ITEM
1. BUSINESS
Unless
otherwise indicated, all references in this document to “Cyren”, “the Company,” “we,” “us”
or “our” are to Cyren Ltd., and its consolidated subsidiaries, namely Cyren Inc., Cyren Iceland hf, Cyren UK Ltd.,
and Cyren Gesellschaft GmbH.
Special
Note Regarding Forward-Looking Statements
This
Annual Report on Form 10-K contains “forward-looking statements” within the meaning of Section 27A of the Securities
Act and Section 21E of the Exchange Act. These forward-looking statements reflect our current views about future events and are
subject to risks, uncertainties, and assumptions. These statements concern expectations, beliefs, projections, plans and strategies,
anticipated events or trends and similar expressions concerning matters that are not historical facts. We urge you to consider
that statements which use the terms “anticipate,” “believe,” “expect,” “plan,”
“intend,” “estimate”, “will” and similar expressions are intended to identify forward-looking
statements. Specifically, this Annual Report contains forward-looking statements regarding:
|
●
|
our
expectations regarding our future profitability and revenue growth;
|
|
●
|
our
expectations regarding increases in cost of revenue and operating expenses, including as a result of our anticipated investments
in R&D;
|
|
●
|
our
expectation to lower the rate of R&D investment as a percentage of revenue in the future and to drive more revenue from
existing solutions rather than by adding new solutions;
|
|
●
|
our
expectations regarding reducing the historical rate of headcount growth and its resulting impact on our gross and operating
margins over time;
|
|
●
|
our
expectations regarding growth of our enterprise business and its expected impact on our business, including its contribution
to our cash flow and return on investment;
|
|
●
|
our
expectations regarding our capital expenditures for 2021;
|
|
●
|
our
belief regarding the adequacy of our existing capital resources and other future measures to satisfy our expected liquidity
requirements;
|
|
●
|
our
beliefs regarding our competitive position in the market in which we operate;
|
|
●
|
our
expectations regarding the regulatory environment of data privacy in the EU;
|
|
●
|
our
anticipated significant investments in R&D and promotion of our brand;
|
|
●
|
our
expectations regarding trends in the market for internet security and technology industry;
|
|
●
|
our
expectations regarding existing and new threats, key challenges and opportunities in our industry and their impact on our
business, including the impact of innovations in the technology industry;
|
|
●
|
our
expectations regarding the increase in utilization of our cloud infrastructure and the resulting impact on our gross margins;
|
|
●
|
our
expectations regarding continued and future customers that will contribute to our revenue, and the solutions we provide to
such customers;
|
|
●
|
our
beliefs regarding factors that make our vision compelling to the IT security market;
|
|
|
|
|
●
|
our
expectations regarding the locations where we conduct our business;
|
|
●
|
our
belief regarding passive foreign investment company status;
|
|
●
|
our
expectations regarding the impact of litigation;
|
|
●
|
our
beliefs regarding our net operating loss carry-forwards; and
|
|
●
|
our
expectations and estimates regarding certain tax and accounting matters, including the impact on our financial statements.
|
Risk
Factor Summary
We
are subject to various risks that could have a material adverse impact on our financial position, results of operations or cash
flows. We wish to caution readers that certain important factors may have affected and could in the future affect our actual results
and could cause actual results to differ significantly from those expressed in any forward-looking statement. The following is
a summary of our principal risks, as set forth in the section entitled “Item 1A. Risk Factors,” that could prevent
us from achieving our goals, and cause the assumptions underlying forward-looking statements and the actual results to differ
materially from those expressed in or implied by those forward-looking statements include, but are not limited to, the following:
|
●
|
our
ability to continue as a going concern;
|
|
●
|
our
ability to restructure or refinance our Convertible Notes;
|
|
●
|
our
ability to execute our business strategies, including our sales and business development plan;
|
|
●
|
our
ability to timely and successfully enhance and improve our existing solutions and introduce our new solutions;
|
|
●
|
the
commercial success of such enhancements and new solutions;
|
|
●
|
lack
of demand for our solutions, including as a result of actual or perceived decreases in levels of advanced cyber attacks;
|
|
●
|
our
ability to manage our cost structure, avoid unanticipated liabilities and achieve profitability;
|
|
●
|
our
ability to grow our revenues, including the ability of existing solutions to drive sufficient revenue;
|
|
●
|
our
ability to attract new customers and increase revenue from existing customers;
|
|
●
|
market
acceptance of our existing and new product offerings;
|
|
●
|
the
success of our partnership with Microsoft, including our ability to successfully integrate our web security technology into
its platform;
|
|
●
|
our
ability to adapt to changing technological requirements and shifting preferences of our customers and their users;
|
|
●
|
the
impact of the of the COVID-19 outbreak;
|
|
●
|
our
continued listing on Nasdaq;
|
|
●
|
our
ability to successfully shift the focus of our product development and sales efforts to new products, while de-emphasizing
our CWS offerings;
|
|
●
|
loss
of any of our large customers or contracts;
|
|
●
|
adverse
conditions in the national and global financial markets;
|
|
●
|
the
impact of currency fluctuations;
|
|
●
|
political
and other conditions in Israel that may limit our R&D activities;
|
|
●
|
increased
competition or our ability to anticipate or effectively react to competitive challenges;
|
|
●
|
the
ability of our brand development strategies to enhance our brand recognition;
|
|
●
|
our
ability to retain key personnel;
|
|
●
|
performance
of our OEM partners, service providers and resellers;
|
|
●
|
our
ability to successfully estimate the impact of regulatory and litigation matters;
|
|
●
|
our
ability to comply with applicable laws and regulations and the impact of changes in applicable laws and regulations, including
tax legislation or policies;
|
|
●
|
economic,
regulatory, and political risks associated with our international operations;
|
|
●
|
the
impact of cyber attacks or a security breach of our systems;
|
|
●
|
our
ability to protect our brand name and intellectual property rights;
|
|
●
|
the
impact of our controlling shareholder’s decisions, which may differ with respect to our strategic direction; and
|
|
●
|
our
ability to successfully estimate the impact of certain accounting and tax matters, including the effect on our company of
adopting certain accounting pronouncements.
|
The
foregoing list of important factors does not include all such factors, nor necessarily present them in order of importance. In
addition, you should consult other disclosures made by the Company (such as in our other filings with the SEC or in company press
releases) for other factors that may cause actual results to differ materially from those projected by the Company. Please refer
to Part I. Item 1A. Risk Factors, of this Annual Report for additional information regarding factors that could affect our results
of operations, financial condition, and liquidity. Readers are cautioned not to place undue reliance on these forward-looking
statements, which speak only as of the date hereof. Except as required by applicable law, including the securities laws of the
United States, we undertake no obligation to update or revise any forward-looking statements to reflect new information, future
events, or circumstances, or otherwise after the date hereof.
General
Purpose
built for the cloud, Cyren was an early pioneer and is a leading innovator of cloud delivered Software-as-a-Service (SaaS) cybersecurity
solutions that protect businesses, their employees, and customers against threats from email, files, and the web.
Cyren’s
cloud-based approach to cybersecurity sets us apart from other vendors in the market. Our security solutions are architected around
the fundamental belief that cybersecurity is a race against time – and the cloud best enables the speed, sophistication
and advanced automation needed to detect and block threats as they emerge on the internet around the globe. As more and more businesses
move their data and applications to the cloud, they need a security provider that is able to keep pace.
Security
threats are more prevalent and stealthier than ever. As cybercrime has become more sophisticated, every malware, phishing and
ransomware variant is unique, making it more difficult to detect attacks. While organizations have traditionally protected their
users with gateway security appliances at their network perimeter, more frequent and evasive attacks combined with a more distributed
workforce are reducing the effectiveness of this approach. Traditional appliances lack the real-time threat intelligence and processing
power to detect emerging threats, and the growth of mobile devices and an increasingly distributed workforce mean that more and
more business is conducted outside of the traditional network perimeter. As a result, when new attacks appear in a matter of seconds,
legacy cybersecurity products can leave companies vulnerable for hours, days or even weeks.
Our
Offerings
Cyren’s
cloud security products and services fall into three categories:
|
●
|
Cyren
Threat Detection Services – these services detect a variety of threats in email, files and from the web, and are
embedded into products from the world’s leading email and cybersecurity vendors. Cyren Threat Detection Services include
our Email Security Detection Engine, Malware Detection Engine, Web Security Engine, and Threat Analysis Service.
|
|
●
|
Cyren Threat Intelligence Data – Cyren’s Threat Intelligence Data products provide valuable threat intelligence that can be used by enterprise or OEM customers to support threat detection, threat hunting and incident response. Cyren’s Threat Intelligence Data offerings include IP Reputation Intelligence, Phishing Intelligence, Malware Intelligence and Zombie Intelligence.
|
|
●
|
Cyren Enterprise Email Security Products – these include cloud-based solutions designed for enterprise customers, and are sold either directly or through channel partners. Cyren Enterprise Email Security products include Cyren Email Security, a cloud-based secure email gateway and Cyren Inbox Security, an anti-phishing and remediation product for Microsoft 365.
|
All
of Cyren’s cybersecurity products are powered by Cyren GlobalView, Cyren’s global security cloud that identifies emerging
threats on a global basis, in real-time. GlobalView analyzes billions of security transactions each day and rapidly detects a
variety of threats in email, files and from the web. By inspecting internet traffic in the cloud, Cyren identifies threats as
they emerge, stopping them before they reach users.
Cyren
GlobalView
With
a massive volume of customer traffic flowing through it every day, GlobalView is able to identify emerging threats on the internet
within seconds. The key to GlobalView’s detection capabilities include:
|
(i)
|
Massive
Security Data Flow – Every day, Cyren’s GlobalView processes billions of security transactions generated by
over 1.3 billion users worldwide to detect cyber threats as they emerge – including thousands of new IP addresses, phishing
sites, and URLs. As a result, Cyren is able to identify new and emerging threats in seconds.
|
|
(ii)
|
Comprehensive
Detection Technologies – Cyren’s family of proprietary detection engines leverage big data analytics, advanced
heuristics, Recurrent Pattern Detection (RPD), and behavioral sandboxing, all tied together in a single-pass streaming architecture
that applies these detection techniques in parallel. Distributed, massively scalable, and fault tolerant, this approach delivers
fully automated real-time threat identification across email, files, and web.
|
|
(iii)
|
Advanced
Cyber Intelligence – Real-time, actionable cyber intelligence services are used by major email providers and cybersecurity
vendors including Google, Microsoft, and Check Point. The breadth and accuracy of our GlobalView security cloud identifies
millions of threats each day, and enables protection from malicious messages, hosts, and websites.
|
Figure
1: Cyren Threat Intelligence Services include threat detection engines, threat intelligence data, and our threat analysis services
which are connected through the GlobalView security cloud.
Threat
Detection Services
Used
and trusted by many of the world’s leading email and cybersecurity vendors, Cyren Threat Detection Services empower technology
companies with the real-time threat detection capabilities enabled by our threat detection engines and our GlobalView threat intelligence
network, backed by a dedicated technical and commercial support model. Our globally comprehensive and unique insights into current
and emerging threats are provided as individual cyber intelligence services:
Email
Security Engine – Our embedded email security includes a complete set of protection that can be deployed in a wide range
of configurations. Suitable as a core security offering or as a complementary layer, the flexible engine easily integrates into
existing platforms, minimizing costs without affecting performance. Available services include:
|
●
|
Anti-Spam
Inbound Service
|
|
●
|
Anti-Spam
Outbound Service
|
|
●
|
IP
Reputation Service for Email
|
|
●
|
Virus
Outbreak Detection for Email
|
Malware
Detection Engine – Our malware detection capabilities are used to detect the latest viruses, malware, ransomware, and
advanced threats that are used by hackers to infiltrate an enterprise’s network. Our SDK can scan and classify objects including
files, scripts, emails, and web-based threats, and use cases include email scanning, UTM and firewall appliances, and anti-malware
software applications. Cyren’s Malware Detection Engine is used to protect email applications.
Web
Security Engine – Our Web Security Engine is used by customers to provide URL classification for web browser filtering
and safe search capabilities. Cyren provides dozens of URL categories and classifications, with a unique capability for security-based
URL classifications. Use cases for Cyren web security engine include UTM and firewall appliances, endpoint filtering software
applications, and cloud-based web filtering.
Threat Analysis Service
– Cyren’s Threat Analysis Service delivers outstanding detection of the most advanced cyber threats. Cyren’s technology
uses a patented, cloud-based, multi-sandbox array which includes multi-stage hash threat lookup, file analysis, and full sandbox detonation.
