Annual Statements Open main menu
  1. Annual Statements
  2. » Companies
  3. » KnowBe4, Inc.
  4. » Annual Report: 2021 (Form 10-K)

KnowBe4, Inc. - Annual Report: 2021 (Form 10-K)



UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
Form 10-K
ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the fiscal year ended December 31, 2021
or
TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
For the transition period from to
Commission File Number 001-40351
KNOWBE4, INC.
(Exact name of Registrant as specified in its charter)
Delaware737036-4827930
(State or other jurisdiction of incorporation or organization)(Primary Standard Industrial Classification Code Number)(I.R.S. Employer Identification Number)
KnowBe4, Inc.
33 N. Garden Avenue
Clearwater, FL 33755
(855) 566-9234
(Address, including zip code, and telephone number, including area code, of Registrant’s principal executive offices)
Securities registered pursuant to Section 12(b) of the Act:
Title of each classTrading SymbolName of each exchange on which registered
Class A common stock, par value $0.00001KNBEThe Nasdaq Stock Market LLC

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes ☐ No ☒
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes ☐ No ☒
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes ☐ No ☒
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes ☒ No ☐
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.
Large accelerated filer   ☐Accelerated filer  ☐
Non-accelerated filer  ☒  
Smaller reporting company  ☐
Emerging growth company  ☒
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☒
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. ☐
Indicate by check mark whether the registrant is a shell company (as defined by Rule 12b-2 of the Exchange Act).   Yes ☐      No ☒
The aggregate market value of voting stock held by non-affiliates of the registrant was $2.2 billion as of June 30, 2021, the last business day of the registrant’s most recently completed second fiscal quarter (based on the closing sales price for the common stock on the Nasdaq Stock Market on such date). Shares of common stock held by each executive officer and director have been excluded in that such persons may be deemed to be affiliates. This determination of affiliate status is not necessarily a conclusive determination for other purposes.
At March 4, 2022, there were 72,765,169 shares of the registrant’s Class A Common Stock outstanding.and 101,930,933 shares of the registrant’s Class B Common Stock outstanding.
Portions of the registrant’s Definitive Proxy Statement relating to the 2022 Annual Meeting of Stockholders are incorporated by reference into Part III of this Annual Report on Form 10-K where indicated. Such Definitive Proxy Statement will be filed with the Securities and Exchange Commission within 120 days after the end of the registrant’s fiscal year ended December 31, 2021.

1

TABLE OF CONTENTS
Page
PART I
Item 1.
Item 1A.
Item 1B.
Item 2.
Item 3.
Item 4.
PART II
Item 5.
Item 6.
Item 7.
Item 7A.
Item 8.
Item 9.
Item 9A.
Item 9B.
Item 9C.
PART III
Item 10.
Item11.
Item 12.
Item 13.
Item 14.
PART IV
Item 15.
Item 16.

2

Part I
CAUTIONARY NOTE REGARDING FORWARD-LOOKING STATEMENTS
This Annual Report on Form 10-K contains forward-looking statements. These statements may relate to, but are not limited to, expectations of future operating results or financial performance, capital expenditures, use of proceeds from this offering, introduction of new products, regulatory compliance, plans for growth and future operations, as well as assumptions relating to the foregoing. Forward-looking statements are inherently subject to risks and uncertainties, some of which cannot be predicted or quantified. These risks and other factors include, but are not limited to, those listed under “Risk Factors.” In some cases, you can identify forward-looking statements by terminology such as “may,” “will,” “should,” “could,” “expect,” “plan,” “anticipate,” “believe,” “estimate,” “predict,” “intend,” “potential,” “might,” “would,” “continue” or the negative of these terms or other comparable terminology. Actual events or results may differ from those expressed in these forward-looking statements, and these differences may be material and adverse. Forward looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:
our future financial performance, including our revenue, cost of revenue, gross profit or gross margin and operating expenses;
the sufficiency of our cash, cash equivalents and investments to meet our liquidity needs;
our ability to attract new customers, cross-sell or upsell our existing customers and develop new products;
our ability to maintain the security and availability of our platform and products;
our ability to continue to build our direct sales organization;
our ability to effectively manage our growth and future expenses;
our ability to increase our number of customers;
our ability to successfully expand in our existing markets and into new markets;
our ability to effectively manage our growth and future expenses;
our estimated total addressable market;
our ability to expand our network of channel partners;
our ability to maintain, protect and enhance our intellectual property;
our ability to comply with modified or new laws and regulations applying to our business;
our anticipated investments in sales and marketing and research and development;
our ability to manage growth through identification, execution and integration of acquisitions;
our ability to successfully defend litigation brought against us; and
the increased expenses associated with being a public company.
We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition, results of operations, prospects, business strategy and financial needs. The outcome of the events described in these forward-looking statements is subject to risks, uncertainties, assumptions and other factors described in the section captioned “Risk Factors” and elsewhere in this Annual Report on Form 10-K. These risks are not exhaustive. New risks and uncertainties emerge from time to time and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements contained in this Annual Report on Form 10-K. We cannot assure you that the results, events and circumstances reflected in the forward-looking
3

statements will be achieved or occur, and actual results, events or circumstances could differ materially from those described in the forward-looking statements.
In addition, statements that “we believe” and similar statements reflect our beliefs and opinions on the relevant subject. These statements are based upon information available to us as of the date of this Annual Report on Form 10-K , and while we believe such information forms a reasonable basis for such statements, such information may be limited or incomplete, and our statements should not be read to indicate that we have conducted an exhaustive inquiry into, or review of, all potentially available relevant information. These statements are inherently uncertain and investors are cautioned not to unduly rely upon these statements.
You should read this Annual Report on Form 10-K and the documents that we reference in this Annual Report on Form 10-K and have filed as exhibits to the registration statement of which this Annual Report on Form 10-K forms a part with the understanding that our actual future results, levels of activity, performance and achievements may be materially different from what we expect. We qualify all of our forward-looking statements by these cautionary statements.
The forward-looking statements made in this Annual Report on Form 10-K relate only to events as of the date on which such statements are made. We undertake no obligation to update any forward-looking statements after the date of this Annual Report on Form 10-K or to conform such statements to actual results or revised expectations, except as required by law.
Item 1. Business
Overview
KnowBe4, Inc. (the “Company” or “KnowBe4”) has developed the leading security awareness platform enabling organizations to assess, monitor and minimize the ongoing cybersecurity threat of social engineering attacks. We are pioneering an integrated approach to security awareness that incorporates cloud-based software, machine learning, artificial intelligence, advanced analytics and insights with engaging content. Our platform is purpose-built to drive awareness, change human behavior and enable a security-minded culture that results in a reduction of social engineering risks.
We believe every organization’s greatest asset is also its greatest security risk – its people. As investments in security products grow significantly, attackers are increasingly leveraging social engineering to circumvent the traditional layers of cybersecurity defense. Social engineering relies on the manipulation of human behavior and can range from enlisting unsuspecting employees in schemes to defraud their employers to gaining access to systems during the initial phase of broader, multi-stage cyberattacks that can result in devastating breaches. Because these attacks are low-cost and high-volume and have a high probability of success, they enable the attacker to achieve a significant return on investment. Social engineering represents a universal cybersecurity risk, as it specifically targets the employees rather than the infrastructure of an organization. As such, social engineering risks affect every organization, regardless of the sophistication of their security infrastructure.
Historically, organizations have invested significantly in cybersecurity defenses with the belief that infrastructure-centric tools alone could provide adequate protection. Despite significant amounts spent each year, security breaches continue to be reported with increasing frequency. Additionally, recent trends, including globally distributed workforces, work from home and the technological complexity of the modern digital workplace have vastly expanded the attack surface. A single click on a phishing email, insecure disposal of a sensitive document, use of a weak password and a host of other employee behaviors can prove disastrous to an organization. These effects are far-reaching, ranging from incident response costs and lost productivity to negative media coverage, loss of revenue and impacted customer confidence. More often than not, the difference between a secure and insecure interaction comes down to human behavior.
We believe security awareness is the most effective way for organizations to manage the unaddressed risk of social engineering. Security awareness has historically been isolated to information security and IT professionals and focused on compliance and simplistic content delivery. Our platform is designed to promote awareness, change human behavior and drive a security-minded culture. The foundation of our security awareness platform combines
4

automation, machine learning, artificial intelligence and continuous testing with data analysis and relevant and interactive content. Our products enable customers to strengthen their overall security posture by creating a security-minded culture characterized by active user participation with a focus on mitigating the human element of security risk across their entire organization. We enable organizations to effectively enhance the security awareness of their workforce, converting their employees into a critical last line of defense against cyberattacks.
Our platform currently includes:
Security Awareness: enables continuous assessment of employees through simulated social engineering attacks across multiple mediums and remediation through real-time delivery of highly engaging modules that are curated based on relevant and specific risks;
Security Orchestration, Automation and Response (SOAR): enables security professionals to prioritize and automate security workstreams in order to respond to and remediate social engineering attacks; and
Governance, Risk and Compliance: enables organizations to analyze security risk and automate the management of compliance and audit functions.
We designed our platform to meet the needs of IT administrators, as effective, scalable, quick to deploy and easy to use for organizations of all sizes. Our platform design allows us to scale from small businesses to large enterprises and our products are deployed on a common data platform with embedded analytical tools and reporting APIs, resulting in seamless integration. Additionally, our products are designed to bring substantial amounts of data into an organization’s existing security stack allowing our customers to continually assess and monitor ongoing risks to the organization. With our recent acquisition of SecurityAdvisor, we believe we will be able to address an entirely new category of risk associated with human behavior through the introduction of Human Detection and Response or HDR. Through integrations with an organizations’ existing security layers, we expect to be able to take real-time corrective action against insecure human behaviors based on data obtained through existing technical security controls.
As the behavior of any employee could represent a threat, our customers tend to adopt our platform across the entire organization to protect all employees from social engineering threats. We have developed an effective go-to-market strategy that has been proven to help us reach both small and midsized businesses and large enterprises. We employ an efficient inside sales model that translates across all customer segments, complimented by channel partnerships that provide significant sales leverage and have enabled us to further penetrate the enterprise market.
Key Strengths of Our Platform
We provide an integrated platform that enables organizations to assess, monitor and mitigate the persistent threat of social engineering. Our cloud-based platform employs a differentiated combination of software, machine learning, artificial intelligence, analytics, insights, content and security workstreams that is designed to meaningfully impact human behavior and continually improve an organization’s security posture in response to social engineering threats. The key strengths of our platform include:
Targeted Focus on Human Behavior
Our platform is exclusively focused on human behavior, as we believe that elevating the security awareness of an organization’s employees is essential to managing the risk associated with social engineering. We believe that infrastructure-based security controls alone are inadequate, requiring humans to become the critical last line of defense for an organization. In growing the category for security awareness, we are focused on building a platform capable of changing insecure behaviors and reinforcing secure behaviors of individuals. This allows us to invest in technology and development resources to drive innovation and differentiation in products designed to address the human layer of security. We believe our focus has helped us establish market leadership and will position us favorably to capitalize on market opportunities as the scope of the human layer of security expands.
5

Continuous Intelligence and Analytics
Our platform continuously assesses users and monitors social engineering risk, creating an active feedback loop that enables organizations to drive improvements in employee security awareness and overall security posture. Frequent training, knowledge checks and behavior-based intervention all reinforce secure behaviors and provide critical data for measuring, improving and maintaining security awareness within an organization.
The advanced analytics delivered by our platform enable security administrators to identify, monitor and manage the social engineering risk of the organization as a whole, or of individual employees or groups of employees. Our platform analyzes a broad and extensive set of risk data to assess the level of social engineering risks within an organization and provides security professionals with actionable insights to modify and improve security awareness programs based on risk profiles at the individual or group level. Through the learner experience dashboard, our platform also provides employees visibility into their individual susceptibility to social engineering threats, which promotes continuous engagement and improvement in security awareness.
Effective and Efficient Security Awareness Administration
Our platform is designed to enable security administrators to mitigate social engineering risk through automated, machine learning-driven administration of training specifically customized to an individual user or group of users. The platform analyzes users’ behavior and allows organizations to categorize employees based on dynamic or custom groupings to tailor simulated social engineering campaigns, assignments and analytical reporting based on identified potential vulnerabilities. Our platform leverages a machine learning engine to provide administrators with targeted recommendations based on the results of simulated tests and users’ risk scores prompting the delivery of relevant content designed to reduce the risks associated with social engineering.
The platform also includes embedded SOAR functionality to prioritize and automate security operations related to user-reported social engineering threats. With these capabilities, security professionals can minimize risk to the organization by quickly responding to and effectively remediating the most severe social engineering threats. All together, these capabilities are designed to reduce the administrative burden of security awareness management and operations on resource-constrained IT and security professionals.
Expansive Library of Engaging and Effective Content
We have built an expansive library of differentiated security awareness content that is continuously refreshed to ensure that our offerings always reflect the expanding range of social engineering threats. We leverage our extensive proprietary data set on human behavior and social engineering attacks, first-party threat environment research and crowd-sourcing methods to update our simulated threat templates, in order to convincingly emulate real-world social engineering methods.
We believe the range and sophistication of our content library and technology makes our platform highly effective in changing human behavior to reduce social engineering risk. We employ dedicated content centers of excellence across geographies to produce differentiated content that reflects themes based on the broader global threat environment, but is highly localized and culturally relevant. The breadth and scope of our content enables it to fully meet the needs of large global enterprises with geographically diverse workforces, driving increased customer satisfaction and retention.
Ease of Platform Deployment and Use
We have designed our platform to be easy to deploy and use, enabling our customers to achieve rapid time-to-value and cost efficiency in security awareness operations. Our cloud-based platform requires minimal implementation efforts, enabling customers to quickly onboard and complete an initial baseline simulated social engineering campaign. We have also developed integrations with mainstream identity platforms, including Active Directory and SCIM, that further streamline platform deployment and ongoing user administration. Our management console offers simple and automated administration of security awareness programs and related workstreams, reducing the resource and expertise requirements on the organization. For employees, the user interface of our platform has also been designed to deliver an intuitive, easy-to-use and high quality experience.
6

Designed to Serve the Entire Market
The ability to scale our technology to meet the needs of all organizations has been a central tenet of our platform design philosophy from the beginning. As a result, we have designed our products to be both accessible to smaller organizations without dedicated IT departments and scalable to organizations with hundreds of thousands of users and multiple security teams dispersed across the world. Our cloud-based delivery model, scalable multi-tenant architecture and global content centers of excellence allow us to regularly introduce new content and platform features to our customers quickly and seamlessly.
Our Market Opportunity
We estimate the total market opportunity for our platform currently to be approximately $23.0 billion. For our KMSAT, PhishER and Compliance Plus products, we calculate our market opportunity by applying a per employee price by size of business, based on internally generated customer spend data, to an estimated total number of employees across over 50 addressable geographies. For KCM, in the U.S., we apply an average contract value to a set number of organizations using internally generated customer spend data. Internationally, we estimate the size of the market as a multiple of the U.S. market. Our total market opportunity also includes an estimate of the market opportunity related to our future product that will be developed utilizing technology obtained through our acquisition of SecurityAdvisor and integrated into our platform. The sum of the calculated values across KMSAT, PhishER, Compliance Plus, KCM and our future product, as described herein, represents our total estimated market opportunity.
Our Growth Strategy
We believe we have significant opportunities to extend our market leadership. Key elements of our growth strategy include:
Expand Our Customer Base
We believe there is a significant opportunity to invest in our sales and marketing activities to drive broader market knowledge of the importance of security awareness. Increasing category awareness of our market enables us to expand our customer base with less education effort and more efficient go-to-market execution. We believe that businesses of all sizes are exposed to the risks of social engineering and that there is a large opportunity to help both small and medium sized businesses (“SMBs”), and large enterprises defend against this threat. In addition to growing the small to medium sized customer base that we have focused on since inception, we believe that there is significant opportunity to increase penetration in the enterprise segment, which we define as customers with 1,000 or more employees.
Expand Internationally
The international market represents an expansion opportunity for us. To pursue this opportunity, we are rapidly expanding our international operations and increasing our physical presence through headcount additions in Europe, the Middle East, Asia-Pacific and South America. We are also investing in further localizing our platform through foreign language translation and customized content. Our platform is currently accessible in over 30 languages and we plan to expand this language support in the future, along with increasing our region-specific content offerings.
Grow Our Partner Network
We plan to increase our channel partnerships to help us efficiently reach new territories and opportunities. Growing our international channel partnerships will help us reach new jurisdictions where we have not yet developed extensive brand awareness and local customer relationships. We believe managed service providers or MSPs, and channel partners represent an efficient way to sell to smaller customers, as organizations with limited or no IT departments often rely on MSPs to provide specialized security skills or knowledge. As our business becomes more mature, we believe the revenue contribution from channel partners and MSPs will continue to increase.
7

Expand Our Existing Customer Relationships
We plan to continue cross-selling products and upselling subscription tiers within our existing customer base. Our extensive existing customer base provides substantial opportunity to expand use of our platform offerings as well as upgrade existing subscriptions to higher tiers. We believe that our integrated platform and the strength of our customer success program are key to our ability to cross-sell and upsell to our existing customers. We plan to create new adjacencies and use cases through investments in our technology and platform and customer success personnel to retain existing customers and drive increased product attachment rates.
Invest in Our Platform and Content
We believe that continued investment in our technology platform and content is important to our ability to maintain and extend our market leadership. We invest in technology and development activities to continuously strengthen our platform and release additional features and products to the market. These development efforts stay true to our core principles that the human layer in cybersecurity is important and that the human layer can be addressed without adding significant complexity to the end user or IT security professional. We believe that our ability to leverage the immense amount of data collected from our customers’ usage and to incorporate their feedback into our platform and content offerings have contributed to our market-leading position. We continue to explore methods to monetize our data assets in the future and to integrate customer feedback into future product development opportunities.
Selectively Pursue Strategic Acquisitions
We plan to pursue strategic acquisitions that we believe will be complementary to our existing platform, enhance our technology and our content, and increase the value proposition we deliver to our customers. For example, we may pursue acquisitions that we believe will help us add new features, accelerate customer growth, enter new markets and add talent and expertise to our organization.
Our Platform
The KnowBe4 security awareness platform consists of:
Kevin Mitnick Security Awareness Training, or KMSAT, our security awareness training product, which enables continuous assessment of employees through simulated social engineering attacks across multiple mediums and remediation through real-time delivery of highly engaging modules that are curated based on relevant and specific risks;
Compliance Plus, our compliance training product, which enables organizations to provide their employees with relevant, timely and engaging compliance content across a broad range of topics from data privacy to diversity, equity and inclusion;
PhishER, our SOAR product, which enables security professionals to prioritize and automate security workstreams in response to attacks targeted at the human layer; and
KnowBe4 Compliance Manager, or KCM, our governance, risk and compliance product, which enables organizations to analyze security risk and automate the management of compliance and audit functions.
All of our products are built on a cloud-based architecture designed to be easy to deploy across organizations of all sizes. We also build machine learning and artificial intelligence into our products to increase the product’s ability to enable behavioral change and to allow the administration of our products to be streamlined and efficient.
Our platform features integrated capabilities that are designed to enhance the overall value proposition to our customers and their employees. Through advanced analytics and risk scoring capabilities, our platform enables customers to proactively identify social engineering risk within their organizations. When a customer is onboarded, our platform provides a baseline risk assessment based on the performance of individual users in an initial simulated phishing campaign. Based on the risk assessment, our platform can enable the automatic administration of high quality, effective training aimed at mitigating identified risk. Organizations are then able to continuously simulate a
8

wide array of social engineering attacks, giving users the ability to fail safely, adjust their behavior and learn through action. This continuous cycle creates an active feedback loop and increases engagement which helps prevent users from reverting to risky behavior.
As users become more effective at identifying and reporting potential social engineering attacks, our orchestration, automation and response capabilities help security professionals efficiently manage the workstreams associated with user-reported threats. We leverage a vast repository of proprietary data gathered from user-reported threats that have bypassed infrastructure-based security defenses to evolve our platform, automation capabilities and security content to reflect the latest threat environment. Our dataset continually expands and becomes more valuable as the number of users on the platform and the security awareness of those users increase. This greatly enhances our ability to leverage the data derived from our customer base in improving our platform.
Our platform’s underlying features and capabilities include AI and machine learning, advanced analytics, risk scoring, reporting dashboards and flexible APIs. Organizations utilize these tools to continuously assess the ongoing risk of social engineering, respond to these threats and ultimately automate the enterprise’s defense against human-based cyberattacks. We also offer several free tools that provide IT professionals with the ability to identify and respond to a wide range of social engineering threats as well as to assess general end-user security behaviors. These free tools provide us with lead generation capabilities to focus on exposing organizations to our platform in a cost-efficient way. The capabilities of these tools are distinct from our paid products and focus on highlighting the need for effective security awareness.
Our Products
Kevin Mitnick Security Awareness Training (KMSAT)
Our flagship Security Awareness Training product, KMSAT, is named after our Chief Hacking Officer, Kevin Mitnick. Kevin’s history as a hacker and as a security consultant gave him unique insights into the social engineering techniques that are used by hackers to target employees and gain access to corporate networks, credentials and information. KMSAT has been recognized by independent industry research firms, including Gartner and Forrester Research, as a leader in Security Awareness Training.
KMSAT is a “new-school” security awareness product that combines automated phishing and social engineering simulation tests with engaging and curated content spanning across a variety of mediums, including email, SMS and voice. Our robust machine learning and data analytics capabilities allow our cyberattack simulations and training curriculum to automatically adapt to learner needs. We have developed advanced technological features including a full randomization feature that simulates the real world – every employee receives a random template at a random time, designed to eliminate the “prairie-dog effect” which occurs when co-workers alert each other of a test. Our patented Smart Groups feature allows organizations to categorize employees based on dynamic or custom groupings to tailor phishing campaigns, training assignments and analytical reporting. The data analysis capabilities offered by our Advanced Reporting features allow organizations to review the outcomes of social engineering and training campaigns across several dimensions and use enterprise-grade APIs to allow for customization of reports, integration with other business systems and ease of executive reporting.
We have also developed a machine learning engine that provides administrators with training recommendations based on the results of simulated social engineering tests and users’ risk scores. Our Virtual Risk Officer ingests and calculates data across a multitude of sources, evaluates the data using machine learning and provides dynamic Risk Scores — assigned to users, groups and organizations as a whole — empowering customers to make data-driven decisions. Calculated using both internal and external factors, including training history, simulation history, breach data and job function, the Risk Score is designed to measure how likely the user is to be targeted with a phishing or social engineering attack, how they would react to these types of events and how severe the consequences would be if they fell for an attack. The user Risk Score dashboard is continually updated to reflect the users’ completion of training and responses to simulated phishing emails, with the goal of providing an accurate view of the individual’s and organization’s overall susceptibility to social engineering attacks over time.
We believe we offer the world’s largest library of security awareness training with over a thousand items of content, including interactive modules, videos, games, posters and newsletters. Our content library is constantly
9

being updated with new materials created based on the latest social engineering tactics. Our training portal is intuitive and easy to use, and the production value of our premium content is comparable to that of a TV series or film.
KMSAT is offered on a SaaS subscription basis to serve the varying needs of our diverse customer base, from small businesses to large enterprises. We offer a range of subscription tiers at different pricing levels, which provide access to varying levels of functionality and content. Our basic tiers – Silver and Gold – offer access to features that are essential to an organization’s security awareness needs, including unlimited simulated social engineering tests, basic training content, machine learning-based individual security risk scoring and access to add-on features such as the Phish Alert button and phishing email reply tracking. Our Platinum tier provides users access to advanced reporting capabilities, such as reporting APIs and user event APIs, as well as advanced administrative functions, such as Smart Groups and Security Roles that help manage users, groups and various security roles within organizations. Our Platinum users also receive priority-level customer support. Our Diamond tier is our most popular subscription tier and includes access to our Artificial Intelligence-driven Agent, AIDA™, and additional pieces of premium content, including our award-winning The Inside Man series. The vast majority of our KMSAT customers subscribe to our Platinum and Diamond tiers.
Compliance Plus
The Compliance Plus product brings the “new-school” approach we pioneered with security awareness into the compliance market. Compliance Plus provides organizations’ employees with relevant and engaging content as well as training modules that address compliance topics ranging from data privacy to business ethics to diversity, equity and inclusion. Compliance Plus is accessible through the existing KnowBe4 platform which allows administrators access to robust, existing customization and automation features, such as automatic enrollment and advanced reporting. Additionally, we believe the Compliance Plus product will bring valuable behavioral data to our already data-rich platform, enabling organizations to further focus on mitigating risks presented by their employees. Compliance Plus is offered as a subscription that is paired with a customer’s new or existing KMSAT subscription.
PhishER
PhishER was created to help security administrators deal with the influx of user-reported social engineering attacks from an employee base that was made increasingly knowledgeable with KMSAT. PhishER allows the IT security team to analyze suspected attacks that employees report by clicking the Phish Alert Button, or PAB, within their email applications. PhishER integrates with major email platforms and related mobile applications, including Microsoft Outlook, Office 365 and G Suite. PhishER continues the remediation work-cycle by providing security incident response teams with a powerful platform to analyze reported emails and respond to threats faster and more effectively.
We designed PhishER to give security teams the ability to evaluate reported threats by using standard prioritization rules embedded in the platform or by creating custom rules to more closely align to their individual organization’s needs. These rules are applied to reported threats to automatically categorize them into “Emergency Rooms.” PhishER Emergency Rooms are built into the platform to show security teams pre-filtered views of reported messages, allowing drill down capabilities to take bulk actions on groups of messages. PhishER leverages our PhishML machine learning engine to analyze, categorize, evaluate threat levels and respond to each reported threat.
A key to the success of PhishER is that the emails used to train PhishML have already made it through email filters and security gateways to land in the end-users’ inboxes. This means that the machine learning model is being fed a unique stream of data that other security measures have failed to address, thereby improving the model’s accuracy and allowing more automated prioritization and decisioning. If an email is determined to be a threat, PhishER searches and, if directed, quarantines similar messages across all inboxes in the organization. Matching messages present in other users’ inboxes are then queued for further analysis, quarantine, or permanent deletion via our PhishRIP feature, which seamlessly integrates with major email platforms. If the user-reported email is determined to be safe and legitimate, it can be returned to the user. We believe the PhishER platform allows the IT Security team to close-the-loop on social engineering with the end-user and protect the organization.
10

KnowBe4 Compliance Manager (KCM)
KCM was designed to help our customers save time and resources by providing an intuitive user interface with streamlined workflows that enables visibility into the ongoing audit and compliance processes at all levels of the business. To further simplify the user experience, we developed workflow templates that are applicable to a variety of common compliance needs, including the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI-DSS), among others. These templates, along with the ability for users to create their own custom workflows, allow the KCM product to easily scale across a variety of different compliance needs and programs. A recent addition to the KCM product is the Vendor Risk Management module, which allows our customers to centralize their vendor management process. This includes the onboarding of new vendors in a streamlined manner and tracking a vendor’s compliance with policies and procedures throughout the vendor lifecycle. Additionally, KCM dashboards have been specifically designed with automated reminders to equip users with the tool in the timely completion and tracking of compliance activities.
Product Pipeline
Our current product pipeline includes Security Coach, our future product that will incorporate technology gained through the SecurityAdvisor acquisition to address human behavior risks through HDR. Security Coach will utilize a cloud interface to download and aggregate security alerts from our customers’ existing security products, analyze those alerts and provide actionable messages to users through standard email and messaging applications. These messages are designed to address insecure behaviors in real-time. Additionally, our product code-named PasswordIQ will be used to mitigate risk related to password hygiene issues, such as weak or breached passwords. This product will monitor security risks detected with users’ passwords, organize this risk data on a dashboard and facilitate automatic employee training based on the risks identified.
Free Tools
As part of our go-to-market strategy, we offer a robust set of free tools that add value to our customers and help generate leads for our sales teams. Our free tools help users assess their security vulnerabilities and protect themselves against emerging security threats and challenges. Our strategy is to leverage the free tools as our lead generation engine to drive awareness, increase brand exposure and convert more users to long-term paying customers on our core products. Our free tools also provide important usage data and user feedback for our new product development. Oftentimes, we convert free tools into paid products after adding more functionalities. Our free tools include phishing tools, password tools, email security tools and other security awareness training tools. These tools are designed help organizations assess their vulnerability to various formats of phishing attacks, benchmark their security awareness levels, evaluate password-related risks, assess email-related security threats and help IT teams create and deploy security awareness programs.
Competition
We operate within the broader cybersecurity market and we believe we are one of the only companies that is primarily focused on the human layer of cybersecurity. The security awareness market is largely a greenfield market. Certain larger enterprise providers attempt to address the security awareness market through their own infrastructure-centric product offerings; however, these offerings are often tied to other products within their portfolio and do not focus on changing human behavior. While there are some smaller security awareness focused companies in the market, none have grown to a meaningful scale to be considered a material competitor.
We believe that we compete primarily on the following factors:
our ability to provide an integrated platform for organizations to assess, monitor and mitigate the persistent threat of social engineering;
the incorporation of artificial intelligence, machine learning, automation and integrations into our platform;
the overall strength of our sales, marketing and channel relationships;
11

our brand awareness and reputation within the market;
the perceived value of our products relative to the subscription cost;
the quality and breadth of our content offerings; and
our ability to provide a seamless customer experience for both IT personnel and individual users of our platform within the organization.
Although certain of our competitors may enjoy greater resources and recognition and customer relationships outside of security awareness, we believe that we compete favorably within our market with respect to these factors.
Customers
We define a customer as a separate and distinct buying entity, such as a company, an educational or government institution, or a distinct business unit of a large company that has an active contract with us to access our platform. As security awareness is a fundamental need for all organizations, we represent virtually all industry verticals. We have experienced success in industries where cybersecurity is of particular importance, such as financial services, technology, professional services, healthcare and the public sector. Additionally, we have received Federal Risk and Authorization Management Program, or FedRAMP, authorization to sell our KMSAT product to federal government agencies. We plan to apply for additional FedRAMP certifications for other products on our platform in the future. None of our customers accounted for more than ten percent of our revenues during the years ended December 31, 2021, 2020 or 2019. In addition, we do not have any material dependencies on any specific product, service or particular group or groups.
Sales and Marketing
Sales
We operate an inside sales model as well as a network of MSPs and channel partners, both domestically and internationally. Our inside sales representatives and partners are collectively responsible for our initial customer acquisition. Customers typically deploy our platform to their entire end user base upon initial subscription. We utilize our team of customer success managers to ensure onboarding to our platform and help drive adoption of additional features and products. Dedicated pricing specialists are tasked with negotiating customer renewals, along with upselling and cross-selling. Our cloud-based platform enables our inside sales team to seamlessly upgrade subscription tiers and activate additional products on behalf of customers. Additionally, we offer transparent and competitive pricing, which we believe translates into an efficient sales cycle.
Marketing
Our marketing strategy is highly focused on demand generation driving our opportunity pipeline. This strategy is intended to be applied broadly across all organization sizes and industries; however, some verticals like finance, healthcare and manufacturing have been exceptionally receptive. We offer over a dozen free tools that add value to our customers and help generate leads for our sales teams. Many of these tools integrate directly into our platform to provide additional layers of intelligence and risk data to our customers. These tools increase our sales velocity and are a testing ground for future paid products on our platform. Additionally, we run hundreds of webcasts annually, participate in cybersecurity industry events and utilize our product evangelist team to drive market awareness. We anticipate further building our marketing team and are investing in channel relationships to further penetrate up-market accounts.
Research and Development
Our research and development team is responsible for the design, development, testing and quality of our cloud-based platform. In addition to improving on our features and functionality, this team works to ensure that our platform is available, reliable and stable. We invest substantial resources in research and development to enhance our platform features and functionalities and develop new products designed to expand our presence in the security awareness market. We believe the timely development of new features and the enhancement of our existing platform
12

