our channel partners’ services. The promotion of our brand requires us to make substantial expenditures, and we anticipate that the expenditures will increase
as our market becomes more competitive, we expand into new markets and more sales are generated through our channel partners. To the extent that these activities yield increased revenue, this revenue may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand, our business may not grow, we may have reduced pricing power relative to competitors and we could lose customers or fail to attract potential customers, all of which would materially and adversely affect our business, results of operations and financial condition.
Our business and growth partially depend on the success of our relationships with our existing channel partners and adding new channel partners over time.
We currently derive a portion of our revenue from sales through our channel partner network, and we expect future revenue growth will also be driven through this network. Not only does our joint sales approach require additional investment to grow and train our sales force, but we believe that continued growth in our business is dependent upon identifying, developing and maintaining strategic relationships with our existing and potential channel partners, including global systems integrators and managed service providers that will in turn drive substantial revenue and provide additional value-added services to our customers. Our channel partners’ operations may also be negatively impacted by effects the COVID-19 pandemic is having on the global economy. Our agreements with our channel partners are generally non-exclusive, meaning our channel partners may offer customers the products of several different companies, including products that compete with our technology solutions. In general, our channel partners may also cease marketing or reselling our products and services with limited or no notice and without penalty. If our channel partners do not effectively market and sell subscriptions to our products and services, choose to promote our competitors’ products or fail to meet the needs of our customers, our ability to grow our business and sell subscriptions to our products and services may be adversely affected. In addition, our channel partner structure could subject us to lawsuits or reputational harm if, for example, a channel partner misrepresents the functionality of our products and services to customers or violates applicable laws or our corporate policies. Further, in circumstances where we do not enter into a direct agreement with end customers, we cannot be sure that on every occasion each channel partner has required end customers to agree to our standard terms which are protective of our solutions and technology, nor that the channel partners will enforce each failure by an end customer to comply with such terms. Our ability to achieve revenue growth in the future will depend in large part on our success in maintaining successful relationships with our channel partners, identifying additional channel partners and training our channel partners to independently sell and deploy our products and services. If we are unable to maintain our relationships with our existing channel partners or develop successful relationships with new channel partners or if our channel partners fail to perform, our business, financial position and results of operations could be materially and adversely affected.
Our business depends, in part, on sales to government organizations, and significant changes in the contracting or fiscal policies of such government organizations could have an adverse effect on our business and operating results.
Our future growth depends, in part, on increasing sales to government organizations. Demand from government organizations is often unpredictable, subject to budgetary uncertainty and typically involves long sales cycles. We have made significant investments to address the government sector, but we cannot assure you that these investments will be successful, or that we will be able to maintain or grow our revenue from the government sector. Although we anticipate that they may increase in the future, sales to governmental organizations have not accounted for, and may never account for, a significant portion of our revenue. Sales to governmental organizations are subject to a number of challenges and risks that may adversely impact our business. Sales to such government entities include the following risks:
•selling to governmental agencies can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that such efforts will generate a sale;
•government certification requirements applicable to our solutions may change and, in doing so, restrict our ability to sell into the governmental sector until we have attained the revised certification;
•government demand and payment for our solutions may be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our solutions;
•governments routinely investigate and audit government contractors’ administrative processes and compliance with contractual obligations, and any unfavorable audit or investigation, or adverse finding following a claim from a whistleblower, could result in the government refusing to continue buying our solutions, which would adversely impact our revenue and operating results, and/or fines or civil or criminal liability if the audit or investigation were to uncover improper or illegal activities; and
•governments may require certain products to be manufactured, produced, hosted or accessed solely in their country or in other relatively high-cost locations, and we may not produce or host all products in locations that meet these requirements, affecting our ability to sell these products to governmental agencies.
The occurrence of any of the foregoing could cause governmental organizations to delay or refrain from purchasing our solutions in the future or otherwise have an adverse effect on our business, operating results and financial condition.
Our international operations expose us to risks, and failure to manage those risks could materially and adversely impact our business.
Historically, we have derived a significant portion of our revenue from outside the United States. For the years ended December 31, 2021 and 2020, we derived approximately 52% and 53%, respectively, of our revenue from our international customers. As of December 31, 2021, approximately 57% of our full-time employees were located outside of the United States. We are continuing to adapt to and develop strategies to address international markets and our growth strategy includes expansion into target geographies, such as the Middle East, Africa, Japan and the Asia-Pacific regions, but there is no guarantee that such efforts will be successful. We expect that our international activities will continue to grow in the future, as we continue to pursue opportunities in international markets. These international operations will require significant management attention and financial resources and are subject to substantial risks, including:
•political, economic and social uncertainty;
•unexpected costs for the localization of our services, including translation into foreign languages and adaptation for local practices and regulatory requirements;
•greater difficulty in enforcing contracts and accounts receivable collection, and longer collection periods, which may be further lengthened by the COVID-19 pandemic and governmental responses thereto;
•reduced or uncertain protection for intellectual property rights in some countries;
•greater risk of unexpected changes in regulatory practices, tariffs and tax laws and treaties;
•greater risk of a failure of foreign employees, partners, distributors and resellers to comply with both U.S. and foreign laws, including antitrust regulations, anti-bribery laws, export and import control laws, and any applicable trade regulations ensuring fair trade practices;
•requirements to comply with foreign privacy, data protection and information security laws and regulations and the risks and costs of noncompliance;
•increased expenses incurred in establishing and maintaining office space and equipment for our international operations;
•greater difficulty in identifying, attracting and retaining local qualified personnel, and the costs and expenses associated with such activities;
•differing employment practices and labor relations issues;
•difficulties in managing and staffing international offices and increased travel, infrastructure and legal compliance costs associated with multiple international locations; and
•fluctuations in exchange rates between the U.S. dollar and foreign currencies in markets where we do business, including but not limited to, the British Pound and Euro, and related impact on sales cycles.
Following a referendum in June 2016 in which voters in the United Kingdom approved an exit from the EU, the government of the United Kingdom initiated a process to leave the EU (often referred to as “Brexit”) without an agreement in place. This has led to legal uncertainty in the region and could adversely affect the tax, operational, legal and regulatory regimes to which our business is subject. In addition, any continued or further uncertainty, weakness or deterioration in global macroeconomic and market conditions may cause our UK or EU customers to modify spending priorities or delay purchasing decisions, and may result in lengthened sales cycles, any of which could harm our business and operating results.
As we continue to develop and grow our business globally, our success will depend, in part, on our ability to anticipate and effectively manage these risks. The expansion of our existing international operations and entry into additional international markets will require management attention and financial resources. Our failure to successfully manage our international operations and the associated risks could limit the future growth of our business.
We have grown rapidly in recent periods. If we fail to effectively manage our growth, our business, financial condition and results of operations would be harmed.
Our growth may place a significant strain on our management and our administrative, operational and financial infrastructure. Our organizational structure is becoming more complex as we improve our administrative, operational and financial infrastructure as well as our reporting systems and procedures. Our success will depend in part on our ability to
manage this growth effectively, which will require that we continue to improve our administrative, operational, financial and management systems and controls by, among other things:
•effectively attracting, training and integrating, including collaborating with, a large number of new employees;
•further improving our key business applications, processes and security and IT infrastructure to support our business needs;
•enhancing our information and communication systems to ensure that our employees and offices around the world are well coordinated and can effectively communicate with each other and our growing base of channel partners, customers and users; and
•appropriately documenting and testing our security and IT systems and business processes.
These and other improvements in our systems and controls may require significant capital expenditures and the allocation of management and employee resources. If we fail to implement these improvements effectively, our ability to manage our expected growth, ensure uninterrupted operation of our software and key business systems and comply with the rules and regulations applicable to public companies could be impaired, the quality of our products and services could suffer and we may not be able to adequately address competitive challenges. Failure to manage any future growth effectively could result in increased costs, disrupt our existing customer relationships, reduce demand for or limit us to smaller deployments of our products and services, or harm our business performance and operating results.
In addition, as we expand our business, it is important that we continue to maintain a high level of customer service and satisfaction. As our customer base continues to grow, we will need to expand our account management, customer service and other personnel to provide personalized account management and customer service. If we are not able to continue to provide high levels of customer service, our reputation, as well as our business, results of operations and financial condition, could be harmed.
In addition, we believe that our corporate culture has been a contributor to our success, which we believe fosters innovation, teamwork and an emphasis on customer-focused results. We also believe that our culture creates an environment that drives and perpetuates our strategy and cost-effective distribution approach. As we grow and develop the infrastructure of a public company, we may find it difficult to maintain our corporate culture. Any failure to preserve our culture could harm our future success, including our ability to retain and recruit personnel, innovate and operate effectively and execute on our business strategy. If we experience any of these effects in connection with future growth, it could materially impair our ability to attract new customers, retain existing customers and expand their use of our Zero Trust solutions, all of which would materially and adversely affect our business, financial condition and results of operations.
Our sales cycles can be long and unpredictable, and our sales efforts can require considerable time and expense.
The timing of our sales and related revenue recognition is difficult to predict because of the length and unpredictability of the sales cycle for our products and services, particularly with respect to large organizations. Our sales efforts typically involve educating our prospective customers about the uses, benefits and the value proposition of our products and services, and often include a detailed Proof of Concept (POC) deployment in the prospect’s environment. Customers often view the subscription to our products as a significant decision as part of a strategic transformation initiative and, as a result, frequently require considerable time to evaluate, test and qualify our Zero Trust solutions prior to entering into or expanding a relationship with us. Large enterprises and government entities in particular often undertake a significant evaluation process that further lengthens the sales cycle. The ongoing COVID-19 pandemic may further extend sales cycles for some of our products and services.
Our sales force develops relationships directly with our customers, and together with our channel account teams, works with our channel partners on account penetration, account coordination, sales and overall market development. We spend substantial time and resources on our sales efforts, especially with larger customers, without any assurance that our efforts will produce a sale. Product purchases are frequently subject to budget constraints, multiple approvals and unanticipated administrative, processing and other delays. As a result, it is difficult to predict whether and when a sale will be completed and when revenue from a sale will be recognized.
The failure of our efforts to secure sales after investing resources in a lengthy sales process could materially and adversely affect our business and operating results.
The sales prices of our solutions may decrease, or the mix of our sales may change, which may reduce our gross profits and adversely impact our financial results.
We have limited experience with respect to determining the optimal prices for our solutions. As the market for our solutions matures, or as new competitors introduce new products or services that are similar to or compete with ours, we may be unable to attract new customers at the same price or based on the same pricing model as we have used historically. Further, competition continues to increase in the market segments in which we participate, and we expect competition to further increase in the future, thereby leading to increased pricing pressures. Larger competitors with more diverse product and service offerings may reduce the price of products or services that compete with ours or may bundle them with other products and services. This could lead customers to demand greater price concessions or additional functionality at the same price levels. As a result, in the future we may be required to reduce our prices or provide more features without corresponding increases in price, which would adversely affect our business, operating results, and financial condition.
The impact of the ongoing COVID-19 pandemic, including the resulting global economic uncertainty, is fluid, very unclear and difficult to predict at this time, but it may have a material adverse impact on our business, results of operations, financial condition, liquidity and cash flows.
The COVID-19 pandemic has caused general business disruption worldwide beginning in January 2020. The full extent to which the COVID-19 pandemic will directly or indirectly impact our business, operating results, cash flows, and financial condition will depend on future developments that are highly uncertain and cannot be accurately predicted.
However, as economic activity has been recovering, the impact of the COVID-19 pandemic on our business has been more reflective of greater economic and marketplace dynamics, which include minimal supply chain disruptions, rather than pandemic-related issues such as mandated restrictions and employee illness. Notwithstanding the recent resurgence of economic activity, in light of variant strains of the virus that have emerged, the COVID-19 pandemic could once again impact our operations and the operations of our customers and suppliers as a result of quarantines, location closures, illnesses, and travel restrictions. We do not yet know the full extent of potential impacts on our business, operations or on the global economy as a whole, particularly if the COVID-19 pandemic continues and persists for an extended period of time. Potential impacts include:
•our customer prospects and our existing customers may experience slowdowns in their businesses, which in turn may result in reduced demand for our solutions, lengthening of sales cycles, loss of customers, and difficulties in collections;
•we continue to incur fixed costs, particularly for certain real estate office leases, and may derive reduced benefit from those costs;
•we may be subject to legal liability for safe workplace claims;
•our critical vendors could go out of business; and
•our marketing, sales, and support organizations are accustomed to extensive face-to-face customer and partner interactions, and our ability to conduct business remotely is largely unproven.