Threat Analysis Services include file analysis and threat reporting on an individual file or aggregate basis and can be used by OEMs as
well as enterprise customers.
Cyren
Threat Intelligence Data Products
Cyren’s
Threat Detection Services generate billions of security transactions each day within the GlobalView network. OEM partners and
enterprise customers can benefit from the millions of unique threats that are detected each day by subscribing to Cyren’s
real-time Threat Intelligence Data feeds to supplement their security solutions and improve their overall threat posture. Cyren’s
Threat Intelligence Data feeds include the following discrete offerings:
|
●
|
Real-Time
Phishing Intelligence
|
|
●
|
Real-Time
Malware File Intelligence
|
|
●
|
Real-Time
IP Reputation Intelligence
|
|
●
|
Real-Time
Malware URL Intelligence
|
|
●
|
Real
Time Zombie Host Intelligence
|
Cyren
Enterprise Security Products
Cyren
has historically provided SMB and enterprise customers a broad set of internet security services from a common integrated platform
called Cyren Cloud Security (CCS). CCS applications included Cyren Web Security (a SaaS secure web gateway), Cyren Email Security
(a SaaS secure email gateway), Cyren DNS Security (a SaaS DNS web filtering solution), and Cyren Cloud Sandboxing (an advanced
threat protection service integrated into Cyren Web Security and Cyren Email Security, and also available as a standalone service).
These products were available on the CCS platform, leveraging shared threat detection services, a common policy framework, integrated
reporting, customer onboarding and license management. All products were sold on a per-user SaaS subscription model, providing
customers with a quick-to-deploy, easy-to-manage solution and a low total cost of ownership.
During
2019, Cyren revised its enterprise product strategy to focus on email security solutions, threat detection services and threat
intelligence data products.
Cyren’s
current Enterprise Security products include:
Cyren
Email Security (CES) – a cloud-based secure email gateway that works well with both on premise and cloud-based business
email, Cyren Email Security filters an organization’s inbound and outbound email to protect users from security threats
and spam. Inbound email security protects against malware, phishing, business email compromise, and more, with advanced threat
protection from cloud sandboxing, malware outbreak protection and time-of-click analysis. Support for SPF (Sender Policy Framework)
provides sender validation to prevent email spoofing, while policy-based encryption protects sensitive email communications. Outbound
protections block botnet-infected devices from sending malware or spam from a customer’s domain.
Cyren Inbox Security (CIS)
– Cyren developed an anti-phishing solution targeted at enterprise customers using the Microsoft 365 email platform that was launched
in the second quarter of 2020.
By
utilizing the native API integration offered by Microsoft 365, Cyren Inbox Security is able to detect email-based phishing threats
on a continuous basis, as well as provide a powerful set of remediation capabilities to identify and mitigate the types of phishing
messages which legacy perimeter defenses find challenging to stop, including:
|
●
|
Phishing
emails utilizing evasive techniques, like delayed URL activation, URLs hidden in attachments, use of strong encryption, use
of real and valid SSL certificates, etc.;
|
|
●
|
Spoofed
spear phishing messages impersonating employees or trusted partners;
|
|
●
|
BEC
and CEO fraud and other targeted social engineering attacks; and
|
|
●
|
New
zero-day phishing campaigns and account takeovers.
|
Figure 2: Cyren
Inbox Security offers advanced phishing security for Microsoft 365 – continuously monitors, detects, and remediates user
inboxes for today’s evasive phishing attacks.
Cyren Threat InDepth
– Threat InDepth is contextualized, correlated threat intelligence that allows enterprise security teams and security executives
to gain a comprehensive and multi-dimensional view of evolving email-borne threats and make meaningful decisions to mitigate them.
This high-fidelity, actionable intelligence is gathered by analyzing, processing, and correlating billions of daily transactions
across email content, suspicious files, and web traffic to provide unique, timely insights. Threat InDepth is available to enterprises
as – Phishing & Fraud URL Intelligence, Malware URL Intelligence, Malware File Intelligence, and IP Reputation Intelligence.
Threat InDepth assists security executives in making smart and effective business decisions that protect their enterprise while
ensuring maximum business productivity.
Sales
and Marketing
Cyren’s
cloud security solutions are sold into two markets:
|
●
|
OEM/Embedded
Security (Security product vendors, email providers, MSPs/MMSPs)
|
|
◌
|
In this market segment, our customers embed Cyren Threat Detection Services and Threat Intelligence Data into their infrastructure and/or products to protect their customers and their end users.
|
|
◌
|
In this market segment, Cyren provides enterprise customers Email Security products and Threat Intelligence Data to protect their employees, data, and IP.
|
OEM/Embedded
Security Market
Sales
We
target two primary segments to sell our Threat Detection Services and Threat Intelligence Data:
|
●
|
Service
providers. Organizations offering internet access or email services that need to protect their customers from internet
threats. For these partners, we offer carrier-class email security, web security, and advanced threat protection services
that can be integrated into their large-scale, high performance infrastructures.
|
|
●
|
Security
vendors. Network equipment and security vendors offering endpoint, gateway, and cloud-based solutions that need to augment
their security capabilities or integrate third party best-of-breed internet security capabilities into their products. For
these partners, we offer cloud-based APIs and SDKs for email security, web security, endpoint protection, and advanced threat
protection that can be integrated into their on-premise appliances or cloud solutions.
|
Our
sales team for these segments are organized by geographic regions, including Europe, the Middle East and Africa (EMEA), North
America, and Asia Pacific. The sales process for these segments entails consultative, technical business development engagements
working with partner product management and engineering teams to architect and integrate our solutions into their products.
Enterprise
Market
Sales
Our
sales and marketing programs are organized by geographic regions, including EMEA and North America.
We
sell through both direct and indirect channels, including distributors, value added resellers and managed service providers:
|
●
|
Direct
sales. We market and sell our solutions to enterprise customers directly through our direct sales teams, as well as indirectly
through channels where our sales organization actively works with our network of distributors and resellers. Our sales personnel
are located in North America and EMEA.
|
|
●
|
Indirect
channel. We engage value-added resellers via a two-tier distribution model, where resellers purchase Cyren services through
their distribution partner, as opposed to directly from us, and distributors provide sales support services such as technical
support, education, training, and financial services. Our reseller partners maintain relationships with their customers throughout
the territories in which they operate, providing them with services and third-party solutions to help meet their evolving
security requirements. As such, these partners act as a direct conduit through which we can connect with these prospective
customers to offer our solutions.
|
|
|
|
|
●
|
Managed
service providers. Unlike many other security products on the market today, Cyren’s platform is architected as an
integrated platform offering multi-tenant cloud services and delegated administration. This enables MSPs to operate our services
on behalf of multiple customers, allowing them to deliver turnkey internet security services to their customer bases.
|
Marketing
We
execute marketing programs to build awareness and encourage customer adoption of our solutions. Our marketing programs include
a variety of digital marketing, advertising, conferences, events, public relations activities, and web-based seminar campaigns
targeted at key decision makers within our prospective customers. We offer free product trials to allow prospective customers
to experience the capabilities of our products, to learn in detail about the features of our products and to quantify the potential
benefits.
Intellectual
Property
We
regard our patented and patent pending anti-spam and antivirus technology, copyrights, service marks, trademarks, trade secrets
and similar intellectual property as critical to our success, and rely on patent, trademark and copyright law, trade secret protection
and confidentiality and/or license agreements with our employees, customers, partners and others to protect our proprietary rights.
In
2004, we purchased a United States patent, U.S. Patent No. 6,330,590 that relates to the Recurrent Pattern Detection (RPD)
technology used in many of our security solutions. During 2006, we filed a provisional patent application in the United
States relating to the prevention of spam in streaming systems or, in other words, unwanted conversational media sessions
(i.e., voice and video related). This provisional application was converted to a full patent application
and that application was then divided into three applications. The United States Patent and Trademark
Office granted the original application as United States Patent No. 7,849,186. The three divisional patents were also
subsequently granted as United States Patent No. 7,991,919, United States Patent No. 8,190,737, and United States Patent No.
8,195,795, all of which have a term concurrent with US Patent No. 7,849,186. In 2016, we filed a provisional patent
application in the United States relating to a multi-sandbox array that utilizes unique intellectual property we developed in
support of our cyber threat protection capabilities. In February 2017, we converted this provisional application into full
patent applications for the multi-sandbox array in the United States, Europe, and Israel. The resulting US patent No.
10,482,243 was issued in November 2019, and Israel patent application 250797 was allowed in January 2020. The European
sandbox patent application is still in stages of prosecution. In July 2018 we filed a provisional patent application in the
United States relating to phishing detection systems and methods we developed in support of our anti-phishing capabilities.
In July 2019, we converted this provisional application into full patent applications for phishing detection in the United
States, Europe, and Israel. In 2019 U.S. Patent No. 6,330,590 expired after completion of its full 20-year term. We may seek
to patent certain additional software or other technology in the future.
We
have registered trademarks for our company name “Cyren” in the US and Europe and we are also maintaining our registered
trademark for “Commtouch” in the U.S. Through acquisition, we also acquired registered trademarks such as “FRISK”,
“F-PROT”, “eleven”, “Expurgate” and “Command Antimalware”. We may allow certain
of these trademarks to lapse over time. Since at least September 2003, we have claimed common law trademark rights in “RPD”
and “Recurrent Pattern Detection”, as applicable to our messaging security solutions. We have also been claiming common
law trademark rights in “Zero-Hour” in relation to our virus outbreak detection product (and more recently one
of our web security products) and “GlobalView” in relation to our Internet Protocol, or IP, reputation and web security
products, as well as our “cloud computing” network infrastructure.
It
may be possible for unauthorized third parties to copy or reverse engineer certain portions of our products or obtain and use
information that we regard as proprietary. In addition, the laws of some foreign countries do not protect proprietary rights to
the same extent as do the laws of the United States. There can be no assurance that our means of protecting our proprietary rights
in the United States, Europe or elsewhere will be adequate or that competing companies will not independently develop similar
technology.
Other
parties may assert infringement claims against us. We may also be subject to legal proceedings and claims from time to time in
the ordinary course of our business, including claims of alleged infringement by us and/or our customers of the trademarks and
other intellectual property rights of third parties. Our customer agreements typically include indemnity provisions so we may
be obligated to defend against third party intellectual property rights infringement claims on behalf of our customers. Such claims,
even if not meritorious, could result in the expenditure of significant financial and managerial resources.
Government
Programs
Under the R&D Law,
research and development programs approved by the Research Committee (the “Research Committee”) of the Israeli Innovation
Authority (the “IIA”) are eligible for “Benefits” which include grants, loans, exemptions, discounts, guarantees
and additional means of assistance, but with the exclusion of purchase of shares, provided under various tracks promulgated by
the Council Body (the “Tracks”). Most Tracks require the repayment of the Benefits in the form of the payment of royalties
from the sale of the product developed in accordance with the published Track guidelines and subject to other restrictions. Once
a project is approved, the IIA awards grants of up to 50% of the project’s expenditures in return for royalties, usually
at the rate of 3% of sales of products developed with such grants. For projects approved after January 1, 1999, the amount of royalties
payable was up to a dollar-linked amount equal to 100% of such grants plus interest at LIBOR. Our total commitment for royalties
payable with respect to future sales, based on IIA participations received, net of royalties paid or accrued, totaled $2,714 as
of December 31, 2020.
The
terms of these grants prohibit the manufacturing outside of Israel of the product developed in accordance with the program without
the prior consent of the Research Committee. Such approval is generally subject to an increase in the total amount to be repaid
to the IIA to between 120% and 300% of the amount granted, depending on the extent of the manufacturing that is conducted outside
of Israel.
The
R&D Law, also provides that know-how from the research and development and any derivatives thereof, cannot be transferred
or licensed to Israeli third parties without the approval of the Research Committee. The R&D Law stresses that it is not just
transfer of know-how that was prohibited, but also transfer of any rights in such know-how. Approval of the transfer and/or license
could be granted only if the Israeli transferee undertook to abide by all of the provisions of the R&D Law and regulations
promulgated thereunder, including the restrictions on the transfer of know-how and the obligation to pay royalties, if applicable.