is essential to maintaining our competitive position. Our research and development team works closely with our customer success team to collect user feedback to enhance our development process as we continually incorporate suggestions and feedback from our customers into our platform. We also believe our research and development teams’ focus on developing new products that address the continuously evolving risks of social engineering and security awareness will help us maintain our market leading position. We utilize an agile development process to deliver numerous releases, fixes and feature updates each year and capitalize qualifying costs of developing larger scale projects. Our research and development team is primarily based in Clearwater, Florida, but we continue to build out additional research and development capabilities in certain international jurisdictions who supplement our core team.
Government Regulation
We are subject to various federal, state, local, and foreign laws and regulations, including those relating to data privacy, protection and security, intellectual property, employment and labor, workplace safety, consumer protection, anti-bribery, import and export controls, economic sanctions, immigration, federal securities, and tax. In addition, we are subject to various laws and regulations relating to the formation, administration, and performance of contracts with our customers in heavily regulated industries and the public sector, which affect how we and our partners do business with such customers. Additional laws and regulations relating to these areas likely will be passed in the future, and these or existing laws and regulations may be interpreted or enforced in new or expanded manners, each of which could result in significant limitations on how we operate our business. New and evolving laws and regulations, and changes in their enforcement and interpretation, may require changes to our platform, offerings or business practices, and may significantly increase our compliance costs and otherwise adversely affect our business, financial condition, and results of operations. As our business expands to include additional platform functionalities and offerings, and our operations continue to expand internationally, our compliance requirements and costs may increase, and we may be subject to increased regulatory scrutiny.
See the sections titled “Risk Factors,” including the subsections titled “Risk Factors—Risks Related to Governmental Regulation and Taxation—Complying with evolving privacy and other data related laws and requirements may be expensive and force us to make adverse changes to our business, and failure to comply with such laws and requirements could result in substantial harm to our business,” “Risk Factors—Risks Related to Governmental Regulation and Taxation—We are subject to laws and regulations, including governmental export and import controls, sanctions, anti-boycott regulations and anti-corruption laws that could impair our ability to compete in our markets and subject us to liability if we are not in full compliance with applicable laws,” “Risk Factors—Risks Related to Governmental Regulation and Taxation—Failure to comply with laws and regulations applicable to our business could subject us to fines and penalties,” and “Risk Factors—Risks Related to Governmental Regulation and Taxation—Sales to government entities are subject to a number of challenges and risks” for additional information about the laws and regulations we are subject to and the risks to our business associated with such laws and regulations.
Intellectual Property
We believe that our intellectual property rights are valuable and important to our business. We rely on trademarks, patents, copyrights, trade secrets and know-how, license agreements, intellectual property assignment agreements, confidentiality procedures, non-disclosure agreements and employee non-disclosure and invention assignment agreements to establish and protect our proprietary rights. Though we rely in part upon these legal and contractual protections, we believe that factors such as the skills and ingenuity of our employees and the functionality and frequent enhancements to our solutions are larger contributors to our success in the marketplace.
As of December 31, 2021, we had 71 issued patents in the United States, 62 patent applications pending in the United States and 5 patent applications pending internationally. Our issued patents expire between February 2037 and September 2040, and 3 of our pending patent applications have been allowed. These patents and patent applications seek to protect our proprietary inventions relevant to our business. We intend to pursue additional intellectual property protection to the extent we believe it would be beneficial and cost-effective. Despite our efforts to protect our intellectual property rights, they may not be respected in the future or may be invalidated, circumvented, or challenged. Our industry is characterized by the existence of a large number of patents and
13

frequent claims and related litigation based on allegations of patent infringement or other violations of intellectual property rights. We believe that competitors will try to develop products that are similar to ours and that may infringe our intellectual property rights. Our competitors or other third-parties may also claim that our security platform and other products infringe their intellectual property rights. In particular, some companies in our industry have extensive patent portfolios. From time to time, third parties have in the past and may in the future assert claims of infringement, misappropriation and other violations of intellectual property rights against us or our customers, with whom our agreements may obligate us to indemnify against these claims. Successful claims of infringement by a third party could prevent us from offering certain products or features, require us to develop alternate, non-infringing technology, which could require significant time and during which we could be unable to continue to offer our affected products or solutions, require us to obtain a license, which may not be available on reasonable terms or at all, or force us to pay substantial damages, royalties, or other fees.
Human Capital Resources
Our corporate culture is built on the goal of creating an environment where employees feel safe, feel they belong, in an inclusive team environment where they can rise to their full potential, and deliver their top performance in a sane, fun work environment. We strive to reach this goal by placing a focus on recruiting team-oriented, hardworking individuals, training those individuals, developing strong teams and creating an organized, efficient workplace. We believe that retaining employees who consistently contribute to the organization’s success in measurable ways is key to sustaining strong teams. We drive employee retention through our market-based compensation philosophy and the adoption of a holistic employee benefits package. In addition, our strong commitment to promoting diversity and inclusion has fostered a highly collaborative and motivated workforce. As of December 31, 2021, we had 1,366 full-time employees, of which 264 were located outside the United States.
Culture and Employee Engagement
We recognize that people are at the heart of our success and we leverage the broad diversity of our teams’ knowledge and identities to build quality products that reflect the collective experience of our users and surrounding communities. We believe our efforts in managing our workforce have been effective, as evidenced by recent awards including the 2022 Top Workplaces USA award for our size category, which was based solely on employee feedback, 2021 Fortune Best Workplaces for Women and Millennials and 2021 Mogul Top 100 Workplaces for D&I Initiatives, among others. We receive feedback on our culture directly from our employees through our annual, anonymous employee engagement survey. We also monitor external feedback, such as Glassdoor, where we were named on Glassdoor’s 2021 list of “Best Places to Work”.
Recruitment and Talent Development
As part of our recruiting initiatives, we sponsor several scholarship opportunities, including scholarships focused on increasing the presence of women, military veterans and other historically underrepresented minorities within the cybersecurity industry. We also sponsor various development programs to assist with our recruitment efforts including both sales-focused and technical-focused career development programs and internships focused on providing practical skills. training and relevant work experience.
We believe that a positive onboarding experience is foundational to positive employee engagement and rapid productivity. Our onboarding process is dedicated to ensuring all employees understand our culture, policies and products. We focus on the continuous education of our entire employee base by providing opportunities for real-time learning.
Compensation and Benefits
We provide competitive compensation and benefits packages to attract and retain our leading talent, including overall team incentive bonuses and stock compensation. We also offer a wide range of health and well-being programs designed to meet our employees’ physical and mental needs. We believe fair pay is essential to our ability to attract and motivate the highly qualified and diverse employees who are at the center of our current and future success.
14

Diversity, Equity and Inclusion
We understand the work needed to support and foster a culture of inclusivity and belonging. This is continuous and relies on our three components of (1) building diverse workforces and the accompanying knowledge bases to support our employees, (2) conquering bias, discrimination and inequity, and (3) celebrating diversity and all the intersections of identities that make us who we are. Our diversity, equity, and inclusion programs continue to advance a culture of inclusivity. We have seven employee resource groups or ERGs, including Knowster Parents, Black Knowsters Network, Women in Technology, LGBTQIA+, LatinX, Asian and Asian Pacific Islanders and the Military and Veterans Resource Group, which are employee-led groups that play a vital role in building understanding and awareness. The diversity of our workforce is an example of this vision in action. In 2021, females represented 40.6% of our workforce and approximately 25% of our workforce was made up of underrepresented groups, which we define as employees who identify as Black, Latinx, Indigenous, Multiracial, Asian, American Indian or Alaska Native, Native Hawaiian or Other Pacific Islander.
We have also created four “Start” programs which allow individuals from underrepresented groups or non-traditional backgrounds to transition into our technical support, customer success and research and development teams. These programs are (1) Jump Start, for high school or GED graduates, (2) Re-Start, for individuals looking for a career change, (3) New Start, for members of the military transitioning into civilian life, and (4) Code Start, for individuals interested in engineering careers who do not have traditionally required experience.
Sustainability and Environmental Responsibilities
We take environmental responsibility seriously and are committed to sustainability for the good of our customers, employees and the planet. We are committed to doing our part to reduce environmental impacts of our business. In 2021, we committed to achieve net zero carbon emissions across our business by 2040, to increase our use of clean, renewable energy to at least 25% for all of our offices globally by 2025 and to reach an overall annual average waste diversion rate of 80% in 2022 and 90% by 2023. We also value our role as a good corporate citizen and are dedicated to making a positive social impact through various employee-led initiatives.
Corporate Information
We were formed as a limited liability company in Delaware in August 2010 under the name SEQRIT, LLC and subsequently changed our name to KnowBe4, LLC. We then converted into a Delaware corporation under the name KnowBe4, Inc. in January 2016. Our headquarters is located at 33 N. Garden Avenue, Suite 1200, Clearwater, FL 33755 and our telephone number is (855) 566-9234.
Available Information
Our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and other filings with the Securities and Exchange Commission (“SEC”), and all amendments to these filings, can be obtained free of charge from our website at www.knowbe4.com or by contacting our Investor Relations department at our office address listed above following our filing of any of these reports with the SEC. The SEC maintains an internet site that contains reports, proxy and information statements and other information regarding issuers that file electronically with the SEC at www.sec.gov. The contents of these and other websites referenced throughout the filing are not incorporated and do not constitute a part of this filing. Further, the Company’s references to the URLs for these websites are intended to be inactive textual references only.
We announce material information to the public about us, our products and other matters through a variety of means, including filings with the SEC, press releases, public conference calls, webcasts, the investor relations section of our website (investors.knowbe4.com), our Twitter account (@KnowBe4) and our blogs (including blog.knowbe4.com) in order to achieve broad, non-exclusionary distribution of information to the public and for complying with our disclosure obligations under Regulation FD.
15

Item 1A. Risk Factors
An investment in our Class A common stock involves a high degree of risk. You should carefully consider these risk factors, together with all of the other information included in this Annual Report on Form 10-K, including the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes, before deciding whether to invest in our Class A common stock. The risks and uncertainties described below may not be the only ones we face. If any of the risks actually occur, our business, financial condition, results of operations, cash flows and prospects could be adversely affected. In that event, the market price of our Class A common stock could decline, and you could lose part or all of your investment.
Risk Factor Summary
Our business is subject to a number of risks, including those outside of our control, that may adversely affect our business, financial condition, results of operations, cash flows and prospects. These risks are discussed more fully below and include, but are not limited to:
Risks Related to Our Business and Industry
Our limited operating history including history of losses;
We have experienced rapid growth in recent periods and could experience difficulties managing our future growth;
Our long-term focus on growth;
Our ability to attract new customers and retain our existing customers;
Failure to effectively develop and expand our sales and marketing capabilities or maintain successful relationships with our channel partners;
Our exposure to risks related to international operations and plans for future international expansion;
A network, systems or data security incident may allow unauthorized access to our network, systems or data or our customer’s data;
Our reliance upon Software-as-a-Service, or “SaaS”, technologies from third parties to operate our business;
The delayed reflection of new sales in our results due to recognizing revenue over the term of our customer contracts;
The application of or changes in complex accounting rules;
We must maintain an effective system of internal controls over our financial reporting in order to produce timely and accurate financial statements and comply with applicable regulations;
The requirements of being a public company may strain our resources and divert management’s attention;
Risks Related to Our Platform and Products
Our ability to develop or acquire new products and/or provide successful updates, enhancements and features to our technology;
Interruptions or delays in the services provided by third-party data centers or internet service providers;
Failure of our platform and/or our products to perform properly;
16

Risks Related to Our Intellectual Property
An exposure to an infringement claim or a claim that results in a significant damage award;
Our ability to protect our proprietary rights;
Usage of open source software in our products;
Usage of third party technology and software in our platform and products;
Risks Related to Government Regulations and Taxation
Our failure to comply with evolving data privacy and other data related laws and requirements;
Our failure to comply with laws and regulations, including governmental export and import controls, economic sanctions or anti-boycott laws;
Adverse changes in tax laws or regulations in the various jurisdictions where we are subject to taxation;
Governance Risks and Risks Related to Ownership of Our Class A Common Stock
The dual-class structure of our common stock, which has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our IPO;
The volatility of the market price of our Class A common stock;
We have no intention of paying dividends in the foreseeable future;
Potential dilution to our existing stockholders due to the issuance of additional stock in connection with financings, acquisitions, investments, or our equity incentive and employee stock purchase plans;
Risks Related to Macroeconomic Conditions
Adverse economic conditions or reduced IT security spending; and
The unpredictability of the impact of the COVID-19 pandemic.
Risks Related to Our Business and Industry
We have a limited operating history, which makes it difficult to forecast our revenue and evaluate our business and future prospects.
We have been in existence since 2010 and much of our growth has occurred in recent periods. As a result of our limited operating history, our ability to forecast our future results of operations and model future growth is limited and subject to a number of uncertainties. We have encountered and will continue to encounter risks and uncertainties frequently experienced by growing companies in rapidly changing industries. Accordingly, we may be unable to prepare accurate internal financial forecasts or replace anticipated revenue that we do not receive as a result of these risks and uncertainties, and our results of operations in future reporting periods may be below the expectations of investors. If we do not address these risks successfully, our results of operations could differ materially from our estimates and forecasts or the expectations of investors, causing our business to suffer and our stock price to decline.
We have a history of losses and may not be able to achieve or sustain profitability in the future.
We have incurred net losses in all annual periods since our inception, and we expect we will continue to incur net losses for the foreseeable future. We experienced net losses of $11.8 million, $2.4 million, and $124.3 million for the years ended December 31, 2021, 2020, and 2019, respectively, and as of December 31, 2021, we had an accumulated deficit of $173.1 million. Because the market for our platform and products has not yet reached widespread adoption, it is difficult for us to predict our future results of operations. We expect our operating expenses to increase significantly over the next several years, as we continue to hire additional personnel,
17

particularly in sales and marketing, expand our operations and infrastructure, both domestically and internationally, and continue to develop our platform and products. In addition to the expected costs to grow our business, we also expect to incur significant additional legal, accounting and other expenses as a newly public company. If we fail to increase our revenue to offset the increases in our operating expenses, we may not achieve or sustain profitability in the future.
We have experienced rapid growth in recent periods, and if we do not manage our future growth, our business and results of operations will be adversely affected.
We have experienced rapid growth in recent periods and we expect to continue to invest broadly across our organization to support our growth. Although we have experienced rapid growth historically, we may not sustain our current growth rates nor can we assure you that our investments to support our growth will be successful. The growth and expansion of our business will require us to invest significant financial and operational resources and will require the continuous dedication of our management team. We have encountered and will continue to encounter risks and difficulties frequently experienced by rapidly growing companies in evolving industries, including market acceptance of our platform and products, adding new customers, intense competition and our ability to manage our costs and operating expenses. Our future success will depend in part on our ability to manage our growth effectively, and if we fail to do so, our ability to ensure uninterrupted operation of our platform and products, comply with the rules and regulations applicable to our business and adequately address competitive challenges could be impaired. Any of the foregoing could adversely affect our business, financial condition and results of operations.
We believe our long-term value as a company will be greater if we focus on growth, which may negatively impact our profitability in the near term.
Part of our business strategy is to primarily focus on our long-term growth. As a result, our profitability may be lower in the near term than it would be if our strategy were to maximize short-term profitability. Significant expenditures on sales and marketing efforts, growing our platform and products and expanding our research and development, each of which we intend to continue to invest in, may not ultimately grow our business or cause long-term profitability. If we are ultimately unable to achieve profitability at the level anticipated by industry or financial analysts and our stockholders, our stock price may decline.
If we do not expand our current customer base by attracting new customers and retaining our existing customers our business, financial condition and results of operations could be harmed.
Since our customers tend to adopt our platform across their entire organization, to increase our revenue and achieve and maintain profitability, we must expand our customer base by attracting new customers and retaining our existing customers. To attract new customers, we must drive a broader awareness of the pervasive risks of social engineering. We will continue to invest in our inside sales force complemented by a channel strategy designed to increase brand awareness and to enable us to reach new territories and acquire new customers. Numerous factors, however, may impede our ability to acquire new customers, including our failure to recruit talented sales and marketing personnel and to retain and motivate our current sales and marketing personnel, to develop or expand relationships with effective channel partners and managed service providers, or MSPs, to successfully deploy products for new customers, to provide quality customer support once deployed and to execute on our marketing strategies.
Further, our customers have no obligation to renew their subscriptions for our platform and products after the expiration of their contractual period, which is typically one to three years, and in the normal course of business, some customers have elected not to renew. In addition, our customers may renew for fewer products, renew for shorter contract lengths or switch to a lower-cost subscription. If our customers do not renew their subscriptions, we could incur impairment losses related to our deferred contract acquisition costs. It is difficult to accurately predict long-term customer retention because of our varied customer base and given the length of our subscription contracts. Our customer retention and expansion may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction with our products, our customer support, our prices and pricing plans, our customers’
18

spending levels, mergers and acquisitions involving our customers, competition and deteriorating general economic conditions.
Failure to effectively develop and expand our sales and marketing capabilities or maintain successful relationships with our channel partners could harm our ability to increase our customer base and achieve broader market acceptance of our products.
Our ability to increase our customer base and achieve broader market acceptance of our platform and products will depend to a significant extent on our ability to expand our sales and marketing operations and to maintain successful relationships with our channel partners. We plan to continue expanding our direct inside sales force and engaging additional channel partners, both domestically and internationally. This expansion will require us to invest significant financial and other resources and our business will be harmed if our efforts do not generate a corresponding increase in revenue. We may not achieve anticipated revenue growth from expanding our direct sales force if we are unable to hire and develop talented direct inside sales personnel, if our new direct inside sales personnel are unable to achieve desired productivity levels in a reasonable period of time or if we are unable to retain our existing direct inside sales personnel.
In order to grow our business, we anticipate that we will continue to depend on our relationships with our channel partners who we rely on, in addition to our direct sales force, to sell and support our products. We utilize channel partners to efficiently increase the scale of our marketing and sales efforts and increase our market penetration to customers who we otherwise might not reach on our own. Our agreements with our channel partners are generally non-exclusive, meaning our channel partners may offer customers competitive products from different companies, and generally allow the channel partner to terminate its agreements with us for any reason upon 30 days’ notice. For example, some of our channel partners also sell or provide integration and administration services for our competitors’ products, and if such channel partners devote greater resources to marketing, reselling and supporting competing products, this could harm our business, financial condition and results of operations. If our channel partners do not effectively market and sell our products, choose to use greater efforts to market and sell their own products or those of others or fail to meet the needs of our customers, our ability to grow our business, sell our products and maintain our reputation may be adversely affected. The loss of key channel partners, our possible inability to replace them or the failure to recruit additional channel partners could materially and adversely affect our results of operations. If we are unable to maintain our relationships with these channel partners, our business, financial condition, results of operations or cash flows could be adversely affected.
Our international operations and plans for future international expansion expose us to significant risks, and failure to manage those risks could adversely impact our business, financial condition and results of operations.
We derived 15.9%, 11.9%, and 9.7% of our total revenue from international customers for the years ended December 31, 2021, 2020 and 2019, respectively. We are continuing to adapt to and develop strategies to address international markets and our growth strategy includes expansion into various international jurisdictions, but there is no guarantee that such efforts will be successful. We expect that our international activities will continue to grow in the future, as we continue to pursue opportunities in international markets. These international operations will require significant management attention and financial resources and are subject to substantial risks, including but not limited to:
greater difficulty in negotiating contracts with standard terms, enforcing contracts and managing collections and longer collection periods;
higher costs of doing business internationally, including costs incurred in establishing and maintaining office space and equipment for our international operations;
management communication and integration problems resulting from cultural and geographic dispersion;
risks associated with trade restrictions and foreign legal requirements, including any importation, certification and localization of our platform and products that may be required in foreign countries;
greater risk of unexpected changes in regulatory practices, tariffs and tax laws and treaties;
19

compliance with anti-bribery laws;
heightened risk of unfair or corrupt business practices and of improper or fraudulent sales arrangements;
the uncertainty of protection for intellectual property rights in some countries;
general economic and political conditions or events in these foreign markets, including, but not limited to, sanctioned countries, governments and industries around the world and other geopolitical uncertainty and instability, such as the ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the United States and other countries, and retaliatory actions taken by Russia in response to such sanctions;
foreign exchange controls or tax regulations that might prevent us from repatriating cash earned outside the United States;
double taxation of our international earnings and potentially adverse tax consequences due to changes in the tax laws of the United States or the foreign jurisdictions in which we operate;
unexpected costs for the localization of our services, including translation into foreign languages and adaptation for local practices and regulatory requirements;
requirements to comply with foreign privacy, data protection and information security laws and regulations, and the risks and costs of noncompliance;
greater difficulty in identifying, attracting and retaining local qualified personnel, and the costs and expenses associated with such activities;
greater difficulty identifying qualified channel partners and maintaining successful relationships with such partners; and
differing employment practices and labor relations issues.
As we continue to develop and grow our business globally, our success will depend in large part on our ability to anticipate and effectively manage these risks. The expansion of our existing international operations and entry into additional international markets will require significant management attention and financial resources. Our failure to successfully manage our international operations and the associated risks could limit the future growth of our business.
A network, systems or data security incident may allow unauthorized access to our network, systems or data or our customers’ data, harm our reputation, create additional liability and adversely impact our financial results.
Increasingly, companies are subject to a wide variety of attacks on their networks and systems on an ongoing basis. These attacks include, but are not limited to, hacking, the use of phishing and other forms of social engineering, attempts to introduce malicious code (such as viruses, ransomware or other malware) into the systems and networks used in our business, employee or contractor error or intentional acts, including theft or misuse, denial of service or other brute force attacks, and sophisticated attacks perpetrated by nation-state and nation-state supported actors. Despite significant efforts to create security barriers to such threats, it is virtually impossible for us to entirely mitigate these risks, in particular, as the frequency and sophistication of cyberattacks increases. For example, cybersecurity researchers anticipate an increase in cyberattack activity in connection with the Russia’s actions in Ukraine. The security measures we have integrated into our internal networks and systems, and into our platform and products may not function as expected or may not be sufficient to protect our internal networks, platform and products against certain attacks. In addition, techniques used to sabotage or to obtain unauthorized access to networks in which data is stored or through which data is transmitted change frequently and generally are not recognized until launched against a target. As a result, we may be unable to anticipate these techniques or implement adequate measures to prevent an electronic intrusion into our networks or systems, unauthorized access to, loss or unavailability of, or unauthorized alteration, use or disclosure of data or other security breaches or
20

incidents. We also may face difficulties or delays in identifying, remediating and responding to attacks and actual or perceived security breaches and incidents.

Third parties also may attempt to fraudulently induce employees or customers into disclosing sensitive information such as user names, passwords or other information or otherwise compromise the security of our networks, electronic systems and/or physical facilities in order to gain access to our data or our customers’ data, which could result in significant legal and financial exposure, the loss, alteration or compromise of our sensitive or otherwise critical business information, a loss of confidence in the security of our platform and products, interruptions or malfunctions in our operations, and, ultimately, harm to our future business prospects and revenue. As a well-known provider of products in the security awareness market, we may be a particularly attractive target for these and other forms of attacks. Further, with many of our employees and other personnel working remotely, the security risks we and our service providers face are heightened.
Our customers’ storage and use of data concerning, among others, their employees, contractors, customers and partners is essential to their use of our platform and products, which stores, transmits and processes customers’ proprietary information and personally identifiable information. If a security breach or incident compromising the security of customer data were to occur or to be perceived to occur, as a result of third-party action, employee or contractor error, malfeasance or otherwise, and the confidentiality, integrity or availability of our customers’ data was disrupted or believed to have been disrupted, we could face claims by and incur significant liability to our customers and to individuals or businesses whose information was being stored by our customers. In addition, a network, systems or other security breach or incident, whether or not impacting or being perceived to impact the confidentiality, integrity or availability of our customers’ data, could result in the loss of customers and make it more challenging to acquire new customers.
In addition, security breaches and incidents impacting our platform and products could result in a risk of loss, unavailability or unauthorized access to or alteration, use, disclosure, or other processing of information maintained on or processed by our platform and products, which, in turn, could lead to claims, litigation, governmental audits and investigations and possible liability, damage our relationships with our existing customers and have a negative impact on our ability to attract and retain new customers. These breaches or incidents or any perceived breach or incident, of our employees, contractors, networks or systems, in particular, because of our position as a security awareness company, may also undermine confidence in our platform or products and result in damage to our reputation, negative publicity, loss of channel partners, customers and sales, increased costs to remedy any problem and costly litigation. In addition, a security breach or incident impacting one of our key channel partners or independent software vendors could result in the exfiltration of confidential corporate information or other data that may provide additional avenues of attack. If a high profile security breach or incident occurs with respect to another SaaS provider, our customers and potential customers may lose trust in the security of the SaaS business model generally, which could adversely impact our ability to retain existing customers or attract new ones, potentially causing a negative impact on our business. Any of these negative outcomes could adversely impact market acceptance of our products and could harm our business, financial condition and results of operations.
We may be required to expend significant capital and financial resources to protect against the foregoing threats and to alleviate problems caused by actual or perceived security breaches or incidents. While we maintain insurance that may cover certain liabilities relating to security breaches or incidents, subject to applicable deductibles and policy limitations, our insurance may be insufficient to cover all liabilities incurred, which could have a material adverse effect on our business, financial condition and results of operations. Additionally, we cannot be certain that insurance coverage will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim.
We rely upon SaaS technologies from third parties to operate our business, and interruptions or performance problems with these technologies may adversely affect our business, financial condition and results of operations.
We rely on hosted SaaS applications from third parties in order to operate critical functions of our business, including platform delivery, enterprise resource planning, customer relationship management, billing, project management and accounting and financial reporting. If these services become unavailable due to extended outages, interruptions or because they are no longer available on commercially reasonable terms, our expenses could
21

increase, our ability to manage finances could be interrupted and our processes for managing sales of our platform and products and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and implemented, all of which could adversely affect our business, financial condition and results of operations.
We recognize revenue from subscriptions over the term of our customer contracts, and as such, our reported revenue and related metrics may differ significantly in a given period, and our revenue in any period may not be indicative of our financial health and future performance.
A substantial majority of our revenue is recognized over the term of our customer contracts. As a result, much of the revenue we report each quarter is derived from contracts that we entered into with customers in prior periods. Consequently, a decline in new or renewed subscriptions in any quarter will not be fully reflected in revenue or other results of operations in that quarter but will negatively affect our revenue and other results of operations across future quarters. Any increases in the average term of subscriptions would result in revenue for those contracts being recognized over longer periods of time with less positive impact on our results of operations in the near term. Accordingly, our revenue in any given period may not be an accurate indicator of our financial health and future performance.
The market in which we participate is competitive, and if we do not compete effectively, our business, financial condition and results of operations could be harmed.
The market for our platform and products is rapidly evolving and fragmented, and we expect competition to increase in the future. Although we believe competitors who specifically attempt to manage the ongoing problem of social engineering are currently limited, a number of companies have developed, or are developing, products that currently are, or in the future may be, competitive with our offerings. For example, certain larger enterprise providers, such as Proofpoint, Mimecast and Cofense, all attempt to address human risk through a product offering that is often tied to other products and is not given a singular focus. Nevertheless, competition continues to increase in the market segments in which we operate, and we expect competition to further increase in the future. Larger competitors with more diverse product and service offerings may reduce the price of products or subscriptions that compete with ours or may bundle them with other products and subscriptions. These competitive pressures may cause our subscription prices to decline for a variety of reasons, including competitive pricing pressures, discounts, anticipation of the introduction of new products by competitors or promotional programs offered by us or our competitors. As a result, as competition in our market increases, it could result in increased pricing pressure, decreased revenue, increased sales and marketing expenses and loss of market share for us, any of which could adversely affect our business, financial condition and results of operations.
We may experience quarterly fluctuations in our results of operations due to a number of factors, including increasing variability in our sales cycles. These fluctuations make our future results difficult to predict and could cause our results of operations to fall below analyst or investor expectations.
Our quarterly results of operations fluctuate as a result of a number of factors, many of which are outside of our control and may be difficult to predict, including, but not limited to:
the level of demand for our platform and products;
the timing and success of new product introductions by us or our competitors or any other change in the competitive landscape of our market;
pricing pressure as a result of competition or otherwise;
the length and predictability of our sales cycle;
seasonal buying patterns for IT spending;
errors in forecasting the demand for our products, which could lead to lower revenue, increased costs or both;
22

increases in and timing of sales and marketing and other operating expenses that we may incur to grow and expand our operations and to remain competitive;
credit or other difficulties confronting our channel partners;
adverse litigation judgments, settlements or other litigation-related costs;
changes in the legislative or regulatory environment, including with respect to privacy, data protection and security and enforcement by government regulators, including fines, orders or consent decrees;
system failures or actual or perceived security breaches;
fluctuations in foreign currency exchange rates;
costs related to the acquisition of businesses, talent, technologies or intellectual property, including potentially significant amortization costs and possible write-downs; and
general economic conditions in either domestic or international markets, including geopolitical uncertainty and instability, such as the ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the United States and other countries, and retaliatory actions taken by Russia in response to such sanctions.
Any one or more of the factors above may result in significant fluctuations in our results of operations. As we continue to focus on sales to larger organizations, we expect our sales cycles to lengthen and become less predictable. You should not rely on our past results as an indicator of our future performance. The variability and unpredictability of our quarterly results of operations or other operating metrics could result in our failure to meet our expectations or those of analysts that cover us or investors with respect to revenue or other metrics for a particular period. If we fail to meet or exceed such expectations for these or any other reasons, the market price of our Class A common stock could fall substantially, and we could face costly lawsuits, including securities class action suits.
If we fail to maintain an effective system of internal controls over our financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
As a public company, we are subject to the reporting and corporate governance requirements of the Securities Exchange Act of 1934, as amended, or the Exchange Act, the listing requirements of Nasdaq and other applicable securities rules and regulations, including the Sarbanes-Oxley Act of 2002 and the Dodd-Frank Wall Street Reform and Consumer Protection Act. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. In order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting, we have expended and anticipate we will continue to expend significant resources, including accounting-related costs, and provide significant management oversight. Any failure to develop or maintain effective controls, or any difficulties encountered in their implementation or improvement, could harm our operating results or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to implement and maintain effective internal controls also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we are required to include in our periodic reports that we will file with the SEC under Section 404 of the Sarbanes-Oxley Act.
We are not currently required to comply with the SEC rules that implement Section 404 of the Sarbanes-Oxley Act, and we are therefore not required to make a formal assessment of the effectiveness of our internal controls over financial reporting for that purpose. As a public company, we are required to comply with certain rules, which require management to certify financial and other information in our quarterly and annual reports and provide an annual management report on the effectiveness of our internal control over financial reporting commencing with our second Annual Report on Form 10-K. Additionally, our independent registered public accounting firm is not required to formally attest to the effectiveness of our internal control over financial reporting until after we are no
23