Any of the foregoing could adversely affect our business, financial condition, and operating results.
While we have not to date experienced a significant impact to our business, operations or financial results as a result of the COVID-19 pandemic, there can be no assurance that these events will not have a material adverse impact on our business, operations or financial results in subsequent quarters or years.
We provide service level commitments under some of our customer contracts. If we fail to meet these contractual commitments, we could be obligated to provide credits for future service and our business could suffer.
Certain of our customer agreements contain service level commitments, which contain specifications regarding the availability and performance of our products and services. Any failure of or disruption to our infrastructure could impact the performance of our products and the availability of services to customers. If we are unable to meet our stated service level commitments or if we suffer extended periods of poor performance or unavailability of our products, we may be contractually obligated to provide affected customers with service credits for future subscriptions, and, in certain cases, refunds. To date, there has not been a material failure to meet our service level commitments, and we do not currently have any material liabilities accrued on our balance sheet for such commitments. Our revenue, other results of operations and financial condition could be harmed if we suffer performance issues or downtime that exceeds the service level commitments under our agreements with our customers.
Our business is subject to the risks of warranty claims, product returns and product defects from real or perceived defects in our solutions or their misuse by our customers or third parties and indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
We may be subject to liability claims for damages related to errors or defects in our solutions. A material liability claim or other occurrence that harms our reputation or decreases market acceptance of our solutions will harm our business and operating results. Although we generally have limitation of liability provisions in our terms and conditions of sale, they may not fully or effectively protect us from claims as a result of federal, state or local laws or ordinances, or unfavorable judicial decisions in the United States or other countries. The sale and support of our solutions also entails the risk of product liability claims.
Additionally, we typically provide indemnification to customers for certain losses suffered or expenses incurred as a result of third-party claims arising from our infringement of a third party’s intellectual property. We also provide unlimited liability for certain breaches of confidentiality, as defined in our terms of service. We also provide limited liability in the event of certain breaches of our terms of service. Certain of these contractual provisions survive termination or expiration of the applicable agreement.
If our customers or other third parties we do business with make intellectual property rights or other indemnification claims against us, we will incur significant legal expenses and may have to pay damages, license fees and/or stop using technology found to be in violation of the third party’s rights. We may also have to seek a license for the technology. Such license may not be available on reasonable terms, if at all, and may significantly increase our operating expenses or may require us to restrict our business activities and limit our ability to deliver certain solutions or features. We may also be required to develop alternative non-infringing technology, which could require significant effort and expense and/or cause us to alter our solutions, which could harm our business. Large indemnity obligations, whether for intellectual property or in certain limited circumstances, other claims, would harm our business, operating results and financial condition.
Additionally, our solutions may be used by our customers and other third parties who obtain access to our solutions for purposes other than for which our solutions were intended.
Under certain circumstances our employees may have access to our customers’ solutions. An employee may take advantage of such access to conduct malicious activities. Any such misuse of our solutions could result in negative press coverage and negatively affect our reputation, which could result in harm to our business, reputation and operating results.
We maintain insurance to protect against certain claims associated with the use of our solutions, but our insurance coverage may not adequately cover any claim asserted against us. In addition, even claims that ultimately are unsuccessful could result in our expenditure of funds in litigation, divert management’s time and other resources, and harm our business and reputation.
If organizations do not adopt a Zero Trust model for cybersecurity, our ability to grow our business and operating results may be adversely affected.
Cybersecurity technologies are still evolving, and it is difficult to precisely predict customer demand and adoption rates for our services generally. We believe that our Zero Trust model for cybersecurity offers superior protection to our customers, who are becoming increasingly aware of the importance of implementing cybersecurity measures beyond a perimeter-centric model to secure access to their network. Following the 2020 SolarWinds attack, guidance was released by the National Institute of Standards and Technology, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency recommending a Zero Trust framework. Subsequently, in May 2021, President Joe Biden issued an Executive Order explicitly calling for the adoption of a Zero Trust Architecture by the federal government to improve the nation’s response to “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” The federal government continues to lead the industry in setting standards with the September 2021 release of a Zero Trust maturity model and Zero Trust strategy documents. We also believe that our products and services represent a major shift from perimeter-centric cybersecurity models.
However, traditional perimeter-centric cybersecurity models are entrenched in the infrastructure of many of our potential customers, particularly large enterprises, because of their prior investment in and the familiarity of their IT personnel with such cybersecurity solutions. As a result, our sales process often involves extensive efforts to educate our customers on the benefits and capabilities of Zero Trust solutions, particularly as we continue to pursue customer relationships with large
organizations. Even with these efforts, we cannot predict market acceptance of our products and services, or the development of competing products or services based on other technologies. If we fail to achieve market acceptance of our products and services or are unable to keep pace with industry changes, our ability to grow our business and our operating results will be materially and adversely affected.
If we are unable to attract new customers or if our existing customers do not renew their subscriptions for our services or add additional users and services to their subscriptions the future results of our operations could be harmed.
Our growth is substantially dependent on adding new customers and expanding our relationships with existing customers. Potential clients that use legacy products and services may believe that these products and services are sufficient to meet their security needs or that our offerings only serve the needs of a portion of the enterprise security market. Accordingly, these organizations may continue allocating their information technology budgets for legacy products and services and may not adopt our security offerings. Further, many organizations have invested substantial personnel and financial resources to design and operate their networks and have established deep relationships with other providers of networking and security products. As a result, these organizations may prefer to purchase from their existing suppliers rather than add or switch to a new supplier such as us regardless of product performance, features, or greater services offerings. They may also be more willing to incrementally add solutions to their existing security infrastructure from existing suppliers rather than to replace some or all of their existing security infrastructure with our solutions. In addition, numerous other factors, many of which are out of our control, may now or in the future impact our ability to add new customers, including our failure to expand, retain and motivate our sales and marketing personnel, our failure to develop or expand relationships with our channel partners or to attract new channel partners, failure by us to help our customers to successfully deploy our software and expertise, negative media or industry or financial analyst commentary regarding us or our solutions, litigation and deteriorating general economic conditions, including as a result of the COVID-19 pandemic. Our success in attracting new customers also depends on our ability to develop innovative, high-quality, and appealing new products, including alternatives to products introduced by our competitors, and to effectively communicate and market the benefits of such new products. Our ability to attract new customers also depends on the effectiveness of our sales and marketing efforts. We plan to dedicate significant resources to sales and marketing programs and to expand our sales and marketing capabilities to target additional potential customers, but there is no guarantee that we will be successful in attracting and maintaining additional customers. Furthermore, our ability to achieve growth will partially depend on our success in hiring, integrating, training and retaining a sufficient number of sales personnel to support our growth. If we are unable to find efficient ways to deploy our sales and marketing programs, are unable to hire and train a sufficient number of effective sales personnel, or our efforts to attract new customers are not successful, our revenue and rate of revenue growth may decline, we may not achieve profitability and the future results of our operations could be materially harmed.
Our growth is also partially dependent on our customers renewing their subscriptions for our products when existing contract terms expire and expanding our commercial relationships with our existing customers. Our customers have no obligation to renew their subscriptions for our services after the expiration of their contractual subscription period, which is typically one to three years, and in the normal course of business, some customers have elected not to renew. In addition, in certain cases, customers may cancel their subscriptions without cause either at any time or upon advance written notice (typically ranging from 30 days to 60 days), typically subject to an early termination penalty for unused services. In addition, our customers may renew for fewer users, renew for shorter contract lengths or switch to a lower-cost suite. If our customers do not renew their subscription services, if our revenues decline or if we fail to grow our business, we could incur impairment losses on our assets. Our customer retention and expansion may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with our services, our customers’ ability to adopt our solutions correctly, our prices and pricing plans, our customers’ spending levels, decreases in the number of users to which our customers deploy our solutions, mergers and acquisitions involving our customers, competition and deteriorating general economic conditions.
Our future success also depends in part on the rate at which our current customers add additional users to their subscriptions or expand to utilize additional products, which is driven by a number of factors, including customer satisfaction with our services, customer security and networking issues and requirements, including demand for our products and services, general economic conditions and customer reaction to the price per additional user or of additional services. If our efforts to expand our relationship with our existing customers are not successful, our business may materially suffer.
Our business is subject to the risks of hurricanes, earthquakes, fire, floods and other natural catastrophic events, and to interruption by man-made problems such as power disruptions, computer viruses, data security breaches or terrorism effecting our operations or the operations of our third-party cloud service providers.
Our success depends, in part, on our ability to maintain the integrity of our systems and infrastructure, including website, information and related systems. We also currently host some of our products and serve our customers from third-party cloud service providers. While we have electronic access to the components and infrastructure of our software that are hosted by these third parties, we do not control the operation of these environments. Consequently, we may be subject to service disruptions as well as failures to provide adequate support for reasons that are outside of our direct control. Our corporate headquarters are located in Coral Gables, FL, a region known for hurricane activity. A significant natural disaster, such as a hurricane, fire, flood or public health emergency, such as COVID-19, or a significant man-made problem, such as acts of terrorism and other geopolitical unrest, occurring at our headquarters, at one of our other facilities or where a key channel partner, data center or third-party cloud service provider, component supplier or other third-party provider is located, could adversely affect our business, results of operations and financial condition. Although we maintain incident management and disaster response plans, disaster recovery planning by its nature cannot be sufficient for all eventualities. Though it is difficult to determine what, if any, harm may directly result from any specific interruption or attack, any failure to maintain performance, reliability, security and availability of our products and services to the satisfaction of our users may materially harm our reputation and our ability to retain existing customers and attract new customers.
If the delivery of our services to our customers is interrupted or delayed for any reason, our business could suffer.
Any interruption or delay in the delivery of our services may negatively impact our customers. Certain of our products are deployed via the internet, and our customers’ access to network resources is dependent on the continuous availability of the internet and our services to utilize such products. If an interruption in our services were to occur, our customers’ users could lose access to network resources (including private on-premises resources, public cloud IaaS-deployed resources, or public cloud SaaS resources, depending on customer configuration) until such disruption is resolved or customers deploy disaster recovery options that allow them to remediate the problem. The adverse effects of any service interruptions on our reputation and financial condition may be disproportionately heightened due to the nature of our business and the fact that our customers expect continuous and uninterrupted access to resources and may have a low tolerance for interruptions of any duration. While we do not consider them to have been material, we have experienced, and may in the future experience, service disruptions and other performance problems due to a variety of factors.
The following factors, many of which are beyond our control, can affect the delivery and availability of our services and the performance of our products:
•the development and maintenance of the infrastructure of the internet;
•the performance and availability of cloud service providers or third-party telecommunications services with the necessary speed, data capacity and security for providing reliable internet access and services;
•decisions by the owners and operators of the cloud infrastructures or data centers where our infrastructure is deployed to terminate our contracts, discontinue services to us, shut down operations or facilities, increase prices, change service levels, limit bandwidth, declare bankruptcy or prioritize the traffic of other parties;
•the occurrence of earthquakes, floods, fires, pandemics, power loss, system failures, physical or electronic break-ins, acts of war or terrorism, human error or interference (including by disgruntled employees, former employees or contractors) and other catastrophic events;
•cyberattacks, including ransomware, denial of service attacks, targeted at us, our cloud service providers, data centers or the infrastructure of the internet;
•failure by us to maintain and update our infrastructure to meet customer requirements;
•errors, defects or performance problems in our software, including third-party software incorporated in our software, which we use to operate our products;
•improper classification of websites or known-bad phishing domains by our vendors who provide us with lists of malicious sites;
•improper deployment or configuration of our services;
•the failure of our redundancy systems, in the event of a service disruption at one of our cloud service providers, to provide failover to other regions in our cloud service provider environment network; and
•the failure of our disaster recovery and business continuity arrangements.
The occurrence of any of these factors, or if we are unable to efficiently and cost-effectively fix such errors or other problems that may be identified, could damage our reputation, negatively impact our relationship with our customers or otherwise materially harm our business, results of operations and financial condition.
A network or data security incident against us, whether actual, alleged, or perceived, could harm our reputation, create liability, and regulatory exposure, and adversely impact our business, operating results, and financial condition.