The
know-how from the research and development and any derivatives thereof, cannot be transferred or licensed to non-Israeli third
parties without the approval of the Research Committee, which approval is generally contingent on payment of a significant penalty
of up to six times the grant amount plus LIBOR and minus any royalties paid. Such restriction does not apply to exports from Israel
of final products developed with such technologies. On May 7, 2017, the IIA published the Rules for Granting Authorization for
Use of Know-How Outside of Israel (the “Licensing Rules”). The Licensing Rules enable the approval of out-licensing
arrangements and other arrangements for granting of an authorization to an entity outside of Israel to use know-how developed
under research and development programs funded by the IIA and any derivatives thereof. Subject to payment of a “License
Fee” to the IIA, at a rate that will be determined by the IIA in accordance with the Licensing Rules, the IIA may now approve
arrangements for the license of know-how outside of Israel. This allows companies that have received IIA support to commercialize
know-how in a manner which was not previously available.
Government
Regulation
Laws
aimed at curtailing the spread of spam have been adopted by the United States federal government, i.e., the CAN-SPAM Act, and
certain individual U.S. states, with the CAN-SPAM Act superseding some state laws or certain elements thereof. The Israel government
has also adopted an amendment to the Communications Law, 1982, aimed at curtailing the spread of spam transmittal of commercial
advertisements by email, fax, SMS, or automated dialing systems without the consent of the recipient. Such laws may impact our
marketing activities. The law sets punitive fines for advertisers of spam, who may also be subject to civil lawsuits and class
actions.
The
propagation of email viruses, whether through email or websites, which are aimed at destroying or stealing third party data, is
illegal under standard state and federal law outlawing theft, misappropriation, conversion, etc., without the need for special
legislation prohibiting such activities on the internet. Despite the existence of these laws, sources for internet viruses continue
to spread multi-variant viruses seemingly without much fear of recrimination. New laws providing for more stringent penalties
could be adopted in various jurisdictions, but it is unclear what, if any, affect these would have on the antivirus industry in
general and our solutions in particular.
The EU enacted the
General Data Protection Regulation (GDPR), which took effect on May 25, 2018 and carries with it significantly increased responsibilities
and potential penalties for companies that process EU personal data. In connection with GDPR, we expect increased regulatory and
customer attention surrounding data privacy in the EU. In connection with GDPR, we experience increased customer attention surrounding
data privacy in the EU. In February 2016, the U.S. and E.U. announced an agreement on framework for transatlantic data flows entitled
the EU-US Privacy Shield (“Privacy Shield”) which we had previously relied in part as a mechanism to transfer personal
data from the EU to the U.S. However, on July 16, 2020, the European Court of Justice (the “CJEU”) invalidated the
Privacy Shield (which took effect immediately). In addition, the CJEU made clear that while it upheld the adequacy of the EU Standard
Contractual Clauses (“SCCs”) issued by the European Commission for the transfer of personal data to data processors
established outside of the EU, reliance on SCCs alone may not necessarily be sufficient in all circumstances and that their use
must be assessed on a case-by-case basis. The Company is currently evaluating what additional mechanisms may be required to establish
adequate safeguards for the further transfer of personal data, in addition to the SCC. If we are unable to transfer personal data
between and among countries and regions in which we operate, or if we are restricted from sharing personal data among our products
and services, it could affect the manner in which we provide our services. Furthermore, outside of the EU, we continue to
see increased regulation of data privacy and security, including the adoption of more stringent state privacy laws, national laws
regulating the collection and use of data, and security and data breach obligations. We have invested heavily in data sovereignty
features to ensure that Cyren customer data is handled in accordance with applicable law.
We
will continue to monitor legal requirements and will follow additional legal requirements for customer data privacy as they evolve.
Segments
We
conduct our business on the basis of one reportable segment.
Research
and Development
We
invest substantial resources in research and development to enhance our products and services, build new products and improve
our core technology. We invest heavily in our cloud infrastructure and our new product offerings such as Cyren Inbox Security.
Our engineering team has deep security expertise and works closely with customers to identify their current and future needs.
In addition to our focus on hardware and software, our research and development team is focused on research into next-generation
threats, which is required to respond to the rapidly changing threat landscape. We plan to continue to significantly invest in
resources to conduct our research and development effort.
Customers
As of December 31,
2020, we had customers of all sizes across a wide variety of industries. During the year ended December 31, 2020, one customer
accounted for approximately 23% of total revenue. No other individual customer accounted for more than 10% of total revenue.
During the year ended December 31, 2019, the same customer accounted for approximately 20% of total revenue.
In the fourth quarter
of 2020, we received notification that this customer will renew one of their contracts for another three years through the first
quarter of 2024, but that it does not intend to renew its largest contract with the Company beginning April 2021. As a result,
we anticipate that quarterly revenues from this customer will drop from over 20% currently to approximately 14% of quarterly revenue
beginning in the second quarter of 2021.
Competitive
Landscape
The
markets in which Cyren competes are intensely competitive and rapidly changing. However, we believe there are few competitors
that offer a range of threat detection services, threat intelligence data, and email security products that Cyren provides.
The
principal competitive factors in our industry include price, product functionality, product integration, platform coverage and
ability to scale, worldwide sales infrastructure and global technical support. Some of our competitors have greater financial,
technical, sales, marketing, and other resources than we do, as well as greater name recognition and a larger installed customer
base. Additionally, some of these competitors have more significant research and development capabilities that may allow them
to develop new or improved products that may compete with product lines and services we market and distribute, possibly at
a lower cost. Our success will depend on our ability to adapt to these competing forces, to develop more advanced products more
rapidly and less expensively than our competitors and/or to purchase new products by way of strategic acquisitions, and to educate
potential OEM customers as to the benefits of using our products rather than developing their own products.
In
the market for email security solutions, there are sophisticated offerings that compete with our solutions. Email security providers
offering forms of Software-as-a-Service email gateways, multi-functional appliances, and managed service solutions and which may
be viewed as both competitors and potential customers to Cyren include Google, Symantec, McAfee, Cisco, Proofpoint, and Mimecast.
Email security providers offering solutions on an OEM basis similar to Cyren’s business model, and which may be viewed as
direct competitors, include Proofpoint (via the Cloudmark acquisition), Sophos, Mailshell and Vade Secure.
The
market for real-time virus protection products is also constantly evolving, as those designing and proliferating viruses and other
malware seek new vulnerabilities and distribution techniques, and also continue to leverage email distribution as a cost-effective
medium for accurately targeting broad, numerous potential victims. Cyren’s real-time offering differs from traditional antivirus
solutions by leveraging our global footprint and detection technology to rapidly detect outbreaks, often hours or days before
traditional antimalware solutions; it thereby offers a complementary solution to signature and heuristic-based antivirus
engines. For this reason, our virus outbreak detection engine has been deployed by many security companies and service providers.
In
the market for antimalware solutions, there are vendors offering reasonably effective solutions using various technologies based
on signatures, emulation, and heuristics. Cyren has a targeted OEM/service provider focus, plus an increasing focus on heuristics
and zero-day effectiveness. Most companies in this space provide endpoint products and, in some cases, make software development
kits available on an OEM basis. Competitors to Cyren include Sophos, Bitdefender, Kaspersky, McAfee, Symantec, and open source
software such as Clam-AV (now part of Cisco).
In
the market for anti-phishing solutions targeted at enterprise customers, Gartner has defined a competitive category called Cloud
Email Security Supplements (CESS) for providers of cloud delivered supplementary email security solutions such as Cyren Inbox
Security(1). Although this is an early stage market, Gartner has identified several competitors to Cyren such as Agari,
Avanan, GreatHorn, Graphus, Inky, Ironscales and Vade Secure.
We
expect that the markets for internet security solutions will continue to become more consolidated, with companies increasing their
presence in this market or entering ancillary markets by acquiring or forming strategic alliances with our competitors or business
partners. Industry analyst Momentum Cyber noted that the cybersecurity industry saw a record 188 mergers and acquisitions totaling
$27.6 billion dollars in 2019, including several multi-billion dollar deals such as the acquisition of Symantec by Broadcom, the
acquisition of Sophos by Thoma Bravo and the acquisition of Carbon Black by VMware(2). See also disclosure under “Risk
Factors—Business Risks— we face intense competition and could lose market share to our competitors, which could adversely
affect our business, financial condition and results of operations.”
Threat
Landscape
The
last several years have possibly experienced the greatest amount of dramatic global incidents directly related to malware and
cyber threats since the advent of the internet. From election hacks to global ransomware attacks, malware threats are at an all-time
high. As long as these activities prove lucrative, we expect these incidents to get worse.
In
this “cyber-war”, with respect specifically to malware, three battlefronts stand out: ransomware, hyper-evasive malware,
and malware distribution via HTTPS.
Ransomware
has become especially lucrative for cybercriminals. Massive scale ransomware attacks have spread extremely quickly around the
globe targeting governments, corporations, and private citizens. With hyper-evasive malware, cybercriminals are using codes designed
to specifically detect and evade conventional sandbox detection and analysis. With respect to encrypted HTTPS traffic from “secure”
web sites, a 2017 Cyren study of traffic passing through the Cyren security cloud found that almost 40% of all malware being disseminated
is utilizing HTTPS connections for distribution or communications, yet surveys show that many companies around the globe are not
inspecting that traffic.
It
has become clear that cybercriminals know the weak points in standard corporate defenses and are optimizing their attacks to leverage
these security gaps in every possible way.
Today,
no item or user connected to the internet is immune to attack. While many businesses are still studying what security measures
might be necessary, cybercriminals are “all in”, creating dangerous new tools to target companies, governments, and
private citizens. We need to be mindful that the world has changed, hyper-evasive malware and threat distribution via HTTPS are
growing rapidly; mobile devices— both Android and Apple—are increasingly targets; and Internet of Things (IoT) devices,
from refrigerators to televisions, are an inviting new vector for criminal purposes.
|
(1)
|
Gartner
Market Guide for Email Security (Neil Wynne, Peter Firstbrook, Published 6 June 2019).
|
|
(2)
|
Momentum
Cyber Cybersecurity Almanac (Published 18 February 2020).
|
Cloud
and Mobility
Businesses
are going through a massive change in their IT strategies as they look to drive more business value, agility, and better customer
experiences.
|
●
|
Business
internet traffic continues to increase every year – executives, employees, partners, contractors, and customers
are accustomed to transacting online. As a result, individuals are far more comfortable opening emails, clicking on links
and providing sensitive data and information without questioning the authenticity of the applicable request. The simple organic
growth in this usage of the internet is taxing existing legacy appliance solutions that have built-in capacity restrictions
limiting their ability to scale.
|
|
●
|
Data
and applications are increasingly moving to the cloud – where we used to protect the servers, data and applications
we ran in our data centers behind an appliance-based security perimeter, today these apps and data have moved outside of this
security perimeter and into the cloud.
|
|
●
|
More
and more users are working remotely — users have left the perimeter, and are working from home offices, airports,
hotels, and coffee shops, accessing the internet without protection from our perimeter security appliances.
|
As
organizations go through this transition, many are finding it increasingly difficult to protect their users, data, and networks
with traditional on-premise security solutions.
|
●
|
Buyers
continue to move away from traditional on-premise solutions — preference for service-based security solutions are
growing, driven by innovations, increasing need for security beyond the perimeter, and lower total cost of ownership.
|
|
●
|
Mature
and legacy on premise deployments are reaching end of life — and these are increasingly being replaced by SaaS alternatives.
|
|
●
|
IT
security staffing shortages – driving products with lower management overhead, as well as some outsourcing to key
technology partners.
|
|
●
|
Increasingly
fast, sophisticated, expensive, and high-profile attacks target organizations of all sizes – attacks are increasingly
focused on small companies, less-regulated and less-security aware industries, dictating increased security investment.
|
|
●
|
Compliance
and regulatory mandates are creating increased concern among buyers, especially as the cost of failure becomes more painful.
Continued, large-scale breaches — themselves a driver for security purchases — will bring about even more stringent
levels of regulation.
|
|
●
|
Heightened
cybercrime activity among commercial enterprises and nation states – political and economic motivations are driving
cyberattacks of both private enterprises and government entities.
|
|
●
|
Automation
is increasingly considered critical to accelerating detection and protection, and to countering IT talent shortages.
|
These
reasons explain why Cyren’s vision for 100% cloud security is compelling to IT security teams looking to protect their businesses
in today’s cloud-centric mobile-first world.
Human
Capital Resources
Effective
management of our human capital is essential to the success of our Company. It is vital that we recruit, train, develop, motivate,
and retain employees with the skills to execute our strategy and tactical plans across the Company.
As of December 31,
2020, the Company employed 222 employees. As of December 31, 2020, our employee population is dispersed across the globe with 36%
in Israel, 25% in Germany, 16% in the United States, 16% in Iceland, and 7% in the United Kingdom.