longer an emerging growth company. At such time, our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our controls are documented, designed or operating. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the market price of our Class A common stock.
The requirements of being a public company may strain our resources and divert management’s attention.
As a public company, we are subject to the reporting and corporate governance requirements of the Exchange Act, the listing requirements of Nasdaq and other applicable securities rules and regulations. Among other things, the Exchange Act requires that we file annual, quarterly and current reports with respect to our business, financial condition and results of operations and maintain effective disclosure controls and procedures and internal control over financial reporting. Compliance with these rules and regulations will increase our legal and financial compliance costs, make some activities more difficult, time-consuming or costly and increase demand on our systems and resources, particularly after we are no longer an “emerging growth company” as defined in the Jumpstart Our Business Startups Act of 2012, or the JOBS Act. In addition, as a public company, we may be subject to stockholder activism, which can lead to additional substantial costs, distract management and impact the manner in which we operate our business in ways we cannot currently anticipate. As a result of disclosure of information in the filings required of a public company, our business, financial condition and results of operations will become more visible, which may result in threatened or actual litigation, including by competitors and other third parties. These new obligations and constituents will require significant attention from our senior management and could divert their attention away from the day-to-day management of our business, which could adversely affect our business, financial condition, and results of operations.
We depend on our executive officers and other key employees, the loss of whom could adversely affect our business.
We believe that our success is substantially dependent on our ability to attract, retain and motivate the members of our management team and other key employees throughout our organization. Although we have entered into employment agreements with our leadership team, our employees, including our executive officers, work for us on an “at-will” basis, which means they may terminate their employment with us at any time. In particular, we depend on the services of Stu Sjouwerman, our founder and Chief Executive Officer, who is critical to our future vision and strategic direction. We rely on our leadership team in the areas of research and development, operations, security, marketing, sales, customer support and general and administrative functions. If Mr. Sjouwerman or one or more of our key employees or members of our management team resigns or otherwise ceases to provide us with their service, and if we fail to have in place and execute an effective succession plan for key executives, our business could be harmed.
In addition, because our future success is dependent on our ability to continue to refresh and enhance our library of differentiated security awareness content and expand our platform features, we are heavily dependent on our ability to attract and retain qualified personnel with the requisite background and industry experience to drive content creation and product development. As we expand our business domestically and globally, our continued success will also depend on our ability to attract and retain qualified content development personnel capable of creating localized, culturally relevant security awareness content, as well as to attract and retain qualified sales, marketing and operational personnel capable of supporting a larger and more diverse customer base. The loss of the services of a significant number of our content, technology or sales personnel could be disruptive to our content and product development efforts, which could harm our ability to retain existing customers and to expand our global customer base.
The nature of our business requires the application of complex accounting rules, including revenue and expense recognition rules, and any significant changes in current rules, or interpretations thereof, could affect our financial statements and results of operations.
The accounting rules and regulations that we must comply with are complex and subject to interpretation by the Financial Accounting Standards Board, or the FASB, the Securities and Exchange Commission, or the SEC, and various bodies formed to promulgate and interpret appropriate accounting principles. Recent actions and public
24

comments from the FASB and the SEC have been focused on the integrity of financial reporting and internal controls over financial reporting. Many companies’ accounting policies and practices are being subject to heightened scrutiny by regulators and the public. In addition, the accounting rules and regulations are continually changing in ways that could materially impact our financial statements. We cannot predict the impact of future changes to accounting principles or our accounting policies on our financial statements going forward, which could significantly affect our reported financial results and could affect the reporting of transactions completed before the announcement of the change. Further, if we were to change our critical accounting estimates, our results of operations could be significantly affected.
Any future litigation against us could be costly and time-consuming to defend.
We may become subject to legal proceedings and claims that arise in the ordinary course of business, such as claims brought by our customers in connection with commercial disputes or employment claims made by our current or former employees. Litigation might result in substantial costs and may divert management’s attention and resources, which might seriously harm our business, financial condition and results of operations. Insurance might not cover such claims, might not provide sufficient payments to cover all the costs to resolve one or more such claims and might not continue to be available on terms acceptable to us (including premium increases or the imposition of large deductible or co-insurance requirements). A claim brought against us that is uninsured or underinsured could result in unanticipated costs, potentially harming our business, financial position and results of operations. In addition, we cannot be sure that our existing insurance coverage and coverage for errors and omissions will continue to be available on acceptable terms or that our insurers will not deny coverage as to any future claim.
Acquisitions, strategic investments, partnerships, or alliances could be difficult to identify, pose integration challenges, divert the attention of management, disrupt our business, dilute stockholder value, and adversely affect our business, financial condition and results of operations.
We have in the past and may in the future seek to acquire or invest in businesses, joint ventures, products and platform capabilities, or technologies that we believe could complement or expand our platform and product offerings, enhance our technical capabilities, or otherwise offer growth opportunities. Any such acquisition or investment may divert the attention of management and cause us to incur various expenses in identifying, investigating and pursuing suitable opportunities, whether or not the transactions are completed, and may result in unforeseen operating difficulties and expenditures. Specifically, we may encounter difficulties integrating the businesses, technologies, platform and product capabilities, or operations of any acquired companies, particularly if the key personnel of an acquired company choose not to work for us, their software is not easily adapted to work with our platform, or we have difficulty retaining the customers of any acquired business due to changes in ownership, management or otherwise. Additionally, any such transactions that we are able to complete may not result in the synergies or other benefits we had expected to achieve, which could result in impairment charges that could be substantial. In addition, we may not be able to find and identify desirable acquisition targets or business opportunities or be successful in entering into an agreement with any particular strategic partner. These transactions could also result in dilutive issuances of equity securities or the incurrence of debt, which could adversely affect our results of operations. In addition, if the resulting business from such a transaction fails to meet our expectations, our business, financial condition and results of operations may be adversely affected or we may be exposed to unknown risks or liabilities.
We may need to raise additional capital to expand our operations and invest in new products, which capital may not be available on terms acceptable to us, or at all, and which could reduce our ability to compete and could harm our business.
While we expect that our existing cash and cash equivalents, cash provided by operating activities, available borrowings under our revolving line of credit, and unbilled amounts related to contracted non-cancelable subscription agreements, which are not reflected on the balance sheet, will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months, retaining or expanding our current levels of personnel and product offerings may require additional funds. Our failure to raise additional capital or generate the significant capital necessary to expand our operations, invest in new products or acquire complementary
25

businesses and technologies could reduce our ability to compete and could harm our business. Accordingly, we may need to engage in additional equity or debt financings to secure additional funds. If we raise additional equity financing, our stockholders may experience significant dilution of their ownership interests and the market price of our Class A common stock could decline. If we engage in debt financing, the holders of debt may have priority over the holders of our Class A common stock, and we may be required to accept terms that restrict our operations or our ability to incur additional indebtedness or to take other actions that would otherwise be in the interests of the debt holders. Any of the above could harm our business, financial condition and results of operations.
Our Revolving Credit Facility contains financial covenants and other restrictions on our actions that may limit our operational flexibility or otherwise adversely affect our results of operations.
The terms of our Revolving Credit Facility include a number of covenants that limit our ability and our subsidiaries’ ability to, among other things, incur additional indebtedness, grant liens, merge or consolidate with other companies or sell substantially all of our assets, pay dividends, make redemptions and repurchases of stock, make investments, loans and acquisitions, or engage in transactions with affiliates. These terms may restrict our current and future operations and could adversely affect our ability to finance our future operations or capital needs. In addition, complying with these covenants may make it more difficult for us to successfully execute our business strategy, including potential acquisitions, and compete against companies which are not subject to such restrictions.
A failure by us to comply with the covenants or payment requirements specified in our credit agreement could result in an event of default under the agreement, which would give the lenders the right to terminate their commitments to provide additional loans and to declare all borrowings outstanding, together with accrued and unpaid interest and fees, to be immediately due and payable. If debt under our Revolving Credit Facility were to be accelerated, we may not have sufficient cash or be able to borrow sufficient funds to refinance the debt or sell sufficient assets to repay the debt, which could immediately adversely affect our business, cash flows, results of operations, and financial condition. As of December 31, 2021, there were no amounts outstanding under the Revolving Credit Facility.
If we fail to enhance our brand cost-effectively, our ability to expand our customer base will be impaired and our business, financial condition and results of operations may suffer.
We believe that developing and maintaining awareness of our brand in a cost-effective manner is critical to achieving widespread acceptance of our existing and future products and is an important element in attracting new customers. Furthermore, we believe that the importance of brand recognition will increase as competition in our market increases. Successful promotion of our brand will depend largely on the effectiveness of our marketing efforts and on our ability to provide reliable and useful products at competitive prices. In the past, our efforts to build our brand have involved significant expenses. Brand promotion activities may not yield increased revenue, and even if they do, any increased revenue may not offset the expenses we incur in building our brand. If we fail to successfully promote and maintain our brand, or incur substantial expenses in an unsuccessful attempt to promote and maintain our brand, we may fail to attract new customers or retain our existing customers to the extent necessary to realize a sufficient return on our brand-building efforts, and our business, financial condition and results of operations could suffer.
If we cannot maintain our company culture as we grow, we could lose the innovation, teamwork, passion and focus on execution that we believe contribute to our success and our business may be harmed.
We believe that our corporate culture has been a contributor to our success, which we believe fosters innovation, teamwork, passion and focus on building and marketing our platform and products. As we grow and develop the infrastructure of a public company, we may find it difficult to maintain our corporate culture. Any failure to preserve our culture could harm our future success, including our ability to retain and recruit personnel, innovate and operate effectively, attract new customers, retain existing customers and execute on our business strategy. Additionally, our productivity and the quality of our products may be adversely affected if we do not integrate and train our new employees quickly and effectively. Any of these effects could adversely affect our business, financial condition and results of operations.
Risks Related to Our Platform and Products
26

If we are not able to develop or acquire new products and/or provide successful updates, enhancements and features to our technology, our business, financial condition and results of operations could be adversely affected.
Our industry is marked by rapid technological developments and demand for new and enhanced products and features to address the evolving risks associated with social engineering. In particular, cybersecurity threats are becoming increasingly sophisticated and responsive to the new security measures designed to thwart them. If we fail to update our products, through internal development or acquisition, to address such threats, our business and reputation will suffer. Our ability to increase revenue depends in large part on our ability to develop compelling new products to sell to new customers and to cross-sell and upsell to our existing customer base. To do so, we must continue to invest in our technology and platform in order to create new adjacencies and use cases. The success of any new product developments, enhancements, or features that we introduce depends on several factors, including the timely completion, introduction and market acceptance of such enhancements, features or products and integration with our existing platform and products.
We may not be successful in either developing these modifications and enhancements or in bringing them to market in a timely fashion. Furthermore, modifications to existing technologies will increase our research and development expenses. If we are unable to successfully enhance our existing products to meet customer requirements, increase adoption and usage of our products or develop new products, enhancements and features, our business, financial condition and results of operations will be harmed.
Interruptions or delays in the services provided by third-party data centers or internet service providers could impair the delivery of our platform and products, expose us to litigation and negatively impact our relationships with customers, adversely affecting our business.
We host our platform using Amazon Web Services, or AWS, data centers, a provider of cloud infrastructure services, and, therefore, we are vulnerable to service interruptions at AWS, which could impact the ability of our customers to access our platform. All of our products reside on hardware in these locations. Our operations depend on protecting the virtual cloud infrastructure hosted in AWS by maintaining its configuration, architecture and interconnection specifications, as well as the information stored in these virtual data centers, which third-party internet service providers transmit. Although we have disaster recovery plans that utilize multiple AWS locations, any incident affecting their infrastructure that may be caused by fire, flood, severe storm, earthquake, power loss, telecommunications failures, unauthorized intrusion, computer viruses and disabling devices, hacking and other security attacks, natural disasters, war, criminal acts, military actions, terrorist attacks and other similar events beyond our control could negatively affect the security or availability of our platform and products. A prolonged AWS service disruption affecting our platform and products for any reason could damage our reputation with current and potential customers, expose us to liability, cause us to lose customers or otherwise harm our business. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the AWS services we use.
AWS enables us to order and reserve server capacity in varying amounts and sizes distributed across multiple regions. AWS provides us with computing and storage capacity pursuant to an agreement that continues until terminated by either party. AWS may terminate the agreement by providing 30 days prior written notice and may, in some cases, terminate the agreement immediately for cause upon notice. In addition, the failure of AWS data centers or third-party internet service providers to meet our capacity requirements could result in interruptions or delays in access to our platform and products or impede our ability to scale our operations. In the event that our AWS service agreements are terminated, or there is a lapse of service, interruption of internet service provider connectivity or damage to such facilities, we could experience interruptions in access to our platform and products as well as delays and additional expense in arranging new facilities and services.
27

If our platform and products fail to perform properly, our reputation could be adversely affected and our market share could decline, which could have a material adverse effect on our business, financial condition and results of operations.
Our platform and products are inherently complex and may contain material defects or errors. In the future we may experience website disruptions, outages and other performance problems. These problems may be caused by a variety of factors, including infrastructure changes, human or software errors or negligence, viruses, hacking and other security attacks, fraud, increased resource consumption from expansion or modification to our code and spikes in customer usage. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time. If we do not accurately predict our infrastructure requirements, our existing customers may experience service outages and our operations infrastructure may fail to keep pace with increased sales, causing new customers to experience delays. We provide service level commitments under our customer contracts, under which we guarantee specified availability of our platform and products. If we fail to meet these contractual commitments, we could be obligated to provide credits for future service, or face contract termination with refunds of prepaid amounts related to unused subscriptions, which could harm our business, financial condition and results of operations. In light of our historical experience with meeting our service level commitments, we do not currently have any material liabilities accrued on our balance sheet for these commitments. Additionally, any defects in functionality or that cause interruptions in the availability of our platform and products could result in:
loss or delayed market acceptance and sales;
breach of warranty or other contractual claims for damages incurred by customers;
loss of customers;
diversion of development and customer service resources; and
injury to our reputation;
any of which could have a material adverse effect on our business, financial condition and results of operations. In addition, the costs incurred in correcting any material defects or errors might be substantial.

Risks Related to Our Intellectual Property
Our results of operations may be harmed if we are subject to a protracted infringement claim or a claim that results in a significant damage award.
A key tenet of our security awareness platform and products is the ability for our customers to perform simulated social engineering attacks on their users as part of our comprehensive training program. These social engineering attacks, typically in the form of simulated phishing emails, often use actual third-party names, logos, marks and other content in order to enhance the effectiveness of the simulation. Although we do not believe that the use of such names, logos, marks and other content for our customers’ internal training purposes infringes upon the trademark rights or other intellectual property rights of others, some third parties have objected to such use in our training program. These third parties have sent requests or demands to remove their names, logos, marks and other content from our platform and products, alleging that such use infringes upon their trademark rights and copyrights, creates actionable claims under state law or causes consumer confusion resulting in harm to their goodwill or reputation.

From time to time, we also register domain names containing typos, third-party names or marks, or variations thereof, to be used in connection with our simulated phishing emails. We register these domain names to serve a limited and specific purpose, and similar to the above-referenced simulated phishing emails, we do not believe that the limited manner and purpose in which any such third-party names, marks and other content are used in the registered domain names infringes upon their trademark rights or intellectual property rights. Some third parties
28

have, however, sent a privacy service request or initiated a proceeding to cease use of and/or transfer the domain containing their name, mark or variations thereof, including intentional typos, that have been resolved. To date, we have taken a case-by-case approach and worked to resolve all brand-owner demands directly with the individual brand owners. Nonetheless, there is no assurance that legal actions will not result in the future from objecting brand owners.
Additionally, as our presence in the market expands, we may experience such requests or demands with increasing frequency. Any legal action, regardless of their merit, may: require us to expend significant financial resources and attention of management and other personnel; result in injunctions against us that prevent us from using third-party names, logos, marks and other content on our platform and products; or require us to pay monetary fees to third parties; and/or require transfer of the domain name registrations.
Furthermore, because any legal action would likely involve novel questions of law regarding simulated phishing activities for which there is very little or no precedent to date, and, because the outcomes of any such actions may depend on questions of laws that vary from state to state, the outcomes of any such legal actions are uncertain and may ultimately vary widely based on the jurisdictions in which actions are brought. Any such outcomes may adversely impact our relationship with our customers, including prompting them to discontinue their business relationship with us. From time to time, third parties have asserted, or may assert, claims of infringement, misappropriation or other violations of intellectual property rights against us or our customers, with whom our agreements may obligate us to indemnify against these claims. Successful claims of infringement by a third party may prevent us from offering certain products or features, or require us to develop alternate non-infringing technology, which may require significant time, during which we may be: unable to continue offering the affected products or solutions; required to obtain a license that may not be available on reasonable terms, or at all; or forced to pay substantial damages, royalties, or other fees. The occurrence of any of these results may also materially adversely affect our business, financial condition and results of operations.
If we fail to adequately protect our proprietary rights, our competitive position could be impaired and we may lose valuable assets, generate reduced revenue and incur costly litigation to protect our rights.
Our success is dependent, in part, upon protecting our proprietary information and technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws and contractual restrictions to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Despite the precautions we have implemented, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products that compete with ours. Some license provisions protecting against unauthorized use, copying, transfer and disclosure of our products may be unenforceable under the laws of certain jurisdictions and foreign countries. Further, the laws of some countries do not protect proprietary rights to the same extent as the laws of the United States or the mechanisms for enforcement of intellectual property rights in some foreign countries may be inadequate. To the extent we expand our international activities, our exposure to the unauthorized use of our products and proprietary information may increase. Accordingly, despite our efforts, we may be unable to prevent third parties from infringing upon or misappropriating our technology and intellectual property.
We rely in part on trade secrets, proprietary know-how and other confidential information to maintain our competitive position. Although we enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with the parties with whom we have strategic relationships and business alliances, no assurance can be given that these agreements will be effective in controlling access to, and distribution of, our products and proprietary information. Further, these agreements do not prevent our competitors from independently developing technologies that may be substantially equivalent or superior to our products.
To protect our intellectual property rights, we may be required to spend significant resources to monitor and protect these rights. Litigation may be necessary in the future to enforce our intellectual property rights and to protect our trade secrets. Such litigation may be costly, time consuming and distracting to management and may result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our
29

intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, may delay further sales, introductions of new products or implementation of existing products; may impair the functionality of our products; or may result in our substituting inferior or more costly technologies into our products that may injure our reputation. In addition, we may be required to license additional technology from third parties to develop and market new products, and we cannot assure customers we will be able to license that technology on commercially reasonable terms, or at all, and our inability to license this technology may harm our ability to compete.
We use open source software in our products, which could negatively affect our ability to offer our products and subject us to litigation or other actions.
We use open source software in our products and may use more open source software in the future. From time to time, there have been claims challenging the ownership of open source software against companies that incorporate open source software into their products. However, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses may be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our products. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open source software. Litigation could be costly for us to defend, potentially resulting in negative effects on our business, financial condition and results of operations or require us to devote additional research and development resources to change our products. In addition, if we were to combine our proprietary software products with certain open source software in a certain manner, we may, under their specific terms and conditions, be required to release the source code of our proprietary software to the public. This would allow our competitors to create similar products with less development effort and time. If we inappropriately use open source software, or if the license terms for open source software that we use should change, we may be required to re-engineer our products, incur additional costs, discontinue the sale of some or all of our products or take other remedial actions.
In addition to risks related to open source software license requirements, usage of open source software may lead to greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or assurances of title or controls as to the origin of the software. Many of the risks associated with usage of open source software, such as the lack of warranties or assurances of title, cannot be eliminated, and could, if not properly addressed, negatively affect our business. We have established processes to help alleviate these risks, including a review process for screening requests from our development organizations for the use of open source software, but we cannot guarantee that all of our use of open source software is in a manner that is consistent with our current policies and procedures, or will not subject us to liability.
We incorporate technology from third parties into our platform and products, and our inability to obtain or maintain rights to the technology could harm our business.
We license software and other technology from third parties that incorporate into, or integrate with, our platform and products. We cannot be certain that our licensors are not infringing on the intellectual property rights of third parties or that our licensors have sufficient rights to the licensed intellectual property in all jurisdictions in which we may offer our platform and products. In addition, many licenses are non-exclusive, and therefore our competitors may have access to the same technology licensed to us. Some of our agreements with our licensors may be terminated for convenience by them, or otherwise provide for a limited term. If we are unable to continue to license any of this technology for any reason, our ability to develop and offer our platform and products containing such technology may be negatively impacted. Similarly, if we are unable to license necessary technology from third parties now or in the future, we may be forced to acquire or develop an alternative technology, which we may be unable to do in a commercially feasible manner, or at all, and we may be required to use alternative technology of lower quality or performance standards. This may limit or delay our ability to offer new or competitive products and increase our costs of production. As a result, our business and results of operations may be significantly harmed. Additionally, as part of our longer-term strategy, we plan to open our platform and products to third-party developers and applications to further extend their functionality. We cannot be certain that such efforts to grow our business will be successful.
30

Risks Related to Governmental Regulations and Taxation
Complying with evolving privacy and other data related laws and requirements may be expensive and force us to make adverse changes to our business, and failure to comply with such laws and requirements could result in substantial harm to our business.
Laws and regulations governing data privacy and protection, information security, the use of the Internet as a commercial medium, the use of data in artificial intelligence and machine learning and data sovereignty requirements are rapidly evolving, extensive, complex and include inconsistencies and uncertainties. Examples of recent and anticipated developments that have or could impact our business include the following:
The General Data Protection Regulation, or GDPR, took effect in May 2018 and established several requirements applicable to the handling of personal data of individuals in the European Economic Area, or EEA. The GDPR is wide-ranging in scope and imposes numerous requirements on companies that process personal data, including imposing accountability obligations requiring data controllers and processors to maintain a record of their data processing and implement policies and procedures as part of its mandated privacy governance framework. It also requires data controllers to be transparent and disclose to data subjects how their personal data will be used; establishes rights for individuals with respect to their personal data, including rights of access and deletion in certain circumstances; imposes limitations on retention of personal data; establishes data breach notification requirements; and sets standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities.
The GDPR and substantially equivalent legislation in the United Kingdom, or UK, also imposes strict rules applied to the transfer of personal data out of the EEA, Switzerland and the UK to third countries deemed to lack adequate privacy protections (including the United States), unless an appropriate safeguard is implemented, such as the Standard Contractual Clauses, or SCCs, approved by the European Commission, or a derogation applies. The Court of Justice of the European Union, or CJEU, deemed the SCCs valid in July 2020. However, the CJEU ruled that transfers made pursuant to the SCCs and other alternative transfer mechanisms must be analyzed on a case-by-case basis to ensure European Union, or EU, standards of data protection are met in the jurisdiction where the data importer is based, and concerns remain about the potential for the SCCs and other mechanisms to face additional challenges. European regulators have issued guidance following the CJEU ruling that imposes significant new requirements on transferring data outside the EEA and Switzerland, including under an approved transfer mechanism. On June 4, 2021, the European Commission issued new SCCs that account for the CJEU’s decision and other developments, which need to be put in place for new contracts involving the transfer of personal data from the EEA and Switzerland to a third country as of September 27, 2021. Complying with these obligations and applicable guidance could be expensive and time consuming, may require us to modify our data handling policies and procedures and undertake additional measures, including new contractual negotiations, and may ultimately prevent or restrict us from transferring personal data outside the EEA and the UK, which could cause significant business disruption.
The EU has proposed the Regulation on Privacy and Electronic Communications, or ePrivacy Regulation, which, if adopted, would impose new obligations on the use of personal data in the context of electronic communications, particularly with respect to online tracking technologies and direct marketing.
In January 2020, the UK formally left the EU. The UK’s withdrawal from the EU, commonly referred to as “Brexit,” became effective December 31, 2020. The UK has implemented legislation that implements and complements the GDPR, and which provides for the implementation of GDPR requirements, including those related to cross-border data transfer. In June 2021, the European Commission announced a decision of “adequacy” concluding that the UK ensures an equivalent level of data protection to the GDPR, which provides some relief regarding the legality of continued personal data flows from the EEA to the UK. Some uncertainty remains, however, as this adequacy determination must be renewed after four years and may be modified or revoked in the interim. Further, on February 2, 2022, the UK’s Information Commissioner’s Office issued new standard contractual clauses to support personal data transfers out of the UK. If approved by the UK Parliament, these standard contractual clauses will become effective March 21, 2022. We cannot
31

predict how UK data protection laws or regulations may develop in the longer term, including those relating to data transfers. We may be required to take steps to ensure the lawfulness of our data transfers and otherwise to address UK data protection law.
In January 2020, the California Consumer Privacy Act, or CCPA, took effect, providing California residents increased privacy rights and protections, including the ability to opt out of sales of their personal information. The CCPA went into effect in January 2020 and became enforceable by the California Attorney General in July 2020. Among other things, the CCPA requires covered companies to provide new disclosures to California consumers and afford such consumers new rights with respect to their personal information, including the right to request deletion of their personal information, the right to receive the personal information on record for them, the right to know what categories of personal information generally are maintained about them, as well as the right to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action may increase the likelihood of, and risks associated with, data breach litigation.
California voters also approved a new privacy law, the California Privacy Rights Act, or CPRA, in the November 3, 2020 election. Effective January 1, 2023, the CPRA imposes additional obligations on covered companies and will significantly modify the CCPA, including by expanding consumers’ rights with respect to certain sensitive personal information. The CPRA also creates a new state agency that will have authority to implement and enforce the CCPA and the CPRA. The effects of the CCPA and the CPRA are significant. They increase our potential exposure to regulatory enforcement and/or litigation and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply. Other U.S. states are considering, and in certain cases have adopted, similar laws. For example, in March 2021, Virginia enacted the Virginia Consumer Data Protection Act, and in July 2021, Colorado enacted the Colorado Privacy Act. These both are comprehensive privacy statutes that will become effective in 2023 and share similarities with the CCPA, the CPRA and legislation proposed in other states. Recently proposed and enacted state privacy legislation beyond the CCPA and CPRA may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies.
Global governments are considering implementing regulations that would restrict cross-border data processing. Additionally, global governments are considering regulating artificial intelligence, machine learning and other technologies. These and other similar legal and regulatory developments could contribute to legal and economic uncertainty, affect how we design, market, sell and operate our platform and products, how our customers process and share data, how we process, transfer and use data, which could negatively impact demand for our platform and products. We may incur substantial costs to comply with such laws and regulations, to meet the demands of our customers relating to their own compliance with applicable laws and regulations and to establish and maintain internal policies, self-certifications, and third-party certifications supporting our compliance programs. Our customers may bind us to certain obligations pursuant to the GDPR or other laws or regulations relating to privacy, data protection or information security, and we may be or become bound by other contractual obligations relating to privacy, data protection or information security. We may be required to expend substantial resources to comply with these obligations. In addition, any actual or perceived non-compliance with applicable laws, regulations, policies, certifications or contractual or other actual or asserted obligations could result in proceedings, investigations or claims against us by regulatory authorities, customers or others, leading to reputational harm, significant fines, litigation costs and damages. For example, if regulators assert that we have failed to comply with the GDPR or the UK’s legislation implementing the GDPR, we may be subject to fines of up to EUR 20 million (or GBP 17.5 million) or 4% of our worldwide annual revenue, whichever is greater, as well as potential data processing restrictions. Authorities have shown a willingness to impose significant fines and issue orders preventing the processing of personal data on non-compliant businesses. Moreover, individuals can claim damages resulting from infringement of the GDPR and other European and UK data protection laws. The GDPR also introduces the right for non-profit organizations to bring claims on behalf of data subjects. In addition to the foregoing, an actual or alleged
32

breach of the GDPR or other applicable laws, regulations or other actual or asserted obligations related to privacy, data protection or information security could result in regulatory investigations, reputational damage, orders to change our use of data, enforcement notices, or potential civil claims including class action type litigation. All of these impacts could have a material adverse effect on our business, financial condition and results of operations.
We publish privacy policies and other documentation regarding our collection, processing, use and disclosure of personal information, credit card information or other confidential information. Although we endeavor to comply with applicable laws and regulations relating to privacy, data protection, and information security, and our related policies, certifications, representations and documentation, we may at times fail to do so or may be perceived to have failed to do so. Moreover, despite our efforts, we may not be successful in achieving or maintaining compliance if our employees or service providers fail to comply with our policies, certifications, representations and documentation. Such actual or perceived failures can subject us to potential claims, litigation and international, local, state and federal action if they are found or alleged to be deceptive, unfair or to misrepresent our actual practices.
We also collect information about cyber threats from open sources, intermediaries and third parties that we make available to our customers in our industry publications. While we have implemented certain procedures to facilitate compliance with applicable laws and regulations in connection with the collection of this information, we cannot assure you that these procedures have been effective or that we, or third parties, many of whom we do not control, have complied with all laws or regulations in this regard. Failure by our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties to comply with applicable laws and regulations in the collection of this information also could have negative consequences to us, including reputational harm, government investigations and penalties. Although we take precautions to prevent our information collection practices and services from being provided in violation of such laws, our information collection practices and services may have been in the past, and could in the future be, provided in violation of such laws.
We are subject to laws and regulations, including governmental export and import controls, sanctions, anti-boycott regulations and anti-corruption laws that could impair our ability to compete in our markets and subject us to liability if we are not in full compliance with applicable laws.
We are subject to laws and regulations, including governmental export controls, that could subject us to liability or impair our ability to compete in our markets. Our products are subject to U.S. export controls, including the U.S. Department of Commerce’s Export Administration Regulations, and we and our employees, representatives, contractors, agents, intermediaries and other third parties are also subject to various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control. Furthermore, U.S. export control laws and economic sanctions prohibit the export and provision of certain cloud-based solutions to, and other transactions and dealings with, countries, governments, entities and persons targeted by U.S. sanctions.
In connection with our March 1, 2021 acquisition of MediaPro Holdings, LLC, we identified potential violations related to limited dealings by MediaPro Holdings, LLC in 2016 with Sudatel, a Sudanese telecommunications and internet service provider. As a condition of closing, MediaPro Holdings, LLC filed voluntary self-disclosures with the Office of Foreign Assets Control (“OFAC”) and the Office of Antiboycott Compliance (“OAC”). OFAC issued us a cautionary letter but did not pursue any penalties or take enforcement action. As of the date of this Annual Report on Form 10-K, the OAC case is pending. Although we have technical controls, policies and procedures in place designed to ensure our compliance, there is no guarantee that we will not inadvertently provide our products and services, including our publicly available online free tools, to persons targeted by U.S. sanctions, despite our reasonable efforts to prevent it.
If we or our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties fail to comply with these laws and regulations, we could be subject to civil or criminal penalties, including the possible loss of export privileges and fines. We may also be adversely affected through reputational harm, loss of access to certain markets, government investigations or otherwise. Obtaining the necessary authorizations including any required license for a particular transaction may be time-consuming, is not guaranteed and may result in the delay or loss of sales opportunities.
Various countries regulate the export and import of certain encryption technology, including through export and import permit and license requirements, and have enacted laws that could limit our ability to distribute our products
33