Increasingly, companies are subject to a wide variety of attacks on their networks on an ongoing basis, including traditional computer hackers, malicious code (such as viruses and worms), distributed denial-of-service attacks, sophisticated attacks conducted or sponsored by nation-states, advanced persistent threat intrusions, ransomware, software supply chain attacks, and theft or misuse of intellectual property or business or personal data, including by disgruntled employees, former employees or contractors. Cybersecurity companies face particularly intense attack efforts, and we have faced and will continue to face cyber threats and attacks from a variety of sources. Although we have implemented security measures to prevent such attacks, our networks and systems may be breached due to the actions of outside parties, employee error, malfeasance, a combination of these, or otherwise, and as a result, an unauthorized party may obtain access to our systems, networks, or data. We may face difficulties or delays in identifying or otherwise responding to any attacks or actual or potential security breaches or threats. A breach in our data security or an attack against our platform could impact our networks or the networks of our customers that are secured by our platform, creating system disruptions or slowdowns and providing access to malicious parties to information stored on our networks or the networks of our customers, resulting in data being publicly disclosed, altered, lost, or stolen, which could subject us to liability and adversely impact our financial condition.
In addition, any actual, alleged or perceived security breach in our systems or networks, or any other actual, alleged or perceived data security incident we suffer, could result in damage to our reputation, negative publicity, loss of customers and sales, loss of competitive advantages over our competitors, increased costs to remedy any problems and otherwise respond to any incident, regulatory investigations and enforcement actions, costly litigation, and other liability. We would also be exposed to a risk of loss or litigation and potential liability under laws, regulations and contracts that protect the privacy and security of personal information.
In addition, we may incur significant financial and operational costs to investigate, remediate, eliminate and put in place additional tools and devices designed to prevent actual or perceived security breaches and other security incidents, as well as costs to comply with any notification obligations resulting from any security incidents. Any of these negative outcomes could adversely impact the market perception of our platform and customer and investor confidence in our company, and would adversely impact our business, operating results, and financial condition.
The actual or perceived failure of our technology solutions to prevent a security breach or address targeted security threats could harm our reputation and adversely impact our business, financial condition and results of operations.
Our Zero Trust solutions may fail to prevent security breaches for any number of reasons. Our products are complex and may be misconfigured by customers or contain performance or functional issues that are not detected until after deployment. We also provide frequent solution updates and enhancements, which increase the possibility of errors, and our reporting, tracking, monitoring and quality assurance procedures may not be sufficient to ensure we detect any such defects in a timely manner. The performance of our products can be negatively impacted by our failure to enhance, expand or update our products, errors or defects in our software, improper deployment or configuration of our services and many other factors.
In addition, because the techniques used by computer hackers to access or sabotage networks change frequently and generally are not recognized until launched against a target, there is a risk that a cyber threat could emerge that our services are unable to detect or prevent until after some of our customers are impacted. Moreover, as our services are adopted by an increasing number of enterprises, it is possible that the individuals and organizations behind cyber threats will focus on finding ways to defeat our services. If this happens, our products could be targeted by attacks specifically designed to disrupt our Zero Trust model and create the perception that our technology is not capable of providing superior cybersecurity, which, in turn, could have a serious impact on our reputation as a provider of cybersecurity solutions. Further, if a high-profile security breach occurs with respect to another similar cybersecurity services provider, our customers and potential customers may lose trust in cybersecurity solutions generally, and with respect to Zero Trust security in particular, which could materially and adversely impact our ability to retain existing customers or attract new customers.
No security solution, including our Zero Trust solutions, can address all possible security threats or block all methods of penetrating a network or otherwise perpetrating a security incident. Our customers must rely on complex network and security infrastructures, which include products and services from multiple vendors, to secure their networks. If any of our customers becomes infected with malware or experiences a security breach, they could be disappointed with our services or products, regardless of whether our services or products are intended to block the attack or would have blocked the attack if the customer had properly configured our product or engaged our services in time. Additionally, if any enterprises that are publicly known to use our services or products are the subject of a cyberattack that becomes publicized, our current or potential customers may look to our competitors for alternatives to our services.
From time to time, industry or financial analysts and research firms evaluate our solutions against other security products. Our services may fail to prevent threats in any particular test for a number of reasons, including misconfiguration. To the extent potential customers, industry or financial analysts or testing firms believe that the occurrence of a failure to prevent any particular threat is a flaw or indicates that our services do not provide significant value, our reputation and business could be materially harmed.
Any real or perceived flaws in our products or services, any real or perceived security breaches or other security incidents of our customers or loss of compliance attestations required by customer contracts, could result in:
•a loss of existing or potential customers or channel partners;
•delayed or lost sales and harm to our financial condition and results of operations;
•a delay in attaining, or the failure to attain, market acceptance;
•the expenditure of significant financial resources in efforts to analyze, correct, eliminate, remediate or work around errors or defects, to address and eliminate vulnerabilities and to address any applicable legal or contractual obligations relating to any actual or perceived security breach;
•negative publicity and damage to our reputation and brand; and
•legal claims and demands (including for stolen assets or information, repair of system damages, and compensation to customers and business partners), litigation, regulatory inquiries or investigations and other liability.
Any of the above results could materially and adversely affect our business, financial condition and results of operations.
Additionally, with product effectiveness a critical competitive factor in our industry, we make public statements, including on our website, in marketing materials and elsewhere, describing the effectiveness of our products and the performance of our solutions. As a result, we may face claims, including claims of unfair or deceptive trade practices, brought by the U.S. Federal Trade Commission, state, local, or foreign regulators, and private litigants.
Risks Related to Our People
We rely on our key technical, sales and management personnel to grow our business, and the loss of one or more key employees or the inability to attract and retain qualified personnel could harm our business.
Our future success is substantially dependent on our ability to attract, retain and motivate the members of our management team and other key employees throughout our organization. We rely on our leadership team in the areas of operations, security, marketing, sales, support and general and administrative functions, and on individual contributors on our research and development team. Although we have entered into employment agreements and other arrangements with certain of our key personnel, our employees, including our executive officers, may terminate their employment with us at any time. We do not maintain key person life insurance policies on any of our employees. The loss of one or more of our executive officers or key employees could seriously harm our business.
To execute our growth plan, we must attract and retain highly qualified personnel. Competition for these personnel is intense, especially for experienced sales professionals and for engineers experienced in designing and developing cybersecurity applications and security software. We have from time to time experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications. For example, in recent years, recruiting, hiring and retaining employees with expertise in the cybersecurity industry has become increasingly difficult as the demand for cybersecurity professionals has increased as a result of the recent cybersecurity attacks on global corporations and governments. Many of the companies with which we compete for experienced personnel have greater resources than we have, which provides those companies an advantage in, among other things, recruiting and retaining foreign employees on Visas for work in the U.S. In addition, job candidates and existing employees often consider the value of the equity awards they receive in connection with their employment. Volatility or lack of performance in our stock
price may also affect our ability to attract and retain our key employees. Any failure to successfully attract, integrate or retain qualified personnel to fulfill our current or future needs could materially and adversely affect our business, operating results and financial condition.
Our ability to maintain customer satisfaction depends in part on the quality of our customer support, including the quality of the support provided on our behalf by certain channel partners. Failure to maintain high-quality customer support could have an adverse effect on our business, financial condition and results of operations.
If we do not provide adequate support to our customers, our ability to renew subscriptions, increase the number of users and sell additional services to customers will be adversely affected. We believe that successfully delivering our Zero Trust solutions often require a high level of customer support and engagement. We or our channel partners must successfully assist our customers in deploying our Zero Trust solutions, resolving performance issues, and addressing interoperability challenges with a customer’s existing network and security infrastructure. Many enterprises, particularly large organizations, have very complex networks and require high levels of focused support, including premium support offerings, to fully realize the benefits of our products and services. We believe our service is of high quality and a key competitive advantage. Any failure by us to maintain the expected level of support could reduce customer satisfaction and hurt our customer retention, particularly with respect to our large enterprise customers. Additionally, if our channel partners do not provide support to the satisfaction of our customers, we may be required to provide this level of support to those customers, which would require us to hire additional personnel and to invest in additional resources. We may not be able to hire such resources fast enough to keep up with demand, particularly if the sales of our products and services exceed our internal forecasts. To the extent that we or our channel partners are unsuccessful in hiring, training and retaining adequate support resources, our ability and the ability of our channel partners to provide adequate and timely support to our customers will be negatively impacted, and our customers’ satisfaction with our products or services could be adversely affected. Furthermore, as we sell our solutions internationally, our support organization faces additional challenges, including those associated with delivering support, training and documentation in languages other than English. Any failure to maintain high-quality customer support, or a market perception that we do not maintain high-quality support, could materially harm our reputation, adversely affect our ability to sell our solutions to existing and prospective customers and could harm our business, financial condition and results of operations.
Risks Related to Our Intellectual Property
It may be difficult to enforce our intellectual property rights, which could enable others to copy or use aspects of our solutions without compensating us.
We believe our intellectual property is a key competitive advantage. We rely on a combination of patent, copyright, trademark and trade secret laws, as well as confidentiality procedures and contractual provisions, to establish and protect our intellectual property rights, all of which provide only limited protection. The efforts we have taken to protect our intellectual property rights may not be sufficient or effective, and our patents, trademarks and copyrights may be held invalid or unenforceable. Moreover, we cannot assure you that any patents will be issued with respect to our currently pending patent applications in a manner that gives us adequate defensive protection or competitive advantages, or that any patents issued to us will not be challenged, invalidated or circumvented. We have filed for patents in the United States and in certain non-U.S. jurisdictions, but such protections may not be available in all countries in which we operate or in which we seek to enforce our intellectual property rights or may be difficult to enforce in practice. For example, many foreign countries have compulsory licensing laws under which a patent owner must grant licenses to third parties. In addition, many countries limit the enforceability of patents against certain third parties, including government agencies or government contractors. In these countries, patents may provide limited or no benefit. Moreover, we may need to expend additional resources to defend our intellectual property rights in these countries, and our inability to do so could impair our business or adversely affect our international expansion. Our currently issued patents and any patents that may be issued in the future with respect to pending or future patent applications may not provide sufficiently broad protection, or they may not prove to be enforceable in actions against alleged infringers. Additionally, the U.S. Patent and Trademark Office and various foreign governmental patent agencies require compliance with a number of procedural, documentary, fee payment and other similar provisions during the patent application process and to maintain issued patents. There are situations in which noncompliance can result in abandonment or lapse of the patent or patent application, resulting in partial or complete loss of patent rights in the relevant jurisdiction. If this occurs, it could materially harm our business, operating results, financial condition and prospects. Likewise, we have applied for trademark registrations in the U.S. and certain non-U.S. jurisdictions, but have not applied to register our trademarks in every country in which we currently conduct business or may expand in the future. Third parties may register our marks in those countries and prevent us from doing so.
We may not be effective in policing unauthorized use of our intellectual property rights, as we do not take active measures to monitor for infringement of our patents or trademarks, and even if we do detect violations, litigation may be necessary to enforce our intellectual property rights. In addition, our intellectual property may be stolen, including by cybercrimes, and we may not be able to identify the perpetrators or prevent the exploitation of our intellectual property by our competitors or others. Protecting against the unauthorized use of our intellectual property rights, technology and other proprietary rights is expensive and difficult, particularly outside of the United States. Any enforcement efforts we undertake, including litigation, could be time-consuming and expensive and could divert management’s attention, either of which could harm our business, operating results and financial condition. Further, attempts to enforce our rights against third parties could also provoke these third parties to assert their own intellectual property or other rights against us, or result in a holding that invalidates or narrows the scope of our rights, in whole or in part. The inability to adequately protect and enforce our intellectual property and other proprietary rights could seriously harm our business, operating results, financial condition and prospects. Even if we are able to secure our intellectual property rights, we cannot assure you that such rights will provide us with competitive advantages or distinguish our services from those of our competitors or that our competitors will not independently develop similar technology, duplicate any of our technology, or design around our patents.
We incorporate technology from third parties into our products, and our inability to obtain or maintain rights to the technology could harm our business.