Except
for our employees in Iceland, which in accordance with standard local practices are represented by labor unions, none of our employees
are represented by a labor union and are not subject to a collective bargaining agreement. We believe our employee relations are
good and we have not experienced any work stoppages.
Approximately 53% of
our employees were part of our research and development teams, with the remainder of our employees comprising our sales and marketing,
operations and customer support, and administrative teams.
In addition to our
employees, we engage independent contractors who primarily provide services to the R&D team in order to meet staffing needs,
as it is more cost-effective. As of December 31, 2020, we engaged approximately 56 contractors on a full-time equivalency.
Work Environment
We are committed to
a safe work environment for our employees, whether in person or virtually. We adhere and expect all of our employees to adhere
to our Code of Business Conduct, which, among other things, sets forth numerous policies designed to provide a safe, ethical, respectful,
and compliant work environment. In response to the COVID-19 pandemic, we made significant decisions that we determined were in
the best interest of the Company and are vital to protect our employees, including restricting travel and directing most of our
employees to work from home. For employees continuing critical on-site work, we have implemented additional safety measures such
as limiting the number of people present each day on-site, social distancing, use of face masks, and frequent disinfection of shared
spaces. We continue to monitor the impact of the pandemic on our employees and contractors and to track national and local conditions
and governmental guidance where our employees are located, thus ensuring that we make decisions that are aimed at promoting their
health and safety based upon each specific locality. We have been very encouraged by the way our employees have responded to the
challenges caused by the COVID-19 pandemic. Our employees and contractors have generally maintained their productivity under virtual
working conditions.
We believe that we
offer a competitive and varied selection of compensation and benefits programs to support our employees. We are committed to their
overall well-being and to providing programs that are competitive in our industry. Our compensation programs consist primarily
of base salary, and dependent upon level, may include a corporate bonus, and equity awards. We periodically conduct pay equity
surveys to ensure our compensation programs are applied equitably for all our employees. Consistent with local practices, we generally
offer benefits programs that consist of comprehensive health, dental, and welfare benefits, and where applicable, retirement savings
and life insurance options.
Communication
and Engagement
We
believe that our success depends upon our employees’ understanding of how their work results contribute to our overall strategy
and plans. To this end, we communicate with our workforce through a variety of channels and encourage open and direct communication,
including periodic Company-wide CEO update meetings which include a variety of topics of interest and frequent email corporate
communications.
Diversity
and Inclusion
We strive to promote and advance
diversity and inclusion across the Company. We value diverse perspectives and life experiences. We believe that everyone deserves respect
and equal treatment, regardless of gender, race, ethnicity, age, disability, sexual orientation, gender identity, cultural background,
or religious belief. As of December 31, 2020, approximately 25% of our employees were female and across all management roles, approximately
31% of leadership is female.
Corporate
Information
We
were incorporated as a private company under the laws of the State of Israel on February 10, 1991 and our legal form is a company
limited by shares. We became a public company on July 15, 1999 under the name Commtouch Software Ltd. In January 2014, we changed
our legal name to Cyren Ltd. Our website is https://www.cyren.com. The SEC maintains an internet site that contains reports, proxy
and information statements and other information regarding issuers that file electronically with the SEC. Our filings under the
Exchange Act are available on our website and are also available electronically from the website maintained by the SEC at www.sec.gov.
Our
principal executive offices are located at 10 Ha-Menofim St., 5th Floor, Herzliya, Israel 4672561, where our telephone
number is +972–9–863–6888.
ITEM 1A.
RISK FACTORS
Business
Risks
We
may not be able to continue as a going concern.
As
of December 31, 2020, we had an accumulated deficit of $248.7 million, cash and cash equivalents of $9.3 million, current liabilities
of $24.9 million and generated a net loss of $17.3 million. We have incurred losses since inception and expect to continue to
incur losses for the foreseeable future. As of December 31, 2020, our cash and cash equivalents balance is not sufficient to fund
our planned operations for at least a year beyond the date of the financial statements included in this report. These factors
raise doubt about our ability to continue as a going concern and therefore it may be more difficult for us to attract investors.
The ability to continue as a going concern is dependent upon our ability to obtain the necessary financing to meet our obligations
and repay our liabilities arising from normal business operations when they become due. Despite our ability to secure capital
in the past, we cannot assure you that we will be able to obtain additional debt or equity financing on favorable terms, if at
all. Furthermore, if we raise additional equity financing, our shareholders may experience significant dilution of their ownership
interests. If we engage in debt financing, we may be required to accept terms that restrict our ability to incur additional indebtedness,
force us to maintain specified liquidity or other ratios or restrict our ability to pay dividends or make acquisitions.
We
have a history of losses and may not be able to achieve or maintain profitability.
We
have a history of incurring net losses, including net losses of $17.3 million and $18.0 million in 2020 and 2019,
respectively. As a result, we had an accumulated deficit of $248.7 million as of December 31, 2020. Achieving
profitability will require us to increase revenue, manage our cost structure, and avoid unanticipated liabilities. We have made
and expect to continue to make significant expenditures to develop and expand our business and we do not expect to be profitable
in the near term. Revenue growth may slow or revenue may decline for a number of possible reasons, including slowing demand for
our solutions, increasing competition, expense reductions, a decrease in the growth of our overall market, the impact of the COVID-19
pandemic, or if we fail for any reason to continue to capitalize on growth opportunities. Any failure by us to obtain and sustain
profitability, or to continue our revenue growth, could cause the price of our ordinary shares to decline significantly.
Our
indebtedness may have an adverse effect on our business or limit our ability to take advantage of business, strategic or financing
opportunities; our debt instruments contain certain events of default which, if triggered, may result in acceleration of our debt.
On
March 19, 2020, we issued $10.25 million aggregate principal amount of our 5.75% convertible debentures due March 19, 2024 (the
“Convertible Debentures”). On December 5, 2018, we issued $10.0 million aggregate principal amount of 5.75% convertible
notes due December 5, 2021 (the “Convertible Notes”). Our Convertible Debentures and Convertible Notes contain certain
covenants with which we must comply and events of default which, if triggered, may result in the Convertible Debentures and/or
Convertible Notes becoming immediately due and payable. These events of default include, but are not limited to, failure to pay
interest and principal when due, failure to perform any term, covenant or agreement contained in the Convertible Debentures or
Convertible Notes, certain events of bankruptcy, insolvency or reorganization, and certain defaults on our obligations under other
debt instruments. In addition, as long as the Convertible Debentures and Convertible Notes are outstanding, we must obtain consent
of the holders in order to take the following actions as required by the respective debt instruments:
|
●
|
incur
certain additional indebtedness or guarantee indebtedness;
|
|
●
|
make
certain amendments to our charter documents;
|
|
●
|
repay,
repurchase, or acquire ordinary shares or indebtedness except under certain circumstances;
|
|
●
|
pay
cash dividends or distributions on any equity securities; or
|
|
●
|
enter
into transactions with affiliates, with certain exceptions.
|
These
consent requirements could restrict us from taking any of the above actions that we believe to be in our best interests and could
adversely affect our ability to obtain additional financing, engage in certain business activities, take advantage of business
opportunities, or otherwise execute our business strategies. In addition, our ability to comply with the terms of the Convertible
Debentures and the Convertible Notes may be affected by general economic conditions, industry conditions, and other events beyond
our control. As a result, we cannot assure you that we will be able to comply with these terms. Failure to comply with the terms
of the Convertible Debentures or the Convertible Notes could result in a default under these debt instruments, upon which the
outstanding debt would become immediately due and payable. This could have serious consequences to our financial condition and
results of operations. We cannot assure you that our assets or cash flow would be sufficient to repay our obligations under the
Convertible Debentures or the Convertible Notes if accelerated upon an event of default, or that we would be able to borrow sufficient
funds to refinance these debt instruments.
We do not anticipate that we will have sufficient
funds to pay the principal of the Convertible Notes on their maturity date in December 2021, and the inability to restructure or refinance
the Convertible Notes on commercially reasonable terms, or at all, would have a material adverse effect on our financial condition.
The Convertible Notes ($10.0
million aggregate principal amount) mature in December 2021. We do not anticipate that we will have sufficient funds to pay the principal
of the Convertible Notes on their maturity date. The inability to restructure or borrow sufficient funds to refinance the Convertible
Notes on commercially reasonable terms, or at all, would have serious consequences to our financial condition and results of operations.
If
the internet security market does not accept our cloud-based product offerings, our sales will not grow as quickly as anticipated,
or at all, and our business, results of operations and financial condition would be harmed.
Our
success will depend to a substantial extent on the willingness of enterprises to increase their acceptance and use of cloud computing
services. The market for email security solutions delivered as a service is still at an early stage relative to on-premise solutions,
and these applications may not achieve and sustain high levels of demand and market acceptance. In particular, there is no assurance
that our recently released Cyren Inbox Security will generate a high level of demand or achieve market acceptance.
Historically,
companies have used appliance-based security products, such as firewalls, intrusion prevention systems, or IPS, anti-virus, or
AV, and web and messaging gateways, for their IT security. These enterprises may be hesitant to purchase our cloud-based security
offering if they believe that signature-based products, or our competitors’ products, are more cost-effective, provide substantially
the same functionality or otherwise provide a sufficient level of IT security. Many enterprises have invested substantial personnel
and financial resources to integrate traditional enterprise software or hardware appliances for these applications into their
businesses, and currently, most enterprises have not allocated a fixed portion of their budgets to protect against next-generation
advanced cyber attacks. As a result, to expand our customer base, we need to convince potential customers to allocate a portion
of their discretionary budgets to purchase our products and services. If we do not succeed in convincing customers that our offerings
should be an integral part of their overall approach to IT security, our sales will not grow as quickly as anticipated, or at
all, which would have an adverse impact on our business, results of operations and financial condition.
In
addition, many enterprises may be reluctant or unwilling to use cloud computing services because they have concerns regarding
the risks associated with its reliability and security, among other things, of this delivery model, or its ability to help them
comply with applicable laws and regulations. If enterprises do not perceive the benefits of this delivery model, then the market
for our services and our sales would not grow as quickly as we anticipate or at all and our business, results of operations and
financial condition would be harmed.
If
the market does not continue to respond favorably to our traditional Threat Intelligence Service security solutions, including
our Threat Detection Services and Threat Intelligence Feeds, or future services do not gain acceptance, we will fail to generate
sufficient revenues.
Our
success depends on the continued acceptance and use of our Threat Intelligence Service security solutions by current and new businesses,
Original Equipment Manufacturers (“OEMs”), and service provider customers, plus the interest of such customers in
our newest offerings. As the markets for email, antivirus and web security products continue to mature and consolidate, we are
seeing increasing competitive pressures and demands for even higher quality products at lower prices. This increasing demand
comes at a time when internet security threats are more varied and intensive, challenging top end solutions to keep their performance
at an industry-acceptable level of accuracy. If our solutions do not continue to evolve to meet market demand, or newer products
on the market prove more effective, our business could fail. Also, if growth in the markets for these solutions begins to slow,
our business, results of operations and financial condition will suffer dramatically.
If
we are unable to effectively integrate future investments and acquisitions, our business operations and financial results will
suffer.
Our
success will depend, in part, on our ability to expand our service and product offerings and grow our business in response to
changing technologies, customer demands and competitive pressures. In some circumstances, we may decide to do so through the acquisition
of complementary businesses and technologies rather than through internal development, including, for example, our 2012 acquisition
of the antivirus business of the Icelandic company, Frisk Software International (“Frisk”) and the German internet
security company eleven GmbH (“eleven”).
If
we encounter further difficulties or unforeseen expenditures in integrating the business, technologies, products, personnel, or
operations of any company that we acquire, the revenue and operating results of the combined company could be adversely affected.
The risks we face in connection with acquisitions include:
|
●
|
disruption
of our ongoing business, diversion of resources, increased expenses, and distraction of our management from operating our
business to addressing acquisition integration challenges;
|
|
●
|
additional
legal and regulatory compliance;
|
|
●
|
cultural
challenges associated with integrating employees from the acquired companies into our organization;
|
|
●
|
inability
to retain key employees from the acquired companies;
|
|
●
|
inability
to strengthen our competitive position, achieve our strategic goals, generate sufficient financial return to offset acquisition
costs or realize the expected benefits of the acquisition;
|
|
●
|
failure
to identify significant problems or liabilities, including liabilities resulting from the acquired companies’ pre-acquisition
failure to comply with applicable laws, during our pre-acquisition due diligence;
|
|
●
|
difficulties
related to our entry into geographic or business markets in which we have little or no prior experience or where competitors
have stronger market positions;
|
|
●
|
difficulties
in, or inability to, successfully sell any acquired products or services;
|
|
●
|
difficulties
with the coordination of research and development, sales and marketing, accounting, human resources, and other general and
administrative systems;
|
|
●
|
changes
in relationships with strategic partners as a result of product acquisitions or strategic positioning resulting from the acquisitions;
|
|
●
|
liability
for activities of the acquired companies before the acquisition, including intellectual property infringement claims, violations
of laws, commercial disputes, tax liabilities and litigation; and
|
|
●
|
unanticipated
write-offs or charges.
|
The
occurrence of any of these risks could have a material adverse effect on our business operations and financial results.