or could limit our customers’ ability to implement our products in those countries. Changes in our products or changes in export and import regulations may create delays in the introduction of our products into international markets, prevent our customers with international operations from deploying our products globally or, in some cases, prevent the export or import of our products to certain countries, governments, entities or persons altogether. Any change in export or import regulations, economic sanctions or related legislation, shift in the enforcement or scope of existing regulations or change in the countries, governments, entities or persons or technologies targeted by such regulations could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Any decreased use of our products or limitation on our ability to export or sell our products would likely adversely affect our business, financial condition and results of operations.
We are also subject to the FCPA, Bribery Act and other anti-corruption, anti-bribery, anti-money laundering and similar laws in the United States and other countries in which we conduct activities. Anti-corruption and anti-bribery laws, which have been enforced aggressively and are interpreted broadly, prohibit companies and their employees, agents, intermediaries and other third parties from promising, authorizing, making or offering improper payments or other benefits to government officials and others in the private sector. We leverage third parties, including intermediaries, agents and channel partners, to conduct our business in the United States and abroad to sell subscriptions to our products and to collect information about cyber threats. We and these third parties may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and we may be held liable for the corrupt or other illegal activities of these third-party business partners and intermediaries, our employees, representatives, contractors, channel partners, agents, intermediaries and other third parties, even if we do not explicitly authorize such activities. While we have policies and procedures to address compliance with the FCPA, Bribery Act and other anti-corruption, sanctions, anti-bribery, anti-money laundering and similar laws, we cannot assure you that they will be effective, or that all of our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties have taken, or will not take, actions in violation of our policies and applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, our risks under these laws may increase. Noncompliance with these laws could subject us to investigations, severe criminal or civil sanctions, settlements, prosecution, loss of export privileges, suspension or debarment from U.S. government contracts, other enforcement actions, disgorgement of profits, significant fines, damages, other civil and criminal penalties or injunctions, whistleblower complaints, adverse media coverage and other consequences. Any investigations, actions or sanctions could harm our reputation, business, financial condition and results of operations.
Failure to comply with laws and regulations applicable to our business could subject us to fines and penalties.
Our business is subject to regulation by various federal, state, local and foreign governmental agencies, including, but not limited to, agencies responsible for monitoring and enforcing privacy, data protection and information security laws and regulations, employment and labor laws, workplace safety, product safety, environmental laws, consumer protection laws, anti-bribery laws, import and export controls, economic sanctions, federal securities laws and tax laws and regulations. In certain jurisdictions, these regulatory requirements may be more stringent than in the United States. Actual or alleged noncompliance by us, our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties with applicable regulations or requirements could subject us to:
investigations, enforcement actions and sanctions;
mandatory changes to our platform, products or business practices;
disgorgement of profits, fines and damages;
civil and criminal penalties or injunctions;
claims for damages by our customers or channel partners;
termination of contracts;
34

loss of intellectual property rights; and
temporary or permanent debarment from sales to government organizations.
In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. If any governmental sanctions or enforcement actions are imposed, or if we do not prevail in any possible civil or criminal litigation, our business, financial condition and results of operations could be adversely affected.
In addition, we endeavor to properly classify employees as exempt versus non-exempt under applicable law. Although there are no pending or threatened material claims or investigations against us asserting that some employees are improperly classified as exempt, the possibility exists that some of our current or former employees could have been incorrectly classified as exempt employees.
Sales to government entities are subject to a number of challenges and risks.
A number of our customers are U.S., state or foreign government entities. Such entities may demand contract terms that are less favorable than standard arrangements with private sector customers and may have statutory, contractual or other legal rights to terminate contracts with us or our partners for convenience or for other reasons. Generally, the laws, regulations and policies that govern our ability to contract with government customers impose added costs on our business, and failure by us, our employees, representatives, contractors, channel partners, agents, intermediaries or other third parties to comply with applicable regulations and requirements could lead to claims for damages, penalties, termination of contracts, loss of exclusive rights in our intellectual property and temporary suspension or permanent debarment from government contracting. Any such damages, penalties, disruptions or limitations in our ability to do business with the public sector could result in reduced sales of our products, reputational damage, penalties and other sanctions, any of which could harm our reputation, business, financial condition and results of operations.
In addition, as a vendor for government entities, we must comply with laws, regulations and policies governing such governmental bodies, including those related to their cybersecurity practices. For example, the State of California Office of Information Security Phishing Exercise Standard (SIMM 5320-A), released in October 2020, established specific requirements for California state entities and agencies to coordinate phishing exercises with the California Department of Technology Office of Information Security and the California Cybersecurity Integration Center and other requirements for execution. Other states and jurisdictions may adopt versions of this standard or consider other new cybersecurity or data protection measures in the future, imposing additional compliance burdens on us and our customers.
Delaware law and provisions in our amended and restated certificate of incorporation and amended and restated bylaws could make a merger, tender offer or proxy contest difficult, thereby depressing the market price of our Class A common stock.
Our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that may make the acquisition of our company more difficult, including the following:
our board of directors is classified into three classes of directors with staggered three-year terms, and directors are only able to be removed from office for cause;
certain amendments to our amended and restated certificate of incorporation require the approval of at least 66-2/3% of the voting power of the outstanding shares of our stock entitled to vote generally in the election of directors, voting together as a single class;
our dual class common stock structure provides pre-IPO stockholders with the ability to significantly influence the outcome of matters requiring stockholder approval, even if they own significantly less than a majority of the shares of our outstanding capital stock;
our stockholders are only able to take action at a meeting of stockholders and are not able to take action by written consent for any matter;
35

our amended and restated certificate of incorporation does not provide for cumulative voting;
vacancies on our board of directors may be filled only by our board of directors and not by stockholders;
a special meeting of our stockholders may only be called by the chairperson of our board of directors, our Chief Executive Officer or a majority of our board of directors;
certain litigation against us can only be brought in Delaware;
our amended and restated certificate of incorporation authorizes undesignated preferred stock, the terms of which may be established and shares of which may be issued without further action by our stockholders; and
advance notice procedures apply for stockholders to nominate candidates for election as directors or to bring matters before an annual meeting of stockholders.
In addition, while we have opted out of Section 203 of the Delaware General Corporation Law, or the DGCL, our amended and restated certificate of incorporation contains similar provisions providing that we may not engage in certain “business combinations” with any “interested stockholder” for a three year period following the time that the stockholder became an interested stockholder, unless:
prior to such time, our board of directors approved either the business combination or the transaction that resulted in the stockholder becoming an interested stockholder;
upon consummation of the transaction that resulted in the stockholder becoming an interested stockholder, the interested stockholder owned at least 85% of the votes of our voting stock outstanding at the time the transaction commenced, excluding certain shares; or
at or subsequent to that time, the business combination is approved by our board of directors and by the affirmative vote of holders of at least 66-2/3% of the votes of our outstanding voting stock that is not owned by the interested stockholder.
Generally, a “business combination” includes a merger, asset or stock sale or other transaction resulting in a financial benefit to the interested stockholder. Subject to certain exceptions, an “interested stockholder” is a person who, together with that person’s affiliates and associates, owns, or within the previous three years owned, 15% or more of the votes of our outstanding voting stock. For purposes of this provision, “voting stock” means any class or series of stock entitled to vote generally in the election of directors. Our amended and restated certificate of incorporation provides that any interested stockholder who became an interested stockholder prior to our IPO and Mr. Sjouwerman and any of their respective direct or indirect designated transferees (other than in certain market transfers and gifts) and any group of which such persons are a party do not constitute “interested stockholders” for purposes of this provision.
Under certain circumstances, this provision will make it more difficult for a person who would be an “interested stockholder” to effect various business combinations with our company for a three year period. This provision may encourage companies interested in acquiring us to negotiate in advance with our board of directors because the stockholder approval requirement would be avoided if our board of directors approves either the business combination or the transaction that results in the stockholder becoming an interested stockholder. These provisions also may have the effect of preventing changes in our board of directors and may make it more difficult to accomplish transactions that stockholders may otherwise deem to be in their best interests.
These provisions, alone or together, could discourage, delay or prevent a transaction involving a change in control of our company. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors of their choosing and to cause us to take other corporate actions they desire, any of which, under certain circumstances, could limit the opportunity for our stockholders to receive a premium for their shares of our Class A common stock, and could also affect the price that some investors are willing to pay for our Class A common stock.
36

Our amended and restated bylaws designate a state or federal court located within the State of Delaware and the federal district courts of the United States as the exclusive forum for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to choose the judicial forum for disputes with us or our directors, officers or employees.
Our amended and restated bylaws provide that, unless we consent in writing to the selection of an alternative forum, to the fullest extent permitted by law, the sole and exclusive forum for (i) any derivative action or proceeding brought on our behalf, (ii) any action asserting a claim of breach of a fiduciary duty owed by any of our directors, officers or other employees to us or our stockholders, (iii) any action arising pursuant to any provision of the Delaware General Corporation Law, our amended and restated certificate of incorporation or our amended and restated bylaws, or (iv) any other action asserting a claim that is governed by the internal affairs doctrine shall be the Court of Chancery of the State of Delaware (or, if the Court of Chancery does not have jurisdiction, the federal district court for the District of Delaware), in all cases subject to the court having jurisdiction over indispensable parties named as defendants. Our amended and restated bylaws further provide that the federal district courts of the United States will be the exclusive forum for resolving any complaints asserting a cause of action arising under the Securities Act of 1933, as amended, or the Securities Act.
Any person or entity purchasing or otherwise acquiring any interest in any of our securities shall be deemed to have notice of and consented to this provision. This exclusive forum provision may limit a stockholder’s ability to bring a claim in a judicial forum of its choosing for disputes with us or our directors, officers or other employees, which may discourage lawsuits against us and our directors, officers and other employees. This exclusive forum provision will not apply to any causes of action arising under the Securities Act or the Exchange Act or any other claim for which the federal courts have exclusive jurisdiction. Further, the enforceability of similar choice of forum provisions in other companies’ charter documents has been challenged in legal proceedings, and it is possible that a court could find these types of provisions to be inapplicable or unenforceable. For example, the Court of Chancery of the State of Delaware recently determined that a provision stating that U.S. federal district courts are the exclusive forum for resolving any complaint asserting a cause of action arising under the Securities Act is not enforceable. However, this decision may be reviewed and ultimately overturned by the Delaware Supreme Court. If a court were to find either exclusive forum provision in our amended and restated bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving the dispute in other jurisdictions, which could harm our results of operations.
Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited.
As of December 31, 2021, we had U.S. federal and state net operating loss carryforwards of $59.6 million and $41.8 million, respectively, and we had a U.S. federal research and development credit carryforward of $2.7 million. Realization of these net operating loss and research and development credit carryforwards depends on future income, and there is a risk that our existing carryforwards could expire unused and be unavailable to offset future income tax liabilities, which could adversely affect our results of operations.
In addition, under Sections 382 and 383 of the Internal Revenue Code, if a corporation undergoes an “ownership change,” generally defined as a greater than 50% change (by value) in ownership by “5 percent shareholders” over a rolling three-year period, the corporation’s ability to use its pre-change net operating loss carryovers and other pre-change tax attributes, such as research and development credits, to offset its post-change income or taxes may be limited. We may experience ownership changes in the future as a result of shifts in our stock ownership. As a result, if we earn net taxable income, our ability to use our pre-change net operating loss carryforwards to offset U.S. federal taxable income may be subject to limitations, which could potentially result in increased future tax liability to us.
Changes in tax laws or regulations in the various tax jurisdictions we are subject to that are applied adversely to us or our customers could increase the costs of our products and harm our business.
New income, sales, use or other tax laws, statutes, rules, regulations or ordinances could be enacted at any time. Those enactments could harm our domestic and international business operations, and our business and financial performance. Further, existing tax laws, statutes, rules, regulations or ordinances could be interpreted, changed,
37

modified or applied adversely to us. These events could require us or our customers to pay additional tax amounts on a prospective or retroactive basis, as well as require us or our customers to pay fines and/or penalties and interest for past amounts deemed to be due. Additionally, new, changed, modified or newly interpreted or applied tax laws could increase our customers’ and our compliance, operating and other costs, as well as the costs of our products. Further, these events could decrease the capital we have available to operate our business. Any or all of these events could harm our business, financial condition and results of operations.
Our business may be subject to additional obligations to collect and remit sales tax and other taxes, and we may be subject to tax liability for past sales. Any successful action by state, foreign or other authorities to collect additional or past sales tax could harm our business.
States and some local taxing jurisdictions have differing rules and regulations governing sales and use taxes, and these rules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales taxes to our platform and products in various jurisdictions is unclear. It is possible that we could face sales tax audits and that our liability for these taxes could exceed our estimates as state tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. Liability for past taxes may also include substantial interest and penalty charges. Any successful action by state, foreign or other authorities to compel us to collect and remit sales, use or other taxes, either retroactively, prospectively or both, could harm our business, financial condition and results of operations.
We are a multinational organization faced with increasingly complex tax issues in many jurisdictions, and we could be obligated to pay additional taxes in various jurisdictions.
As a multinational organization, we may be subject to taxation in several jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws or revised interpretations of existing tax laws and precedents, which could have a material adverse effect on our liquidity and results of operations. Furthermore, one or more jurisdictions in which we do not believe we are currently subject to tax payment, withholding or filing requirements could assert that we are subject to such requirements. Any of these claims or assertions could have a material impact on us and our financial condition and results of operations.
Governance Risks Related to Ownership of Our Class A Common Stock
The dual-class structure of our common stock has the effect of concentrating voting control with those stockholders who held our capital stock prior to the completion of our initial public offering (IPO), which will limit your ability to influence the outcome of important transactions, including a change in control.
Our Class B common stock has ten votes per share, and our Class A common stock, has one vote per share. Because of the ten-to-one voting ratio between our Class B common stock and Class A common stock, as of December 31, 2021 the holders of our Class B common stock collectively held approximately 94.2% of the combined voting power of our outstanding capital and will therefore, if acting together, be able to control all matters submitted to our stockholders for approval until the earlier of the fifth anniversary of the filing and effectiveness of our amended and restated certificate of incorporation or the affirmative vote of the holders of 66-2/3% of the voting power of our outstanding Class B common stock. This concentrated control will limit or preclude a potential investor’s ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets or other major corporate transactions requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that you may feel are in your best interest as one of our stockholders.
Future transfers by holders of shares of our Class B common stock will generally result in those shares converting to Class A common stock, subject to limited exceptions, including but not limited to, transfers effected for estate planning purposes and transfers among affiliates, to the extent the transferee continues to remain an affiliate. The conversion of Class B common stock to Class A common stock will have the effect, over time, of
38

increasing the relative voting power of those individual holders of Class B common stock who retain their shares in the long term.
The market price of our Class A common stock may be volatile, and you could lose all or part of your investment.
The market price of our Class A common stock could be subject to fluctuations in response to various factors, some of which are beyond our control and could cause you to lose all or part of your investment in our Class A common stock. Factors that could cause fluctuations in the market price of our Class A common stock include the following:
price and volume fluctuations in the overall stock market from time to time;
volatility in the market prices and trading volumes of technology stocks;
changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
sales of shares of our Class A common stock by us or our stockholders;
failure of securities analysts to maintain coverage of us, changes in financial estimates by securities analysts who follow our company or our failure to meet these estimates or the expectations of investors;
the financial projections we may provide to the public, any changes in those projections or our failure to meet those projections;
announcements by us or our competitors of new offerings or platform features;
the public’s reaction to our press releases, other public announcements and filings with the SEC;
rumors and market speculation involving us or other companies in our industry;
short selling of our Class A common stock or related derivative securities;
actual or anticipated changes or fluctuations in our results of operations;
actual or anticipated developments in our business, our competitors’ businesses or the competitive landscape generally;
announced or completed acquisitions of businesses, offerings or technologies by us or our competitors;
developments or disputes concerning our intellectual property or other proprietary rights;
litigation involving us, our industry or both, or investigations by regulators into our operations or those of our competitors;
new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
system failures or actual or perceived privacy or security incidents;
changes in accounting standards, policies, guidelines, interpretations or principles;
any significant change in our management; and
general economic conditions and slow or negative growth of our markets.
In addition, the stock market has experienced substantial price and volume volatility that is often seemingly unrelated to the operating performance of particular companies. These broad market fluctuations may cause the trading price of our Class A common stock to decline. Furthermore, the trading price of our Class A common stock may be adversely affected by third-parties trying to drive down the price. In addition, in the past, following periods of volatility in the overall market and the market price of a particular company’s securities, securities class action
39

litigation has often been instituted against these companies. This litigation, if instituted against us, would result in substantial costs and a diversion of our management’s attention and resources.
We are an “emerging growth company” and we cannot be certain if the reduced disclosure requirements applicable to emerging growth companies will make our Class A common stock less attractive to investors.
For so long as we remain an “emerging growth company” as defined in the JOBS Act, we may take advantage of certain exemptions from various requirements that are applicable to public companies that are not “emerging growth companies,” including, but not limited to, not being required to comply with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act, reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements and exemptions from the requirements of holding a nonbinding advisory vote on executive compensation and stockholder approval of any golden parachute payments not previously approved. We may take advantage of these exemptions until we are no longer an emerging growth company. We would cease to be an emerging growth company upon the earliest to occur of: (i) the first fiscal year following the fifth anniversary of our initial public offering; (ii) the first fiscal year after our annual gross revenue is $1.07 billion or more; (iii) the date on which we have, during the previous three-year period, issued more than $1.0 billion in non-convertible debt securities; or (iv) the date we qualify as a “large accelerated filer,” which means the end of any fiscal year in which the market value of our Class A common stock held by non-affiliates exceeded $700.0 million as of the end of the second quarter of that fiscal year. We cannot predict if investors will find our Class A common stock less attractive because we may rely on these exemptions. If some investors find our Class A common stock less attractive as a result, there may be a less active trading market for our Class A common stock and our stock price may be more volatile.
If securities or industry analysts do not publish research or publish inaccurate or unfavorable research about us, our business or our market, or if they change their recommendations regarding our Class A common stock adversely, the market price and trading volume of our Class A common stock could decline.
The trading market for our Class A common stock depends, in part, on the research and reports that securities or industry analysts publish about us, our business, our market or our competitors. The analysts’ estimates are based upon their own opinions and are often different from our estimates or expectations. If any of the analysts who cover us change their recommendation regarding our Class A common stock adversely, provide more favorable relative recommendations about our competitors or publish inaccurate or unfavorable research about our business, the price of our securities would likely decline. If few securities analysts commence coverage of us, or if one or more of these analysts cease coverage of us or fail to publish reports on us regularly, we could lose visibility in the financial markets and demand for our securities could decrease, which could cause the price and trading volume of our Class A common stock to decline.
We do not intend to pay dividends for the foreseeable future.
We currently intend to retain any future earnings to finance the operation and expansion of our business, and we do not expect to declare or pay any dividends in the foreseeable future. In addition, our Revolving Credit Facility contains restrictions on our ability to pay dividends. As a result, stockholders must rely on sales of their Class A common stock after price appreciation as the only way to realize any future gains on their investment.
The issuance of additional stock in connection with financings, acquisitions, investments, our equity incentive plans or otherwise will dilute all other stockholders.
Our amended and restated certificate of incorporation authorizes us to issue up to 1,000,000,000 shares of Class A common stock, up to 500,000,000 shares of Class B common stock and up to 100,000,000 shares of preferred stock with such rights and preferences as may be determined by our board of directors. Subject to compliance with applicable rules and regulations, we may issue shares of Class A common stock or securities convertible into shares of our Class A common stock from time to time in connection with a financing, acquisition, investment, our equity incentive plans, or otherwise. Any such issuance could result in substantial dilution to our existing stockholders and cause the market price of our Class A common stock to decline.
40

We cannot predict the impact our dual class structure may have on the market price of our Class A common stock.
We cannot predict whether our dual class structure will result in a lower or more volatile market price of our Class A common stock or in adverse publicity or other adverse consequences. For example, certain index providers have restrictions on including companies with multiple-class share structures in certain of their indexes. In July 2017, FTSE Russell and Standard & Poor’s announced that they would cease to allow most newly public companies utilizing dual or multi-class capital structures to be included in their indices. Affected indices include the Russell 2000 and the S&P 500, S&P MidCap 400 and S&P SmallCap 600, which together make up the S&P Composite 1500. Under these policies, our dual class capital structure would make us ineligible for inclusion in certain indices, and as a result, mutual funds, exchange-traded funds and other investment vehicles that attempt to passively track those indices will not be investing in our stock. Because of our dual class structure, we will likely be excluded from certain of these indexes and we cannot assure you that other stock indexes will not take similar actions. Given the sustained flow of investment funds into passive strategies that seek to track certain indexes, exclusion from stock indexes would likely preclude investment by many of these funds and could make our Class A common stock less attractive to other investors. As a result, the market price of our Class A common stock could be adversely affected.
Risks Related to Macroeconomic Conditions
Adverse economic conditions and reduced IT security spending may adversely impact our revenue and profitability.
Our operations and performance depend in part on worldwide economic conditions and the impact these conditions have on levels of spending on IT networking and security solutions. Our business depends on the overall demand for these solutions and on the economic health and general willingness of our current and prospective customers to purchase our platform and products. Weak economic conditions, including conditions resulting from financial and credit market fluctuations, changes in economic policy, trade uncertainty, including changes in tariffs, sanctions, international treaties and other trade restrictions, the occurrence of a natural disaster or global public health crisis, or armed conflicts, such as the ongoing geopolitical tensions related to Russia’s actions in Ukraine, resulting sanctions imposed by the U.S. and other countries, and retaliatory actions taken by Russia in response to such sanctions, and a reduction in IT security spending could materially and adversely affect our business, financial condition and results of operations in a number of ways, including by reducing sales, lengthening sales cycles and lowering prices for our platform and products.
We are unable to predict with certainty the extent to which the global COVID-19 pandemic may continue to impact our business, financial condition or results of operations.
The ongoing COVID-19 pandemic and efforts to mitigate its impact have caused social and economic disruption and financial market volatility. Concerns over the ultimate economic impact of COVID-19 have caused and may continue to cause extreme volatility in financial and other capital markets, which may adversely affect our stock price and our ability to access capital markets in the future.
We believe that the conditions caused by the pandemic have not significantly affected demand for our platform and products; therefore, although the COVID-19 pandemic has caused us to experience, in some cases, longer sales cycles and an increase in certain prospective and current customers seeking lower prices or other more favorable contract terms, we do not believe these developments have been substantial enough to cause a significantly negative impact on our results of operations. Additionally, we have not seen significant negative impacts on collections of accounts receivable or attrition rates of our customers. Conversely, the long term work-from-home policies, which have stemmed from the COVID-19 pandemic, have resulted in employees accessing their companies’ systems remotely, which has increased cybersecurity, privacy and data protection risks for these companies and may lead to heightened interest in our platform and products. There is no assurance that the levels of interest, demand and use of our platform and products will continue or will not decrease in the future. Any such decrease could have an adverse effect on our growth and the success of our platform and products.
41

We may face exposure to foreign currency exchange rate fluctuations.
Today, our international contracts are sometimes denominated in local currencies; however, the majority of our international costs are denominated in local currencies. Over time, an increasing portion of our international contracts may be denominated in local currencies. Therefore, fluctuations in the value of the U.S. dollar and foreign currencies may affect our results of operations when translated into U.S. dollars. We do not currently engage in currency hedging activities to limit the risk of exchange rate fluctuations. However, in the future, we may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign currency exchange rates. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.
Catastrophic events may disrupt our business.
Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce and the global economy, and thus could harm our business. We have a large employee presence in Clearwater, Florida and the east coast of the United States is often subject to seasonal hurricanes. In the event of a major hurricane, earthquake or other catastrophic event such as fire, power loss, telecommunications failure, cyber-attack, acts of war, including Russia’s actions in Ukraine, or terrorist attack, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our application development, lengthy interruptions in our products, breaches of data security and loss, alteration or compromise of critical data, all of which could harm our business, financial condition and results of operations. In addition, the insurance we maintain may not be adequate to cover our losses resulting from disasters or other business interruptions.
Item 1B. Unresolved Staff Comments
None.
Item 2. Properties
Our corporate headquarters is located in the Tampa Bay, Florida area, where we currently lease approximately 154,300 square feet of space under lease agreements that expire between 2022 and 2027. We also maintain offices in multiple international locations, including Australia, Brazil, Germany, Japan, the Netherlands, Norway, Singapore, South Africa, the United Arab Emirates and the United Kingdom. We lease all of our offices and do not own any real property. We expect to add additional office space as we grow our employee base and expand geographically. We believe that our offices are adequate to meet our needs for the immediate future and that, should it be needed, suitable additional space will be available to accommodate expansion of our operations.
Item 3. Legal Proceedings
From time to time, we may be subject to legal proceedings arising in the ordinary course of business. In addition, from time to time, third parties may assert intellectual property infringement claims against us in the form of letters and other forms of communication. As of the date of this Annual Report on Form 10-K , we are not a party to any litigation the outcome of which, if determined adversely to us, would individually or in the aggregate be reasonably expected to have a material adverse effect on our results of operations, prospects, cash flows, financial position, or brand.
Item 4. Mine Safety Disclosures
Not applicable.
Part II
42

Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Market Information for Common Stock
Our Class A common stock is listed on the Nasdaq Global Select Market, or Nasdaq, under the symbol “KNBE” since April 26, 2021. Prior to that date, there was no public market for our Class A common stock. There is no public market for our Class B common stock.
Holders of Record
As of March 4, 2022, we had 45 and 49 holders of record of our Class A common stock and Class B common stock, respectively. Because many of our shares of Class A common stock are held by brokers and other institutions on behalf of shareholders, we are unable to estimate the total number of beneficial owners of our Class A common stock represented by these holders.
Dividend Policy
We anticipate that we will retain any earnings to support operations and to finance the growth and development of our business. Accordingly, although we paid a one-time special dividend in the year ended December 31, 2019, we do not expect to pay cash dividends on our Class A common stock or Class B common stock in the foreseeable future. In addition, the terms of our Revolving Credit Facility contain restrictions on our ability to declare and pay cash dividends on our capital stock.
Use of Proceeds
On April 26, 2021, we completed an IPO of our Class A common stock, in which we issued and sold 10,425,000 shares of Class A common stock, including 1,425,000 shares resulting from the exercise in full of the underwriters’ option to purchase additional shares, at an IPO price of $16.00 per share for net proceeds to the Company of $156.0 million. Upon recording the proceeds from the transaction, we reclassified $2.2 million of offering costs into stockholders’ equity (deficit) as a reduction of the net proceeds received from the IPO. All of the shares issued and sold in our IPO were registered under the Securities Act pursuant to a registration statement on Form S-1 (File No. 333‑254518), which was declared effective by the SEC on April 21, 2021. There has been no material change in the planned use of proceeds from our IPO from those disclosed in the final prospectus for our IPO dated as of April 16, 2019 and filed with the SEC pursuant to Rule 424(b)(4) on April 23, 2021.
Stock Performance Graph
The graph below compares the cumulative total return to our shareholders between April 22, 2021 (the date our Class A common stock commenced trading on the Nasdaq stock exchange) through December 31, 2021 in comparison to Nasdaq Global Select Index and Nasdaq CTA Cybersecurity Index.
The graph assumes $100 was invested in each of our Class A common stock, the Nasdaq Global Select and the Nasdaq CTA Cybersecurity. The comparisons are based on historical data and are not indicative of, nor intended to, forecast the future performance of our Class A common stock.
43

knbe-20211231_g1.jpg
This performance graph shall not be deemed incorporated by reference into any of our other filings under the Securities Exchange Act of 1934, as amended, or the Securities Act of 1933, as amended.
Recent Sales of Unregistered Securities
On November 1, 2021, we issued 1,194,957 shares of Class A common stock to SecurityAdvisor Technologies, Inc. (“SecurityAdvisor”) in connection with our acquisition of SecurityAdvisor for cash and equity consideration.
Issuer Purchases of Equity Securities
None.
Item 6. [ Reserved ]
Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our consolidated financial statements and the related notes to those statements included elsewhere in this Annual Report on Form 10-K. In addition to historical financial information, the following discussion and analysis contains forward-looking statements based upon current expectations that involve risks, uncertainties and assumptions. Our actual results and timing of selected events may differ materially from those anticipated in these forward-looking statements as a result of many factors, including those discussed under “Risk Factors” and elsewhere in this Annual Report on Form 10-K.
Overview
KnowBe4 has developed the leading security awareness platform enabling organizations to assess, monitor and minimize the ongoing cybersecurity threat of social engineering attacks. We are pioneering an integrated approach to security awareness that incorporates cloud-based software, machine learning, artificial intelligence, advanced analytics and insights with engaging content. Our platform is designed to drive awareness, change human behavior and enable a security-minded culture that results in a reduction of social engineering risks.
KnowBe4 was founded in 2010 by cybersecurity veterans based on the observation that social engineering tactics targeted at the human level often allowed attackers to bypass and evade security infrastructure defenses. Attackers often use low-cost, high-volume social engineering methods to gain access to systems during the initial phase of broader, multi-stage cyberattacks that can result in devastating security breaches. Social engineering
44

represents a universal cybersecurity risk, as it specifically targets the employees rather than the infrastructure of an organization. As such, social engineering affects organizations of all sizes and across all industries, regardless of their level of security infrastructure spend.
We began selling our initial product, which was the precursor to our Kevin Mitnick Security Awareness Training product, or KMSAT, in 2011 and began experiencing more significant market adoption in 2014, which coincides with the emergence of ransomware attacks spread via social engineering tactics. Our initial product provided the foundation for our future offerings, as it focused on enabling organizations to assess their social engineering risks and provided security awareness training to mitigate these risks. Over time, we have developed additional functionality to enhance management and risk assessment capabilities of our platform, as well as additional content to improve the efficacy of our security awareness modules. We later released KnowBe4 Compliance Manager, or KCM, a product enabling organizations to manage compliance and audit cycles. In December 2018, we released PhishER, our security orchestration and automation product, that enables security operations teams to prioritize and automate security workstreams in order to respond to and remediate social engineering attacks. Compliance Plus, our most recent product, was launched in June 2021 and expands our platform to include compliance training, with relevant and engaging content and training modules addressing compliance topics ranging from data privacy to diversity, equity and inclusion. We generate substantially all of our revenue from the sale of subscriptions to access our cloud-based platform. Our platform is priced individually by product then based on the subscription tier and number of subscribed users.
Our platform is designed to be powerful, yet highly scalable, intuitive and easy to deploy, in order to reduce the administrative burden of managing social engineering risk on security and IT professionals. Customers typically deploy our platform quickly across their entire organization to monitor and reduce the cybersecurity risk associated with their employees’ behavior. Because our products are designed to change human behavior within the entire organization, rollout of our products is performed organization-wide at the onset of a contract rather than focused on certain departments or portions of an organization. We utilize our team of customer success managers to ensure successful adoption and use of our products, while dedicated pricing specialists are tasked with negotiating customer renewals, along with upselling and cross-selling.
We sell our products to customers of all sizes both directly through our dedicated inside sales teams for enterprise and small and medium businesses (“SMBs”), and indirectly through channel partners and managed service providers, or MSPs. Our deeply integrated ecosystem of channel partners significantly expands our market reach and ability to expand our sales efforts. Our inside sales representatives work alongside our network of channel partners to engage in joint marketing activities. As a result of our ongoing MSP and channel development efforts, our partners have increasingly driven net new business, particularly in our international markets.
We have established a significant market presence, with more than 47,000 customers as of December 31, 2021, across virtually all industries and multiple geographies. No single direct customer represented more than 10% of our annual revenue for the year ended December 31, 2021.
Our business has experienced significant growth with total revenue of $246.3 million, $174.9 million and $120.6 million for the years ended December 31, 2021, 2020 and 2019, respectively. As of the ends of the same periods, we had annual recurring revenue, or ARR, of $285.4 million, $198.4 million and $145.4 million, respectively. For the years ended December 31, 2021, 2020 and 2019, we had net losses of $11.8 million, $2.4 million, and $124.3 million, respectively, which included $29.3 million, $5.2 million and $118.1 million of stock compensation expense, respectively. See the sections titled “—Key Business Metrics—Annual Recurring Revenue” for additional information regarding ARR.
We have built our business with a focus on cash flow generation. Our net cash provided by operating activities was $76.8 million, $44.9 million and $29.7 million and our free cash flow was $71.2 million, $36.7 million and $18.9 million for the years ended December 31, 2021, 2020 and 2019, respectively. See the sections titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Non-GAAP Financial Measures—Free Cash Flow” for additional information regarding free cash flow and for a reconciliation of free cash flow to the most directly comparable financial measure calculated in accordance with U.S. generally accepted accounting principles, or GAAP.
45