We license software and other technology from third parties that we incorporate into or integrate with, our products. We cannot be certain that our licensors are not infringing the intellectual property rights of third parties or that our licensors have sufficient rights to the licensed intellectual property in all jurisdictions in which we may sell our services. In addition, many licenses are non-exclusive, and therefore our competitors may have access to the same technology licensed to us. Some of our agreements with our licensors may be terminated for convenience by them, or otherwise provide for a limited term. If we are unable to continue to license any of this technology for any reason, our ability to develop and sell our services containing such technology could be harmed. Similarly, if we are unable to license necessary technology from third parties now or in the future, we may be forced to acquire or develop alternative technology, which we may be unable to do in a commercially feasible manner or at all, and we may be required to use alternative technology of lower quality or performance standards. This could limit and delay our ability to offer new or competitive products and services. As a result, our business and results of operations could be significantly harmed.
Some of our technology incorporates “open source” software, and we license some of our software through open source projects, which could negatively affect our ability to sell our products and subject us to possible litigation.
Some of our solutions incorporate software licensed by third parties under open source licenses, including open source software embedded in software we receive from third-party commercial software vendors. Use of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide support, updates or warranties or other contractual protections regarding infringement claims or the quality of the code. In addition, the wide availability of open source software used in our solutions could expose us to security vulnerabilities. Furthermore, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that such licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to market or commercialize our solutions. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, have a negative effect on our results of operations and financial condition or require us to devote additional research and development resources to change our solutions. In addition, by the terms of some open source licenses, under certain conditions we could be required to release the source code of our proprietary software, and to make our proprietary software available under open source licenses, including authorizing further modification and redistribution. In the event that portions of our proprietary software are determined to be subject to such requirements by an open source license, we could be required to publicly release the affected portions of our source code, re-engineer all or a portion of our products or services or otherwise be limited in the licensing of our services, each of which provide an advantage to our competitors or other entrants to the market, create security vulnerabilities in our solutions and could reduce or eliminate the value of our services. Further, if we are held to have breached or otherwise failed to comply with the terms of an open source software license, we could be required to release certain of our proprietary source code under open source licenses, pay monetary damages, seek licenses from third parties to continue offering our services on terms that are not economically feasible or be subject to injunctions that could require us to discontinue the sale of our services if re-engineering could not be accomplished on a timely basis. Many of the risks associated with use of open source software cannot be eliminated and could negatively affect our business. Moreover, we cannot assure you that our processes for controlling our use of open source software in our products will be effective. Responding to any infringement or noncompliance claim by an open source vendor, regardless of its validity, or
discovering open source software code in our software could harm our business, operating results and financial condition by, among other things:
•resulting in time-consuming and costly litigation;
•diverting management’s time and attention from developing our business;
•requiring us to pay monetary damages or enter into royalty and licensing agreements that we would not normally find acceptable;
•causing delays in the deployment of our products or service offerings to our customers;
•requiring us to stop offering certain services on or features of our products;
•requiring us to redesign certain components of our software using alternative non-infringing or non-open source technology, which could require significant effort and expense;
•requiring us to disclose our software source code and the detailed program commands for our software; and
•requiring us to satisfy indemnification obligations to our customers.
Claims by others that we infringe their proprietary technology or other rights, or other lawsuits asserted against us, could result in significant costs and substantially harm our business, financial condition, results of operations and prospects.
A number of companies in our industry hold a large number of patents and also protect their copyright, trade secret and other intellectual property rights, and companies in the networking and security industry frequently enter into litigation based on allegations of patent infringement or other violations of intellectual property rights. In addition, patent holding companies seek to monetize patents they previously developed, have purchased or otherwise obtained. Many companies, including our competitors, may now, and in the future, have significantly larger and more mature patent, copyright, trademark and trade secret portfolios than we have, which they may use to assert claims of infringement, misappropriation and other violations of intellectual property rights against us. In addition, future litigation may involve non-practicing entities or other patent owners who have no relevant product offerings or revenue and against whom our own patents may therefore provide little or no deterrence or protection. As we face increasing competition and gain an increasingly higher profile, including as a result of becoming a public company, the possibility of intellectual property rights claims against us grows. Third parties have asserted in the past and may in the future assert claims of infringement of intellectual property rights against us and these claims, even without merit, could harm our business, including by increasing our costs, reducing our revenue, creating customer concerns that result in delayed or reduced sales, distracting our management from the running of our business and requiring us to cease use of important intellectual property. For instance, the e-commerce company Rakuten had made us aware that it owns a registration for the APPGATE trademark in Japan. We take no position on the possible outcome of that matter. In addition, because patent applications can take years to issue and are often afforded confidentiality for some period of time, there may currently be pending applications, unknown to us, that later result in issued patents that could cover one or more of our services. Moreover, in a patent infringement claim against us, we may assert, as a defense, that we do not infringe the relevant patent claims, that the patent is invalid or both. The strength of our defenses will depend on the patents asserted, the interpretation of these patents, and our ability to invalidate the asserted patents. However, we could be unsuccessful in advancing non-infringement and/or invalidity arguments in our defense. In the United States, issued patents enjoy a presumption of validity, and the party challenging the validity of a patent claim must present clear and convincing evidence of invalidity, which is a high burden of proof. Conversely, the patent owner need only prove infringement by a preponderance of the evidence, which is a lower burden of proof. Furthermore, because of the substantial amount of discovery required in connection with patent and other intellectual property rights litigation, there is a risk that some of our confidential information could be compromised by the discovery process.
As the number of products and competitors in our market increases and overlaps occur, claims of infringement, misappropriation and other violations of intellectual property rights may increase. Our insurance may not cover intellectual property rights infringement claims. Third parties may in the future also assert infringement claims against our customers or channel partners, with whom our agreements may obligate us to indemnify against these claims. In addition, to the
extent we hire personnel from competitors, we may be subject to allegations that such employees have divulged proprietary or other confidential information to us.
From time to time, the U.S. Supreme Court, other U.S. federal courts and the U.S. Patent and Trademark Appeals Board, and their foreign counterparts, have made and may continue to make changes to the interpretation of patent laws in their respective jurisdictions. We cannot predict future changes to the interpretation of existing patent laws or whether U.S. or foreign legislative bodies will amend such laws in the future. Any changes may lead to uncertainties or increased costs and risks surrounding the outcome of third-party infringement claims brought against us and the actual or enhanced damages, including treble damages, that may be awarded in connection with any such current or future claims and could have a material adverse effect on our business and financial condition.
We are unable to predict the likelihood of success in defending against future infringement claims. In the event that we fail to successfully defend ourselves against an infringement claim, a successful claimant could secure a judgment or otherwise require payment of legal fees, settlement payments, ongoing royalties or other costs or damages; or we may agree to a settlement that prevents us from offering certain services or features; or we may be required to obtain a license, which may not be available on reasonable terms, or at all, to use the relevant technology. If we are prevented from using certain technology or intellectual property, we may be required to develop alternative, non-infringing technology, which could require significant time, during which we could be unable to continue to offer our affected services or features, effort and expense and may ultimately not be successful. Any of these outcomes could result in a material adverse effect on our business. Even if we were to prevail, third-party infringement lawsuits could be costly and time-consuming, divert the attention of our management and key personnel from our business operations, deter channel partners from selling or licensing our services and dissuade potential customers from purchasing our services, which would also materially harm our business. In addition, any public announcements of the results of any proceedings in third-party infringement lawsuits could be negatively perceived by industry or financial analysts and investors and could cause our stock price to experience volatility or decline. Further, the expense of litigation and the timing of this expense from period to period are difficult to estimate, subject to change and could adversely affect our results of operations. Any of these events could materially and adversely harm our business, financial condition and results of operations.
Risks Related to Legal and Regulatory Matters
Failure to comply with laws and regulations applicable to our business could subject us to fines and penalties and could also cause us to lose customers in the public sector or negatively impact our ability to contract with the public sector.
Our business is subject to regulation by various federal, state, local and foreign governmental agencies, including agencies responsible for monitoring and enforcing privacy and data protection laws and regulations, government contract laws, employment and labor laws, workplace safety, anti-bribery laws, import and export controls, federal securities laws and tax laws and regulations. In certain jurisdictions, these regulatory requirements may be more stringent than in the United States. These laws and regulations impose added costs on our business. Noncompliance with applicable regulations or requirements could subject us to:
•investigations, enforcement actions and sanctions;
•mandatory changes to our Zero Trust solutions;
•disgorgement of profits, fines and damages;
•civil and criminal penalties or injunctions;
•claims for damages by our customers or channel partners;
•termination of contracts;
•loss of intellectual property rights; and
•temporary or permanent debarment from sales to government organizations.
If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, operating results and financial condition could be adversely affected. In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions and sanctions could materially harm our business, operating results and financial condition.
We endeavor to properly classify employees as exempt versus non-exempt under applicable law. Although there are no pending or threatened material claims or investigations against us asserting that some employees are improperly classified as exempt, the possibility exists that some of our current or former employees could have been incorrectly classified as exempt employees.
In addition, we must comply with laws and regulations relating to the formation, administration and performance of contracts with the public sector, including U.S. federal, state and local governmental organizations, which affect how we and our channel partners do business with governmental agencies. Selling our solutions to the U.S. government, whether directly or through channel partners, also subjects us to certain regulatory and contractual requirements. Failure to comply with these requirements by either us or our channel partners could subject us to investigations, fines and other penalties, which could have an adverse effect on our business, operating results, financial condition and prospects. As an example, the U.S. Department of Justice, or DOJ, and the General Services Administration, or GSA, have in the past pursued claims against and financial settlements with IT vendors under the False Claims Act and other statutes related to pricing and discount practices and compliance with certain provisions of GSA contracts for sales to the federal government. The DOJ and GSA continue to actively pursue such claims. Violations of certain regulatory and contractual requirements could also result in us being suspended or debarred from future government contracting. Any of these outcomes could have a material adverse effect on our revenue, operating results, financial condition and prospects.
We are also subject to the U.S. Foreign Corrupt Practices Act of 1977, the U.K. Bribery Act 2010 and other anti-corruption, anti-bribery, anti-money laundering and similar laws in the United States and other countries in which we conduct activities. Anti-corruption and anti-bribery laws, which have been enforced aggressively and are interpreted broadly, prohibit companies and their employees and agents from promising, authorizing, making or offering improper payments or other benefits to government officials and others in the private sector. We leverage third parties, including channel partners, to sell subscriptions to our products and conduct our business abroad. We and these third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and we may be held liable for the corrupt or other illegal activities of these third-party business partners and intermediaries, our employees, representatives, contractors, channel partners and agents, even if we do not explicitly authorize such activities. While we have policies and procedures to address compliance with such laws, we cannot assure you that all of our employees and agents will not take actions in violation of our policies and applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase. Noncompliance with these laws could subject us to investigations, severe criminal or civil sanctions, settlements, prosecution, loss of export privileges, suspension or debarment from U.S. government contracts, other enforcement actions, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, whistleblower complaints, adverse media coverage and other consequences. Any investigations, actions or sanctions could materially harm our reputation, business, results of operations and financial condition.
These laws and regulations impose added costs on our business, and failure to comply with these or other applicable regulations and requirements could lead to claims for damages from our channel partners or customers, penalties, termination of contracts, loss of exclusive rights in our intellectual property and temporary suspension or permanent debarment from government contracting. Any such damages, penalties, disruptions or limitations in our ability to do business with the public sector could have a material adverse effect on our business and operating results.
We and our directors, officers and affiliates have in the past and may in the future become involved in litigation and other proceedings that may adversely affect us.
From time to time, we and our directors, officers and affiliates have been subject to claims, suits and other proceedings. Regardless of the outcome, legal proceedings can have an adverse impact on us because of legal costs and diversion of management attention and resources, and could cause us to incur significant expenses or liability, adversely affect our brand recognition or require us to change our business practices. The expense of litigation and the timing of this expense from period to period are difficult to estimate, subject to change and could adversely affect our business, operating results and financial condition. It is possible that a resolution of one or more such proceedings could result in substantial damages, settlement costs, fines and penalties that would adversely affect our business, financial condition, operating results or cash flows in a particular period. These proceedings could also result in reputational harm, sanctions, consent decrees or orders requiring a change in our business practices. Additionally, our directors, officers and affiliates, or their respective affiliated entities, are currently and may in the future be the subject of claims, suits, litigation and government investigation in their individual capacities or in connection with other business ventures, which could adversely impact our reputation or public perception of our company, irrespective of the merits of any such proceeding. Because of the potential risks, expenses and uncertainties of litigation, we may, from time to time, settle disputes, even where we have meritorious claims or defenses, by agreeing to settlement agreements. Because litigation is inherently unpredictable, we cannot assure you that the results of any of these actions will not have a material adverse effect on our business, financial condition, operating results and prospects. Any of these consequences could adversely affect our business, operating results and financial condition.