We
face intense competition and could lose market share to our competitors, which could adversely affect our business, financial
condition, and results of operations.
The
market for security products and services is intensely competitive and characterized by rapid changes in technology, customer
requirements, industry standards and frequent new product introductions and improvements. We anticipate continued challenges from
current competitors as well as by new entrants into the industry. If we are unable to anticipate or effectively react to these
competitive challenges, our competitive position could weaken, and we could experience a decline in our revenue that could adversely
affect our business and results of operations.
Many
of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages such as:
|
●
|
greater
name recognition and larger customer bases;
|
|
●
|
larger
sales and marketing budgets and resources;
|
|
●
|
broader
distribution and established relationships with channel and distribution partners and customers;
|
|
●
|
greater
customer support resources;
|
|
●
|
lower
labor and research and development costs; and
|
|
●
|
substantially
greater financial, technical, and other resources.
|
In
addition, some of our larger competitors have substantially broader product offerings and may be able to leverage their relationships
with distribution partners and customers based on other products or incorporate functionality into existing products to gain business
in a manner that may discourage users from purchasing our products, subscriptions and services, including by selling at zero or
negative margins, product bundling or offering closed technology platforms.
Potential
customers may also prefer to purchase from their existing suppliers rather than a new supplier regardless of product performance
or features. As a result, even if the features of our offerings are superior, customers may not purchase our services or products.
In addition, innovative start-up companies, and larger companies that are making significant investments in research and development,
may invent similar or superior products and technologies that compete with our product and services. Our current and potential
competitors may also establish cooperative relationships among themselves or with third parties that may further enhance their
resources. If we are unable to compete successfully, or if competing successfully requires us to take costly actions in response
to the actions of our competitors, our business, financial condition, and results of operations could be adversely affected.
Some
of our competitors have acquired businesses that may allow them to offer more directly competitive and comprehensive solutions
than they had previously offered. As a result of such acquisitions, our current or potential competitors might be able to adapt
more quickly to new technologies and end user needs, devote greater resources to the promotion or sale of their products and services,
initiate or withstand substantial price competition, take advantage of acquisitions or other opportunities more readily, or develop
and expand their product and service offerings more quickly than we can. Due to various reasons, organizations may be more willing
to incrementally add solutions to their existing security infrastructure from competitors than to replace it with our solutions.
These competitive pressures in our market or our failure to compete effectively may result in price reductions, fewer orders,
reduced revenue and gross margins, and loss of market share. Any failure to meet and address these factors could seriously harm
our business and operating results.
Also,
many of our smaller competitors that specialize in providing protection from a single type of business security threat may deliver
these specialized business security products to the market more quickly than we can or may introduce innovative new products or
enhancements before we do. Conditions in our markets could change rapidly and significantly as a result of technological advancements.
If
we are unable to enhance our existing solutions and develop new solutions, our growth will be impeded.
Our
ability to attract new customers and increase revenue from existing customers will depend in large part on our ability to enhance
and improve our existing solutions and to introduce new solutions. The success of any enhancement or new solution depends on several
factors, including the timely completion, introduction and market acceptance of the enhancement or solution. Any enhancement or
solution we develop or acquire may not be introduced in a timely or cost-effective manner and may not achieve the broad market
acceptance necessary to generate significant revenue. If we are unable to successfully develop or acquire new solutions or enhance
our existing solutions to meet customer requirements, we may not grow as expected.
We
cannot be certain that our development activities will be successful or that we will not incur delays or cost overruns. Furthermore,
we may not have sufficient financial resources to identify and develop new technologies and bring enhancements or new solutions
to market in a timely and cost-effective manner. New technologies and enhancements could be delayed or cost more than we expect,
and we cannot ensure that any of these solutions will be commercially successful if and when they are introduced.
A
loss of any of our large customers could have a material adverse effect on our financial condition and results of operations.
In the year ended December
31, 2020, our three largest customers accounted for approximately 34% of our annual revenues (including our largest customer that
accounted for approximately 23% of total revenue). A significant reduction in revenue in the future from these major customers
could have a material adverse effect on our financial condition, results of operations and cash flow. In the fourth quarter of
2020, we received notification that our largest customer will renew one of their contracts for another three years through the
first quarter of 2024, but that it does not intend to renew its largest contract with the Company beginning April 2021. As a result,
we anticipate that quarterly revenues from this customer will drop from over 20% currently to approximately 14% of quarterly revenue
beginning in the second quarter of 2021. In addition, if one or more of our major customers were to develop its own competing technology
or to experience economic difficulties, changes in purchasing policies or difficulties in fulfilling their obligations to us, our
financial condition could be materially and adversely affected.
Adverse
conditions in the national and global financial markets could have a material adverse effect on our business, operating results,
and financial condition.
Our
financial performance depends, in part, on the state of the economy, which may deteriorate in the future including, as a result
of the spread or fear of spread of contagious diseases (such as the COVID-19 pandemic). Challenging economic conditions worldwide
have from time to time contributed, and may continue to contribute, to slowdowns in the information technology industry, resulting
in reduced demand for our solutions as a result of continued constraints on IT-related capital spending by our customers and increased
price competition for our solutions. Additionally, concerns regarding the effects of the “Brexit” decision, uncertainties
related to changes in public policies such as domestic and international regulations, taxes or international trade agreements
as well as geopolitical turmoil and other disruptions to global and regional economies and markets in many parts of the world,
have and may continue to put pressure on global economic conditions and overall spending on IT security.
If
the economies of countries in which our customers and potential customers are located weaken, our customers may reduce or postpone
their spending significantly. This could result in reductions in sales of our services and longer sales cycles, slower adoption
of new technologies and increased price competition. In addition, weakness in the end user market could negatively affect the
cash flow of our OEM and service provider partners, distributors and resellers who could, in turn, delay paying their obligations
to us. This would increase our credit risk exposure and cause delays in our recognition of revenues on future sales to these customers.
Specific economic trends, such as declines in the demand for PCs, servers, and other computing devices, or weakness in corporate
information technology spending, could have a more direct impact on our business. Any of these events would likely harm our business,
operating results, and financial condition.
The
outbreak of COVID-19 and its international spread has affected how we operate our business, and the duration and the extent to
which it will impact future results of operations and overall financial performance is unknown.
Pandemics and epidemics
such as the current COVID-19 outbreak or other widespread public health problems could negatively impact our business. The
current outbreak of COVID-19 has had widespread impacts on the overall economy, buying patterns of partners and potential customers,
and business operations and continues to present concerns that may dramatically affect our ability to conduct our business effectively,
including, but not limited to, our inability to travel to various destinations due to travel restrictions and quarantine requirements,
attend certain industry-related conferences and effectively maintain ongoing sales operations. For employees continuing critical
on-site work, we have implemented additional safety measures such as limiting the number of people present each day on-site, social
distancing, use of face masks, and frequent disinfection of shared spaces. Any additional precautionary measures may negatively
impact our sales, operating results and business.
A significant reduction in
global economic activity may result in reduced IT budgets, including for cyber security software. While the ultimate impact of the COVID-19
outbreak is highly uncertain and subject to change, a significant duration of the COVID-19 outbreak and related government actions will
impact many aspects of our business. Additionally, if the COVID-19 pandemic has had or continues to have a substantial impact on our partners
and customers, our overall financial performance and operations may be negatively impacted. If a significant percentage of our workforce
is unable to work, either because of illness or travel or government restrictions in connection with the COVID-19 outbreak, our operations
may be negatively impacted.
If
the perceived general level of advanced cyber attacks declines, demand for our solutions may decrease, our cost of doing business
may increase and our business could be harmed.
Our
business is substantially dependent on enterprises recognizing that advanced cyber attacks are pervasive and are not effectively
prevented by legacy security solutions. High visibility attacks on prominent enterprises and governments have increased market
awareness of the problem of advanced cyber attacks and help to provide an impetus for enterprises to devote resources to protecting
against advanced cyber attacks, such as purchasing our services and products and broadly deploying our services and products within
their organizations. If advanced cyber attacks were to decline, or enterprises perceived that the general level of advanced cyber
attacks have declined, our ability to attract new customers and expand our offerings within existing customers could be materially
and adversely affected and harm our business, results of operations and financial condition.
In
addition, various state legislatures have enacted laws aimed at regulating the distribution of unsolicited email. These and similar
legal measures, both in the United States and worldwide, may have the effect of reducing the amount of unsolicited email and malicious
software that is distributed and hence diminish the need for our internet security solutions. Any such developments would have
an adverse impact on our revenues.
We
depend upon our OEM customers for the majority of our revenue and if our OEM customers do not renew existing subscriptions or
buy additional services, our operating results will be harmed.
We expect to continue
to be dependent upon OEM partners and service providers for a significant portion of our revenues.
Our operating results and financial condition
may be materially adversely affected if:
|
●
|
anticipated orders or
payments from these partners fail to materialize;
|
|
●
|
our partners cease the
promotion of our business or begin to promote solutions other than ours;
|
|
●
|
our partners are acquired
by larger companies who may have other relationships or technologies that lead to the displacement or termination of Cyren contracts;
|
|
●
|
our partners do not live
up to their contractual agreements or fail to pay for services rendered; or
|
|
●
|
our partners’ businesses
fail.
|
We
regularly have discussions with our customers regarding the renewal of their contracts and the renegotiation of the terms of such
contracts at the time of renewal. In the fourth quarter of 2020, we received notification that our largest customer will renew
one of their contracts for another three years through the first quarter of 2024, but that it does not intend to renew its largest
contract with the Company beginning April 2021. As a result, we anticipate that quarterly revenues from this customer will drop
from over 20% currently to approximately 14% of quarterly revenue beginning in the second quarter of 2021. For additional information,
please refer to Note 11b of the consolidated financial statements included elsewhere in this Annual Report.
Our
quarterly operating results may fluctuate, which could adversely affect our share price.
Our
revenues and operating results could vary significantly from period to period as a result of a variety of factors, many of which
are outside of our control. As a result, comparing our revenues and operating results on a period-to-period basis may not be meaningful,
and shareholders should not rely on our past results as an indication of our future performance. We may not be able to accurately
predict our future revenues or results of operations. We base our current and future expense levels on our operating plans and
sales forecasts, and our operating costs are relatively fixed in the short-term. As a result, we may not be able to reduce our
costs sufficiently to compensate for an unexpected shortfall in revenues, and even a small shortfall in revenues could disproportionately
and adversely affect financial results for that quarter. If our revenues or operating results fall below the expectations of investors
or any securities analysts that cover our stock, our share price could decline substantially.
A
number of factors, many of which are enumerated in this “Risk Factors” section, are likely to cause fluctuations in
our operating results or cause our share price to decline. These factors include:
|
●
|
our
ability to successfully market both our traditional email, antivirus and web security solutions and our newer cloud-based
internet security solutions in new markets, both domestic and international;
|
|
●
|
our
ability to successfully develop and market new, modified or upgraded solutions, as may be needed;
|
|
●
|
demand
for, and the continued acceptance of our solutions by our current partners and customer base and the level of perceived urgency
regarding security threats and compliance requirements;
|
|
●
|
our
ability to expand our workforce with qualified personnel, as may be needed;
|
|
●
|
unanticipated
bugs or other problems affecting the delivery of our solutions to customers;
|
|
●
|
the
success of our partners’ sales efforts to their customer base;
|
|
●
|
the
solvency of our partners and their ability to allocate sufficient resources towards the marketing of our products;
|
|
●
|
our
partners’ ability to effectively integrate our solutions into their product offerings;
|
|
●
|
the
substantial decrease in information technology spending;
|
|
●
|
the
pricing of our products;
|
|
●
|
our
ability to timely collect fees owed by our customers and partners;
|
|
●
|
general
economic conditions, including a global slowdown (for example, as a result of the COVID-19 outbreak);
|
|
●
|
sudden,
dramatic fluctuations in exchange rates of currencies covering the fees we collect from our foreign customers versus the currencies
utilized in our business (namely, the Israeli Shekel (“ILS”), the U.S. Dollar (“USD”), the Euro (“EUR”)
and the British Pound (“GBP”);
|
|
●
|
our
ability to add cost-effective space and equipment to our current data centers in a timely and effective manner to match the
rate of growth in our business, plus our ability to build new, cost-effective data centers as worldwide demand for our products
may require;
|
|
●
|
the
effectiveness of our end user support, whether provided by our customers or directly by Cyren;
|
|
●
|
customer
budgeting cycles and seasonal buying patterns;
|
|
●
|
the
extent to which customers subscribe for additional solutions or increase the number of users;
|
|
●
|
any
disruption in our sales channels or termination of our relationship with strategic channel partners;
|
|
●
|
insolvency
or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solutions; and
|
|
●
|
price
competition or any changes in the competitive landscape of our industry, including consolidation among our competitors, customers,
partners, or resellers.
|
Our
ability to continue to increase our revenues will depend on our ability to successfully execute our sales and business development
plan.