Key Factors Affecting Our Performance
Market Adoption and Technology Leadership
Our future success depends in large part on the growth in the market for security awareness which encompasses all products designed to address the risks of social engineering. Many organizations have yet to deploy technology to address the risks associated with the human layer; as such, we view this market as a largely greenfield opportunity.
Maintaining our market-leading position in the emerging market for security awareness is a key to our future success. Our position is, in large part, attributable to the combination of software, content and data analytics on our platform, thoughtful design of our products, prioritization of content development and a focus on customer service. To maintain our position as a market leader, we intend to continue to innovate our existing product features and develop new products that complement our existing offerings and further address the ongoing risks of social engineering. Additionally, we plan to generate training content that is responsive in near real-time to the current threat environment and is localized to the geographies where we plan to expand.
Investment in Customer Acquisition and Retention
Our results of operations depend significantly on our ability to acquire new customers, which we plan to do by continuing to make significant investments in sales and marketing and brand awareness. Our ability to attract new customers will depend on a number of factors, including our success in recruiting, training and retaining talented salespeople while scaling our sales and marketing organization and competitive dynamics in our target markets. We intend to expand both our direct inside sales force and our channel partnerships, with a focus on increasing sales to enterprise customers, which we define as customers with greater than 1,000 employees. We expect new customer acquisition, which is measured through number of customers and ARR, to drive significant growth in the near term.
Our potential for growth further depends on our ability to retain existing customers. Our dollar-based net retention rate as of December 31, 2021 was 108.4% representing an increase over our dollar-based net retention rates as of December 31, 2020 of 102.8%. We do not believe our dollar-based net retention rate as of December 31, 2019 provides a meaningful comparison to more current rates based on the evolution of our product offerings and customer adoption of our products since that time. We calculate our dollar-based net retention rate as ARR at the end of the current reporting period for customers who were also active at the end of the same reporting period in the prior year divided by ARR for the same reporting period in the prior year. Our dollar-based net retention rate measures our ability to increase revenue across our existing customer base through expanded use of our platform, offset by customers whose subscriptions with us are not renewed or are renewed at a lower amount. We believe the momentum in dollar-based net retention over prior periods reflects the investments we have made across our platform and within our customer success teams. Our management believes dollar-based net retention is an indicator of our ability to cross sell our products and has become increasingly important as we have expanded our platform through the introduction of new products.
We employ a business model centered around offering products that are easy to adopt and have a very short time to value. As of December 31, 2021, 2020 and 2019, approximately 22.1%, 13.7% and 7.7%, respectively, of our customers were using more than one product. We believe these metrics indicate strong momentum in the uptake of our newer products.
Expansion of International Operations
A substantial portion of our revenue from international customers has been generated through the establishment of our international sales operations and MSPs and channel partnerships. Additionally, our recent acquisitions have resulted in further international revenue growth. We believe that there is significant opportunity to continue to grow our international business through these sales operations and further development of our international channel partnerships. We believe that global demand for our platform and products will continue to increase as international market awareness grows. We have invested, and plan to continue to invest, ahead of this potential demand, in sales, marketing and support personnel.
46

Key Business Metrics
We regularly monitor a number of financial and operating metrics, including the following key metrics, in order to measure our current performance and estimate our future performance, as follows:
December 31,
202120202019
(annual recurring revenue in thousands)
Number of customers47,174 36,753 30,259 
Year-over-year growth28.4 %21.5 %34.4 %
Annual recurring revenue$285,437 $198,369 $145,369 
Year-over-year growth43.9 %36.5 %64.0 %
Number of Customers
We believe that our ability to increase and retain the number of customers on our platform is an indicator of our market penetration, the growth of our business and potential future business opportunities. Increasing awareness of our platform and products, combined with further overall awareness of the need to address the human risk within cybersecurity, has continued to expand our customer base to include organizations of all sizes across all industries. We define a customer as a separate and distinct buying entity, such as a company, an educational or government institution or a distinct business unit of a large company that has an active contract with us to access our platform. We do not consider our channel partners as separate customers as our contracts are executed with the end user, and we treat MSPs, who may purchase our products on behalf of multiple companies, as a single customer. Our number of customers increased on an absolute basis, but there has been a decrease in growth rate since December 31, 2019 as a result of an increased focus on enterprise customers and MSPs, which are subject to longer sales cycles. Additionally, as our customer base grows and as our market penetration increases, we do not expect to continue to grow at the same year-over-year rate.
Annual Recurring Revenue
We believe that ARR is a key metric to measure our business performance because it is driven by our ability to acquire new customers and to maintain and expand our relationship with existing customers. We define ARR as the annualized value of all contractual subscription agreements as of the end of the period. We perform this calculation on an individual contract basis by dividing the total dollar amount of a contract by the total contract term stated in months and multiplying this amount by twelve to annualize. Calculated ARR for each individual contract is then aggregated to arrive at total ARR. ARR does not have a standardized meaning and therefore may not be comparable to similarly titled measures presented by other companies. ARR should be viewed independently of revenue, deferred revenue and remaining performance obligations and is not intended to be combined with or to replace any of those items. Specifically, ARR, as calculated under the definition herein, does not adjust for the timing impact of revenue recognition for specific performance obligations identified within a contract. ARR is not a forecast and the active contracts at the date used in calculating ARR may or may not be extended by our customers. We expect ARR in total dollars to continue to grow as we execute on our growth strategies and increase our market penetration, but we do not expect to continue to grow at the same year-over-year rate as we become a larger, more mature business.
Non-GAAP Financial Measures
In addition to our results determined in accordance with GAAP, we believe the following non-GAAP measures are useful in evaluating our operating performance. We believe that non-GAAP financial information, when taken collectively, may be helpful to investors because it provides consistency and comparability with past financial performance. However, non-GAAP financial information is presented for supplemental informational purposes only, has limitations as an analytical tool, and should not be considered in isolation or as a substitute for financial information presented in accordance with GAAP. Other companies, including companies in our industry, may calculate similarly-titled non-GAAP measures differently or may use other measures to evaluate their performance, all of which could reduce the usefulness of our non-GAAP financial measures as tools for comparison. A reconciliation is provided below for each non-GAAP financial measure to the most directly comparable financial
47

measure stated in accordance with GAAP. Investors are encouraged to review the related GAAP financial measures and the reconciliation of these non-GAAP financial measures to their most directly comparable GAAP financial measures and not rely on any single financial measure to evaluate our business.
Non-GAAP Gross Profit
We define non-GAAP gross profit as GAAP gross profit excluding stock compensation expense, amortization of acquired technology and intangible assets and acquisition and integration related costs. Costs associated with acquisitions and integration include legal, accounting and other professional fees, changes in the fair value of contingent consideration obligations and other costs related to the transition of the acquired business. We believe non-GAAP gross profit provides our management and investors consistency and comparability with our past financial performance and facilitates period-to-period comparisons of our results of operations, as this metric generally eliminates the effects of certain variables unrelated to our overall operating performance.
Year Ended December 31,
202120202019
(in thousands)
Gross profit$211,183 $148,156 $99,996 
Add: Stock compensation expense470 188 83 
Add: Amortization of acquired technology and intangible assets848 240 164 
Non-GAAP gross profit$212,501 $148,584 $100,243 
Non-GAAP Operating Income (Loss)
We define non-GAAP operating income (loss) as GAAP operating loss excluding stock compensation expense, amortization of acquired technology and intangible assets and acquisition and integration related costs. Costs associated with acquisitions and integration include legal, accounting and other professional fees, as well as changes in the fair value of contingent consideration obligations and other costs related to the transition of the acquired business. We believe non-GAAP operating income (loss) provides our management and investors consistency and comparability with our past financial performance and facilitates period-to-period comparisons of operations, as this metric generally eliminates the effects of certain variables unrelated to our overall operating performance.
Year Ended December 31,
202120202019
(in thousands)
Operating loss$(6,588)$(1,542)$(125,532)
Add: Stock compensation expense29,345 5,234 118,105 
Add: Amortization of acquired technology and intangible assets1,397 332 247 
Add: Acquisition and integration related costs4,271 — 292 
Non-GAAP operating income (loss)$28,425 $4,024 $(6,888)
Free Cash Flow
We define free cash flow as net cash provided by operating activities, the most directly comparable financial measure calculated in accordance with GAAP, less purchases of property and equipment, amounts capitalized for internal-use software and principal payments on finance leases. We believe that free cash flow is a meaningful indicator of liquidity to management and investors about the amount of cash generated from our operations that,
48

after the investments in property, equipment and capitalized internal-use software, can be used for strategic initiatives.
Year Ended December 31,
202120202019
(in thousands)
Net cash provided by operating activities $76,778 $44,864 $29,718 
Less: Purchases of property and equipment(3,010)(5,426)(5,573)
Less: Capitalized internal-use software(2,506)(2,682)(5,223)
Less: Principal payments on finance leases(40)(35)— 
Free cash flow$71,222 $36,721 $18,922 
Components of Our Operating Results
Revenue
We derive substantially all of our revenue from subscription services fees paid by customers for access to our cloud-based platform, which includes support services and feature upgrades throughout the duration of the customer’s contract. While contracts with our customers do not provide the customer with the right to take possession of software operating on our global cloud-based platform, certain arrangements allow our customers the ability to download and use our content within their own learning management systems. Our content is only available to customers throughout the duration of their subscription and is accessed through our cloud-based platform. Subscription services fees and access to content for download are considered separate performance obligations. Invoiced amounts are allocated between subscription services fees and access to content and are recorded as deferred revenue and revenue, respectively. Deferred revenue primarily consists of amounts invoiced to customers for our subscription services and is generally recognized ratably over the subscription period while revenue related to content downloads is recognized at contract inception.
Subscription terms typically range from one year to three years and generally begin on the date access to our platform is made available to the customer. Our subscriptions are generally invoiced upfront for the duration of the contract term or in annual installments. Our arrangements are primarily noncancellable and nonrefundable. We collect our receivables in advance of the subscription service period and often issue renewal invoices in advance of the renewal service period.
Because we recognize revenue ratably over the terms of our subscription contracts, a substantial portion of the revenue that we report in each period is attributable to the recognition of deferred revenue relating to agreements that we entered into during previous periods. Consequently, increases or decreases in new sales or renewals in any one period may not be immediately reflected as revenue for that period. Accordingly, the effect of downturns in sales and market acceptance of our platform, and potential changes in our rate of renewals, may not be fully reflected in our results of operations until future periods.
Cost of Revenues and Gross Margin
Cost of revenues consists of costs associated with delivering our platform and providing support. These costs include employee-related costs such as salaries and bonuses, stock compensation expense and benefits costs associated with our operations and support personnel, costs associated with third-party hosting services, amortization of acquired technology, amortization of capitalized internal-use software and content and allocated overhead. We expect cost of revenues to increase in absolute dollars and as a percentage of revenue, relative to the extent of the growth of our business and reflective of the impacts of wage inflation seen in the market as a whole.
Gross margin is gross profit expressed as a percentage of total revenue. Our gross margin has been and will continue to be affected by various factors, including the timing and amount of costs associated with supporting our platform, the extent to which we expand our customer success team and the rate at which we develop or acquire new products, significant features and additional content to be added to our platform. We intend to continue to invest
49

additional resources in our platform, content development and support services which we expect to result in steady gross margin over time.
Operating Expenses
Sales and Marketing
Sales and marketing expenses consist primarily of employee-related costs, including salaries and wages, stock compensation expenses and sales commissions, costs of general marketing programs and promotional activities, travel-related expenses and allocated overhead. Sales commissions earned by our sales force that are considered to be incremental to the cost of acquiring a customer are deferred and amortized over the estimated period of benefit. Marketing programs consist of advertising, events, including our KB4-CON customer conference, which has historically been held during the second quarter of each year, corporate communications, brand building and product marketing activities. We expect our sales and marketing expenses to increase on an absolute dollar basis as we continue to make significant investments in our sales and marketing organization to drive additional revenue, increase market share and expand our global customer base.
Technology and Development
Technology and development costs consist primarily of research and development activities, non-capitalizable costs of developing platform features and content and certain overhead allocations. These costs include employee-related costs, including salaries and wages and stock compensation expenses, consulting services, expenses related to the design, development, testing and enhancements of our subscription services. Technology and development costs are expensed as incurred. From a unit cost standpoint, our technology and development costs are lower primarily due to favorable costs of living in the geographic locations in which our offices are based but could be impacted in the future by the ongoing trend towards remote work and overall wage inflation. We expect that our technology and development expenses will increase in absolute dollars and may increase as a percentage of our revenue as we continue to enhance our platform functionality and develop new content and features. Additionally, our technology and development expense may fluctuate as a percentage of our revenue from period to period depending on the timing and nature of development activities.
General and Administrative
General and administrative expenses consist primarily of employee-related costs for accounting, finance, legal, IT and human resources personnel and also include expenses related to consulting services, audit fees, tax services, legal services and other general corporate items. Our general and administrative costs also include our investment in internal initiatives and tools which we believe promotes our corporate culture and helps us attract and retain talent. We expect our general and administrative expenses to increase in absolute dollars in future periods as we continue to expand our operations, hire additional personnel, see the ongoing impact of overall wage inflation and incur costs to support the requirements of being a public company.
Interest and Other Income
Interest and other income primarily consists of interest earned on overnight cash deposits and fluctuates with market rates of interest and overall cash balances.
Interest Expense
Interest expense primarily relates to imputed interest calculated on certain contingent consideration obligations arising from our historical business combinations along with fees associated with our revolving line of credit.
Income Tax (Expense) Benefit
Income tax (expense) benefit consists of federal and state income taxes in the United States and income taxes in certain foreign jurisdictions. Our provision for income taxes has not historically been significant to our business as we have incurred operating losses to date. We maintain a valuation allowance on our U.S. federal, state and certain
50

foreign deferred tax assets as we have concluded that it is not more likely than not that the deferred assets will be realized.
Results of Operations
The following table is a summary of our consolidated statements of operations:
Year Ended December 31,
202120202019
(in thousands)
Revenues, net$246,298 $174,886 $120,575 
Cost of revenues(1)
35,115 26,730 20,579 
Gross profit211,183 148,156 99,996 
Operating expenses:
Sales and marketing(1)
107,519 82,188 69,090 
Technology and development(1)
28,110 19,804 10,662 
General and administrative(1)
82,142 47,706 145,776 
Total operating expenses217,771 149,698 225,528 
Operating loss(6,588)(1,542)(125,532)
Other income (expense):
Interest income57 197 799 
Interest expense(396)(60)(47)
Other (loss) income(1,030)807 90 
Loss before income tax (expense) benefit(7,957)(598)(124,690)
Income tax (expense) benefit(3,888)(1,832)367 
Net loss$(11,845)$(2,430)$(124,323)
________________
(1)Amounts include stock compensation expense as follows:
Year Ended December 31,
202120202019
(in thousands)
Cost of revenues$470 $188 $83 
Sales and marketing8,474 1,579 5,750 
Technology and development1,706 896 162 
General and administrative18,695 2,571 112,110 
Total stock compensation expense$29,345 $5,234 $118,105 
Comparison of the Years Ended December 31, 2021 and 2020
Revenues
Year Ended December 31,Change
20212020$%
(in thousands)
Revenues, net$246,298 $174,886 $71,412 40.8 %
Revenues increased by $71.4 million, or 40.8%, for the year ended December 31, 2021, compared to the year ended December 31, 2020. Due to the nature of our subscription-based business model, a large portion of our revenues in a given period results from the recognition of revenues deferred in prior periods. As such, $37.7 million of the year-over-year increase in revenue is related to the recognition of deferred revenues from the accumulation of
51

contracts entered into during prior periods. Revenues earned in foreign jurisdictions has increased by $18.3 million compared to the prior year. The remaining increase is attributable to revenues from new customers combined with revenues from cross-selling additional products into our existing customer base. Our customer base grew by 28.4% and the number of customers with active subscriptions to more than one of our products has increased to 22.1% of our total customer base.
Cost of Revenues and Gross Margin
Year Ended December 31,Change
20212020$%
(in thousands)
Cost of revenues$35,115 $26,730 $8,385 31.4 %
Gross margin85.7 %84.7 %
Cost of revenues increased by $8.4 million, or 31.4%, for the year ended December 31, 2021, compared to the year ended December 31, 2020. The overall increase in cost of revenues is in line with our increase in revenues over the same period, while maintaining our margin position. The total dollar value increase in cost of revenues is primarily driven by approximately $6.3 million of additional personnel and other allocated costs related to a combination of headcount expansion, comparatively higher performance bonuses resulting from the growth in revenues over the period and higher overhead allocations. Additionally, $1.2 million of the increase relates to increased costs of hosting our platform with the remaining cost increases attributable the amortization of both our acquired and internally developed technology and content. Gross margin slightly increased compared to the prior year period as we continue to scale our customer support functions.
Operating Expenses
Sales and Marketing
Year Ended December 31,Change
20212020$%
(in thousands)
Sales and marketing$107,519 $82,188 $25,331 30.8 %
Sales and marketing expenses increased by $25.3 million, or 30.8%, for the year ended December 31, 2021, compared to the year ended December 31, 2020. The increase in sales and marketing expenses primarily relates to increased personnel costs of $21.2 million, including salaries, commissions and performance bonus costs primarily driven by a corresponding increase in headcount which is consistent with our overall business growth. These personnel costs include an increase in stock compensation expense of $6.9 million, the majority of which relates to the issuance of RSUs to certain executives in conjunction with our initial public offering or IPO in April 2021. Additionally, $2.6 million of the increase primarily relates to marketing campaigns to support new product launches and public relations efforts to evangelize the need to address the human risk in cybersecurity. The remaining increases are attributable to overall growth in the business, including overhead allocations, of approximately $1.3 million.
Technology and Development
Year Ended December 31,Change
20212020$%
(in thousands)
Technology and development$28,110 $19,804 $8,306 41.9 %
Technology and development expenses increased by $8.3 million, or 41.9%, for the year ended December 31, 2021, compared to the year ended December 31, 2020. The increase in technology and development costs is primarily driven by $7.5 million of additional personnel costs as we increase developer headcount to support our
52

product development initiatives combined with higher performance bonuses. The increased developer headcount has also led to higher subscription costs and overhead allocations which make up the remaining increase. These expenses have remained consistent as a percentage of revenue as they align to growth in our business.
General and Administrative
Year Ended December 31,Change
20212020$%
(in thousands)
General and administrative$82,142 $47,706 $34,436 72.2 %
General and administrative expenses increased by $34.4 million, or 72.2%, for the year ended December 31, 2021, compared to the year ended December 31, 2020. This increase is driven by $29.6 million of additional personnel costs, which includes additional stock compensation expense of $16.1 million the majority of which relates to the issuance of RSUs to certain executives in conjunction with the completion of our IPO in April 2021. The remaining increase in personnel costs is driven by increases in headcount across our administrative functions, such as legal, finance and human resources, to support overall business growth and costs of operating as a public company. An additional $2.7 million of the increase relate to consulting and professional fees incurred primarily to support the completion of our IPO, secondary offerings and the two business combinations completed during the year ended December 31, 2021.
Income Tax Expense
Year Ended December 31,Change
20212020$%
(in thousands)
Income tax expense$(3,888)$(1,832)$(2,056)112.2 %
Income tax expense increased by $2.1 million, or 112.2%, for the year ended December 31, 2021, compared to the year ended December 31, 2020. This increase is due to additional deferred tax expense recognized in our foreign jurisdictions due to growth in our international operations.
Comparison of the Years Ended December 31, 2020 and 2019
Revenues
Year Ended December 31,Change
20202019$%
(in thousands)
Revenues, net$174,886 $120,575 $54,311 45.0 %
Revenues increased by $54.3 million, or 45.0%, for the year ended December 31, 2020, compared to the year ended December 31, 2019. Due to the nature of our subscription-based business model, a large portion of our revenues in a given period results from the recognition of revenues deferred in prior periods. As such, $39.0 million of the year-over-year increase in revenue is related to the recognition of deferred revenues from the accumulation of contracts entered into during prior periods. The remaining increase is attributable to revenues from new customers combined with revenues from cross-selling additional products into our existing customer base, including substantial increases in revenues earned in foreign jurisdictions. Our customer base grew by 21.5% and the number of customers with active subscriptions to more than one of our products has increased to 13.7% of our total customer base.
53

Cost of Revenues and Gross Margin
Year Ended December 31,Change
20202019$%
(in thousands)
Cost of revenues$26,730 $20,579 $6,151 29.9 %
Gross margin84.7 %82.9 %
Cost of revenues increased by $6.2 million, or 29.9%, for the year ended December 31, 2020, compared to the year ended December 31, 2019. The overall increase in cost of revenues is primarily driven by increased headcount to support our overall business growth combined with increases in amortization related to our developed technology and content assets. The year-over-year increase in cost of revenues is slightly less than the increase in revenues over the same period due to efficiencies experienced in our customer support functions which contributed to the increase in gross margins for the year ended December 31, 2020 when compared to December 31, 2019.
Operating Expenses
Sales and Marketing
Year Ended December 31,Change
20202019$%
(in thousands)
Sales and marketing$82,188 $69,090 $13,098 19.0 %
Sales and marketing expenses increased by $13.1 million, or 19.0%, for the year ended December 31, 2020, compared to the year ended December 31, 2019. The increase in sales and marketing expenses relates to a $8.4 million increase in employee-related costs, including salaries and commissions, primarily driven by increased headcount during the year, a $2.6 million increase in software license fees and additional increases in expenditures for marketing and promotional activities and allocated overhead.
Technology and Development
Year Ended December 31,Change
20202019$%
(in thousands)
Technology and development$19,804 $10,662 $9,142 85.7 %
Technology and development expenses increased by $9.1 million, or 85.7%, for the year ended December 31, 2020, compared to the year ended December 31, 2019. The increase in technology and development costs is driven by an $8.0 million increase in employee-related research and development costs associated with the development of new platform features and preliminary development activity related to new products. The increase is further attributable to increased overhead allocations and production expenses which are in line with the overall growth of our business.
General and Administrative
Year Ended December 31,Change
20202019$%
(in thousands)
General and administrative$47,706 $145,776 $(98,070)(67.3)%
General and administrative expenses decreased by $98.1 million, or (67.3)%, for the year ended December 31, 2020, compared to the year ended December 31, 2019. The decrease is primarily due to $110.6 million of stock compensation expense recognized in conjunction with the Series C and C-1 Preferred Stock transactions during the
54

year ended December 31, 2019. Excluding the impact of these transactions, the change in general and administrative expenses was an increase of $12.5 million or 35.4%. These increases in general and administrative expenses as compared to the prior year relate to $9.4 million in additional employee-related expenses within our administrative functions along with an additional $3.1 million of costs to support overall growth in the business including professional fees and other general operating costs, such as depreciation and amortization expenses, lease and utilities costs.
Income Tax Benefit (Expense)
Year Ended December 31,Change
20202019$%
(in thousands)
Income tax (expense) benefit$(1,832)$367 $(2,199)(599.2)%
Income tax expense increased by $2.2 million, or (599.2)%, for the year ended December 31, 2020, compared to the year ended December 31, 2019. This increase is primarily due to a $2.7 million valuation allowance recorded as a result of continuing losses generated at our German subsidiary.
Quarterly Results of Operations
The following tables set forth selected unaudited quarterly statements of operations data for each of the eight quarters ended December 31, 2021, as well as the percentage of total revenue that each line item represents for each quarter. The information for each of these quarters has been prepared on the same basis as the audited annual consolidated financial statements included elsewhere in this Annual Report on Form 10-K and, in the opinion of management, includes all adjustments, which consist only of normal recurring adjustments, necessary for the fair presentation of the results of operations for these periods. This data should be read in conjunction with our audited
55

consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10-K. These quarterly results are not necessarily indicative of our results of operations to be expected for any future period.
Three Months Ended
December 31, 2021September 30, 2021June 30, 2021March 31, 2021December 31, 2020September 30, 2020June 30, 2020March 31, 2020
(in thousands, except customer data)
Revenues, net$69,307 $64,091 $59,350 $53,550 $49,287 $44,932 $41,489 $39,178 
Cost of revenues (1)
9,572 9,609 8,591 7,343 7,466 6,918 6,303 6,043 
Gross profit59,735 54,482 50,759 46,207 41,821 38,014 35,186 33,135 
Operating expenses:
Sales and marketing (1)
25,207 27,731 31,510 23,071 21,934 20,752 19,875 19,627 
Technology and development (1)
8,029 7,579 6,760 5,742 5,685 4,822 4,391 4,906 
General and administrative (1)
19,377 19,852 28,284 14,629 13,170 13,440 10,976 10,120 
Total operating expenses52,613 55,162 66,554 43,442 40,789 39,014 35,242 34,653 
Operating income (loss)7,122 (680)(15,795)2,765 1,032 (1,000)(56)(1,518)
Other income (expense):
Interest income16 16 18 38 20 14 125 
Interest expense(67)(67)(66)(196)(15)(16)(16)(13)
Other (expense) income(585)114 (416)(143)665 29 80 33 
Income (loss) before income tax (expense) benefit6,486 (617)(16,270)2,444 1,720 (967)22 (1,373)
Income tax (expense) benefit(2,088)(963)(593)(244)(1,516)(735)407 12 
Net income (loss)$4,398 $(1,580)$(16,863)$2,200 $204 $(1,702)$429 $(1,361)
Number of customers47,174 44,319 41,601 38,975 36,753 34,604 33,056 31,823 
Annual recurring revenue(2)
$285,437 $262,172 $240,595 $222,270 $198,369 $181,924 $169,003 $157,919 
Free cash flow(2)
$19,562 $17,910 $12,789 $20,961 $4,117 $11,017 $11,201 $10,386 
________________
(1)Amounts include stock compensation expense as follows:
Three Months Ended
December 31, 2021September 30, 2021June 30, 2021March 31, 2021December 31, 2020September 30, 2020June 30, 2020March 31, 2020
(in thousands)
Cost of revenues$217 $124 $76 $53 $66 $70 $31 $21 
Sales and marketing1,197 726 5,662 889 754 423 251 151 
Technology and development1,176 242 148 140 573 153 100 70 
General and administrative3,483 1,652 12,983 577 588 588 934 461 
Total stock compensation expense$6,073 $2,744 $18,869 $1,659 $1,981 $1,234 $1,316 $703 
(2)See the sections entitled “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Key Business Metrics—Annual Recurring Revenue” for additional information regarding ARR and “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Non-GAAP Financial Measures—Free Cash Flow” for additional information regarding free cash flow and for a reconciliation of free cash flow to the most directly comparable financial measure calculated in accordance with U.S. generally accepted accounting principles, or GAAP.”
56

Percentage of Revenues Data
All values from the statement of operations, expressed as percentage of total revenues are as follows:
Three Months Ended
December 31, 2021September 30, 2021June 30, 2021March 31, 2021December 31, 2020September 30, 2020June 30, 2020March 31, 2020
Revenues, net100.0 %100.0 %100.0 %100.0 %100.0 %100.0 %100.0 %100.0 %
Cost of revenues13.8 %15.0 %14.5 %13.7 %15.1 %15.4 %15.2 %15.4 %
Gross margin86.2 %85.0 %85.5 %86.3 %84.9 %84.6 %84.8 %84.6 %
Operating expenses:
Sales and marketing36.4 %43.3 %53.1 %43.1 %44.5 %46.2 %47.9 %50.1 %
Technology and development11.6 %11.8 %11.4 %10.7 %11.5 %10.7 %10.6 %12.5 %
General and administrative28.0 %31.0 %47.7 %27.3 %26.7 %29.9 %26.5 %25.8 %
Total operating expenses75.9 %86.1 %112.1 %81.1 %82.8 %86.8 %84.9 %88.5 %
Operating income (loss)10.3 %(1.1)%(26.6)%5.2 %2.1 %(2.2)%(0.1)%(3.9)%
Other income (expense):
Interest income— %— %— %— %0.1 %— %— %0.3 %
Interest expense(0.1)%(0.1)%(0.1)%(0.4)%— %— %— %— %
Other (expense) income(0.8)%0.2 %(0.7)%(0.3)%1.3 %0.1 %0.2 %0.1 %
Income (loss) before income tax (expense) benefit9.4 %(1.0)%(27.4)%4.6 %3.5 %(2.2)%0.1 %(3.5)%
Income tax (expense) benefit(3.0)%(1.5)%(1.0)%(0.5)%(3.1)%(1.6)%1.0 %— %
Net income (loss)6.3 %(2.5)%(28.4)%4.1 %0.4 %(3.8)%1.0 %(3.5)%
Quarterly Trends
Our quarterly revenue increased in each of the periods presented due to the combination of increases in the number of new customers, contract renewals with existing customers and sales of our newer products. Additionally, our fourth quarter has historically been our strongest quarter for new business and renewals, driven by the overall timing of existing customer contract renewals and customer budget timing. The effect of this seasonality in both invoicing patterns and overall new and renewal business causes the value of invoices that we generate in the fourth quarter for both new business and renewals to increase as a proportion of our total annual invoices.
Cost of revenues has increased in the majority of the periods presented. This overall increase in cost of revenues is in line with our increase in revenue and is primarily driven by increased headcount to support our overall business growth, particularly within our customer success team, combined with increases in amortization related to both our internally developed and acquired assets and costs of hosting our technology platform. Gross margin has slightly improved over the periods presented due to achieving some scale with our customer success team. We expect margins to remain steady in the future as we continue to build out our customer support structure to support our overall business growth.
Our operating expenses have generally increased over the periods presented primarily due to increases in headcount and other related expenses to support our growth. Any periods in which operating expenses have not increased sequentially were due to variability in our stock compensation expense. Additionally, our technology and development expenses fluctuate quarter to quarter based on the timing and extent of research and development and content production activities while our sales and marketing expenses can be impacted by the timing of industry events. Excluding the impact of the non-recurring stock compensation expense, our general and administrative expenses remain relatively consistent quarter over quarter when considering the growth in our business and impact of non-recurring transactions, such as business combinations and public offerings.
57