We could be subject to securities class action litigation. In the past, securities class action litigation has often been instituted against companies following periods of volatility in the market price of a company’s securities.
This type of litigation, if instituted, could result in substantial costs and a diversion of management’s attention and resources, which could adversely affect our business, operating results, or financial condition. Additionally, the dramatic increase in the cost of directors’ and officers’ liability insurance may cause us to opt for lower overall policy limits or to forgo insurance that we may otherwise rely on to cover significant defense costs, settlements, and damages awarded to plaintiffs.
If we were not able to satisfy data protection, security, privacy and other government- and industry-specific requirements or regulations, our business, results of operations and financial condition could be harmed.
Personal privacy, data protection and information security are significant issues in the United States, Europe and in other jurisdictions where we offer our cybersecurity solutions. The regulatory framework for privacy, data protection, and cybersecurity matters is rapidly evolving and is likely to remain uncertain for the foreseeable future. Our handling of data is subject to a variety of laws and regulations, including regulation by various government agencies. Evolving and changing definitions of personal data and personal information, within the E.U., the United States, and elsewhere, may limit or inhibit our ability to operate or expand our business, including limiting strategic partnerships that may involve the sharing or uses of personal data and personal information, and may require significant expenditures and efforts in order to comply.
The U.S. federal government, and various state and foreign governments, have adopted or proposed limitations on the collection, distribution, use and storage of information relating to individuals. Such laws and regulations may require companies to implement privacy and security policies, permit customers to access, correct and delete information stored or maintained by such companies, inform individuals of security breaches that affect their information, and, in some cases, obtain individuals’ consent to use information for certain purposes. Laws and regulations outside the United States, and particularly in Europe, often are more restrictive than those in the United States. In addition, some foreign governments require that certain information collected in a country be retained within that country. We also may find it necessary or desirable to join industry or other self-regulatory bodies or other information security or data protection-related organizations that require compliance with their rules pertaining to information security and data protection. We also may be bound by additional, more stringent contractual obligations relating to our collection, use and disclosure of personal, financial and other data.
We also expect that there will continue to be new proposed laws, regulations and industry standards concerning privacy, data protection and information security in the United States, the European Union and other jurisdictions in which we operate or may operate, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. For example, the European Union implemented the General Data Protection Regulation in May 2018, which imposes stringent data protection requirements and provides for significant penalties for noncompliance. In addition, data protection laws in Europe impose requirements with respect to the cross-border transfer of certain personal data. We historically relied upon data transfer mechanisms such as the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield frameworks, and the use of certain standard contractual clauses approved by the European Commission, to address these requirements. In July 2020, the CJEU, Europe’s highest court, held that the EU-U.S. Privacy Shield was invalid, and imposed additional obligations in connection with the use of contractual clauses governing cross-border transfers of personal data. As a result, we may need to implement different or additional measures to establish or maintain legitimate means for the transfer and receipt of personal data from the European Union to the U.S. In addition, due to the UK’s departure from the European Union, we are subject to requirements for personal data transfers to and from the UK, which continue to evolve following Brexit. If the measures we implement are later determined to be insufficient, we may face enforcement actions by data protection authorities.
In addition, California adopted the California Consumer Privacy Act in 2018, which took effect in January 2020 and seeks to provide California consumers with increased privacy rights and protections for their personal information. The 2018 Act will be further modified by the California Privacy Rights Act, which becomes effective January 1, 2023. Similar laws in Virginia and Colorado take effect on January 1, 2023, and July 1, 2023, respectively. We expect that existing laws, regulations and standards may be interpreted in new manners in the future. Future laws, regulations, standards and other obligations, and changes in the interpretation of existing laws, regulations, standards and other obligations could require us to modify our solutions, restrict our business operations, increase our costs and impair our ability to maintain and grow our customer base and increase our revenue.
Although we work to comply with applicable laws and regulations, industry standards, contractual obligations and other legal obligations, those laws, regulations, standards and obligations are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another. In addition, they may conflict with other requirements or legal obligations that apply to our business or the security features and services that our customers expect from our solutions and may require us to make changes to our solutions or other practices in an effort to comply with them. As such, we cannot assure ongoing compliance with all such laws, regulations, standards and obligations. Any failure or perceived failure by us to comply with applicable laws, regulations, standards or obligations, or any actual or suspected security breach or other security incident, whether or not resulting in unauthorized access to, or acquisition, release or transfer of information relating to individuals or other data, may result in governmental investigations, enforcement actions and other proceedings, private litigation, fines and penalties or adverse publicity, and could cause our customers to lose trust in us, which could have an adverse effect on our reputation and business. Any inability to adequately address privacy and security concerns, even if unfounded, or comply with applicable laws, regulations, standards and obligations, could result in additional cost and liability to us, damage our reputation, inhibit sales, and materially and adversely affect our business and operating results.
Claims for indemnification by our directors and officers may reduce our available funds to satisfy successful third-party claims against us and may reduce the amount of money available to us.
Our A&R Charter and A&R Bylaws provide that we will indemnify our directors and officers, in each case, to the fullest extent permitted by Delaware law. Our A&R Charter also allows our Board to indemnify other employees. This indemnification will extend to the payment of judgments in actions against officers and directors and to reimbursement of amounts paid in settlement of such claims or actions and may apply to judgments in favor of the Company or amounts paid in settlement to the Company. This indemnification will also extend to the payment of attorneys’ fees and expenses of officers and directors in suits against them where the officer or director acted in good faith and in a manner he or she reasonably believed to be in, or not opposed to, the best interests of the Company, and, with respect to any criminal action or proceeding, he or she had no reasonable cause to believe his or her conduct was unlawful. This right of indemnification is not exclusive of any right to which the officer or director may be entitled as a matter of law and shall extend and apply to the estates of deceased officers and directors.
Risks Related to Financial, Tax and Accounting Matters
If we fail to maintain effective disclosure controls and internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
As a public company, we are subject to the reporting requirements of the Exchange Act and the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”). We expect that the requirements of these rules and regulations will continue to increase our legal, accounting, and financial compliance costs, make some activities more difficult, time-consuming, and costly, and place significant strain on our personnel, systems, and resources.
The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. We are continuing to develop and refine our disclosure controls and other procedures that are designed to ensure that information required to be disclosed by us in the reports that we will file with the SEC is recorded, processed, summarized, and reported within the time periods specified in SEC rules and forms and that information required to be disclosed in reports under the Exchange Act is accumulated and communicated to our principal executive, financial officers and Board of Directors. We are also continuing to improve our internal control over financial reporting, which includes hiring additional accounting and financial personnel to implement such processes and controls.
Our current controls and any new controls that we develop may become ineffective because of changes in conditions in our business. Further, weaknesses in our disclosure controls and internal control over financial reporting may be identified in the future. Any failure to develop or maintain effective controls or any challenges encountered in their implementation or improvement could harm our results of operations or cause us to not meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to implement and maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we may be required to include in our periodic reports filed with the SEC. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financials and other information, which may have a negative effect on the trading price of our common stock. In addition,
if we are unable to continue to meet these requirements, we may not be able to remain listed on any national securities exchange on which our common stock may be listed in the future.
We consummated the Merger on October 12, 2021, and management was unable to conduct an assessment of our internal control over financial reporting as of December 31, 2021, as otherwise required by Section 404 of the Sarbanes-Oxley Act (the “404 Assessment”), due to the limited time available between the Closing and December 31, 2021. Consequently, we have relied on published SEC guidance and excluded our 404 Assessment from the Annual Report. We intend to provide an annual management report on the effectiveness of our internal control over financial reporting with our annual reports on Form 10-K beginning with our annual report on Form 10-K for the year ending December 31, 2022.
Our independent registered public accounting firm is not required to attest to the effectiveness of our internal control over financial reporting until after we are no longer a smaller reporting company as defined under Regulation S-K promulgated by the SEC. At such time, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our internal control over financial reporting is documented, designed, or operating. Any failure to maintain effective disclosure controls and internal control over financial reporting could have an adverse effect on our business and results of operations and could cause an adverse effect on the trading price of our securities.
We have identified material weaknesses in our internal control over financial reporting as of December 31, 2021, and we have previously identified other material weaknesses in our internal control over financial reporting. These material weaknesses could continue to adversely affect our ability to report our results of operations and financial condition accurately and in a timely manner.
On November 8, 2022, our Board, after meeting with management to consider the relevant facts and circumstances, determined that the Company’s financial statements as of and for the years ended December 31, 2021 and 2020, the interim periods within those years, and the Company’s financial statements for the interim periods ended March 31, 2022 and June 30, 2022 should no longer be relied upon because of errors in such financial statements.
Although our management has not yet conducted a 404 Assessment, as part of the Restatement process, we identified material weaknesses in our internal control over financial reporting. As described in this Amendment, subsequent to filing the Original 10-K, our management identified (i) errors in our accounting relating to our controls over the estimation of the relationship between the term license and the support and maintenance for establishing their respective stand-alone sales prices in multi-year contracts related to revenue for our sales of software through multi-year term-based license agreements, (ii) errors in our accounting relating to our controls related to recognition of commission expense and (iii) inadequate management review controls over our financial statement disclosures with respect certain calculations.
In addition, in connection with the preparation of Legacy Appgate’s consolidated financial statements as of and for the year ended December 31, 2020, Legacy Appgate’s management and its independent registered public accounting firm identified material weaknesses in internal control over financial reporting with respect to the design of our information technology general controls related to user access and change management as well as certain financial reporting transaction level controls including account reconciliations, related party transactions and journal entries.
For a discussion of management’s consideration of its material weaknesses and plans for their remediation, see Part II, Item 9A, “Controls and Procedures” included in this Amendment.
A material weakness is a deficiency, or a combination of control deficiencies, in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. Our management is responsible for our internal control over financial reporting and has taken steps to address the material weaknesses, which include engaging external advisors to document the design and implementation of our internal controls, including the evaluation of the operating effectiveness of these internal controls. While we continue to expend significant resources, including accounting-related costs and management oversight on the continued design, improvement and implementation of our internal controls, if any of these new or improved controls and systems do not perform as expected, then we may experience additional deficiencies and material weaknesses in our controls.
There can be no assurance that other material weaknesses will not arise in the future. Additionally, it is possible that we may discover additional material weaknesses upon completion of our 404 Assessment. Any material weaknesses in our internal control over financial reporting could cause us to fail to meet our future reporting obligations or could result in material misstatements in our financial statements, which in turn could have an adverse effect on our reputation, financial
condition and our ability to timely and properly comply with our reporting obligations under the Exchange Act. Any material weakness could also adversely affect the results of the periodic management evaluations and, to the extent we are no longer a smaller reporting company, the annual auditor attestation reports regarding the effectiveness of our internal control over financial reporting that will be required under Section 404 of the Sarbanes-Oxley Act. Internal control deficiencies could also cause investors to lose confidence in our reported financial information which could have an adverse effect on the trading price of our securities.
The requirements of being a public company will increase our costs, may divert our resources and management’s attention and may affect our ability to attract and retain executive management and qualified Board members.
As a public company, we are subject to the reporting and corporate governance requirements of the Exchange Act, and other applicable securities rules and regulations, including the Sarbanes-Oxley Act and the Dodd-Frank Wall Street Reform and Consumer Protection Act. Compliance with these rules and regulations will increase our legal and financial compliance costs, make some activities more difficult, time-consuming or costly and increase demand on our systems and resources. Among other things, the Exchange Act requires that we file annual, quarterly and current reports with respect to our business and results of operations and maintain effective disclosure controls and procedures and internal control over financial reporting. In order to improve our disclosure controls and procedures and internal control over financial reporting to meet this standard, additional resources and management oversight may be required. As a result, management’s attention may be diverted from other business concerns, which could harm our business, financial condition, results of operations and prospects. Although we have hired additional personnel to help comply with these requirements, we may need to further expand our legal and finance departments in the future, which will increase our costs and expenses. In addition, changing laws, regulations and standards relating to corporate governance and public disclosure are creating uncertainty for public companies, increasing legal and financial compliance costs and making some activities more time-consuming. These laws, regulations and standards are subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices. We intend to invest resources to comply with evolving laws, regulations and standards, and this investment may result in increased general and administrative expense and a diversion of management’s time and attention from revenue-generating activities to compliance activities. If our efforts to comply with new laws, regulations and standards differ from the activities intended by regulatory or governing bodies, regulatory authorities may initiate legal proceedings against us and our business and prospects may be harmed.