The
complexity of the underlying technological base of email, antivirus and web security solutions, and the current landscape of the
markets, require highly trained sales and business development personnel to educate prospective distributors, resellers, OEM and
service provider partners and customers regarding the use and benefits of our solutions. We continue to be substantially dependent
on our sales force to obtain new customers and to drive additional use cases and adoption among our existing customers. We believe
that there is significant competition for sales personnel with the skills and technical knowledge that we require. Our ability
to achieve significant revenue growth will depend, in large part, on our success in recruiting, training, and retaining sufficient
numbers of sales personnel to support our growth. New hires require significant training and may take significant time before
they achieve full productivity. Our recent hires and planned hires may not become productive as quickly as we expect, and we may
be unable to hire or retain sufficient numbers of qualified individuals in the markets where we do business or plan to do business.
Our
future success depends on our ability to sell additional solutions to our customers, such as our CIS solution which was made generally
available for purchase in the second quarter of 2020. This may require increasingly sophisticated and costly sales efforts and
may not result in additional sales. In addition, the rate at which our customers purchase additional solutions depends on a number
of factors, including the perceived need for additional solutions, growth in the number of end users, and general economic conditions.
If our efforts to sell additional solutions to our customers are not successful, our business, financial condition and/or results
of operations may suffer.
We
rely on our management team and other key employees and will need additional personnel to grow our business, and the loss of one
or more key employees or our inability to attract and retain qualified personnel could harm our business.
Our
success is substantially dependent on our ability to attract, retain and motivate the members of our management team and other
key employees throughout our organization. Competition for highly skilled personnel is intense in Israel, Germany, Iceland, the
United Kingdom, Sunnyvale, Austin, and the Washington D.C. metro area, where we have offices and a need for highly skilled
personnel. We may not be successful in attracting qualified personnel to fulfill our current or future needs. Our competitors
may be successful in recruiting and hiring members of our management team or other key employees, and it may be difficult for
us to find suitable replacements on a timely basis, on competitive terms, or at all. Also, to the extent we hire employees from
mature public companies with significant financial resources, we may be subject to allegations that such employees have been improperly
solicited, that they have divulged proprietary or other confidential information or that their former employers own such employees’
inventions or other work product.
In
addition, we believe that it is important to establish and maintain a corporate culture that facilitates the maintenance and transfer
of institutional knowledge within our organization and also fosters innovation, teamwork, a passion for customers and a focus
on execution.
The
loss of our software developers or senior operations personnel may also adversely affect the continued development and support
of both our current messaging, antivirus and web security solutions and future solutions presently included in our roadmap for
development, thereby causing our operating results to suffer and the value of your investment to decline.
We
do not have employment agreements inclusive of set periods of employment with any of our key personnel. We cannot prevent them
from leaving at any time. We do not maintain key-person life insurance policies, listing us as a beneficiary, on any of our employees.
If one or more of our key employees resigns or otherwise ceases to provide us with their service, our business, financial condition
and/or results of operations could be harmed.
Our
business and operating results could suffer if we do not successfully address potential risks inherent in doing business overseas.
We
market and sell our products worldwide and have personnel in many parts of the world. In addition, we have sales offices and research
and development facilities outside the United States, and we conduct, and expect to continue to conduct, a significant amount
of our business with companies that are located outside the United States, particularly in Europe, Israel, and Asia. We also enter
into strategic distributor and reseller relationships with companies in certain international markets where we do not have a local
presence. If we are not able to maintain successful strategic distributor relationships internationally or recruit additional
companies to enter into strategic distributor relationships, our future success in these international markets could be limited.
Business practices and regulations in the international markets that we serve differ from those in the United States and Israel
and periodically require us to include terms other than our standard terms in customer contracts. To the extent that we enter
into customer contracts that include non-standard terms related to payment, warranties, or performance obligations, our operating
results may be adversely impacted.
Additionally,
our international sales and operations are subject to a number of risks, including the following:
|
●
|
greater
difficulty in enforcing contracts and accounts receivable collection and longer collection periods;
|
|
●
|
the
uncertainty of protection for intellectual property rights in some countries;
|
|
●
|
greater
risk of changes in regulatory practices, tariffs, and tax laws and treaties;
|
|
●
|
risks
associated with trade restrictions and foreign legal requirements, including the importation, certification, and localization
of our products required in foreign countries;
|
|
●
|
the
potential that our operations in Israel and the U.S. may limit the acceptability of our products to some foreign governments,
and vice versa;
|
|
●
|
greater
risk of a failure of foreign employees, partners, distributors, and resellers to comply with both U.S. and foreign laws, including
antitrust regulations, and any trade regulations ensuring fair trade practices;
|
|
●
|
heightened
risk of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that
may impact financial results and result in restatements of, or irregularities in, financial statements;
|
|
●
|
the
potential for acts of terrorism, hostilities, or war;
|
|
●
|
the
impact of COVID-19 on the economic conditions in these foreign markets and the travel restrictions in and between various
geographic regions;
|
|
●
|
increased
expenses incurred in establishing and maintaining office space and equipment for our multinational operations;
|
|
●
|
greater
difficulty in recruiting local experienced personnel, and the costs and expenses associated with such activities;
|
|
●
|
management
communication and integration problems resulting from cultural and geographic dispersion;
|
|
●
|
fluctuations
in exchange rates between the U.S. Dollar, Shekel, Euro, Pound, and other foreign currencies in markets where we do business;
and
|
|
●
|
general
economic and political conditions and uncertainties in these foreign markets.
|
These
factors and other factors could harm our ability to gain future international revenues and, consequently, materially impact our
business, operating results, and financial condition. The expansion of our existing international operations and entry into additional
international markets will require significant management attention and financial resources.
Changes
in the tax treatment of companies engaged in internet commerce may adversely affect the commercial use of our services and our
financial results.
Due
to the global nature of the internet and the global reach of our network, it is possible that various states or countries might
attempt to regulate our transmissions or levy sales, income, consumption, use or other taxes relating to our services or activities,
or impose obligations on us to collect such taxes. Tax authorities in many jurisdictions are currently reviewing the appropriate
treatment of companies engaged in internet commerce such as the provision of cloud computing services and other online services.
The imposition of new or revised tax laws or regulations may subject us to additional sales, income, consumption, use or other
taxes. We cannot predict the effect of current attempts to impose such taxes on commerce over the internet. New or revised taxes
and, in particular, sales, use or consumption taxes, the Value Added Tax and similar taxes would likely increase the cost of doing
business online. New taxes could also create significant increases in internal costs necessary to capture data, and collect and
remit taxes. Any of these events could have an adverse effect on our business and results of operations.
The
application of tax laws is subject to interpretation and if tax authorities challenge our methodologies or our analysis of our
tax rates it could result in an increase to our worldwide effective tax rate and cause us to change the way we operate our business.
The
application of the tax laws of various jurisdictions to our international business activities is subject to interpretation and
also depends on our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements.
The tax authorities of the jurisdictions in which we operate may challenge our methodologies for valuing developed technology
or intercompany arrangements, including our transfer pricing, or determine that the manner in which we operate our business does
not achieve the expected tax consequences, which could increase our worldwide effective tax rate and adversely affect our financial
position and results of operations.
A
certain degree of judgment is required in evaluating our tax positions and determining our provision for income taxes. In the
ordinary course of business, there are many transactions and calculations for which the ultimate tax determination is uncertain.
For example, our effective tax rates could be adversely affected by earnings being lower than anticipated in countries where we
have lower statutory rates and higher than anticipated in countries where we have higher statutory rates, by changes in foreign
currency exchange rates or by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations.
As we operate in numerous taxing jurisdictions, the application of tax laws can be subject to diverging and sometimes conflicting
interpretations by tax authorities of these jurisdictions. It is not uncommon for tax authorities in different countries to have
conflicting views, for instance, with respect to, among other things, the manner in which the arm’s length standard is applied
for transfer pricing purposes, or with respect to the valuation of intellectual property. In addition, tax laws are dynamic and
subject to change as new laws are passed and new regulations or interpretations of the law are issued or applied. For example,
the work being carried out by the OECD on base erosion and profit shifting as a response to increasing globalization of trade
could result in changes in tax treaties or the introduction of new legislation that could impose an additional tax on businesses.
As a result of changes to laws or interpretations, our tax positions could be challenged, and our income tax expenses could increase
in the future.
For
instance, if tax authorities in any of the countries in which we operate were to successfully challenge our transfer prices, they
could require us to reallocate our income (or part of our income) to reflect transfer pricing adjustments, which could result
in an increased tax liability to us. In addition, if the country from which the income was reallocated did not agree with the
reallocation asserted by the first country, we could become subject to tax on the same income in both countries, resulting in
double taxation. If tax authorities were to allocate income to a higher tax jurisdiction, subject our income to double taxation
or assess interest and penalties, it could increase our tax liability, which could adversely affect our financial position and
results of operations.
We
are subject to privacy and data protection laws and regulations in various jurisdictions, including the EU General Data Protection
Regulation, as well as contractual privacy and data protection obligations, which may limit the use and adoption of, or require
modification of, our products and services and could affect our marketing activities. Our failure to comply with such laws,
regulations or obligations could subject us to liability and could harm our reputation and business. In addition, the invalidation
of the EU-US Privacy Shield by the European Court of Justice (“CJEU”), which we had previously relied on in part as
a mechanisms to transfer personal data from the EU to the U.S and the uncertainty regarding reliance on the EU Standard Contractual
Clauses (“SCCs”) may have an adverse effect on the manner in which we provide our services which could harm our financial
results.
Many
federal, state, and foreign government bodies and agencies have adopted, or are adopting, laws and regulations regarding the collection,
use, and disclosure of personal information. Some of our solutions process customer data which may contain the personal information
of end users, and any failure to adequately address privacy concerns, or to otherwise comply with applicable privacy laws and
regulations could result in liability, damage to our reputation, loss of sales, or further harm our business. Privacy concerns,
whether or not valid, may inhibit market adoption of our solutions. The costs of compliance with such laws and regulations that
apply to our customers’ business may in turn limit their use and adoption of our products and services and therefore reduce
overall demand for them.
We
are subject to the privacy and data protection laws and regulations adopted by Israel, Europe and the United States and potentially
other jurisdictions. Where the local data protection and privacy laws of a jurisdiction apply, we may be required to register
our operations in that jurisdiction or make changes to our business so that registered users’ data is only collected and
processed in accordance with applicable local law. The proliferation of such laws within the jurisdictions in which we operate
may result in conflicting and contradictory requirements, particularly in relation to evolving technologies such as cloud computing.
Any failure to successfully navigate the changing regulatory landscape could result in legal liability or impairment to our reputation
in the marketplace, which could have a material adverse effect on our business, results of operations and financial condition.
In
particular, the European Union has imposed greater obligations under their privacy and data protection laws. For example,
the European Union adopted the General Data Protection Regulation (GDPR) which took effect on May 25, 2018 and is wide ranging
in scope. GDPR replaced, to a large extent, the data protection laws of each European Union member state and imposed stringent
requirements for data processors and controllers. Such requirements include more fulsome disclosures about the processing
of personal information, data retention limits and deletion requirements, mandatory notification in the case of a data breach
and heightened standards regarding valid consent in some specific cases of data processing. The GDPR also includes substantially
higher penalties for failure to comply (a fine up to 20 million Euro or up to 4% of the annual worldwide turnover, whichever
is greater, can be imposed). Given the breadth of the GDPR, compliance with its requirements is likely to continue to require
significant expenditure of resources on an ongoing basis, and there can be no assurance that the measures we have taken for the
purposes of compliance will be successful in preventing a violation of the GDPR. Given the potential fines, liabilities, and damage
to our reputation in the event of an actual or perceived violation of the GDPR, such a violation may have an adverse effect on
our business and operations.