Liquidity and Capital Resources
At December 31, 2021, our principal sources of liquidity were cash and cash equivalents totaling $273.7 million and accounts receivable of $54.1 million. Our cash and cash equivalents are comprised of time deposits with financial institutions. To date, we have financed our operations primarily through payments received from customers using our platform supplemented by proceeds from private placements of our equity securities and our recent IPO. Our positive cash flows from operations enable us to make continued investments in the growth of our business. We expect our operating cash flows to further improve over the intermediate to long term as we increase our operational efficiency and experience economies of scale.
We typically invoice our subscription customers annually in advance. Therefore, a substantial source of our cash is from customer prepayments, which are included on our consolidated balance sheets as deferred revenue. Deferred revenue consists of invoiced fees for our subscription services, prior to satisfying the criteria for revenue recognition, which are subsequently recognized as revenue in accordance with our revenue recognition policy. As of December 31, 2021, we had deferred revenue of $265.8 million, of which $81.3 million was recorded as a current liability and is expected to be recorded as revenue in the next 12 months, provided all other revenue recognition criteria are met.
Our remaining performance obligation represents contracted revenue that has not yet been recognized and includes deferred revenue, which has been invoiced and is recorded on the consolidated balance sheets, and unbilled amounts that are not recorded on the consolidated balance sheets, that will be recognized as revenue in future periods. As of December 31, 2021, our remaining performance obligation was $323.7 million.
On March 12, 2021, we entered into a three-year $100.0 million revolving credit facility with Bank of America, or the Revolving Credit Facility. Interest on any borrowings under the revolving credit facility bear interest, at our option, at (i) a base rate equal to the highest of (a) the federal funds rate plus 0.50%, (b) the rate of interest in effect for such date as publicly announced from time to time by Bank of America as its “prime rate”, or (c) the eurodollar rate plus 1.0%, provided that such rate will not be less than 0.5%. We are obligated to pay other customary fees for a credit facility of this size and type, including letter of credit fees, an upfront fee, and an unused commitment fee. The terms of our Revolving Credit Facility include a number of covenants that limit our ability and our subsidiaries’ ability to, among other things, incur additional indebtedness, grant liens, merge or consolidate with other companies or sell substantially all of our assets, pay dividends, make redemptions and repurchases of stock, make investments, loans and acquisitions, or engage in transactions with affiliates. We expect to use the revolving credit facility for general corporate purposes, including potential future acquisitions and expansions. As of December 31, 2021, we were in compliance with all covenants and there were no amounts outstanding under this facility.
On April 26, 2021, we completed our IPO, in which we sold 10,925,000 shares of our Class A common stock at a price to the public of $16.00 per share, including 1,425,000 shares pursuant to the exercise in full of the underwriters’ option to purchase additional shares and 500,000 shares of our Class A common stock sold by certain selling stockholders. We received net proceeds of $153.0 million, after deducting underwriting discounts and commissions of $10.8 million and offering expenses paid by us of approximately $3.0 million.
We believe our existing cash and cash equivalents, cash provided by operating activities, available borrowings under our Revolving Credit Facility, and unbilled amounts related to contracted non-cancelable subscription agreements, which are not reflected on the balance sheets, will be sufficient to meet our working capital and capital expenditure needs over the next 12 months. In the future, we may enter into arrangements to acquire or invest in complementary businesses, products and technologies, and intellectual property rights, though we currently have no agreements or commitments to do so. To facilitate these acquisitions or investments, we may seek additional equity or debt financing, which may not be available on terms favorable to us or at all, impacting our ability to complete subsequent acquisitions or investments.
58

Cash Flows
The following table presents a summary of our consolidated cash flows from operating, investing and financing activities.
Year Ended December 31,
202120202019
(in thousands)
Net cash provided by operating activities$76,778 $44,864 $29,718 
Net cash used in investing activities$(39,340)$(8,108)$(15,766)
Net cash provided by (used in) financing activities$151,232 $(436)$(9,612)
Operating Activities
Our largest source of cash flows from operations is cash collections from our customers for subscription services while our primary use of cash for operating activities is for employee-related expenses, including salaries, commissions and monthly performance bonuses. We have historically generated positive cash flows from operations as a result of our efficient sales model and period-over-period growth in subscription services.
Net cash provided by operating activities during the year ended December 31, 2021 was $76.8 million, which consisted of net loss of $11.8 million, adjusted for non-cash charges of $57.7 million and net cash inflows of $30.9 million provided by changes in our operating assets and liabilities. Non-cash charges primarily consisted of $19.5 million of amortization of deferred commissions, $13.6 million of depreciation and amortization of our capital assets and $29.3 million of stock compensation expense, which was primarily incurred in conjunction with our initial public offering (IPO). Cash outflows from changes in operating assets and liabilities primarily resulted from a $14.5 million increase in the total deferred commissions balance, a $15.4 million increase in the accounts receivable balance and a $4.5 million increase in the prepaid and other assets balance. The increases in our deferred commissions balance is due to the addition of new customers and renewal of existing contracts during the period while the increase in accounts receivable is due to the timing of billings and collections combined with growth in sales. The increase in prepaid and other assets is primarily due to a payroll tax credit recorded during the current year of $3.2 million and additional director and officer insurance costs. Cash inflows from changes in operating assets and liabilities primarily relate to a $80.1 million increase in the total deferred revenue balance resulting from the sale of additional subscription services under our standard advanced invoicing practices and an $18.4 million increase in accounts payable and accrued expense balances due primarily to increases in payroll related accruals resulting from payment timing and overall headcount growth.
Net cash provided by operating activities during the year ended December 31, 2020 was $44.9 million, which consisted of a net loss of $2.4 million, adjusted for non-cash charges of $26.9 million and net cash inflows of $20.4 million provided by changes in our operating assets and liabilities. Non-cash charges primarily consisted of $5.3 million of stock compensation expense, $14.2 million of amortization of deferred commissions and $11.8 million of depreciation and amortization of our capital assets. Cash outflows from changes in operating assets and liabilities primarily resulted from a $6.7 million increase in the accounts receivable balance and a $8.0 million increase in the total deferred commissions balance. The increase in both accounts receivable and deferred commissions balances is due to the addition of new customers and renewal of existing contracts during the period. The accounts receivable balance is also impacted by the timing of cash collections received. Cash inflows from changes in operating assets and liabilities primarily relate to an $46.7 million increase in the total deferred revenue balance resulting from the sale of additional subscription services under our standard advanced invoicing practices.
Net cash provided by operating activities during the year ended December 31, 2019 was $29.7 million, which consisted of a net loss of $124.3 million, adjusted for non-cash charges of $131.3 million and net cash inflows of $22.7 million provided by changes in our operating assets and liabilities. Non-cash charges primarily consisted of $118.1 million of stock compensation expense, $12.3 million of amortization of deferred commissions and $7.9 million of depreciation and amortization of our capital assets. Cash outflows from changes in operating assets and liabilities primarily resulted from an $11.8 million increase in the accounts receivable balance and a $10.1 million increase in the total deferred commissions balance. The increase in both accounts receivable and deferred
59

commissions balances is due to the addition of new customers and renewal of existing contracts during the period. The accounts receivable balance is also impacted by the timing of cash collections received. Cash inflows from changes in operating assets and liabilities primarily relate to a $55.3 million increase in the total deferred revenue balance resulting from the sale of additional subscription services under our standard advanced invoicing practices.
Investing Activities
Net cash used in investing activities during the year ended December 31, 2021 primarily related to the $11.2 million of net cash paid for the acquisition of MediaPro Holdings, LLC, which closed on March 1, 2021, and the $22.6 million of net cash paid for the acquisition of SecurityAdvisor Technologies, Inc., which closed on November 1, 2021, combined with $2.5 million and $3.0 million of capital expenditures for internal-use software and the purchase of property and equipment, respectively.
Net cash used in investing activities during the year ended December 31, 2020 related to $2.7 million and $5.4 million of capital expenditures for internal-use software and the purchase of property and equipment, respectively.
Net cash used in investing activities during the year ended December 31, 2019 related to $5.0 million of business combinations completed during the year, combined with $5.2 million and $5.6 million of capital expenditures for internal-use software and the purchase of property and equipment, respectively.
Financing Activities
Net cash provided by financing activities during the year ended December 31, 2021 primarily related to $156.0 million of net proceeds received from the issuance of common stock in connection with the IPO, as well as $5.8 million of cash received upon the issuance of common stock from the exercise of stock options and $3.3 million cash received from the issuance of common stock under the employee stock purchase plan. These financing activities proceeds were offset by $12.3 million paid for taxes related to the net share settlement of our outstanding equity instruments and $1.2 million paid to repurchase shares of our common stock, prior to the IPO.
Net cash used in financing activities during the year ended December 31, 2020 primarily related to $4.9 million paid for the repurchase of common stock and options offset by $4.3 million of cash received upon the issuance of common stock from the exercise of stock options.
Net cash used in financing activities during the year ended December 31, 2019 primarily related to a $10.0 million one-time dividend payment issued to our existing shareholders offset by the net impact of the Series C and C-1 Preferred Stock transactions where we received proceeds of $340.4 million for the issuance of preferred stock and paid $339.9 million to repurchase existing common stock and outstanding stock options.
Backlog
Our backlog is made up of remaining performance obligations associated with our customer contracts. These remaining performance obligations represent all future revenue under contract that has not yet been recognized which includes deferred revenue and unbilled amounts.
Indemnification Agreements
Our subscription agreements generally contain standard indemnification obligations. Pursuant to these agreements, we will indemnify, defend and hold the other party harmless with respect to a claim, suit, or proceeding brought against the other party by a third party alleging that our intellectual property infringes upon the intellectual property of the third party, or results from a breach of our representations and warranties or covenants, or that results from any acts of negligence or willful misconduct. The term of these indemnification agreements is generally perpetual any time after the execution of the agreement. Typically, these indemnification provisions do not provide for a maximum potential amount of future payments we could be required to make. However, in the past we have not been obligated to make significant payments for these obligations and no liabilities have been recorded for these obligations on our consolidated balance sheets as of December 31, 2021 or December 31, 2020.
60

We also indemnify our officers and directors for certain events or occurrences, subject to certain limits, while the officer is or was serving at our request in such capacity. The maximum amount of potential future indemnification is unlimited. However, our director and officer insurance policy limits our exposure and enables us to recover a portion of any future amounts paid. Historically, we have not been obligated to make any payments for these obligations and no liabilities have been recorded for these obligations on our consolidated balance sheets as of December 31, 2021 or December 31, 2020.
Critical Accounting Policies and Estimates
We prepare our consolidated financial statements in accordance with GAAP. In the preparation of these consolidated financial statements, we are required to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenue, costs and expenses, and related disclosures. To the extent that there are material differences between these estimates and actual results, our financial condition or results of operations would be affected. We base our estimates on past experience and other assumptions that we believe are reasonable under the circumstances, and we evaluate these estimates on an ongoing basis. We refer to accounting estimates of this type as critical accounting policies and estimates, which we discuss below.
Revenue Recognition
We account for revenue in accordance with Accounting Standards Codification, or ASC, Topic 606 - Revenue from Contracts with Customers, and apply the following five-step approach for considering contracts:
1.Identification of the contract, or contracts, with the customer.
2.Identification of the performance obligations in the contract.
3.Determination of the transaction price.
4.Allocation of the transaction price to the performance obligations in the contract.
5.Recognition of revenue when, or as, we satisfy a performance obligation.
We recognize revenue at the time the related performance obligation is satisfied by transferring the service to a customer in an amount that reflects the consideration we expect to be entitled to in exchange for those services, net of any sales or other tax. Our subscription contracts typically vary from one year to three years and are generally noncancellable and nonrefundable.
Subscription services revenue consists of subscription fees earned from providing access to our cloud-based platform, including support services and feature upgrades, if and when available. Our cloud-based platform also includes training content which can be downloaded by the customer during their subscription term. Our subscription service contracts do not provide customers with the right to take possession of the software operating on the cloud platform and, as a result, are accounted for as service arrangements. Our customers’ ability to access our platform represents a series of distinct services, which fulfills our performance obligation over the subscription term. Accordingly, the amounts invoiced related to the ratable portion of subscription revenue are recorded as deferred revenue and recognized on a straight-line basis over the contract term, beginning on the date that the service is made available to the customer.
Additionally, our customers’ ability to access and download the content hosted within our KMSAT product is considered distinct and accounted for as a separate performance obligation, as our customers benefit from the use of the content independent of the KMSAT product through the download. The portion of the transaction price allocated to the downloadable content performance obligation is recognized as revenue at contract inception when the customer gains access to the downloadable content.
The transaction price is allocated to the separate performance obligations on a relative stand-alone selling price, or SSP, basis. The SSP for the ratable portion of subscription revenue is determined using observable stand-alone sales data, including adjustments for standard discounting practices. As it relates to the content available for download, we determine SSP using an adjusted market assessment approach , which requires significant judgment.
61

The calculation of SSP primarily utilizes suggested royalty rates, assumptions regarding content production costs and other industry pricing data.
Deferred Commissions
We capitalize sales commissions and associated payroll taxes and benefits paid to internal sales personnel that are considered incremental to the acquisition of customer contracts. These costs are recorded as deferred commissions on the consolidated balance sheets upon invoicing to the customer and are paid upon cash collection from the customer. We determine whether costs should be deferred based on sales compensation plans if the commissions are incremental and would not have occurred absent the customer contract. Sales commissions related to an initial subscription contract are considered incremental to the acquisition of the customer contract to the extent that they exceed commissions earned on renewal sales. Sales commissions related to the renewal of a subscription contract are not considered commensurate with the commissions paid for the acquisition of the initial subscription contract given the substantive difference in commission rate between new and renewal contracts.
The portion of commissions paid upon the initial acquisition of a contract that are incremental to acquisition of the customer contract are amortized over an estimated period of benefit of six years. The portion of commissions paid upon initial acquisition that are commensurate with those paid on a renewal contract and commissions paid related to renewal contracts are amortized over the average length of the related revenue contract. An estimate of the portion of commissions related to the downloadable content performance obligation is made, which is recognized at contract inception consistent with the pattern of revenue recognition. This estimate is made in a consistent manner to the SSP allocated to the related portion of revenue, which requires judgment. Judgment is also required when determining the period of benefit for commissions paid for the acquisition of the initial subscription contract. We evaluate both qualitative and quantitative factors including the initial estimated customer life, the technological life of our platform and related significant features, customer attrition and industry practices.
Business Combinations
We allocate the fair value of purchase consideration to the tangible assets acquired, liabilities assumed, and intangible assets acquired based on their estimated fair values. The excess of the fair value of purchase consideration over the fair values of these identifiable assets and liabilities is recorded as goodwill. Such valuations require management to make significant estimates and assumptions, especially with respect to intangible assets. Significant estimates in valuing certain intangible assets include, but are not limited to, future expected cash flows from acquired customers, acquired technology, trade names from a market participant perspective, useful lives and discount rates. Additionally, contingent consideration arrangements are considered to be part of the purchase consideration and are measured at their acquisition date fair value which is determined using complex valuation methodologies. The inputs to the valuation methodologies used to determine management’s estimates of fair value are based upon assumptions believed to be reasonable, but which are inherently uncertain and unpredictable and, as a result, actual results may differ from estimates. During the measurement period, which is one year from the acquisition date, we may record adjustments to the assets acquired and liabilities assumed, with the corresponding offset to goodwill. Upon the conclusion of the measurement period, any subsequent adjustments are recorded in the consolidated statement of operations.
Stock Compensation
Prior to our IPO and before there was an active market for our Class A common stock, we primarily issued stock options and estimated the fair value of those stock options using the Black-Scholes option-pricing model. The most significant estimate utilized in the model was the fair value of our common stock which was historically determined by the board of directors who exercised judgment and considered numerous objective and subjective factors to determine the best estimate of the fair value of our common stock including (i) valuations performed at or near the time of grant; (ii) rights, preferences, and privileges of our redeemable convertible preferred stock relative to those of our common stock; (iii) our actual operating and financial performance at the time of the option grant; (iv) likelihood of achieving a liquidity event, such as an IPO or a merger or acquisition of our business; (v) the value of comparable companies with respect to industry, business model, stage of growth, financial risk or other factors; (vi) our stage of development and future financial projections; (vii) market transactions at or near the time of grant;
62

and (viii) the lack of marketability of our common stock. Following the IPO, there is an active market for our Class A common stock, and we are no longer estimating the fair value of our common stock.
Recent Accounting Pronouncements
See Note 2 to our consolidated financial statements “Summary of Significant Accounting Policies” for more information.
Item 7A. Quantitative and Qualitative Disclosures About Market Risk
We have operations in the United States and internationally and we are exposed to market risk in the ordinary course of business.
Interest Rate Risk
Our cash and cash equivalents primarily consist of cash on hand and highly liquid investments in money market funds, including overnight investments. As of December 31, 2021, we had cash and cash equivalents of $273.7 million. The carrying amount of our cash equivalents reasonably approximates fair value, due to the short maturities of these instruments. The primary objectives of our investment activities are the preservation of capital, the fulfillment of liquidity needs and the fiduciary control of cash and investments. We do not enter into investments for trading or speculative purposes. Our investments are exposed to market risk due to fluctuations in interest rates, which may affect our interest income and the fair market value of our investments. However, due to the short-term nature of our investment portfolio, we do not believe an immediate 10% increase or decrease in interest rates would have a material effect on the fair market value of our portfolio. We therefore do not expect our operating results or cash flows to be materially affected by a sudden change in market interest rates.
Foreign Currency Risk
The vast majority of our sales contracts are denominated in U.S. dollars, with a small number of contracts denominated in foreign currencies. A portion of our operating expenses are incurred outside the United States, denominated in foreign currencies and subject to fluctuations due to changes in foreign currency exchange rates, particularly changes in the British Pound, Euro, Brazilian Real and South African Rand. Additionally, fluctuations in foreign currency exchange rates may cause us to recognize transaction gains and losses in our consolidated statements of operations. During the years ended December 31, 2021, 2020 and 2019, a hypothetical 10% change in foreign currency exchange rates applicable to our business would not have had a material impact on our consolidated financial statements. As the impact of foreign currency exchange rates has not been material to our historical operating results, we have not entered into derivative or hedging transactions, but we may do so in the future if our exposure to foreign currency becomes more significant.
63

Item 8. Financial Statements and Supplementary Data
INDEX TO CONSOLIDATED FINANCIAL STATEMENTS
Page
KnowBe4, Inc. Consolidated Financial Statements
64

REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM
To the Stockholders and Board of Directors
KnowBe4, Inc.:
Opinion on the Consolidated Financial Statements
We have audited the accompanying consolidated balance sheets of KnowBe4, Inc. and subsidiaries (the Company) as of December 31, 2021 and 2020, the related consolidated statements of operations, comprehensive loss, stockholders’ equity (deficit), and cash flows for each of the years in the three‑year period ended December 31, 2021, and the related notes (collectively, the consolidated financial statements). In our opinion, the consolidated financial statements present fairly, in all material respects, the financial position of the Company as of December 31, 2021 and 2020, and the results of its operations and its cash flows for each of the years in the three‑year period ended December 31, 2021, in conformity with U.S. generally accepted accounting principles.
Basis for Opinion
These consolidated financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on these consolidated financial statements based on our audits. We are a public accounting firm registered with the Public Company Accounting Oversight Board (United States) (PCAOB) and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing procedures to assess the risks of material misstatement of the consolidated financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the consolidated financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the consolidated financial statements. We believe that our audits provide a reasonable basis for our opinion.
/s/ KPMG
We have served as the Company’s auditor since 2017.
Tampa, Florida
March 10, 2022
65

KNOWBE4, INC.
CONSOLIDATED BALANCE SHEETS
(in thousands, except share and per share amounts)
December 31, 2021December 31, 2020
Assets
Current assets
Cash and cash equivalents$273,723 $85,582 
Accounts receivable, net of allowance for doubtful accounts54,071 38,664 
Current portion of deferred commissions17,842 13,177 
Prepaid and other current assets10,580 6,124 
Total current assets356,216 143,547 
Deferred commissions, net of current portion33,869 24,022 
Capitalized software and content, net27,074 15,523 
Property and equipment, net9,120 10,284 
Operating lease right of use assets, net12,998 12,067 
Intangible assets, net7,992 2,985 
Goodwill89,329 8,605 
Other assets1,080 1,177 
Total assets
537,678 218,210 
Liabilities and stockholders’ equity (deficit)
Current liabilities:
Accounts payable and accrued expenses37,642 19,265 
Current portion of deferred revenue184,496 127,043 
Current portion of operating lease liabilities2,938 2,651 
Total current liabilities225,076 148,959 
Non-current liabilities:
Deferred revenue, net of current portion81,278 58,653 
Operating lease liabilities, net of current portion10,484 9,766 
Other non-current liabilities3,573 3,991 
Total liabilities
320,411 221,369 
Stockholders’ equity (deficit)
Preferred stock, $0.00001 par value, 0 shares authorized, issued, and outstanding at December 31, 2021 and 114,164,600 shares authorized, issued and outstanding (Liquidation value $384.5 million) at December 31, 2020, respectively
— — 
Common stock, $0.00001 par value, 0 shares authorized, issued, and outstanding at December 31, 2021 and 176,000,000 shares authorized; and 42,279,000 shares issued and outstanding at December 31, 2020, respectively
— — 
Common stock, Class A, 0.00001 par value, 1,000,000,000 shares authorized; and 66,335,930 shares issued and outstanding at December 31, 2021 and 0 shares authorized, issued and outstanding at December 31, 2020, respectively
— 
Common stock, Class B, $0.00001 par value, 500,000,000 shares authorized; and 107,936,779 shares issued and outstanding at December 31, 2021 and 0 shares authorized, issued and outstanding at December 31, 2020, respectively
— 
Additional paid-in capital391,803 158,483 
Accumulated deficit(173,148)(161,303)
Accumulated other comprehensive loss(1,391)(339)
Total stockholders’ equity (deficit)217,267 (3,159)
Total liabilities and stockholders’ equity (deficit)$537,678 $218,210 
The accompanying notes are an integral part of these consolidated financial statements.
66

KNOWBE4, INC.
CONSOLIDATED STATEMENTS OF OPERATIONS
(in thousands, except share and per share amounts)
Year Ended December 31,
202120202019
Revenues, net$246,298 $174,886 $120,575 
Cost of revenues35,115 26,730 20,579 
Gross profit211,183 148,156 99,996 
Operating expenses:
Sales and marketing107,519 82,188 69,090 
Technology and development28,110 19,804 10,662 
General and administrative82,142 47,706 145,776 
Total operating expenses217,771 149,698 225,528 
Operating loss(6,588)(1,542)(125,532)
Other income (expense):
Interest income57 197 799 
Interest expense(396)(60)(47)
Other (expense) income(1,030)807 90 
Loss before income tax (expense) benefit(7,957)(598)(124,690)
Income tax (expense) benefit(3,888)(1,832)367 
Net loss$(11,845)$(2,430)$(124,323)
Net loss per share, basic and diluted(1)
$(0.10)$(0.06)$(1.91)
Weighted-average shares used in calculating basic and diluted net loss per share116,938,683 42,049,840 66,958,400 
________________
(1)For the year ended December 31, 2021, basic and diluted loss per share for Class A and Class B common stock are the same.

The accompanying notes are an integral part of these consolidated financial statements.
67

KNOWBE4, INC.
CONSOLIDATED STATEMENTS OF COMPREHENSIVE LOSS
(in thousands)
Year Ended December 31,
202120202019
Net loss$(11,845)$(2,430)$(124,323)
Other comprehensive (loss) income:
Net change in foreign currency translation adjustments(1,052)90 23 
Other comprehensive (loss) income:(1,052)90 23 
Total comprehensive loss$(12,897)$(2,340)$(124,300)
The accompanying notes are an integral part of these consolidated financial statements.
68

KNOWBE4, INC.
CONSOLIDATED STATEMENTS OF STOCKHOLDERS’ EQUITY (DEFICIT)
(in thousands, except shares)
Convertible Preferred StockCommon StockCommon Stock, Class ACommon Stock, Class BAdditional Paid In CapitalAccumulated Other Comprehensive (Loss) IncomeAccumulated DeficitTotal
SharesAmountSharesAmountSharesAmountSharesAmount
Balance, December 31, 201855,245,840 $— 92,097,360 $— — $— — $— $45,523 $(452)$(34,550)$10,521 
Issuance of common stock for exercise of stock options— $— 9,402,120 $— — $— — $— $353 $— $— $353 
Repurchase of common stock— $— (59,412,200)$— — $— — $— $(339,880)$— $— $(339,880)
Dividends paid— $— — $— — $— — $— $(10,000)$— $— $(10,000)
Issuance of Preferred Stock, Series C6,511,400 $— — $— — $— — $— $31,163 $— $— $31,163 
Issuance of Preferred Stock, Series C-152,407,360 $— — $— — $— — $— $309,230 $— $— $309,230 
Stock compensation expense— $— — $— — $— — $— $117,898 $— $— $117,898 
Other comprehensive income, net— $— — $— — $— — $— $— $23 $— $23 
Net loss— $— — $— — $— — $— $— $— $(124,323)$(124,323)
Balance, December 31, 2019114,164,600 $— 42,087,280 $— — $— — $— $154,287 $(429)$(158,873)$(5,015)
Issuance of common stock for exercise of stock options— $— 328,600 $— — $— — $— $220 $— $— $220 
Issuance of common stock— $— 731,760 $— — $— — $— $4,274 $— $— $4,274 
Repurchase of common stock— $— (868,640)$— — $— — $— $(5,579)$— $— $(5,579)
Stock compensation expense— $— — $— — $— — $— $5,281 $— $— $5,281 
Other comprehensive income— $— — $— — $— — $— $— $90 $— $90 
Net loss— $— — $— — $— — $— $— $— $(2,430)$(2,430)
Balance, December 31, 2020
114,164,600 $— 42,279,000 $— — $— — $— $158,483 $(339)$(161,303)$(3,159)
Issuance of common stock for exercise of stock options— — 274,720 — — — 4,333,816 5,773— — 5,774 
Issuance of common stock under the employee stock purchase plan— — — — 239,937 — — — 3,339— — 3,339 
Issuance of common stock for business combinations— — 1,245,440 — 1,194,957 — — — 53,653— — 53,653 
Repurchase of common stock— — (97,600)— — — — — (181)— — (181)
Conversion of convertible preferred stock and previously authorized common stock to Class B common stock(114,164,600)— (43,701,560)— — — 157,866,160 — — — 
Issuance of common stock, Class A in connection with initial public offering, net of underwriting discounts and issuance costs— — — — 10,425,000 — — — 153,796 — — 153,796 
Issuance of common stock from vesting of restricted stock units— — — — 1,016,959 — — — — — — — 
Conversion of Class B common stock to Class A common stock— — — — 53,900,456 (53,900,456)(1)— — — — 
Taxes paid related to net share settlement of equity awards— — — — (441,379)— (362,741)— (12,253)— — (12,253)
Stock compensation expense— — — — — — — — 29,193— — 29,193 
Other comprehensive loss— — — — — — — — — (1,052)— (1,052)
Net loss— — — — — — — — — — (11,845)(11,845)
Balance, December 31, 2021
— $— — $— 66,335,930 $107,936,779 $$391,803 $(1,391)$(173,148)$217,267 
The accompanying notes are an integral part of these consolidated financial statements.
69

KNOWBE4, INC.
CONSOLIDATED STATEMENTS OF CASH FLOWS
(in thousands)
Year Ended December 31,
202120202019
Cash flows from operating activities:
Net loss$(11,845)$(2,430)$(124,323)
Adjustments to reconcile net loss to net cash from operating activities:
Additions to capitalized content(6,914)(5,215)(6,368)
Depreciation and amortization expense13,639 11,762 7,898 
Deferred commissions amortization19,474 14,238 12,279 
Stock compensation expense29,347 5,281 118,147 
Other, net2,155 848 (664)
Changes in operating assets and liabilities:
Accounts receivable(14,415)(6,978)(11,403)
Deferred commissions(34,340)(22,161)(22,375)
Prepaid and other assets(6,200)679 (3,645)
Accounts payable and other liabilities9,292 2,328 4,938 
Deferred revenue76,585 46,512 55,234 
Net cash provided by operating activities76,778 44,864 29,718 
Cash flows from investing activities:
Business combinations, net of cash acquired(33,824)— (4,970)
Purchases of property and equipment(3,010)(5,426)(5,573)
Capitalized internal-use software costs(2,506)(2,682)(5,223)
Net cash used in investing activities(39,340)(8,108)(15,766)
Cash flows from financing activities:
Dividends paid— — (10,000)
Proceeds from the exercise of stock options5,774 220 353 
Proceeds from issuance of common stock under the employee stock purchase plan3,339 — — 
Repurchase of common stock and options(1,171)(4,857)(339,880)
Proceeds from the issuance of preferred stock, net of issuance costs— — 340,393 
Proceeds from the issuance of common stock155,958 4,274 — 
Acquisition-related contingent consideration payments(375)(252)(478)
Proceeds from finance lease obligations— 214 — 
Payments for finance lease obligations(40)(35)— 
Taxes paid for the net share settlement of restricted stock units(12,253)— — 
Net cash provided by (used in) financing activities151,232 (436)(9,612)
Effect of exchange rate changes on cash and cash equivalents(529)398 (49)
Net change in cash and cash equivalents$188,141 $36,718 $4,291 
Cash and cash equivalents, beginning of period$85,582 $48,864 $44,573 
Cash and cash equivalents, end of period$273,723 $85,582 $48,864 
The accompanying notes are an integral part of these consolidated financial statements.
70

KNOWBE4, INC.
CONSOLIDATED STATEMENTS OF CASH FLOWS (CONTINUED)
SUPPLEMENTAL CASH FLOW DISCLOSURES
(in thousands)
Year Ended December 31,
202120202019
Supplemental disclosure of cash flow information:
Cash paid for taxes$2,637 $101 $16 
Supplemental disclosure of noncash investing and financing activities:
Capital expenditures and other assets included in accounts payable and accrued expenses$574 $875 $1,723 
Stock compensation recorded as liability$— $991 $249 
The accompanying notes are an integral part of these consolidated financial statements.
71