As a result of disclosure of information in the filings required of a public company, our business and financial condition have become more visible, which could result in threatened or actual litigation, including by competitors and other third parties. If such claims are successful, our business, financial condition, results of operations and prospects could be harmed, and even if the claims do not result in litigation or are resolved in our favor, these claims, and the time and resources necessary to resolve them, could divert the resources of our management and harm our business, financial condition, results of operations and prospects. These factors could also make it more difficult for us to attract and retain qualified employees, executive officers and members of our Board.
Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited.
As of December 31, 2021, we had aggregate U.S. federal and state net operating loss carryforwards of $181.4 million and $90.0 million, respectively, which may be available to offset future taxable income for U.S. income tax purposes. If not utilized, $71.9 million of the federal net operating loss carryforwards will begin to expire in 2035 with the remainder carried forward indefinitely, and $68.0 million of the state net operating loss carryforwards will begin to expire in 2022 with the remainder carried forward indefinitely. We also had foreign net operating loss carryforwards of $5.6 million, which do not expire. Realization of these net operating loss carryforwards depends on future income, and there is a risk that certain of our existing carryforwards could expire unused and be unavailable to offset future income tax liabilities, which could adversely affect our operating results and financial condition. In addition, under Sections 382 and 383 of the Internal Revenue Code, if a corporation undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in ownership by “5 percent shareholders” over a rolling three-year period, the corporation’s ability to use its pre-change net operating loss carryovers and other pre-change tax attributes to offset its post-change income or taxes may be limited. Similar rules apply under U.S. state tax laws. We have experienced ownership changes in the past and we may experience an ownership change in the future as a result of shifts in our stock ownership. As a result, if we earn net taxable income, our ability to use our pre-change U.S. net operating loss carryforwards to offset U.S. federal taxable income may be subject to limitations, which could potentially result in increased future tax liability to us.
We could be subject to additional tax liabilities and United States federal income tax reform could adversely affect us.
We are subject to U.S. federal, state, local and sales taxes in the United States and foreign income taxes, withholding taxes and transaction taxes in numerous foreign jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for income taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain. In addition, our future income tax obligations could be adversely affected by changes in, or interpretations of, tax laws in the United States or in other jurisdictions in which we operate. For example, in December 2017, the United States adopted new tax law legislation commonly referred to as the U.S. Tax Cuts and Jobs Act of 2017 (the “Tax Act”) (as modified by the Coronavirus Aid, Relief, and Economic Security Act), which significantly reforms the Internal Revenue Code of 1986, as amended, or the Internal Revenue Code. The Tax Act, among other things, includes changes to U.S. federal tax rates, imposes significant additional limitations on the deductibility of interest and the use of net operating losses generated in tax years beginning after December 31, 2017, allows for the expensing of certain capital expenditures, and puts into effect the migration from a “worldwide” system of taxation to a largely territorial system. Further changes to U.S. tax laws, including limitations on the ability of taxpayers to claim and utilize foreign tax credits, as well as changes to U.S. tax laws that may be enacted in the future, could impact the tax treatment of our foreign earnings. Due to expansion of our international business activities, any changes in the U.S. taxation of such activities may increase our worldwide effective tax rate and adversely affect our operating results and financial condition. The enactment of legislation implementing changes in the U.S. taxation of international business activities or the adoption of other tax reform policies could adversely impact our operating results and financial condition.
We could be required to collect additional sales, use, value added, digital services, or other similar taxes or be subject to other liabilities that may increase the costs our customers would have to pay for our solutions and adversely affect our business, operating results, and financial condition.
We collect sales, use, value added, digital services, and other similar taxes in a number of jurisdictions. One or more U.S. states or countries may seek to impose incremental or new sales, use, value added, digital services, or other tax collection obligations on us. Further, an increasing number of U.S. states have considered or adopted laws that attempt to impose tax collection obligations on out-of-state companies. Additionally, the Supreme Court of the United States ruled in South Dakota v. Wayfair, Inc. et al, or Wayfair, that online sellers can be required to collect sales and use tax despite not having a physical presence in the state of the customer. In response to Wayfair, or otherwise, U.S. states or local governments may adopt, or begin to enforce, laws requiring us to calculate, collect, and remit taxes on sales in their jurisdictions. A successful assertion by one or more U.S. states requiring us to collect taxes where we presently do not do so, or to collect more taxes in a jurisdiction in which we currently do collect some taxes, could result in substantial liabilities, including taxes on past sales, as well as interest and penalties. Furthermore, certain jurisdictions, such as the U.K. and France, have recently introduced a digital services tax, which is generally a tax on gross revenue generated from users or customers located in those jurisdictions, and other jurisdictions have enacted or are considering enacting similar laws. A successful assertion by a U.S. state or local government, or other country or jurisdiction that we should have been or should be collecting additional sales, use, value added, digital services or other similar taxes could, among other things, result in substantial tax payments, create significant administrative burdens for us, discourage potential customers from subscribing to our solutions due to the incremental cost of any such sales or other related taxes, or otherwise harm our business.
Our corporate structure and intercompany arrangements are subject to the tax laws of various jurisdictions, and we could be obligated to pay additional taxes, which would harm our results of operations.
We are expanding our international operations and staff to support our business in international markets. Our corporate structure and associated transfer pricing policies contemplate the business flows and future growth into the international markets, and consider the functions, risks and assets of the various entities involved in the intercompany transactions. The amount of taxes we pay in different jurisdictions may depend on the application of the tax laws of the various jurisdictions, including the United States, to our international business activities, changes in tax rates, new or revised tax laws or interpretations of existing tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. For example, certain jurisdictions have recently introduced a digital services tax, which is generally a tax on gross revenue generated from users or customers located in those jurisdictions, and other jurisdictions are considering enacting similar laws. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions pursuant to the intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, or if there are changes in tax laws or the way existing tax laws are interpreted or applied, we could be required to pay additional taxes, interest and penalties, which could result in
one-time tax charges, higher effective tax rates, reduced cash flows and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency.
Our revenue recognition policy and other factors may distort our financial results in any given period and make them difficult to predict.
Under accounting standards update No. 2014-09 (Topic 606), Revenue from Contracts with Customers (“ASC 606”), we recognize revenue when our customer obtains control of goods or services in an amount that reflects the consideration that we expect to receive in exchange for those goods or services. We sell and deliver our solutions as term-based license subscriptions, perpetual licenses and software-as-a-service (“SaaS”), together with related support services. For those term-based and perpetual license arrangements, we generally recognize both revenue upfront when the distinct license is made available to the customer, as well as revenue recognized ratably over the contract period for support and maintenance based on the stand-ready nature of these elements. For SaaS arrangements that do not contain variable consideration, and for support and maintenance, we recognize revenue ratably over the contract period as the Company satisfies its performance obligation, beginning on the date the Company makes its service available to the customer. Because of this revenue recognition methodology, a single, large term-based or perpetual license in a given period may distort our operating results for that period. In contrast, the impact of agreements that are recognized ratably may take years to be fully reflected in our financial statements. Consequently, a significant increase or decline in our subscription SaaS and support and maintenance contracts in any one quarter will not be fully reflected in the results for that quarter, but will affect our revenue in future quarters. This also makes it challenging to forecast our revenue for future periods, as both the mix of solutions, solution packages and services we will sell in a given period, as well as the size of contracts, is difficult to predict.
Furthermore, the presentation of our financial results requires us to make estimates and assumptions that may affect revenue recognition. In some instances, we could reasonably use different estimates and assumptions, and changes in estimates are likely to occur from period to period. See “Item 8. Financial Statements and Supplementary Data — Note 2. Business and Summary of Significant Accounting Policies — Revenue Recognition.” Given the foregoing factors, our actual results could differ significantly from our estimates, comparing our revenue and operating results on a period-to-period basis may not be meaningful, and our past results may not be indicative of our future performance.
If our estimates or judgments relating to our critical accounting policies prove to be incorrect or financial reporting standards or interpretations change, our results of operations could be adversely affected.
The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the amounts reported in our consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and in our consolidated financial statements and related notes included elsewhere in this Amendment. The results of these estimates form the basis for making judgments about the carrying values of assets, liabilities and equity, and the amount of revenue and expenses that are not readily apparent from other sources. Significant assumptions and estimates used in preparing our consolidated financial statements include those related to the determination of revenue recognition, and more specifically, the estimation and allocation of the transaction price to each performance obligation based on a relative standalone selling price, allowance for doubtful accounts, valuation and impairment of intangible assets and goodwill, impairment of other long-lived assets, useful lives of property and equipment and definite-lived intangible assets and the period of benefit generated from our deferred contract acquisition costs. Our results of operations may be adversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our results of operations to fall below the expectations of industry or financial analysts and investors, resulting in a decline in the trading price of our common stock.
Additionally, we regularly monitor our compliance with applicable financial reporting standards and review new pronouncements and drafts thereof that are relevant to us. As a result of new standards, changes to existing standards and changes in their interpretation, we might be required to change our accounting policies, alter our operational policies and implement new or enhance existing systems so that they reflect new or amended financial reporting standards, or we may be required to restate our published financial statements. Such changes to existing standards or changes in their interpretation may have an adverse effect on our reputation, business, financial position and profit, or cause an adverse deviation from our revenue and operating profit target, which may negatively impact our financial results.
We are exposed to fluctuations in currency exchange rates, which could negatively affect our business, operating results and financial condition.
Our sales contracts are primarily denominated in U.S. dollars, and therefore our revenue is not subject to significant foreign currency risk. However, strengthening of the U.S. dollar increases the real cost of our solutions to our customers outside of the United States, which could lead to delays in the purchase of our solutions and the lengthening of our sales cycle. If the U.S. dollar continues to strengthen, this could adversely affect our financial condition and operating results. In addition, increased international sales in the future, including through our channel partners and other partnerships, may result in greater foreign currency denominated sales, increasing our foreign currency risk. Our operating expenses incurred outside the U.S. are primarily denominated in the currency of the country in which such expenses are incurred. As our business continues to grow globally, our exposure to currency exchange rates may increase, which could negatively affect our business, operating results and financial condition. We do not currently hedge against the risks associated with currency fluctuations but may do so in the future.
We may require additional capital to expand our operations and invest in new solutions, and failure to do so could reduce our ability to compete and could harm our business and financial condition.
We may need to raise additional funds in the future to fund our operating expenses, make capital purchases and acquire or invest in business or technology, and we may not be able to obtain those funds on favorable terms, or at all. If we raise additional equity financing, our stockholders may experience significant dilution of their ownership interests and the per share value of our common stock could decline. Furthermore, if we engage in additional debt financing, the holders of our debt would have priority over the holders of our common stock, and we may be required to accept terms that restrict our ability to incur additional indebtedness or our ability to pay any dividends on our common stock, though we do not intend to pay dividends in the foreseeable future. We may also be required to take other actions, any of which could harm our business and operating results. If we need to access the capital markets, there can be no assurance that financing may be available on attractive terms, if at all. If we are unable to obtain adequate financing, or financing on terms satisfactory to us, when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly limited, and our business, operating results, financial condition and prospects could be materially and adversely affected. See also “We have indebtedness, which may increase risk to our business and your investment in us.”
Our Company may have undisclosed liabilities and any such liabilities could negatively impact our revenues, business, prospects, financial condition and results of operations.
Before the Closing, Legacy Appgate conducted due diligence on the Company customary and appropriate for a transaction similar to the Merger. However, the due diligence process may not reveal all material liabilities of our Company currently existing or which may be asserted in the future against our Company relating to its activities before the Closing. In addition, the Merger Agreement contains representations with respect to the absence of any liabilities. However, there can be no assurance that our Company will not have any liabilities upon Closing that we are unaware of or that we will be successful in enforcing any indemnification provisions or that such indemnification provisions will be adequate to reimburse us. Any such liabilities of our Company that survived the Closing could negatively impact our revenues, business, prospects, financial condition and results of operations.
Risks Related to the Ownership of Our Common Stock
The market price of our common stock has been volatile and may continue to be volatile, and you could lose all or part of your investment.