Similarly,
California recently enacted the California Consumer Privacy Act (“CCPA”), which, among other things, requires covered
companies to provide new disclosures to California consumers and afford such consumers new rights to opt-out of the sale of their
personal information. In addition, other states (e.g., Virginia) have enacted or proposed legislation that regulates the collection,
use, and sale of personal information, and such regimes might not be compatible with either the GDPR or the CCPA or may require
us to undertake additional practices. We cannot yet predict the impact of the CCPA or impending legislation on our business or
operations, but it may require us to further modify our data processing practices and policies and incur substantial costs and
expenses in an effort to comply; non-compliance could potentially subject us to regulatory fines and/or civil lawsuits.
Further,
“Brexit” (described below) could lead to further legislative and regulatory changes. The United Kingdom Data Protection
Act that substantially implements the GDPR became law in May 2018 and was subject to statutory amendments in 2019 that further
align it with the GDPR. Post-Brexit, the United Kingdom has enacted its own version of the GDPR. On December 24, 2020, the European
Commission announced a bridge period permitting data transfers from the EEA to the United Kingdom while the European Commission
determines whether it will recognize the United Kingdom as an adequate country for the purposes of permitting international data
transfers of EU personal data. The development of United Kingdom data protection laws or regulations and regulation of data transfers
to and from the United Kingdom in the medium to longer term, however, remains unclear.
Even
the perception of privacy, data protection or information security concerns, whether or not valid, may harm our reputation, inhibit
adoption of our products by current and future customers, or adversely impact our ability to hire and retain workforce talent.
If our security measures are or are believed to be inadequate or breached as a result of third-party action, employee negligence,
error or malfeasance, product defects, social engineering techniques or otherwise, and this results in, or is believed to result
in, the disruption of the confidentiality, integrity or availability of our systems or networks or any data we process or maintain,
or the loss, destruction or corruption of such data, or our privacy practices are or are perceived to be inadequate, we could
incur significant liability, we could face a loss of revenues, and our business may suffer and our reputation and competitive
position may be damaged.
If
any of our customers or prospective customers decide not to purchase our products or services because of regulatory uncertainty,
our revenues could decline and our business could suffer. Any inability by us, or a third-party contractor, to adequately address
privacy concerns, whether valid or not, or to comply with applicable privacy or data protection laws, regulations and privacy
standards, could result in additional cost and liability to us, damage our reputation, inhibit sales of our solutions and harm
our business.
Uncertainty
regarding the effects of Brexit could adversely affect our future results.
The
United Kingdom (“UK”) left the European Union (“EU”) on January 31, 2020 (“Brexit”). There
was a transitional period, during which EU laws, including pharmaceutical laws, continued to apply in the UK, however this ended
on December 31, 2020. The UK and EU have signed an EU-UK Trade and Cooperation Agreement, which became provisionally applicable
on January 1, 2021 and will become formally applicable once ratified by both the UK and the EU. This agreement provides details
on how some aspects of the UK and EU’s relationship will operate, however there are still many uncertainties. The unavoidable
uncertainties related to Brexit and the new relationship between the UK and EU, which continues to be defined, could cause volatility
in currency exchange rates, in interest rates, and in EU, UK or worldwide political, regulatory, economic or market conditions;
and could contribute to instability in political institutions, regulatory agencies, and financial markets. Any of these effects
of Brexit, and others that cannot be anticipated, could adversely affect our future results.
Technology
Risks
We
may not have the resources or skills required to adapt to the changing technological requirements and shifting preferences of
our customers and their users.
The
email, antimalware and web security industries are characterized by difficult technological challenges, sophisticated distributors
of internet security threats, multiple-variant viruses, advanced persistent threats, unique phishing scams and constantly evolving
malevolent software distribution practices and targets that could render our solutions and proprietary technology ineffective.
Our success depends, in part, on our ability to continually enhance our existing messaging, antimalware and web security solutions
and to develop new solutions, functions and technology that address the potential needs of prospective and current customers and
their users.
Many
of our end users operate in markets characterized by rapidly changing technologies and business plans, which require them to adapt
to increasingly complex IT networks, incorporating a variety of hardware, software applications, operating systems, and networking
protocols. As their technologies and business plans grow more complex, we expect these customers to face new and increasingly
sophisticated methods of attack. We face significant challenges in ensuring that our solutions effectively identify and respond
to these advanced and evolving attacks without disrupting our customers’ network performance. As a result of the continued
rapid innovations in the technology industry, including the rapid growth of smart phones, tablets and other devices and the trend
of “bring your own device” in enterprises, we expect the networks of our end users to continue to change rapidly and
become more complex.
We
have identified and implemented a number of new products and enhancements to our platform that we believe are important to our
continued success in the IT security market. Going forward, we may not be successful in developing and marketing, on a timely
basis, such new products or enhancements or our new products or enhancements may not adequately address the changing needs of
the marketplace. In addition, some of our new products and enhancements may require us to develop new architectures that involve
complex, expensive, and time-consuming research and development processes. Although the market expects rapid introduction of new
products and enhancements to respond to new threats, the development of these products and enhancements is difficult and the timetable
for commercial release and availability is uncertain, as there can be significant time lags between initial beta releases and
the commercial availability of new products and enhancements. We may experience unanticipated delays in the availability of new
products and enhancements to our platform and fail to meet customer expectations with respect to the timing of such availability.
If we do not quickly respond to the rapidly changing and rigorous needs of our customers by developing, releasing and making available
on a timely basis new products and enhancements to our services and products that can adequately respond to advanced threats and
our customers’ needs, our competitive position and business prospects will be harmed. Furthermore, from time to time, we,
or our competitors, may announce new products with capabilities or technologies that could have the potential to replace or shorten
the life cycles of our existing services products. Announcements of new products could cause customers to defer purchasing our
existing services or products.
Additionally,
the process of developing new technology is expensive, complex, and uncertain. The success of new products and enhancements depends
on several factors, including appropriate component costs, timely completion and introduction, differentiation of new products
and services from those of our competitors, and market acceptance. To maintain our competitive position, we must continue to commit
significant resources to developing new products or services before knowing whether these investments will be cost-effective or
achieve the intended results. We may not be able to successfully identify new product opportunities, develop and bring new products
or services to market in a timely manner, or achieve market acceptance of our platform. Products and technologies developed by
others may render our offerings obsolete or noncompetitive. If we expend significant resources on researching and developing products
or services and such products and services are not successful, our business, financial position and results of operations may
be adversely affected. We may not be able to use new technologies effectively or adapt to OEM, service provider, customer or end
user requirements or emerging industry standards.
Our
solutions may be adversely affected by defects or denial of service attacks, which could cause our OEM and service provider partners,
customers, or end users to stop using our solutions.
Our
email, antimalware and web security products are based in part upon new and complex software and highly advanced computer systems.
Complex software and computer systems can contain defects, particularly when first introduced or when new versions are released,
and are possible targets for denial of service attacks instigated by “hackers”. Although we conduct extensive testing
and implement internet security processes, we may not discover defects or vulnerabilities in our software or systems that affect
our new or current solutions or enhancements until after they are delivered. Although we have not experienced any material defects
or vulnerabilities to date in our messaging, antimalware, and web security offerings, it is possible that, despite testing by
us, defects or vulnerabilities may exist in the solutions we provide. These defects or vulnerabilities could cause or lead to
interruptions for customers of our solutions, resulting in damage to our reputation, legal risks, loss of revenue, delays in market
acceptance and diversion of our development resources, any of which could cause our business, financial condition and/or results
of operations to suffer.
Real
or perceived defects, errors or vulnerabilities in our services or the failure of our services to block malware or prevent a cyber-attack
or security breach could harm our reputation and adversely impact our business, financial condition, and results of operations.
Because
our products and services are complex, they have contained and may contain design or manufacturing defects or errors that are
not detected until after their commercial release and deployment by our end users. For example, from time to time, certain of
our end users have reported defects in our products related to performance, scalability and compatibility that were not detected
before offering the service. Additionally, defects may cause our products or services to be vulnerable to security attacks, cause
them to fail to help secure networks or temporarily interrupt end users’ networking traffic. Because the techniques used
by computer hackers to access or sabotage networks change frequently and may not be recognized until launched against a target,
we may be unable to anticipate these techniques and provide a solution in time to protect our end users’ networks.
Furthermore,
as a well-known provider of internet security solutions, our networks, products, and services could be targeted by attacks specifically
designed to disrupt our business and harm our reputation. In addition, our data centers, which are located in various locations
worldwide, and networks may experience technical failures and downtime, may fail to distribute appropriate updates, or may fail
to meet the increased requirements of a growing end user base, any of which could temporarily or permanently expose our end users’
networks, leaving their networks unprotected against the latest security threats.
Any
real or perceived defects, errors or vulnerabilities in our services, or any other failure of our services to detect an advanced
threat, could result in certain events, including:
|
●
|
a
loss of existing or potential customers or channel partners;
|
|
●
|
delayed
or lost revenue;
|
|
●
|
a
delay in attaining, or the failure to attain, market acceptance;
|
|
●
|
the
expenditure of significant financial and product development resources in efforts to analyze, correct, eliminate, or work
around errors or defects, to address and eliminate vulnerabilities, or to identify and ramp up production with alternative
third-party manufacturers;
|
|
●
|
an
increase in service level availability or warranty claims, or an increase in the cost of servicing such claims, either of
which would adversely affect our revenue and gross margins;
|
|
●
|
negative
publicity, which could harm to our reputation or brand;
|
|
●
|
lost
market share;
|
|
|
|
|
●
|
loss
of our proprietary technology;
|
|
|
|
|
●
|
our
solutions being susceptible to hacking or electronic break-ins or otherwise failing to secure data;
|
|
●
|
loss
or disclosure of our customers’ confidential information, or the inability to access such information; and
|
|
●
|
litigation,
regulatory inquiries, or investigations that may be costly to address and further harm our reputation.
|
Data
thieves are sophisticated, often affiliated with organized crime and operate large scale and complex automated attacks. In addition,
their techniques change frequently and generally are not recognized until launched against a target. If we fail to identify and
respond to new and complex methods of attack and to update our services to detect or prevent such threats in time to protect our
end users’ systems, our business and reputation will suffer.
An
actual or perceived security breach or theft of the sensitive data of one of our end users, regardless of whether the breach is
attributable to the failure of our products or services, could adversely affect the market’s perception of our security
offerings. Despite our best efforts, there is no guarantee that our products and services will be free of flaws or vulnerabilities,
and even if we discover these weaknesses, we may not be able to correct them promptly, if at all. A breach of our systems could
also result in the disclosure of sensitive and confidential information as well as information regarding our customers, end users
and partners. Our end user customers may also misuse our products and services, which could result in a breach or theft of business
data.
If
the delivery of our services to our customers is interrupted or delayed for any reason, our business could suffer.
Any
interruption or delay in the delivery of our services will negatively impact our customers. Our solutions are deployed via the
internet, and our customers’ internet traffic is routed through our cloud platform. Our customers depend on the continuous
availability of our services, and our services are designed to operate in accordance with applicable service level commitments.
The adverse effects of any service interruptions on our reputation and financial condition may be disproportionately heightened
due to the nature of our business and the fact that our customers expect continuous and uninterrupted service and have a low tolerance
for interruptions of any duration.
The
following factors, many of which are beyond our control, can affect the delivery and availability of our services and the performance
of our cloud:
|
●
|
the
development and maintenance of the infrastructure of the internet;
|
|
●
|
the
performance and availability of third-party telecommunications services with the necessary speed, data capacity and security
for providing reliable internet access and services;
|
|
●
|
decisions
by the owners and operators of the data centers where our cloud infrastructure is deployed or by global telecommunications
service provider partners who provide us with network bandwidth to terminate our contracts, discontinue services to us, shut
down operations or facilities, increase prices, change service levels, limit bandwidth, declare bankruptcy or prioritize the
traffic of other parties;
|
|
●
|
the
occurrence of earthquakes, floods, fires, power loss, system failures, physical or electronic break-ins, acts of war or terrorism,
human error, or interference (including by disgruntled employees, former employees, or contractors) and other catastrophic
events;
|
|
●
|
failure
by us to maintain and update our cloud infrastructure to meet our traffic capacity requirements;
|
|
●
|
errors,
defects, or performance problems in our software, including third-party software incorporated in our software;
|
|
●
|
improper
deployment or configuration of our services; and
|
|
●
|
the
failure of our redundancy systems, in the event of a service disruption at one of our data centers, to provide failover to
other data centers in our data center network.
|
The
occurrence of any of these factors, or if we are unable to efficiently and cost-effectively fix such errors or other problems
that may be identified, could damage our reputation, negatively impact our relationship with our customers or otherwise materially
harm our business, results of operations and financial condition.