KNOWBE4, INC.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
Note 1 – Description of Business
KnowBe4, Inc. (“KnowBe4” or the “Company”), was incorporated in Delaware in January 2016 and is the successor to operations which began in August 2010. The Company is currently headquartered in Clearwater, Florida.
The Company provides a comprehensive platform incorporating security awareness training and simulated phishing with advanced analytics and reporting that helps organizations manage the ongoing problem of social engineering. Additional offerings on the Company’s platform include a security orchestration, automation and response or “SOAR” tool and a governance, risk and compliance or “GRC” product, both of which further the Company’s goal of providing products focused on meeting the needs of information security professionals. KnowBe4 conducts business globally and its platform is available as a software as a service (“SaaS”) subscription.
Stock Split
On April 9, 2021, the Company effected a 40-for-1 forward stock split of its authorized, issued and outstanding capital stock. All share and per share amounts presented in the accompanying consolidated financial statements have been retrospectively adjusted to reflect the forward stock split for all periods presented.
Initial Public Offering
As further described in Note 11 “Stockholders’ Equity”, in April 2021, the Company completed an initial public offering (“IPO”) of its Class A common stock.
Note 2 – Summary of Significant Accounting Policies
a.Basis of Presentation and Consolidation
The Company’s consolidated financial statements and accompanying notes include the accounts of the Company and its wholly-owned subsidiaries and have been prepared in accordance with United States generally accepted accounting principles (“U.S. GAAP”). All intercompany balances and transactions have been eliminated in consolidation. Certain prior period amounts within the accompanying consolidated balance sheets reflect an immaterial error correction and have been reclassified. The consolidated balance sheet as of December 31, 2020 differs from the previously filed Form S-1 as they reflect an adjustment to reclassify amounts from noncurrent deferred revenue to current deferred revenue.
b.Use of Estimates
The preparation of consolidated financial statements in conformity with U.S. GAAP requires management to make estimates and assumptions that affect the amounts reported and disclosed in the Company’s consolidated financial statements and accompanying notes. Estimates and assumptions used by management primarily affect revenue recognition, deferred commissions, fair value of net assets acquired in business combinations, common stock valuations (prior to the Company's IPO) and stock compensation expense.
These estimates are based on information available as of the date of the consolidated financial statements. On an ongoing basis, the Company evaluates these assumptions, judgments and estimates. Actual results may differ materially from these estimates.
c.Operating Segments
The Company operates as a single operating segment, which engages in the development, marketing and sale of the Company’s SaaS-based security awareness platform. Operating segments are defined as components of an enterprise for which separate financial information is evaluated regularly by the chief operating decision maker in deciding how to allocate resources and assess performance. The Company’s chief operating decision maker is the
72

Chief Executive Officer, who is responsible for evaluating the Company’s financial results, evaluating the Company’s resources and assessing the performance of the operations on a consolidated basis.
d.Cash and Cash Equivalents
The Company considers all investments purchased with an original maturity of 90 days or less to be cash equivalents. Cash and cash equivalents include $180.2 million and $22.5 million of overnight money market mutual funds at December 31, 2021 and 2020, respectively. The carrying amount of such cash equivalents approximates their fair value due to the short-term and highly liquid nature of these instruments.
e.Accounts Receivable
Accounts receivable represents amounts owed to the Company for subscriptions to the Company’s platform and unbilled receivables representing the Company’s unconditional right to consideration for subscription contracts for which revenue has been earned in excess of the amount invoiced. Accounts receivable balances are recorded at the invoiced amount and are non-interest bearing.
The Company maintains an allowance for doubtful accounts based on future expected credit losses measured over the contractual term of the receivable. Management regularly reviews the adequacy of the allowance for doubtful accounts by considering various factors including the age of each outstanding invoice, each customer’s expected ability to pay, historical loss rates and expectations of forward-looking loss estimates to determine whether the allowance is appropriate. The Company writes off accounts receivable balances to the allowance for doubtful accounts when the Company has exhausted all collection efforts. As of December 31, 2021 and 2020, the allowance for doubtful accounts was $0.5 million and $0.4 million, respectively. Allowance activity for the periods was not material to the consolidated financial statements.
f.Deferred Commissions
The Company capitalizes sales commissions and associated benefits and payroll taxes paid to internal sales personnel that are considered incremental costs to acquire a customer contract. These costs are classified as deferred commissions on the consolidated balance sheets. Sales commissions related to an initial subscription contract are considered incremental to the acquisition of the customer contract to the extent that they exceed commissions earned on renewal sales. Sales commissions related to the renewal of a subscription contract are not considered commensurate with the commissions paid for the acquisition of the initial subscription contract given the substantive difference in commission rate between new and renewal contracts. The portion of commissions paid upon the initial acquisition of a contract that are incremental to acquisition of the customer contract are amortized over an estimated period of benefit of six years. The portion of commissions paid upon initial acquisition that are commensurate with those paid on a renewal contract and commissions paid related to renewal contracts are amortized over the average length of the related revenue contract. An estimate of the portion of commissions related to the downloadable content performance obligation is made, which is recognized at contract inception consistent with the pattern of revenue recognition. The estimated period of benefit for commissions paid for the acquisition of the initial subscription contract is determined based on qualitative and quantitative factors including the initial estimated customer life, the technological life of the Company’s platform and related significant features, customer attrition and industry practices. Amortization of deferred sales commissions is included in sales and marketing expense in the accompanying consolidated statements of operations. 
g.Property and Equipment, Net
Property and equipment are stated at cost, net of accumulated depreciation. Depreciation is calculated on a straight-line basis over the estimated useful lives of the assets, as follows:
Computers and equipment3 years
Furniture and fixtures
5 - 7 years
Leasehold improvements
shorter of lease term or 5 years
73

Expenditures which significantly add to productive capacity or extend the useful life of an asset are capitalized. Maintenance and repairs to property and equipment are expensed as incurred. When assets are retired or otherwise disposed of, the cost and accumulated depreciation is removed from the accounts and gains or losses, if any, are recorded in other expenses.
h.Capitalized Software and Content, Net
The Company capitalizes costs incurred related to the development of internal use software during the application development stage. These capitalized costs are primarily related to the development of the Company’s security awareness platform. Costs are capitalized to develop new internal use software or to significantly increase the functionality of existing software. Additionally, the Company records acquired internal-use software and technology assets within the capitalized software and content caption on its consolidated balance sheets. Capitalized software costs are amortized on a straight-line basis over the software’s estimated useful life of three to six years. Management evaluates the useful lives of these assets on an annual basis and tests for impairment whenever events or changes in circumstances occur that could impact the recoverability of these assets. There were no impairments of capitalized internal use software during the years ended December 31, 2021 or 2020.
The Company also capitalizes costs related to the production of its training content, which includes interactive modules, movie series, videos, games and other content. Costs associated with the production of content, including development costs, direct costs and production overhead, are capitalized. Capitalized content is amortized over the estimated period of use, which generally ranges from three to seven years. The Company’s business model is subscription based, therefore, capitalized content is reviewed in the aggregate when an event or change in circumstances indicates a change in the expected usefulness of the content. To date, we have not identified any such event or change in circumstances. If such changes are identified in the future, capitalized content will be stated at the lower of unamortized cost, net realizable value or fair value. In addition, unamortized costs for assets that have been, or are expected to be, abandoned are written off.
i.Goodwill and Intangible Assets
Goodwill represents the excess of the purchase price in a business combination over the estimated fair value of identifiable net assets acquired. The Company evaluates and tests the recoverability of goodwill for impairment at least annually, on October 1, or more frequently if circumstances indicate that goodwill may not be recoverable. The Company performs the impairment testing by first assessing qualitative factors to determine whether the existence of events or circumstances leads to a determination that it is more likely than not that the fair value of its single reporting unit is less than its carrying amount. In assessing the qualitative factors, the Company considers the impact of certain key factors including macroeconomic conditions, industry and market considerations, changes in management, litigation or regulatory matters, changes in enterprise value, and overall financial performance. If, after assessing the totality of events or circumstances, the Company determines it is more likely than not that the fair value of the reporting unit is less than its carrying amount, the Company calculates the estimated fair value of the reporting unit and any excess of the carrying amount over fair value is recognized as a goodwill impairment loss. Based on the results of the qualitative goodwill impairment analyses, the Company has determined there were no triggering events indicating impairment of goodwill during the years ended December 31, 2021 or 2020.
Intangible assets consist of both definite-lived intangible assets, primarily acquired content, customer relationships, patents, trademarks and domain names, and indefinite-lived trade name intangible assets. Definite-lived intangible assets are amortized on a straight-line basis over their estimated useful lives, as follows:
Acquired content
3 - 4 years
Customer relationships
4 - 6 years
Other Intangibles
3 - 10 years
Patents20 years
74

j.Impairment of Intangible and Other Long-Lived Assets
The Company performs an impairment review of long-lived assets, including property and equipment and both definite and indefinite-lived intangible assets, whenever events or changes in circumstances indicate that the carrying value may not be recoverable, in accordance with the respective accounting standards. If the Company determines that the carrying value of an asset group may not be recoverable, the Company measures recoverability by comparing the carrying amount of the asset group to the future undiscounted cash flows it expects the asset group to generate. If the Company considers any of these assets to be impaired, the impairment to be recognized equals the amount by which the carrying value of the asset exceeds its fair value. In addition, the Company periodically evaluates the estimated remaining useful lives of long-lived assets to determine whether events or changes in circumstances warrant a revision to the remaining period of depreciation or amortization. No impairment indicators were identified and no impairment charges were recorded during the years ended December 31, 2021 or 2020.
k.Leases
The Company determines whether an arrangement is or contains a lease at inception and classifies its leases at commencement. Operating leases with initial terms of twelve months or greater are included in operating lease right-of-use (“ROU”) assets and operating lease liabilities in the consolidated balance sheets.
ROU assets represent the Company’s right to use underlying assets over the term of the lease and lease liabilities represent the Company’s contractual obligation to make lease payments over the lease term. Operating lease ROU assets and lease liabilities are recognized at the commencement date based on the present value of the lease payments over the lease term. Operating lease ROU assets also include any unamortized initial direct costs and any prepayments less any unamortized lease incentives received. As the Company’s leases do not provide an implicit rate for use in determining the present value of future payments, the Company uses its incremental borrowing rate. Options to extend or terminate a lease are included in the ROU asset and lease liability when it is reasonably certain that the Company will exercise the option.
Lease expense for minimum lease payments for operating leases is recognized on a straight-line basis over the lease term and is included in operating expenses within the consolidated statements of operations. Variable lease costs represent non-lease components, namely common area maintenance and taxes, that are not fixed and are expensed as incurred.
l.Income Taxes
The Company uses the asset and liability method of accounting for income taxes. Under this method, deferred tax assets and liabilities are determined based on temporary differences between the financial statement and tax bases of assets and liabilities using enacted tax rates in effect for the year in which the differences are expected to reverse.
The Company’s tax positions are subject to income tax audits by certain tax jurisdictions throughout the world. The Company recognizes the tax benefit of an uncertain tax position only if it is more likely than not that the position will be sustainable upon examination by the taxing authority. The tax benefit recognized is measured as the largest amount of benefit which is greater than 50 percent likely to be realized upon settlement with the taxing authority. The Company recognizes interest accrued and penalties related to unrecognized tax benefits in the income tax (benefit) provision.
Valuation allowances are established when necessary to reduce deferred tax assets to the amounts that are more likely than not expected to be realized based on the weighting of positive and negative evidence. Future realization of deferred tax assets ultimately depends on the existence of sufficient taxable income of the appropriate character (for example, ordinary income or capital gain) within the carryback or carryforward periods available under the applicable tax law. The Company regularly reviews the deferred tax assets for recoverability based on historical taxable income, projected future taxable income, the expected timing of the reversals of existing temporary differences and tax planning strategies. The Company’s judgments regarding future profitability may change due to many factors, including future market conditions and the ability to successfully execute its business plans and/or tax
75

planning strategies. Should there be a change in the ability to recover deferred tax assets, the tax provision would increase or decrease in the period in which the assessment is changed.
m.Foreign Currency Transactions
The functional currency of the Company’s subsidiaries is determined based on the primary economic environment in which the subsidiary operates. Assets and liabilities of its non-U.S. dollar functional currency subsidiaries are translated into U.S. dollars using exchange rates in effect at the end of each period and revenues and expenses are translated at the average exchange rate for the period. Gains and losses from these translations are recognized as cumulative translation adjustments and included in accumulated other comprehensive loss.
The Company remeasures monetary assets and liabilities that are not denominated in the functional currency at average exchange rates in effect during each period. Gains and losses from these remeasurement adjustments are recognized within other income (expense).
n.Revenue Recognition
The Company derives substantially all of its revenue from subscription services fees paid by customers for access to the Company’s cloud-based platform and content. The Company applies the following five-step approach for considering contracts:
identification of the contract, or contracts, with the customer;
identification of the performance obligations in the contract;
determination of the transaction price;
allocation of the transaction price to the performance obligations in the contract; and
recognition of revenue when, or as, the Company satisfies a performance obligation.
The Company recognizes revenue at the time the related performance obligation is satisfied by transferring the service to a customer in an amount that reflects the consideration the Company expects to be entitled to in exchange for those services, net of any sales or other tax. The Company’s subscription contracts typically vary from one year to three years and are generally noncancellable and nonrefundable.
Subscription service revenue consists of subscription fees earned from providing access to the Company’s cloud-based platform, including support services and feature upgrades, if and when available. The Company’s cloud-based platform also includes training content which can be downloaded by the customer during their subscription term. The subscription service contracts do not provide customers with the right to take possession of the software operating on the cloud platform and, as a result, are accounted for as service arrangements. Access to the platform represents a series of distinct services that the Company continually provides access to, which fulfills its obligation to the end customer over the subscription term. This series of distinct services represents a single performance obligation that is satisfied over time. Accordingly, the amounts allocated to the ratable portion of subscription revenue are recorded as deferred revenue and recognized on a straight-line basis over the contract term, beginning on the date that the service is made available to the customer. Amounts expected to be recognized within one year of the balance sheet date are classified within current liabilities and the remaining portion is classified in long-term liabilities.
The customers’ ability to access and download content throughout their subscription term is considered distinct and accounted for as a separate performance obligation. The portion of the transaction price allocated to the downloadable content performance obligation is recognized as revenue at contract inception when the customer gains access to the downloadable content.
The transaction price is allocated to the separate performance obligations on a relative stand-alone selling price, or SSP, basis. The SSP for the ratable portion of subscription revenue is determined using observable stand-alone sales data, including adjustments for standard discounting practices. As it relates to the content available for
76

download, we determine SSP using an adjusted market assessment approach , which requires significant judgment. The calculation of SSP primarily utilizes suggested royalty rates, assumptions regarding content production costs and other industry pricing data.
o.Cost of Revenues
Cost of revenues consists of certain direct costs associated with delivering the Company’s platform and includes hosting fees as well as amortization of capitalized internal-use software and content and allocated overhead. Cost of revenues also includes personnel costs, including salaries, benefits, bonuses, and stock compensation, for employees who provide support services to customers.
p.Stock Compensation
The Company measures and recognizes compensation expense for all stock-based awards based on the estimated fair value of the award on the date of grant. Following the Company’s IPO, stock awards primarily consist of time and performance-based restricted stock units (“RSUs”). The grant date fair value of RSUs is measured at the grant date closing stock price and expense is recognized on a straight-line basis over the vesting period of the award, which is generally three years, and net of forfeitures, which are recorded as incurred.
Performance-based RSUs vest, if at all, based on internal performance targets in effect during the year of grant. Stock compensation expense related to these awards is initially based on the number of shares that would vest if the Company achieved 100% of the performance target, which is the intended outcome at the grant date. Throughout the requisite service period, which is generally three years, management monitors the probability of achievement of the performance target. If it becomes probable that more or less than the current estimate of awarded shares will vest, an adjustment to stock compensation expense will be recognized as a change in accounting estimate in the period that such probability changes.
Stock compensation expenses related to the Company’s Employee Stock Purchase Plan (“ESPP”) are based on the grant date fair value using the Black-Scholes option-pricing model. These expenses are recognized on a straight-line basis over the offering period, which is generally 6 months unless otherwise determined by the Company’s board of directors or compensation committee. The ESPP allows eligible employees to purchase shares of the Company’s Class A common stock at a 15.0% discount from the lesser of the fair market value of our common stock on (i) the first trading day of the applicable offering period or (ii) the last trading day of the purchase period in the applicable offering period.
Prior to the Company’s IPO and before there was an active market for the Company’s Class A common stock, the Company primarily issued stock options and estimated the fair value of its stock options using the Black-Scholes option-pricing model. The most significant estimate utilized in the model was the fair value of the Company’s common stock which was historically determined by our board of directors who exercised judgment and considered numerous objective and subjective factors to determine the best estimate of the fair value of our common stock including (i) valuations performed at or near the time of grant; (ii) rights, preferences, and privileges of our redeemable convertible preferred stock relative to those of our common stock; (iii) our actual operating and financial performance at the time of the option grant; (iv) likelihood of achieving a liquidity event, such as an initial public offering or a merger or acquisition of our business; (v) the value of comparable companies with respect to industry, business model, stage of growth, financial risk or other factors; (vi) our stage of development and future financial projections; (vii) market transactions at or near the time of grant; and (viii) the lack of marketability of our common stock. Following the IPO, there is an active market for the Company’s Class A common stock, and the Company is no longer estimating the fair value of its common stock.
q.401(k) Plan
The Company maintains a tax-qualified retirement plan, or the 401(k) plan, that provides eligible employees with an opportunity to save for retirement on a tax-advantaged basis. Eligible employees are able to participate in the 401(k) plan as of the first day of the month following the date they meet the 401(k) plan’s eligibility requirements, and participants are able to defer up to 100% of their eligible compensation subject to applicable annual Internal Revenue Code limits. All participants’ interests in their deferrals are 100% vested when contributed and the
77

Company’s matching contributions are 100% vested following one year of service. The Company contracted with a third-party provider to act as a custodian and trustee, and to process and maintain the records of participant data. For the years ended December 31, 2021, 2020 and 2019, the Company made contributions to the 401(k) Plan of $1.3 million, $2.4 million and $1.2 million, respectively.
r.Advertising
Advertising costs are expensed as incurred. Advertising expenses were $14.4 million, $13.3 million and $12.2 million for the years ended December 31, 2021, 2020 and 2019, respectively. These costs are included within sales and marketing expenses in the accompanying consolidated statements of operations.
s.Research and Development Costs
Research and development costs are expensed when incurred, except for certain internal-use software development costs, which may be capitalized as noted above. Research and development expenses consist primarily of personnel and related headcount costs, costs of professional services associated with the ongoing development of the Company’s technology, and allocated overhead and are recorded within technology and development expense in the accompanying consolidated statements of operations.
t.Net Loss per Share
Basic and diluted net loss per share is presented in conformity with the two-class method required for participating securities. Prior to the IPO, the Company considered all series of its convertible preferred stock to be participating securities. Net loss was not allocated to the convertible preferred stock as the holders of the convertible preferred stock do not have a contractual obligation to share in any losses. Since the completion of the IPO, the Company considers shares of Class B common stock to be participating securities, since each share of Class B common stock is convertible into one share of Class A common stock at the option of the holder. Net income is attributed to common stockholders and participating securities based on their participation rights.
Basic net loss per share is computed by dividing the net loss by the weighted-average number of shares of common stock outstanding during the period. Diluted earnings per share is computed by giving affect to all potentially dilutive common stock equivalents to the extent they are dilutive. As the Company has reported losses for all periods presented, all potentially dilutive securities are antidilutive and, accordingly, basic net loss per share equals diluted net loss per share.
u.Business Combinations
The Company includes the results of operations of the businesses that it acquires as of the respective dates of acquisition. The Company allocates the fair value of the purchase price of its acquisitions to the assets acquired and liabilities assumed based on their estimated fair values at the date of acquisition. The excess of the fair value of the purchase price over the fair values of these identifiable assets and liabilities is recorded as goodwill. Such valuations require management to make significant estimates and assumptions, especially with respect to intangible assets. Significant estimates in valuing certain intangible assets include, but are not limited to, future expected cash flows from acquired customers, acquired technology, the value of trade names from a market participant perspective, useful lives and discount rates. Management’s estimates of fair value are based upon assumptions believed to be reasonable, but which are inherently uncertain and, as a result, actual results may differ from estimates. During the measurement period, which may be up to one year from the acquisition date, the Company may record adjustments to the fair value of assets acquired and liabilities assumed. Upon conclusion of the measurement period or final determination of the fair value of assets acquired or liabilities assumed, whichever comes first, any subsequent adjustments are recorded to the Company’s consolidated statements of operations. Transaction costs associated with business combinations are expensed as incurred, and are included in general and administrative expense in the Company’s consolidated statements of operations.
78

v.Concentrations of Credit Risk and Significant Customers
The Company’s financial instruments that are exposed to concentrations of credit risk consist primarily of cash and cash equivalents and accounts receivable. The Company’s cash deposits typically exceed the federally insured limits. Collateral is not required for accounts receivable.
No single customer accounted for more than ten percent of total revenue during the years ended December 31, 2021, 2020 and 2019. Additionally, no single customer accounted for more than ten percent of accounts receivable at December 31, 2021 or 2020.
w.Fair Value Measurement
Assets and liabilities recorded at fair value in the consolidated financial statements are categorized based upon the level of judgment associated with the inputs used to measure their fair value. The lowest level of significant input determines the placement of the fair value measurement within the following hierarchical levels:
Level 1: Observable inputs that reflect quoted prices (unadjusted) for identical assets or liabilities in active markets.
Level 2:  Other inputs that are directly or indirectly observable in the marketplace.
Level 3:  Unobservable inputs which are supported by little or no market activity.
The following tables present information about the Company’s financial assets and liabilities that are measured at fair value and indicate the fair value hierarchy of the valuation inputs used (in thousands):
December 31, 2021
Quoted Prices in Active Markets for Identical Assets
(Level 1)		Significant Other
Observable
Inputs
(Level 2)		Significant
Unobservable
Inputs
(Level 3)		Total
Assets:
Cash equivalents:
Money market mutual funds$180,170 $— $— $180,170 
Total assets$180,170 $— $— $180,170 
Liabilities:
Accounts payable and accrued expenses:
Contingent consideration$— $— $5,000 $5,000 
Total liabilities$— $— $5,000 $5,000 
December 31, 2020
Quoted Prices in Active Markets for Identical Assets
(Level 1)		Significant Other
Observable
Inputs
(Level 2)		Significant
Unobservable
Inputs
(Level 3)		Total
Assets:
Cash equivalents:
Money market mutual funds$22,479 $— $— $22,479 
Total assets$22,479 $— $— $22,479 
Liabilities:
Accounts payable and accrued expenses:
Contingent consideration$— $— $350 $350 
Total liabilities$— $— $350 $350 
79

The Company’s contingent consideration liabilities were initially measured using (1) a probability estimate of achieving the contingency and (2) a Monte Carlo simulation utilizing future revenue projections, a risk-adjusted discount rate and performance volatility assumptions both of which involve inherent uncertainties.
The carrying amounts of certain financial instruments, including cash held in banks, accounts receivable, and accounts payable, approximate fair value due to their short-term maturities and are excluded from the fair value tables above.
There were no transfers between levels during the years ended December 31, 2021, 2020 or 2019.
x.Recent Accounting Pronouncements
Recently Adopted Accounting Pronouncements
In December 2019, the FASB issued ASU No. 2019-12, Income Taxes (Topic 740): Simplifying the Accounting for Income Taxes, (“ASU 2019-12”), which removes certain exceptions related to the approach for intraperiod tax allocation, the methodology for calculating income taxes in an interim period and the recognition of deferred tax liabilities for outside basis differences. ASU 2019-12 also amends other aspects of the guidance to help simplify and promote consistent application of US GAAP. The guidance is effective for interim and annual periods beginning after December 15, 2020, with early adoption permitted. The Company adopted ASU 2019-12 on January 1, 2021 and the adoption was not material to the Company’s consolidated financial statements.
Note 3 - Revenue, Deferred Revenue and Remaining Performance Obligations
The following table summarizes revenue recognized from performance obligations delivered to customers which relate to (i) subscription services that are recognized ratably over the term of the contract and (ii) subscription revenue allocated to downloadable content which is recognized at a point in time, as follows (in thousands):
Year Ended December 31,
202120202019
Ratable portion of subscription revenue$212,128 $148,977 $100,084 
Subscription revenue allocated to downloadable content34,170 25,909 20,491 
Total$246,298 $174,886 $120,575 
The following table summarizes the revenue by region based on the shipping address of customers who have contracted to use the Company’s platform (in thousands):
Year Ended December 31,
202120202019
North America $207,221 $154,131 $108,835 
International39,077 20,755 11,740 
Total$246,298 $174,886 $120,575 
Contract Balances
The Company records unbilled receivables when revenue recognized on a contract exceeds amounts invoiced. Unbilled receivables were not material as of December 31, 2021 and 2020.
80

Contract liabilities consist of deferred revenue which represents contractual billings made in advance of performance under the contract. Changes in deferred revenue were as follows (in thousands):
Year Ended December 31,
202120202019
Beginning balance$185,696 $138,990 $83,676 
Plus: Additions to deferred revenue326,376 221,671 175,636 
Less: Recognition of revenue deferred in the prior year(136,325)(98,657)(59,682)
Less: Recognition of revenue deferred in the current year(109,973)(76,308)(60,640)
Ending balance$265,774 $185,696 $138,990 
Remaining Performance Obligations
The transaction price allocated to remaining performance obligations represents contracted revenue that has not yet been recognized, which includes deferred revenue and unbilled amounts that will be recognized as revenue in future periods. The transaction price allocated to the remaining performance obligation is influenced by several factors, including the timing of delivery of the Company’s products and average contract terms. Unbilled portions of the remaining performance obligation are subject to future economic risks including bankruptcies, regulatory changes and other market factors. The Company excludes from the remaining performance obligation amounts related to performance obligations that are billed and recognized as they are delivered. The majority of the Company’s noncurrent remaining performance obligation is expected to be recognized in the next 13 to 36 months.
Remaining performance obligations consisted of the following (in thousands):
December 31,
20212020
Current$198,134 $136,382 
Noncurrent125,534 87,395 
Total$323,668 $223,777 
Deferred Commissions
Changes in deferred commissions were as follows (in thousands):
Year Ended December 31,
202120202019
Beginning balance$37,199 $29,176 $19,080 
Plus: Additions to deferred commissions34,340 22,161 22,375 
Less: Recognition of deferred commissions(19,474)(14,238)(12,279)
Plus: Foreign currency impacts on deferred commissions(354)100 — 
Ending balance$51,711 $37,199 $29,176 
Note 4 – Business Combinations
MediaPro
On March 1, 2021, the Company acquired all outstanding equity interests in MediaPro Holdings, LLC (“MediaPro”), a SaaS company that specializes in security and privacy solutions including production of digital content and custom software. The acquisition was funded using cash consideration of approximately $11.2 million, net of cash acquired of $1.9 million, and equity consideration of $24.7 million. The acquisition was accounted for as a business combination in accordance with ASC 805, Business Combinations and the Company has included the financial results of the acquired business in the consolidated financial statements from the date of acquisition. The
81

resulting goodwill, which is deductible for tax purposes, is reflective of synergies the Company expects to realize and the assembled workforce.
The Company has recorded the assets acquired and liabilities assumed at their respective fair values as of the acquisition date. MediaPro revenues and losses were not material for the year ended December 31, 2021. Acquisition related costs of $0.5 million are included in the accompanying consolidated statements of operations for the year ended December 31, 2021. The Company has not presented pro forma results of operations because the acquisition is not material to the Company's consolidated results of operations, financial position, or cash flows.
The following table summarizes the fair values of the assets acquired and liabilities assumed as of the acquisition date (in thousands):
Accounts receivable$1,391 
Other assets acquired4,171 
Trade name300 
Acquired content1,600 
Customer relationships3,300 
Deferred revenue(3,919)
Other liabilities acquired(3,172)
Total identifiable net assets assumed3,671 
Goodwill34,243 
Total net asset value$37,914 
SecurityAdvisor
On November 1, 2021 the Company acquired all outstanding equity interests of SecurityAdvisor Technologies, Inc., collectively referred to as “SecurityAdvisor”, a software-as-a-service company providing a real-time, personalized security awareness platform that integrates with its customers’ existing security infrastructure and provides customers the ability to address human layer risks in real-time. The acquisition was funded using cash consideration of approximately $22.6 million, net of cash acquired of $4.0 million, and equity consideration of $29.0 million.
The purchase agreement also includes earn-out provisions payable in a combination of cash and equity that are contingent upon future events. These earn-outs include $5.0 million payable in cash upon the first sale of a product incorporating the developed technology and up to $10.0 million payable in Class A common shares based upon performance targets measured by the achievement of certain annual recurring revenue levels. These earn-out provisions are classified as contingent consideration liabilities and are subject to recurring fair value measurements. The preliminary fair value of the contingent consideration is estimated to be $5.0 million.
The acquisition was accounted for as a business combination in accordance with ASC 805, Business Combinations and the Company has included the financial results of the acquired business in the consolidated financial statements from the date of acquisition. The resulting goodwill, which is not deductible for tax purposes, is primarily attributable to expanded market opportunities and the assembled workforce. The Company has recorded the assets acquired and liabilities assumed at their respective fair values as of the acquisition date. SecurityAdvisor revenues and losses were not material for the year ended December 31, 2021. Acquisition related costs of $0.6 million are included in the accompanying consolidated statement of operations for the year ended December 31, 2021.
82

The following table summarizes the fair values of the assets acquired and liabilities assumed as of the acquisition date (in thousands):
Cash$3,985 
Deferred tax asset938 
Other assets119 
Acquired technology11,900 
Deferred tax liability(3,010)
Other liabilities(221)
Total identifiable net assets assumed13,711 
Goodwill46,849 
Total net asset value$60,560 
The purchase price allocation was based on estimates of the fair value of the net assets acquired and is considered preliminary and subject to change as the valuation is finalized. Specifically, the Company is continuing to evaluate the valuation of the developed technology and future earn-out provisions. The Company expects to finalize the valuation as soon as practicable, but not later than one year from the acquisition date. The Company has not presented pro forma results of operations because the acquisition is not material to the Company's consolidated results of operations, financial position, or cash flows.
Following the acquisition, the Company also granted certain key employees of SecurityAdvisor restricted stock awards, containing both service and performance-based vesting conditions, with an aggregate grant date fair value of $15.9 million. The awards are expensed as stock compensation expense over the requisite service period, assuming the service and performed conditions are achieved.
Note 5 - Capitalized Software and Content, Net
Capitalized software and content, net consists of the following (in thousands):
December 31,
20212020
Internally developed capitalized software$16,689 $15,081 
Acquired developed technology11,900 — 
Capitalized content23,277 16,899 

51,866 31,980 
Less: Accumulated amortization(24,792)(16,457)
Total capitalized software and content, net$27,074 $15,523 
Amortization expense for the years ended December 31, 2021, 2020 and 2019 totaled $8.5 million, $8.0 million and $5.6 million, respectively. These costs are primarily included in cost of revenues in the accompanying consolidated statements of operations.
Internally developed capitalized software and content balances include accumulated costs not yet placed in service of $3.5 million at December 31, 2021. As the related software and content is not yet in service, the costs are
83

not included in the following estimated future amortization expenses for capitalized software and content placed in service at the balance sheet dates shown below (in thousands):
December 31, 2021
2022$8,142 
20235,200 
20243,273 
20252,588 
20262,363 
Thereafter1,977 
Total$23,543 
Note 6 - Property and Equipment, Net
Property and equipment, net consists of the following (in thousands):

December 31,
20212020
Leasehold improvements$8,677 $9,143 
Computers and other equipment7,038 5,630 
Furniture and fixtures2,002 2,107 