Prior to the closing of the Merger, there was no public trading market for shares of Legacy Appgate’s common stock, and shares of Newtown Lane were thinly traded. Following the Merger through March 29, 2022, our common stock has been volatile, with our opening/closing price ranging from a high of $21.25 to a low of $7.68. It is possible that neither an active nor liquid trading market for our common stock will develop, and, if such a market does develop, it is possible that such market will not be sustained, which could make it difficult for you to sell your shares of common stock at an attractive price or at all.
Many factors, many of which are outside our control, may cause the market price for shares of our common stock to fluctuate significantly, including those described elsewhere in this “Risk Factors” section, as well as the following:
•actual or anticipated changes or fluctuations in our operating results;
•the financial projections we may provide to the public, any changes in these projections or our failure to meet these projections;
•announcements by us or our competitors of new products or new or terminated significant contracts, commercial relationships or capital commitments;
•industry or financial analyst or investor reaction to our press releases, other public announcements and filings with the SEC;
•rumors and market speculation involving us or other companies in our industry;
•price and volume fluctuations in the overall stock market from time to time;
•volume fluctuations in the trading of our common stock from time to time;
•changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
•the sales of shares of our common stock by us or our stockholders;
•failure of industry or financial analysts to maintain coverage of us, changes in financial estimates by any analysts who follow our company, or our failure to meet these estimates or the expectations of investors;
•actual or anticipated developments in our business or our competitors’ businesses or the competitive landscape generally;
•litigation involving us, our industry or both, or investigations by regulators into our operations or those of our competitors;
•developments or disputes concerning our intellectual property rights or our solutions, or third-party proprietary rights;
•announced or completed acquisitions of businesses or technologies by us or our competitors;
•actual or perceived privacy, data protection, or information security incidents or breaches;
•new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
•any major changes in our management or our Board;
•general economic conditions and slow or negative growth of our markets; and
•other events or factors, including those resulting from war, incidents of terrorism, global pandemics or responses to these events.
In addition, the stock market in general, and the market for technology companies in particular, has experienced price and volume fluctuations that have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry factors may affect the market price of our common stock, regardless of our actual operating performance.
Our common stock is currently thinly traded, liquidity is limited, and we may be unable to obtain listing of our common stock on a more liquid market.
Our common stock is currently thinly traded and quoted on the OTC Markets, which provide significantly less liquidity than a national securities exchange such as the NYSE or Nasdaq. In addition, in connection with the Closing, holders of approximately 95.9% of our common stock have entered into lock-up agreements that, subject to certain exceptions, prohibit the signing party from selling, contracting to sell or otherwise disposing of any common stock or securities that are convertible or exchangeable for common stock or entering into any arrangement that transfers the economic consequences
of ownership of our common stock for a period of up to twelve months from the Closing, or October 12, 2022. Without a large public float, our common stock is less liquid than the stock of companies with broader public ownership, and, as a result, the trading prices of our common stock may be more volatile.
For the foregoing reasons, purchasers of our common stock may be subject to price volatility risk given the price of our common stock may change dramatically from a relatively small trading volume, which may also make our common stock more vulnerable to price manipulation attempts. We cannot predict the prices at which our common stock will trade in the future, if at all.
As a former shell company, resales of shares of our restricted common stock in reliance on Rule 144 of the Securities Act are subject to the requirements of Rule 144(i).
We previously were a “shell company” and, as such, sales of our securities pursuant to Rule 144 under the Securities Act of 1933, as amended, cannot be made unless, among other things, at the time of a proposed sale, we are subject to the reporting requirements of Section 13 or 15(d) of the Securities Exchange Act of 1934, as amended, and have filed all reports and other materials required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 as amended, as applicable, during the preceding 12 months, other than Form 8-K reports. Because, as a former shell company, the reporting requirements of Rule 144(i) will apply regardless of holding period, restrictive legends on certificates for shares of our common stock cannot be removed except in connection with an actual sale that is subject to an effective registration statement under, or an applicable exemption from the registration requirements of, the Securities Act. Because our unregistered securities cannot be sold pursuant to Rule 144 unless we continue to meet such requirements, any unregistered securities we issue will have limited liquidity unless we continue to comply with such requirements.
SIS Holdings can control our business and affairs and may have conflicts of interest with us in the future.
As of the date of the Original 10-K, SIS Holdings, through which, among others, BC Partners and Medina Capital (the “Investors”) hold an indirect interest in our common stock, collectively own approximately 89% of our common stock. As a result, so long as the Investors and/or their affiliates remain our controlling stockholders they will be able to control, directly or indirectly, and subject to applicable law, all matters affecting us, including:
•any determination with respect to our business direction and policies, including the appointment and removal of officers and directors;
•any determinations with respect to mergers, business combinations or disposition of assets;
•compensation and benefit programs and other human resources policy decisions;
•the payment of dividends on our common stock; and
•determinations with respect to tax matters.
In addition, the Investors are in the business of making investments in companies and may from time to time acquire and hold interests in businesses that compete directly or indirectly with us. One or more of the Investors may also pursue acquisition opportunities that may be complementary to our business and, as a result, those acquisition opportunities may not be available to us. So long as the Investors, or their respective affiliates, continue to own a significant amount of the outstanding shares of our common stock, even if such amount is less than 50%, the Investors will continue to be able to strongly influence us. Certain of our directors are affiliates of the Investors, and our A&R Charter provides that, subject to certain limitations, none of our directors or officers, or any of their affiliates, will have any duty to refrain from (i) engaging in a corporate opportunity in the same or similar lines of business in which we or our affiliates now engage or propose to engage or (ii) otherwise competing with us or our affiliates.
If we list our common stock on the NYSE or Nasdaq, we will be considered a “controlled company” within the meaning of the rules of the NYSE or Nasdaq stock market, as applicable, and, as a result, will qualify for exemptions from certain corporate governance requirements.
The OTC Markets do not prescribe corporate governance requirements for companies that trade on those markets. We intend to apply to list our common stock on either the NYSE or Nasdaq stock market. As of the date of the Original 10-K, SIS Holdings, through which the other Investors hold an indirect interest in our common stock, owns approximately 89%
of our common stock. As a result, we are considered as a “controlled company” within the meaning of the corporate governance standards of the NYSE and Nasdaq. Under these rules, a listed company of which more than 50% of the voting power is held by an individual, group or another company is a “controlled company” and may elect not to comply with certain corporate governance requirements, including:
•the requirement that a majority of the board of directors consist of independent directors;
•the requirement that our nominating and corporate governance committee be composed entirely of independent directors with a written charter addressing the committee’s purpose and responsibilities;
•the requirement that our compensation committee be composed entirely of independent directors with a written charter addressing the committee’s purpose and responsibilities; and
•the requirement for an annual performance evaluation of our corporate governance and compensation committees.
While SIS Holdings controls a majority of the voting power of our outstanding common stock, we may elect to rely on these exemptions and, as a result, may not have a majority of independent directors on our Board. When established, our nominating and corporate governance and compensation committees may also not consist entirely of independent directors. Accordingly, holders of our common stock do not have the same protections afforded to stockholders of companies that are subject to all of the corporate governance requirements of the NYSE or Nasdaq.
Future sales, or the perception of future sales, by us or our existing stockholders in the public market following the Merger could cause the market price for our common stock to decline.
The sale of substantial amounts of shares of our common stock in the public market, or the perception that such sales could occur, could harm the prevailing market price of shares of our common stock. These sales, or the possibility that these sales may occur, also might make it more difficult for us to sell equity securities in the future at a time and at a price that we deem appropriate.
In connection with the Closing, holders of approximately 95.9% of our outstanding common stock entered into lock-up agreements that, subject to certain exceptions, prohibit the signing party from selling, contracting to sell or otherwise disposing of any common stock or securities that are convertible or exchangeable for common stock or entering into any arrangement that transfers the economic consequences of ownership of our common stock for a period of up to twelve months from the Closing, or October 12, 2022.
As restrictions on resale end, the market price of our shares of common stock could drop significantly if the holders of these restricted shares sell them or are perceived by the market as intending to sell them. These factors could also make it more difficult for us to raise additional funds through future offerings of our shares of common stock or other securities.
In addition, certain holders of our common stock and the Convertible Senior Notes are entitled to rights with respect to registration of their shares under the Securities Act pursuant to certain registration rights agreements. If these holders of our common stock, by exercising their registration rights, sell a large number of shares, they could adversely affect the market price for our common stock.
We may also issue our shares of common stock or securities convertible into shares of our common stock from time to time in connection with a financing, acquisition, investments or otherwise. Any such issuance could result in substantial dilution to our existing stockholders and cause the market price of our common stock to decline.
We do not intend to pay dividends in the foreseeable future. As a result, your ability to achieve a return on your investment will depend on appreciation in the price of our common stock.
We have never declared or paid any cash dividends on our common stock. We currently intend to retain all available funds and any future earnings for use in the operation of our business and do not anticipate paying any dividends on our common stock in the foreseeable future. Any determination to pay dividends in the future will be at the discretion of our Board. Accordingly, investors must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.
If industry or financial analysts do not publish research about our business, or if they issue inaccurate or unfavorable research regarding our common stock, our stock price and trading volume could decline.
The trading market for our common stock is influenced by, among other things, the research and reports that industry or financial analysts publish about us or our business. We do not control these analysts, or the content and opinions included in their reports. We may be slow to attract research coverage and the analysts who publish information about our common stock will have had relatively little experience with our company, which could affect their ability to accurately forecast our results and make it more likely that we fail to meet their estimates. If we are unable to attract research coverage, this could limit investor interest in our securities and result in decreased trading liquidity. Further, if any of the analysts who cover us issues an inaccurate or unfavorable opinion regarding our stock price, our stock price would likely decline and it could cause our trading liquidity to decline. In addition, the stock prices of many companies in the technology industry have declined significantly after those companies have failed to meet, or significantly exceed, the expectations of analysts. If our financial results fail to meet, or significantly exceed, the expectations of analysts or public investors, analysts could downgrade our common stock or publish unfavorable research about us. If one or more of these analysts cease coverage of our company or fail to publish reports on us regularly, our visibility in the financial markets could decrease, which in turn could cause our stock price or trading liquidity to decline.
If our operating and financial performance in any given period do not meet or exceed the guidance that we provide to the public, the market price of our common stock may decline.
We may, but are not obligated to, provide public guidance on our expected operating and financial results for future periods. If we elect to issue such guidance, it will be composed of forward-looking statements subject to the risks and uncertainties described in the Annual Report. Our actual results may not always be in line with or exceed any guidance we have provided, especially in times of economic uncertainty. If, in the future, our operating or financial results for a particular period do not meet any guidance we provide or the expectations of investment analysts, or if we reduce our guidance for future periods, the market price of our common stock may decline.
Our A&R Charter designates specific courts as the exclusive forum for certain litigation that may be initiated by our stockholders, which could limit our stockholders’ abilities to obtain a favorable judicial forum for disputes with us or our directors, officers or employees.
Our A&R Charter provides that, unless we consent in writing to the selection of an alternative forum, the sole and exclusive forum, to the fullest extent permitted by law, for (1) any derivative action or proceeding brought on our behalf, (2) any action asserting a claim of breach of a fiduciary duty owed by any of our current or former directors, officers or other employees or stockholders to us or our stockholders, creditors or other constituents, or a claim of aiding and abetting any such breach of fiduciary duty, (3) any action asserting a claim against us or any of our directors or officers or other employees or stockholders arising pursuant to, or any action to interpret, apply, enforce any right, obligation or remedy under or determine the validity of, any provision of the DGCL or our A&R Charter or A&R Bylaws or as to which the DGCL confers jurisdiction on the Court of Chancery of the State of Delaware, (4) any action asserting a claim that is governed by the internal affairs doctrine, or (5) any other action asserting an “internal corporate claim” under the DGCL shall be the Court of Chancery of the State of Delaware (or, if and only if the Court of Chancery does not have subject matter jurisdiction, another state court sitting in the State of Delaware or, if and only if neither the Court of Chancery nor any state court sitting in the State of Delaware has subject matter jurisdiction, then the federal district court for the District of Delaware) (the “Delaware Forum Provision”). Notwithstanding the foregoing, our A&R Charter provides that the Delaware Forum Provision will not apply to any actions arising under the Securities Act or the Exchange Act. Section 27 of the Exchange Act creates exclusive federal jurisdiction over all suits brought to enforce any duty or liability created by the Exchange Act or the rules and regulations thereunder. Our A&R Charter further provides that unless we consent in writing to the selection of an alternative forum, the federal district court for the District of Delaware shall, to the fullest extent permitted by law, be the sole and exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act (the “Federal Forum Provision”). We note, however, that there is uncertainty as to whether a court would enforce this provision and that investors cannot waive compliance with the federal securities laws and the rules and regulations thereunder. Section 22 of the Securities Act creates concurrent jurisdiction for state and federal courts over all suits brought to enforce any duty or liability created by the Securities Act or the rules and regulations thereunder.
The Delaware Forum Provision and the Federal Forum Provision may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers or other employees, which may discourage lawsuits against us and our directors, officers and other employees. Alternatively, if a court were to find the Delaware Forum Provision or the Federal Forum Provision to be inapplicable or unenforceable in an action, we may incur
additional costs associated with resolving such action in other jurisdictions, which could harm our business, financial condition or results of operations. Any person or entity purchasing or otherwise acquiring any interest in our shares of capital stock shall be deemed to have notice of and consented to the Delaware Forum Provision and the Federal Forum Provision, but will not be deemed to have waived our compliance with the federal securities laws and the rules and regulations thereunder.
We may issue preferred stock whose terms could adversely affect the voting power or value of our common stock.
Our A&R Charter authorizes us to issue, without the approval of our stockholders, one or more classes or series of preferred stock having such designations, preferences, limitations and relative rights, including preferences over our common stock with respect to dividends and distributions, as our Board may determine. The terms of one or more classes or series of preferred stock could adversely impact the voting power or value of our common stock. For example, we might grant holders of preferred stock the right to elect some number of our directors in all events or on the happening of specified events or the right to veto specified transactions. Similarly, the repurchase or redemption rights or liquidation preferences we might assign to holders of preferred stock could affect the residual value of the common stock.
Anti-takeover provisions in our governing documents and under Delaware law could make an acquisition of our company more difficult, limit attempts by our stockholders to replace or remove our current management or directors and limit the market price of our common stock.
Our A&R Charter, A&R Bylaws and Delaware law contain provisions that could have the effect of rendering more difficult, delaying or preventing an acquisition deemed undesirable by our Board. Among other things, our A&R Charter and/or A&R Bylaws include the following provisions:
•a staggered board, which means that our Board is classified into three classes of directors with staggered three-year terms and, from and after a Trigger Event (as defined in the A&R Charter), directors are only able to be removed from office for cause and only upon the affirmative vote of the holders of at least 66 2/3% in voting power of all of the then outstanding shares of our common stock entitled to vote thereon;
•limitations on convening special stockholder meetings, which could make it difficult for our stockholders to adopt desired governance changes;
•a prohibition on stockholder action by written consent from and after the Trigger Event;
•a forum selection clause, which means certain litigation against us can only be brought in Delaware;
•from and after the Trigger Event, require the affirmative vote of holders of at least 75% of the voting power of all of the then outstanding shares of common stock to amend provisions of the A&R Charter relating to the management of our business, the Board, stockholder action by written consent, competition and corporate opportunities, Section 203 of the DGCL, forum selection and the liability of our directors, or to amend, alter, rescind or repeal our A&R Bylaws;
•the authorization of undesignated preferred stock, the terms of which may be established and shares of which may be issued without further action by our stockholders; and
•advance notice procedures, which apply for stockholders to nominate candidates for election as directors or to bring matters before an annual meeting of stockholders.
These provisions, alone or together, could delay or prevent hostile takeovers and changes in control or changes in our management. We have opted out of Section 203 of the DGCL. However, our A&R Charter contains similar provisions providing that we many not engage in certain “business combinations” with any “interested stockholder” for a three-year period following the time that the stockholder became an interested stockholder, unless (i) prior to the time such stockholder became an interested stockholder, the Board approved the transaction that resulted in such stockholder becoming an interested stockholder, (ii) upon consummation of the transaction that resulted in such stockholder becoming an interested stockholder, the interested stockholder owned at least 85% of the common stock or (iii) following Board approval, the business combination receives the approval of the holders of at least two-thirds of our outstanding common stock not held by such interested stockholder at an annual or special meeting of stockholders. Our A&R Charter provides
that the Investors and their respective affiliates, and any of their respective direct or indirect transferees and any group as to which such persons are a party, do not constitute “interested stockholders” for purposes of this provision.
In addition, our A&R Charter provides that the federal district courts of the United States will be the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act but that the forum selection provision will not apply to claims brought to enforce a duty or liability created by the Exchange Act.
Any provision of our A&R Charter, A&R Bylaws or Delaware law that has the effect of delaying, preventing or deterring a change in control could limit the opportunity for our stockholders to receive a premium for their shares of our common stock and could also affect the price that some investors are willing to pay for our common stock.
Risks Related to Our Outstanding Indebtedness
We have indebtedness, which may increase risk to our business and your investment in us.
Concurrently with the execution of the Merger Agreement, Legacy Appgate entered into the Note Purchase Agreement with the Noteholders and the Note Issuance Agreement with Legacy Appgate’s wholly owned domestic subsidiaries and Magnetar (the Note Purchase Agreement and the Note Issuance Agreement, as amended, collectively, the “Note Agreements”). Pursuant to the Note Agreements, Legacy Appgate issued and sold to the Noteholders $50.0 million aggregate principal amount of Initial Convertible Senior Notes on February 9, 2021 and agreed to issue and sell to the Noteholders $25.0 million aggregate principal amount of Additional Convertible Senior Notes on the date of the consummation of the Merger and, Magnetar may elect, with our consent, to invest up to $25.0 million additional Convertible Senior Notes in one or more subsequent transactions, on or prior to the earlier of (x) 75 days after we close a registered offering of equity securities in an aggregate amount of no less than $40.0 million and (y) October 31, 2022. Interest on the Convertible Senior Notes is payable either entirely in cash or entirely in kind (“PIK Interest”), or a combination of cash and PIK Interest at our option. The Convertible Senior Notes bear interest at the annual rate of 5.0% with respect to interest payments made in cash and 5.5% with respect to PIK Interest. In connection with the consummation of the Merger, Legacy Appgate issued the Additional Convertible Senior Notes and Newtown Lane entered into a Supplemental Agreement, providing for the assumption or guarantee by Newtown Lane of all of Legacy Appgate’s obligations under the Note Agreements and the substitution of the Company’s common stock for Legacy Appgate’s capital stock thereunder in all respects. For additional details on the Convertible Senior Notes see “Item 7—Management’s Discussion and Analysis of Financial Condition and Results of Operations—Liquidity and Capital Resources.”
In addition, on March 29, 2022, Legacy Appgate and SIS Holdings entered into the Revolving Credit Facility Commitment Letter, pursuant to which SIS Holdings agreed to provide to Legacy Appgate, subject to the satisfaction of the terms and conditions contained therein, the Revolving Credit Facility in an aggregate principal amount of $50.0 million. This indebtedness would be contractually subordinated to the Convertible Senior Notes. SIS Holdings’ commitment to provide the Revolving Credit Facility will expire, and, if entered into, the Revolving Credit Facility will mature, on the earlier to occur of (a) June 30, 2023 and (b) the closing a registered offering of equity securities of the Company in an aggregate amount of not less than $50.0 million. Interest will accrue on amounts drawn under the Revolving Credit Facility at rate of 10.0% per annum, payable in cash on the maturity date.
Entry into the Revolving Credit Facility will be subject to customary closing conditions, including the execution and delivery of appropriate definitive documentation related to the Revolving Credit Facility, including customary terms, covenants and conditions, and there can be no assurance that such closing conditions will be satisfied or that the Revolving Credit Facility will be entered into prior to the expiration of SIS Holdings’ commitment or at all.
Our ability to make scheduled payments of the principal of, to pay cash interest on, the Convertible Senior Notes and, if entered into and drawn, the Revolving Credit Facility, if we desire to do so, or to refinance the Convertible Senior Notes or, if entered into and drawn, the Revolving Credit Facility, or any other indebtedness we may incur, depends on our future performance, which is subject to economic, financial, competitive and other factors beyond our control. Our business may not generate cash flow from operations in the future sufficient to service our debt and make necessary capital expenditures. The Note Agreements contain, and the Revolving Credit Facility will contain, customary restrictive covenants that limit our ability to engage in activities that may be in our long-term best interest. Those covenants include restrictions on our ability to, among other things, incur additional debt and issue disqualified stock; create liens; pay dividends, acquire shares of capital stock, or make certain investments; issue guarantees; sell certain assets and enter into transactions with affiliates. The Note Issuance Agreement also contains a financial covenant that requires that we maintain liquidity of not less than $10.0 million as of the last day of any calendar month. Our failure to comply with any of those covenants could result in an
event of default which, if not cured or waived, could result in the acceleration of our debt issued under the Note Agreements or Revolving Credit Facility. Any such event of default or acceleration could have an adverse effect on the trading price of our common stock. Furthermore, the terms of any future debt we may incur could have further additional restrictive covenants. We may not be able to maintain compliance with these covenants in the future, and in the event that we are not able to maintain compliance, we cannot assure you that we will be able to obtain waivers from the lenders or amend the covenants.
If we are unable to generate such cash flow, we may be required to adopt one or more alternatives, such as selling assets, restructuring debt or obtaining additional debt financing or equity capital on terms that may be onerous or highly dilutive. Pursuant to the Note Purchase Agreement, Magnetar has certain rights of first offer to purchase no less than 25% of the amount issued by us in certain debt financings, subject to certain exceptions and certain preemptive rights in connection with equity issuances by us, subject to certain exceptions, which may make obtaining additional debt financing or raising equity capital more difficult. Our ability to refinance any future indebtedness will depend on the capital markets, contractual restrictions and our financial condition at such time. We may not be able to engage in any of these activities or engage in these activities on desirable terms, which could result in a default on our debt obligations. In addition, any of our future debt agreements may contain restrictive covenants that may prohibit us from adopting any of these alternatives. Our failure to comply with these covenants could result in an event of default which, if not cured or waived, could result in the acceleration of our debt.
We may not have the ability to raise the funds necessary to repurchase the Convertible Senior Notes for cash upon occurrence of certain events, and conversion of the Convertible Senior Notes may affect the value of our common stock by causing dilution to our existing stockholders.
Holders of the Convertible Senior Notes have the right to require us to repurchase their Convertible Senior Notes upon the occurrence of (i) a fundamental change (as defined in the Note Issuance Agreement) at a repurchase price equal to 100% of the principal amount of the Convertible Senior Notes to be repurchased, plus accrued and unpaid interest, if any, or (ii) upon a change of control (as defined in the Note Issuance Agreement) at a repurchase price equal to 102% of the principal amount of the Convertible Senior Notes to be repurchased, plus accrued and unpaid interest, if any. We may not have enough available cash or be able to obtain financing at the time we are required to make such repurchases of Convertible Senior Notes. In addition, our ability to repurchase the Convertible Senior Notes or to pay cash upon conversions of the Convertible Senior Notes may be limited by law, by regulatory authority or by agreements governing our future indebtedness. Our failure to repurchase Convertible Senior Notes at a time when the repurchase is required by the Note Issuance Agreement would constitute a default under the Note Issuance Agreement. A default under the Note Issuance Agreement or the fundamental change itself could also lead to a default under agreements governing our future indebtedness. If the repayment of the related indebtedness were to be accelerated after any applicable notice or grace periods, we may not have sufficient funds to repay the indebtedness and repurchase the Convertible Senior Notes or make cash interest or principal payments.
In addition, our indebtedness, combined with our other financial obligations and contractual commitments, could have other important consequences. For example, it could:
•make us more vulnerable to adverse changes in general U.S. and worldwide economic, industry and competitive conditions and adverse changes in government regulation;
•limit our flexibility in planning for, or reacting to, changes in our business and our industry;
•place us at a disadvantage compared to our competitors who have less debt;
•limit our ability to borrow additional amounts to fund acquisitions, for working capital and for other general corporate purposes; and
•make an acquisition of our company less attractive or more difficult.
Any of these factors could harm our business, results of operations and financial condition. In addition, if we incur additional indebtedness, the risks related to our business and our ability to service or repay our indebtedness would increase.
Subject to certain exceptions, prior to maturity, each holder of Convertible Senior Notes shall have the option to convert all or any portion of such Convertible Senior Notes into our common stock in accordance with the terms of the Note Issuance Agreement. If holders of our Convertible Senior Notes elect to convert their notes, we may be obligated to deliver them a significant number of shares of our common stock, which would cause dilution to our existing stockholders.