17,717 16,880 
Less: Accumulated depreciation(8,597)(6,596)
Total property and equipment, net$9,120 $10,284 
Depreciation expense for the years ended December 31, 2021, 2020 and 2019 totaled $4.1 million, $3.6 million and $2.1 million, respectively.
Additionally, 92.6% and 92.7% of the Company’s property and equipment were located in the United States and 7.4% and 7.3% were located in various international jurisdictions, as of December 31, 2021 and December 31, 2020, respectively.
Note 7 - Intangible Assets and Goodwill
Intangible assets
Intangible assets, net consist of the following (in thousands):
Weighted Average Amortization PeriodDecember 31, 2021
Gross Carrying AmountAccumulated AmortizationNet Carrying Amount
(in years)
Acquired content and customer relationships(1)
4.5 years$7,124 $(2,762)$4,362 
Domain names2.1 years260 (211)49 
Patents18.5 years1,761 (120)1,641 
Trade names and other indefinite-lived intangibles(1)
Indefinite709 — 709 
In-process patents and trademarksNot applicable1,231 — 1,231 
Total intangible assets$11,085 $(3,093)$7,992 

84

Weighted Average Amortization PeriodDecember 31, 2020
Gross Carrying AmountAccumulated AmortizationNet Carrying Amount
(in years)
Acquired content and customer relationships(1)
3.7 years$2,268 $(1,859)$409 
Domain names1.3 years245 (156)89 
Patents19.1 years1,235 (46)1,189 
Trade names and other indefinite-lived intangibles(1)
Indefinite425 — 425 
In-process patents and trademarksNot applicable873 — 873 
Total intangible assets$5,046 $(2,061)$2,985 
_______________
(1) - Gross carrying amount includes impact of translation of foreign denominated intangible assets.
Intangible asset amortization for the years ended December 31, 2021, 2020 and 2019 totaled $1.1 million, $0.3 million and $0.2 million, respectively. These expenses are primarily presented in operating expenses with a portion allocated to cost of revenue within the accompanying consolidated statements of operations.
Estimated future amortization expense is as follows (in thousands):
December 31, 2021
2022$1,161 
20231,107 
20241,075 
2025739 
2026665 
Thereafter1,305 
Total$6,052 
Goodwill
Goodwill represents the excess of the purchase price in a business combination over the fair value of net assets acquired. Goodwill amounts are not amortized, but rather tested for impairment at least annually.
The changes in carrying amounts of goodwill were as follows (in thousands):
Balance at December 31, 2019
$8,873 
Other adjustments(1)
(268)
Balance at December 31, 2020
$8,605 
Acquisitions81,092 
Other adjustments(1)
(368)
Balance at December 31, 2021
$89,329 
________________
(1)Other adjustments represents the impact of translation of our foreign currency denominated goodwill balances.
85

Note 8 - Accounts Payable and Accrued Expenses
Accounts payable and accrued expenses consisted of the following (in thousands):
December 31, 2021December 31, 2020
Accrued commissions$9,302 $6,662 
Accrued payroll8,798 4,839 
Accounts payable5,628 2,530 
Contingent consideration5,000 350 
Other accrued expenses8,914 4,884 
Total accounts payable and accrued expenses$37,642 $19,265 
Note 9 - Leases
The Company primarily enters into operating lease agreements for office space and other property and equipment, some of which include options to renew or terminate the lease. The options to renew, which extend for up to 5 years, are reviewed on a per lease basis to determine if the renewal option is considered reasonably certain to be recognized and, therefore, are included in the determination of lease payments. Additionally, during the year ended December 31, 2020, the Company entered into a finance lease agreement with total future lease payments of $0.2 million, which is not considered material to the business.
The components of lease costs were as follows (in thousands):
Year Ended December 31,
202120202019
Operating lease cost$3,565 $2,932 $2,133 
Short-term lease cost556 656 562 
Variable lease cost707 501 484 
Total lease cost$4,828 $4,089 $3,179 
Lease costs are primarily included in general and administrative expenses in the accompanying consolidated statements of operations. The Company reports the amortization of ROU assets and the change in operating lease liabilities on a net basis in accounts payable and other liabilities in the accompanying consolidated statements of cash flows.
Other information related to operating and finance leases is as follows:
Year Ended December 31,
202120202019
Weighted-average remaining lease term (in years)5.25.23.5
Weighted-average discount rate2.0 %5.6 %7.8 %
86

Future lease payments under non-cancellable leases recorded as of December 31, 2021, were as follows (in thousands):
Operating Leases
2022$3,156 
20232,742 
20242,582 
20251,994 
20262,045 
Thereafter1,504 
Total lease payments14,023 
Less: imputed interest(601)
Total future lease payments under non-cancellable leases$13,422 
Supplemental cash flow information related to leases is as follows (in thousands):
Year Ended December 31,
202120202019
Cash paid for amounts included in the measurement of lease liabilities:
Operating cash outflows from operating leases$3,150 $2,920 $2,152 
ROU assets obtained in exchange for lease obligations:
Operating leases$3,240 $3,503 $2,287 
Note 10 – Revolving Credit Facility
The Company has a revolving line of credit (the “Revolving Credit Facility”) that provides for a $100.0 million revolving credit facility, with a letter of credit and swingline sublimit of $10.0 million each, and an accordion feature under which the Company can increase borrowings under the credit facility by up to $50.0 million. The Company is also obligated to pay other customary fees for a credit facility of this size and type, including letter of credit fees, an upfront fee, and an unused commitment fee which are expensed as incurred and included within interest expense in the consolidated statements of operations. The Revolving Credit Facility matures on March 12, 2024 and contains certain financial covenants.
The borrowings under the Revolving Credit Facility bear interest, at our option, at a base rate equal to the highest of (a) the federal funds rate plus 0.50%, (b) the rate of interest in effect for such date as publicly announced from time to time by Bank of America as its “prime rate”, or (c) the eurodollar rate plus 1.0%, provided that such rate shall not be less than 0.5%. As of December 31, 2021, the Company did not have any outstanding borrowings under the Revolving Credit Facility, there were no issued letters of credit outstanding from the credit agreement and the Company was in compliance with all covenant requirements.
Note 11 - Stockholder’s Equity
Initial Public Offering
On April 26, 2021, the Company completed an IPO of its Class A common stock, in which the Company issued and sold 10,425,000 shares of Class A common stock, including 1,425,000 shares resulting from the exercise in full of the underwriters’ option to purchase additional shares, at an IPO price of $16.00 per share for net proceeds to the Company of $156.0 million. Upon recording the proceeds from the transaction, the Company reclassified $2.2 million of offering costs into stockholders’ equity (deficit) as a reduction of the net proceeds received from the IPO.
87

Immediately prior to the completion of the IPO, the Company amended its Fifth Charter in the form of the IPO Charter, which authorized capital stock consisting of 1,000,000,000 shares of Class A common stock, par value $0.00001 per share, 500,000,000 shares of Class B common stock, par value $0.00001 per share, and 100,000,000 shares of preferred stock, par value $0.00001 per share. The rights of the holders of Class A common stock and Class B common stock are identical, except with respect to voting and conversion rights. Each share of Class B common stock is entitled to 10 votes and is convertible into one share of Class A common stock. Additionally, all shares of the Company’s capital stock outstanding immediately prior to the IPO, including all of the Company’s outstanding shares of convertible preferred stock, were reclassified into shares of the Company’s Class B common stock.
Stockholder’s Equity Prior to Initial Public Offering
Prior to the completion of the IPO, the terms of the Company’s equity securities were defined in the Company’s Fifth Amended and Restated Certificate of Incorporation, which was filed with the Secretary of the State of Delaware on July 1, 2019 (the “Fifth Charter”). As described above, the Company amended and then restated its Fifth Charter. The summary below relates to the Company’s Fifth Charter, inclusive of the amendment, which included the forward stock split, but prior to the restatement which was filed in conjunction with the IPO.
Common Stock
Prior to the completion of the IPO, the Company had one class of common stock where each share of common stock entitled the holder to one vote, together with the holders of preferred stock, on all matters submitted to the stockholders for a vote. The voting, dividend and liquidation rights of the holders of the common stock are subject to and qualified by the rights, powers and preference of the holders of the preferred stock set forth below.
Preferred Stock
Prior to the completion of the IPO, the Company was authorized to issue 114,164,600 shares of preferred stock, par value $0.00001 per share. As of December 31, 2020, the Company had outstanding Series A, A-1, B, C and C-1 Preferred Stock (individually referred to as “Series A, A-1, B, C or C-1” or collectively “Preferred Stock”) as follows (in thousands, except share and per share amounts):
Issue Price per ShareShares AuthorizedIssued and OutstandingNet Carrying ValueLiquidation Preference
Series A$0.26 30,525,040 30,525,040 $8,000 $8,000 
Series A-1$0.82 6,764,960 6,764,960 5,541 5,541 
Series B$1.67 17,955,840 17,955,840 30,000 30,000 
Series C$4.85 6,511,400 6,511,400 31,377 31,561 
Series C-1$5.90 52,407,360 52,407,360 309,015 309,400 
Total114,164,600 114,164,600 $383,933 $384,502 
As it relates to voting and dividend rights, the rights, preferences, and privileges of the preferred stock did not differ from the rights of the common stock. Dividends in the amount of $0.07 per share were declared and paid in 2019. No dividends were declared during the years ended December 31, 2021 and 2020. In the event of any liquidation or Deemed Liquidation Event as defined in the Certificate of Incorporation, the holders of preferred stock were entitled to the greater of (i) the original issue price of the preferred stock plus any dividends declared and unpaid thereon, or ii) the amount payable had all classes of shares been converted to common stock.
Additionally, each share of preferred stock was convertible, at the option of the holder at any time, into the number of shares of common stock determined by dividing the original issue price for such series of preferred stock by the conversion price for such series of preferred share that is in effect at the time of conversion. Each share of preferred stock was converted to one share of Class B common stock in connection with the IPO.
88

Note 12 - Stock Compensation
2016 Equity Incentive Plan
Effective January 19, 2016, the Company established the KnowBe4, Inc. 2016 Equity Incentive Plan (the “2016 Incentive Plan”). The 2016 Incentive Plan authorizes the issuance of up to an aggregate of 37,728,000 shares of common stock in the form of stock options and other types of equity awards that may be granted to officers, employees, directors, consultants and advisors of the Company and its subsidiaries and affiliates. The Company has only granted stock options under the 2016 Incentive Plan. These options generally become vested within four years from the date of grant and expire ten years from the date of grant, with typical vesting of 25% on the first anniversary and monthly thereafter.
The Company (i) amended the 2016 Incentive Plan to clarify that, following the closing of the IPO, outstanding awards under the 2016 Incentive Plan would cover shares of the Company’s Class B common stock, and (ii) terminated the 2016 Incentive Plan; provided, however, that the 2016 Incentive Plan continues to govern the terms and conditions of outstanding awards under the 2016 Incentive Plan as of the time of its termination. As of December 31, 2021, a total of 9,104,749 shares of common stock have been reserved for issuance upon the exercise of stock options under the 2016 Incentive Plan.
2021 Equity Incentive Plan
Effective April 20, 2021, the Company adopted the 2021 Equity Incentive Plan (“2021 Incentive Plan”). The 2021 Incentive Plan authorizes the issuance of up to an aggregate of 18,400,000 shares of Class A common stock in the form of incentive stock options, nonstatutory stock options, restricted stock, restricted stock units, stock appreciation rights, performance units and performance shares to our employees, directors and consultants and any of our future subsidiary corporations’ employees and consultants. As of December 31, 2021, 18,262,924 shares were reserved for future issuance under the 2021 Incentive Plan.
Stock Options
The Company records compensation expense for stock options based on the estimated fair value of the options on the date of grant using the Black-Scholes option-pricing model with the assumptions set forth in the table below.
Year Ended December 31,
202120202019
Expected term (years)6.3
4.0 - 6.3
6.3
Expected stock price volatility45.0 %
45.0% - 50.0%
40.0% - 45.0%
Risk-free interest rate0.8 %
0.2% - 1.7%
1.4% - 2.5%
Dividend yield — %— %— %
Fair value of common stock $19.82
$4.14 - $5.84
$1.07 - $4.07
89

The following table summarizes the common stock option activity during the years ended December 31, 2021 and 2020:
Number of SharesWeighted-Average Exercise PriceWeighted-Average Grant Date Fair ValueWeighted-Average Remaining Contractual Term
(years)		Aggregate Intrinsic Value
(in thousands)
Outstanding as of December 31, 201910,364,520 $1.47 $0.71 8.1$18,952 
Granted5,060,720 $4.93 $2.22 
Exercised(328,600)$0.68 $3,724 
Forfeited or expired(876,840)$1.92 
Options outstanding at December 31, 2020
14,219,800 $2.73 $1.25 7.9$131,893 
Granted40,000 12.01 11.52 
Exercised(4,608,536)1.78 90,492 
Canceled, forfeited or expired(546,515)4.15 
Options outstanding at December 31, 2021
9,104,749 $3.18 $1.51 6.9$123,605 
Options vested and exercisable at December 31, 2021
6,050,749 $2.51 $1.17 8.2$21,378 
The aggregate intrinsic value of the options exercised represents the difference between the estimated fair value of our common stock on the date of exercise and the exercise price of the options.
Share Repurchases
Prior to the completion of its IPO, the Company had repurchased or promised to repurchase shares of common stock from former employees under pre-existing contingent call options triggered upon termination. The repurchase price paid or promised was in excess of the fair value of the common stock and options on the repurchase date, which did not result in additional expense for the year ended December 31, 2021 but resulted in additional compensation expense of $1.9 million and $116.5 million for the years ended December 31, 2020 and 2019, respectively. During the year ended December 31, 2021, the Company repurchased 97,600 common shares then subsequently completed it’s IPO, establishing a public market for the Company’s shares and no longer intends to repurchase shares under remaining contingent call options.
Restricted Stock Units
The Company recognizes stock compensation expense associated with restricted stock units (“RSUs”) over the term of the respective awards. The following table summarizes the RSUs activity during the year ended December 31, 2021:
SharesWeighted-Average Grant-Date Fair Value per share
Outstanding as of December 31, 2020
— $— 
Granted3,468,858 $19.61 
Vested(1,016,959)$16.70 
Forfeited or expired(18,218)$24.14 
Outstanding as of December 31, 2021
2,433,681 $20.80 
90

2021 Employee Stock Purchase Plan
Effective April 20, 2021, the Company’s 2021 Employee Stock Purchase Plan (“ESPP”) allows for the sale of 3,350,000 shares of Class A common stock. The fair value of the ESPP purchase right is estimated on the grant date using the Black-Scholes option-pricing model with the following assumptions:
Year Ended December 31, 2021
Expected term (years)0.5
Expected stock price volatility
60.9% - 71.0%
Risk-free interest rate
0.1% - 0.4%
Dividend yield
—%
Stock Compensation Expense
The following table summarizes the components of stock compensation expense recognized in the consolidated statements of operations (in thousands):
Year Ended December 31,
202120202019
Cost of revenues$470 $188 $83 
Sales and marketing8,474 1,579 5,750 
Technology and development1,706 896 162 
General and administrative18,695 2,571 112,110 
Total stock compensation expense$29,345 $5,234 $118,105 
As of December 31, 2021, the Company had $51.8 million of unrecognized stock compensation associated with stock options, which is expected to be recognized over a weighted-average period of 2.7 years.
Note 13 - Net Loss per Share
The computation of net loss per share is as follows (in thousands, except share and per share data):
Year Ended December 31,
2021
Class AClass B
Numerator:
Allocation of undistributed losses for basic calculation$(1,985)$(9,860)
Reallocation of undistributed losses for diluted calculation— — 
Allocation of undistributed losses for diluted calculation$(1,985)$(9,860)
Denominator:
Number of shares used in basic and diluted per share computation19,600,001 97,338,682 
Net loss per share, basic and diluted$(0.10)$(0.10)
91

Year Ended December 31,
20202019
Numerator:
Net loss$(2,430)$(124,323)
Less: dividend distribution allocated to preferred stockholders— (3,749)
Net loss attributable to common stockholders$(2,430)$(128,072)
Denominator:
Weighted-average common shares outstanding42,049,840 66,958,400 
Net loss per share, basic and diluted$(0.06)$(1.91)
Potentially dilutive securities that were not included in the diluted per share calculations because they would be anti-dilutive were as follows:
Year Ended December 31,
202120202019
Stock options12,399,924 12,974,400 12,173,640 
Restricted stock units367,270 — — 
Employee stock purchase plan— — — 
Preferred shares, Series A— 30,525,040 30,525,040 
Preferred shares, Series A-1— 6,764,960 6,764,960 
Preferred shares, Series B— 17,955,840 17,955,840 
Preferred shares, Series C— 6,511,400 5,102,080 
Preferred shares, Series C-1— 52,407,360 26,131,880 
Note 14 - Income Taxes
The domestic and foreign components of income before provision for (benefit from) income taxes consisted of the following (in thousands):
Year Ended December 31,
202120202019
Domestic $(16,975)$(5,274)$(125,014)
International9,018 4,676 324 
Loss before income taxes$(7,957)$(598)$(124,690)
The (provision for) benefit from income taxes consisted of the following (in thousands):
Year Ended December 31,
202120202019
Current:
Federal and State$(403)$(90)$(34)
Foreign(2,243)(1,113)(270)
Total current tax expense(2,646)(1,203)(304)
Deferred:
Federal and State1,543 (4)(5)
Foreign(2,785)(625)694 
Total deferred tax (expense) benefit(1,242)(629)689 
(Provision for) benefit from income taxes$(3,888)$(1,832)$385 
92

The following table presents the reconciliation of the statutory federal income tax rate to our effective tax rate:
Year Ended December 31,
202120202019
Tax at federal statutory rate21.0 %21.0 %21.0 %
Foreign income taxes(39.6)%113.9 %0.3 %
State income taxes14.6 %(3.7)%1.6 %
Permanent differences1.9 %(204.8)%(11.6)%
Change in valuation allowance(61.9)%(447.8)%(9.3)%
Research and development tax credit15.0 %192.7 %— %
Other, net0.1 %22.6 %(1.8)%
Effective tax rate(48.9)%(306.2)%0.3 %
Deferred Tax Assets and Liabilities
Significant components of the Company’s deferred tax assets and liabilities are as follows (in thousands):
Year Ended December 31,
20212020
Deferred tax assets:
Net operating loss carryforward$15,892 $12,156 
Deferred revenue21,905 16,007 
Stock compensation2,451 2,838 
Operating lease liabilities2,899 2,521 
Research and development tax credit2,419 1,151 
Other2,602 429 
Gross deferred tax assets48,168 35,102 
Less: Valuation allowances(27,601)(21,862)
Total deferred tax assets$20,567 $13,240 
Deferred tax liabilities:
Deferred commissions$(12,282)$(7,398)
Property, equipment and intangible assets(7,976)(2,918)
Operating lease right of use assets, net(2,798)(2,440)
Other(740)(361)
Total deferred tax liabilities(23,796)(13,117)
Net deferred tax (liabilities) assets$(3,229)$123 
The Company has established a valuation allowance against its U.S. net deferred tax assets and deferred tax assets in certain foreign jurisdictions due to the uncertainty surrounding the realization of those assets. The Company periodically evaluates the recoverability of the deferred tax assets by assessing the available positive and negative evidence to estimate whether sufficient future taxable income will be generated to permit use of the existing deferred tax assets. When it is determined to be more-likely-than-not that the deferred tax assets are realizable, the valuation allowance is reduced. The increase in the valuation allowance of $5.7 million during the year ended December 31, 2021 resulted primarily from losses generated in the United States.
As of December 31, 2021 and 2020, the Company had indefinite-lived federal net operating loss carryforwards of $59.6 million and $41.3 million, respectively, which may be available to offset future taxable income for federal income tax purposes. As of December 31, 2021 and 2020, the Company had net operating loss carryforwards for state income tax purposes of $41.8 million and $33.8 million, respectively, a portion of which will begin to expire in 2025 if not utilized. As of December 31, 2021 and 2020, the Company’s research and development tax credit
93

carryforward was $2.4 million and $1.2 million, respectively. This tax credit was established in 2020 retrospectively to 2017 and is subject to a 20 year carryforward. This tax credit will begin to expire in 2037, if not used.
Unrecognized Tax Benefits and Other Considerations
The Company records liabilities related to its uncertain tax positions. The Company recognizes the tax benefit of an uncertain tax position only if it is more likely than not that the position is sustainable upon examination by the taxing authority, based on the technical merits. The tax benefit recognized is measured as the largest amount of benefit which is greater than 50 percent likely to be realized upon settlement with the taxing authority. The Company did not have any unrecognized tax benefits as of December 31, 2021 or 2020.
Tax positions for the Company and its subsidiaries are subject to income tax audits by multiple tax jurisdictions throughout the world. Tax years 2018 and forward generally remain open for examination for federal and state tax purposes. Tax years 2016 and forward generally remain open for examination for foreign tax purposes. The Company is currently under audit in Germany for tax years 2017 - 2019. To the extent utilized in future years’ tax returns, existing net operating loss carryforwards will remain subject to examination until the respective tax year is closed. 
Note 15 - Commitments and Contingencies
The Company is subject to various legal proceedings and claims arising in the ordinary course of business. The Company establishes accruals for specific legal proceedings when it is considered probable that a loss has been incurred and the amount of the loss can be reasonably estimated. Accruals for loss contingencies are reviewed periodically and adjusted as additional information becomes available. If a loss is not both probable and reasonably estimable, or if an exposure to loss exists in excess of the amount accrued, the Company assesses whether there is at least a reasonable possibility that a loss, or additional loss, may have been incurred. If there is a reasonable possibility that a loss, or additional loss, may have been incurred, the Company discloses the estimate of the possible loss or range of loss, or states that such an estimate cannot be made. The evaluation as to whether a loss is reasonably possible or probable is based on the Company’s assessment, in conjunction with legal counsel, regarding the ultimate outcome of the matter.
The Company believes that it has adequately accrued for the potential impact of loss contingencies that are probable and reasonably estimable. The Company does not believe that the ultimate resolution of any matters to which the Company is presently a party will have a material adverse effect on its consolidated results of operations, financial condition or cash flows. However, the results of these matters cannot be predicted with certainty, and an unfavorable resolution of one or more of these matters could have a material adverse effect on the Company’s consolidated results of operations, financial condition or cash flows. Legal costs are expensed as incurred.
Note 16 - Subsequent Events
The Company has evaluated subsequent events through the filing of this Annual Report on Form 10-K, and determined that there have been no events that have occurred that would require adjustments to our disclosures in the consolidated financial statements.
Item 9. Changes in and Disagreements With Accountants on Accounting and Financial Disclosures
None.
Item 9A. Controls and Procedures
Evaluation of Disclosure Controls and Procedures
Our management, with the participation of our principal executive officer and principal financial officer, has evaluated the effectiveness of our disclosure controls and procedures (as defined in Rules 13a-15(e) and 15d-15(e) under the Securities Exchange Act of 1934, as amended (the “Exchange Act”)), as of the end of the period covered by this Annual Report on Form 10-K. Based on such evaluation, our principal executive officer and principal
94

financial officer have concluded that, as of such date, our disclosure controls and procedures were effective at a reasonable assurance level.
Management’s Report on Internal Control Over Financial Reporting
This Annual Report on Form 10-K does not include a report of management’s assessment regarding our internal control over financial reporting (as defined in Rules 13a-15(f) and 15d-15(f) under the Exchange Act) or an attestation report of our independent registered accounting firm due to a transition period established by rules of the SEC for newly public companies. Additionally, our independent registered accounting firm will not be required to opine on the effectiveness of our internal control over financial reporting pursuant to Section 404 until we are no longer an “emerging growth company” as defined in the JOBS Act.
Changes in Internal Control
There were no changes in our internal control over financial reporting identified in management’s evaluation pursuant to Rules 13a-15(d) or 15d-15(d) of the Exchange Act during the period covered by this Annual Report on Form 10-K, that materially affected, or are reasonably likely to materially affect, our internal control over financial reporting.
Limitations on Effectiveness of Controls and Procedures
Our management, including our principal executive officer and principal financial officer, do not expect that our disclosure controls and procedures or our internal control over financial reporting will prevent all errors and all fraud. A control system, no matter how well designed and operated, can provide only reasonable, not absolute, assurance that the objectives of the control system are met. Further, the design of a control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs. Because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that all control issues and instances of fraud, if any, have been detected. These inherent limitations include the realities that judgments in decision-making can be faulty, and that breakdowns can occur because of a simple error or mistake. Additionally, controls can be circumvented by the individual acts of some persons, by collusion of two or more people or by management override of the controls. The design of any system of controls is also based in part upon certain assumptions about the likelihood of future events, and there can be no assurance that any design will succeed in achieving its stated goals under all potential future conditions; over time, controls may become inadequate because of changes in conditions, or the degree of compliance with policies or procedures may deteriorate. Due to inherent limitations in a cost-effective control system, misstatements due to error or fraud may occur and not be detected.
Item 9B. Other Information
None.
Item 9C. Disclosure Regarding Foreign Jurisdiction that Prevent Inspections
None.
Part III
Item 10. Directors, Executive Officers and Corporate Governance
The information required by this item will be included in the Proxy Statement relating to our 2022 Annual Meeting of Stockholders and is incorporated herein by reference. Such Proxy Statement will be filed with the Securities and Exchange Commission within 120 days of the year ended December 31, 2021.
95

Item 11. Executive Compensation
The information required by this item will be included in the Proxy Statement relating to our 2022 Annual Meeting of Stockholders and is incorporated herein by reference. The Proxy Statement will be filed with the Securities and Exchange Commission within 120 days of the year ended December 31, 2021.
Item 12. Security Ownership of Certain Beneficial Owner and Management and Related Stockholder Matters
The information required by this item will be included in the Proxy Statement relating to our 2022 Annual Meeting of Stockholders and is incorporated herein by reference. The Proxy Statement will be filed with the Securities and Exchange Commission within 120 days of the year ended December 31, 2021.
Item 13. Certain Relationships and Related Transactions, and Director Independence
The information required by this item will be included in the Proxy Statement relating to our 2022 Annual Meeting of Stockholders and is incorporated herein by reference. The Proxy Statement will be filed with the Securities and Exchange Commission within 120 days of the year ended December 31, 2021.
Item 14. Principal Accounting Fees and Services
Our independent registered public accounting firm is KPMG LLP, Tampa, FL, Auditor Firm ID: 185.
The information required by this item will be included in the 2022 Proxy Statement and is incorporated herein by reference. The Proxy Statement will be filed with the Securities and Exchange Commission within 120 days of the year ended December 31, 2021.
Part IV
Item 15. Exhibits and Financial Statement Schedules
(a) Financial Statements
The information concerning our financial statements, and Report of Independent Registered Public Accounting Firm required by this Item is incorporated by reference herein to the section of this Annual Report on Form 10-K in Item 8, entitled “Financial Statements”
(b) Financial Statement Schedules
All schedules have been omitted because the required information is not present or not present in amounts sufficient to require submission of the schedules, or because the information required is included in Item 8, entitled “Financial Statements”
(c) Exhibits
The documents listed in the Exhibit Index of this Annual Report on Form 10-K are incorporated by reference or are filed with this Annual Report on Form 10-K, in each case as indicated therein (numbered in accordance with Item 601 of Regulation S-K).
Incorporated by Reference
Exhibit
Number		DescriptionFormFile No.ExhibitFiling Date
2.18-K001-403512.1October 21, 2021
3.110-Q001-403513.1May 26, 2021
3.210-Q001-403513.2May 26, 2021
4.1*
4.2S-1/A333-2545184.1April 12, 2021
96

4.3*
10.1†
S-1/A333-25451810.1April 12, 2021
10.2†
S-1/A333-25451810.2April 12, 2021
10.3†S-1/A333-25451810.3April 12, 2021
10.4†S-1333-25451810.4March 19, 2021
10.5†S-1333-25451810.5March 19, 2021
10.6†S-1333-25451810.6March 19, 2021
10.7†S-1333-25451810.7March 19, 2021
10.8†S-1333-25451810.8March 19, 2021
10.9†*
10.10†S-1333-25451810.9March 19, 2021
10.11S-1333-25451810.10March 19, 2021
10.1210-Q001-4035110.9May 26, 2021
10.13*
21.1*
23.1*
24.1*Power of Attorney (contained in the signature page to this Annual Report on Form 10-K).
31.1*
31.2*
32.1*
101.INS
XBRL Instance Document
101.SCH
XBRL Taxonomy Extension Schema Document
101.CAL
XBRL Taxonomy Extension Calculation Linkbase Document
101.DEF
XBRL Taxonomy Extension Definition Linkbase Document
101.LAB
XBRL Taxonomy Extension Label Linkbase Document
101.PRE
XBRL Taxonomy Extension Presentation Linkbase Document
104
Cover Page Interactive Data File (formatted as inline XBRL with applicable taxonomy extension information contained in Exhibits 101)
________________
*Filed herewith.
Indicates a management contract or compensatory plan or arrangement.
The certifications attached as Exhibit 32.1 that accompany this Annual Report on Form 10-K are not deemed filed with the Securities and Exchange Commission and are not to be incorporated by reference into any filing of KnowBe4, Inc. under the
97

Securities Act of 1933, as amended, or the Securities Exchange Act of 1934, as amended, whether made before or after the date of this Annual Report on Form 10-K, irrespective of any general incorporation language contained in such filing.

Item 16. Form 10-K Summary
None.
98

Signatures
Pursuant to the requirements of the Securities Exchange Act of 1934, as amended, the registrant has duly caused this Annual Report on Form 10-K to be signed on its behalf by the undersigned hereunto duly authorized.
Date: March 10, 2022
KnowBe4, Inc.
By:/s/ Sjoerd Sjouwerman
Sjoerd Sjouwerman
Chief Executive Officer
99

Power of Attorney
KNOW ALL PERSONS BY THESE PRESENTS, that each person whose signature appears below constitutes and appoints each of Sjoerd Sjouwerman and Shrikrishna Venkataraman, as his or her true and lawful attorney-in-fact and agent with full power of substitution and resubstitution, for such individual in any and all capacities, to sign any and all amendments to this Annual Report on Form 10-K, and to file the same, with all exhibits thereto and other documents in connection therewith, with the Securities and Exchange Commission, granting unto said attorneys-in-fact and agents, and each of them, full power and authority to do and perform each and every act and thing requisite and necessary to be done in connection therewith, as fully for all intents and purposes as he or she might or could do in person, hereby ratifying and confirming all that said attorneys-in-fact and agents, or any of them, or the individual’s substitute, may lawfully do or cause to be done by virtue hereof.
Pursuant to the requirements of the Securities Exchange Act of 1934, this Annual Report on Form 10-K has been signed below by the following persons on behalf of the registrant and in the capacities and on the dates indicated.
SignatureTitleDate
/s/ Sjoerd SjouwermanChief Executive Officer & Director
(Principal Executive Officer)
March 10, 2022
Sjoerd Sjouwerman
/s/ Shrikrishna VenkataramanCo-President and Chief Financial Officer
(Principal Financial and Accounting Officer)		March 10, 2022
Shrikrishna Venkataraman
/s/ Jeremiah DalyDirectorMarch 10, 2022
Jeremiah Daly
/s/ Joseph DiSabatoDirectorMarch 10, 2022
Joseph DiSabato
/s/ Kevin KlausmeyerDirectorMarch 10, 2022
Kevin Klausmeyer
/s/ Stephen ShanleyDirectorMarch 10, 2022
Stephen Shanley
/s/ Gerhard WatzingerDirectorMarch 10, 2022
Gerhard Watzinger
/s/ Kara WilsonDirectorMarch 10, 2022
Kara Wilson
100