Our
email, antimalware and web security products may be adversely affected if we are not able to receive a sufficient sampling of
internet traffic or our data centers were to become unavailable.
Our
messaging, antimalware and web security solutions are dependent, in part, on the ability of our data centers to analyze, in an
automated fashion, live feeds of internet and web related traffic received through our services to customers and other contractual
arrangements. If we were to suffer an unanticipated, substantial decrease in such traffic or our multiple data centers become
unavailable for any significant period, the effectiveness of our technologies would drop, our product offerings would become less
attractive to customers/potential customers and revenues could decline.
False
detection of applications, viruses, malware, spyware, vulnerability exploits, data patterns or URL categories could adversely
affect our business.
Our
classifications of application type, virus, malware, spyware, vulnerability exploits, data, or URL categories may falsely detect
applications, content or threats that do not actually exist. This risk is heightened by the inclusion of a “heuristics”
feature in our products, which attempts to identify applications and other threats not based on any known signatures but based
on characteristics or anomalies which indicate that a particular item may be a threat. These “false positives”, while
typical in our industry, may impair the perceived reliability of our products and may therefore adversely impact market acceptance
of our services and products. If our services and products restrict important files or applications based on falsely identifying
them as malware or some other item that should be restricted, this could adversely affect end users’ systems and cause material
system failures. Any such false identification of important files or applications could result in damage to our reputation, negative
publicity, loss of end users and sales, increased costs to remedy any problem, and costly litigation.
Our
cloud-based enterprise SaaS security offerings include newer service offerings, so we may not see the customer traction in these
offerings that we anticipate.
During 2019, Cyren revised
its enterprise product strategy to focus primarily on email security and began to de-emphasize legacy solutions due to lack of significant
customer traction. We made Cyren Inbox Security generally available for purchase in the second quarter of 2020. The solutions we are promoting
and will promote to this market enable us to offer internet security solutions directly to our Enterprise customers or through our channel
partners. If we fall short of our expectations, and especially given the significant resources invested by us in bringing new offerings
to market, our financial results will suffer and the value of shareholder investments will decline.
If
we fail to promote, develop, or protect our Cyren brand name, our business may be harmed.
Developing
and maintaining awareness and integrity of our company and our new brand are important to achieving widespread acceptance of our
existing and future offerings and are important elements in attracting new customers. The importance of brand recognition will
increase as competition in our market further intensifies. Successful promotion of our brand will depend on the effectiveness
of our marketing efforts and on our ability to provide reliable and useful solutions at competitive prices. We plan to continue
investing substantial resources to promote our brand, both domestically and internationally, but there is no guarantee that our
brand development strategies will enhance the recognition of our brand. Some of our existing and potential competitors have well-established
brands with greater recognition than we have. If our efforts to promote and maintain our brand are not successful, our operating
results and our ability to attract and retain customers may be adversely affected. In addition, even if our brand recognition
and loyalty increases, this may not result in increased use of our solutions or higher revenue.
Our
use of open source technology could impose limitations on our ability to commercialize our solutions.
We
use open source software in certain of our solutions, and although we monitor our use of open source software to avoid subjecting
our solutions to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. or foreign
courts. As a result, there is a risk that these licenses could be construed in a way that could impose unanticipated conditions
or restrictions on our ability to commercialize our solutions. From time to time, we may face claims from third parties claiming
ownership of, or demanding release of, the open source software or derivative works that we have developed using such software
or otherwise seeking to enforce the terms of the applicable open source license. In such an event, we could be required to seek
licenses from third parties to continue offering our solutions, to make our proprietary code generally available in source code
form, to re-engineer our solutions or to discontinue the sale of our solutions if re-engineering could not be accomplished on
a timely basis, any of which could adversely affect our business, operating results and financial condition.
Risks
Related to our Ordinary Shares
We
may not be able to comply with all applicable listing requirements or standards of the Nasdaq Capital Market and Nasdaq could delist our
ordinary shares.
Our
ordinary shares are currently listed on the Nasdaq Capital Market. To maintain that listing, we must satisfy minimum financial
and other continued listing requirements and standards. One such requirement is that we maintain a minimum bid price of at least
$1.00 per ordinary share. On April 24, 2020, we received written notice from the Listing Qualifications Department of the Nasdaq
Stock Market informing us that because the closing bid price for our ordinary shares listed on the Nasdaq Capital Market was below
$1.00 per share for 30 consecutive business days prior to the date of the Notice, we did not meet the minimum closing bid requirement
for continued listing on the Nasdaq Capital Market set forth in Rule 5550(a)(2) of the Nasdaq Listing Rules.
Although we regained compliance
with the Nasdaq Listing Rules in 2020, our ordinary share price is currently below $1.00 and has been below $1.00 for 22 consecutive business
days. There can be no assurance that we will regain compliance with the $1.00 minimum bid price requirement or comply with Nasdaq’s
other continued listing standards in the future. In the event that our ordinary shares are not eligible for continued listing on Nasdaq
or another national securities exchange, trading of our ordinary shares could be conducted in the over-the-counter market or on an electronic
bulletin board established for unlisted securities such as the Pink Sheets or the OTC Bulletin Board. In such event, it could become more
difficult to dispose of, or obtain accurate price quotations for, our ordinary shares, and there would likely also be a reduction in our
coverage by security analysts and the news media, which could cause the price of our ordinary shares to decline further. Also, it may
be difficult for us to raise additional capital if we are not listed on a major exchange.
The
issuance of additional shares in connection with financings, acquisitions, investments, our equity incentive plans, conversion
of our convertible notes and debentures or otherwise will dilute other shareholders. In addition, our failure in the future to
raise additional capital or generate the significant capital necessary to expand our operations and invest in new services and
products could reduce our ability to compete and could harm our business. The ability to increase the authorized share count could
limit our options for continuing to support the business.
We
have made, and intend to continue to make, investments to support our business growth and may require additional funds to respond
to business challenges, including the need to develop new features to enhance our services and products, improve our operating
infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financings
to secure additional funds. For example, in December 2018, we issued $10 million aggregate principal amount of Convertible Notes
to an existing minority investor in a private placement which have a maturity of December 2021. In November 2019, we closed our
rights offering, pursuant to which we issued 4,635,584 ordinary shares at $1.73 per share, including 4,624,277 shares issued to
Warburg Pincus. In addition, in March 2020, we issued $10.25 million aggregate principal amount of our Convertible Debentures
to accredited investors in a private placement and in February 2021, we issued 12 million shares at a price of $1.15 per share
in a registered direct offering and warrants to purchase 720,000 shares.
Our shareholders have experienced
dilution of their equity interests as a result of these issuances and prior issuances. Furthermore, we do not anticipate that we will
have sufficient funds to pay the principal of the Convertible Notes when they mature in December 2021 and as a result, we will seek to
refinance or restructure the Convertible Notes, including by issuing additional shares. We may also elect to satisfy interest payments
on the Convertible Notes and Convertible Debentures by the issuance of ordinary shares based on the market price at the time of the interest
payment.
We
evaluate financing opportunities from time to time, and our ability to obtain financing will depend, among other things, on our
development efforts, business plans and operating performance and the condition of the capital markets, and available authorized
shares at the time we seek financing. If we raise additional equity or convertible debt financing, our shareholders may experience
further significant dilution of their ownership interests and the per share value of our ordinary shares could decline. Furthermore,
if we engage in debt financing, the holders of debt would have priority over the holders of our ordinary shares, and we may be
required to accept terms that restrict our ability to incur additional indebtedness or that otherwise restrict our ability to
operate our business. We may also be required to take other actions that would otherwise be in the interests of the debt holders
and force us to maintain specified liquidity or other ratios, any of which could harm our business, operating results, and financial
condition. We may not be able to obtain additional financing on terms favorable to us, if at all. If we are unable to obtain adequate
financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business growth
and to respond to business challenges could be significantly impaired, and our business may be adversely affected.
Warburg Pincus holds 43% of our
outstanding shares and is able to exercise significant influence over many matters requiring the approval of our Board and/or
shareholders; Warburg Pincus’ interest in our business may be different from yours.
Warburg Pincus holds
approximately 43% of our outstanding ordinary shares as of February 28, 2021, and has the right to nominate the number of directors
proportional to its holdings of our outstanding shares. Currently, four directors nominated by Warburg Pincus serve on our Board.
Warburg Pincus is able to exercise significant influence over many matters requiring the approval of our Board and/or shareholders,
including the election of directors and approval of significant corporate transactions. In addition, our other directors and our
executive officers that are not related to Warburg Pincus (together known as “affiliated entities”), beneficially
own, in the aggregate, approximately 5% of our outstanding ordinary shares as of February 28, 2021. If they vote together (especially
if they were to exercise all vested options into shares entitled to voting rights in the Company), these shareholders will be
able to exercise influence over matters requiring a special majority vote of our shareholders, including the compensation of directors
and approval of certain significant corporate transactions. In this regard, we know of no shareholders or voting agreement between
major shareholders or between such shareholders and directors or officers.
In
addition, conflicts of interest may arise as a consequence of the control by Warburg Pincus, including:
|
●
|
conflicts
between Warburg Pincus and our other shareholders whose interests may differ with respect to, among other things, our strategic
direction, or significant corporate transactions;
|
|
●
|
conflicts
related to corporate opportunities that could be pursued by us, on the one hand, or by Warburg Pincus, on the other hand;
or
|
|
●
|
conflicts
related to existing or new contractual relationships between us, on the one hand, and Warburg Pincus, on the other hand.
|
U.S.
holders of our shares could be subject to material adverse tax consequences if we are considered a “passive foreign investment
company” for U.S. federal income tax purposes.
We
do not believe that we are a passive foreign investment company, and we do not expect to become a passive foreign investment company.
However, our status in any taxable year will depend on our assets, income and activities in each year, and because this is a factual
determination made annually after the end of each taxable year, there can be no assurance that we will not be considered a passive
foreign investment company for the current taxable year or any future taxable years. If we were a passive foreign investment company
for any taxable year while a taxable U.S. holder held our shares, such U.S. holder could face adverse U.S. federal income tax
consequences, including having gains realized on the sale of our ordinary shares classified as ordinary income, rather than as
capital gain, the loss of the preferential rate applicable to dividends received on our ordinary shares by individuals who are
U.S. holders, and having interest charges apply to distributions by us and the proceeds of share sales.
U.S.
holders that own 10% or more of the vote or value of our ordinary shares may suffer adverse tax consequences because we and/or
any of our non-U.S. subsidiaries are expected to be characterized as a “controlled foreign corporation,” or a CFC,
under Section 957(a) of the U.S. Internal Revenue Code of 1986, as amended, or the Code.
A
non-U.S. corporation is considered a CFC if more than 50% of (1) the total combined voting power of all classes of stock of such
corporation entitled to vote, or (2) the total value of the stock of such corporation, is owned, or is considered as owned by
applying certain constructive ownership rules, by United States shareholders (U.S. persons who own stock representing 10% or more
of the vote or 10% or more of the value) on any day during the taxable year of such non-U.S. corporation. Certain United States
shareholders of a CFC generally are required to include currently in gross income such shareholders’ share of the CFC’s
“Subpart F income,” a portion of the CFC’s earnings to the extent the CFC holds certain U.S. property, and a
portion of the CFC’s “global intangible low-taxed income” (as defined under Section 951A of the Code). Such
United States shareholders are subject to current U.S. federal income tax with respect to such items, even if the CFC has not
made an actual distribution to such shareholders. “Subpart F income” includes, among other things, certain passive
income (such as income from dividends, interests, royalties, rents and annuities or gain from the sale of property that produces
such types of income) and certain sales and services income arising in connection with transactions between the CFC and a person
related to the CFC. “Global intangible low-taxed income” may include most of the remainder of a CFC’s income
over a deemed return on its tangible assets.
As
a result of certain changes in the U.S. tax law introduced by the Tax Cuts and Jobs Act, we believe that we and our non-U.S. subsidiaries
would be classified as CFCs in the current taxable year. For U.S. holders who hold 10% or more of the vote or value of our ordinary
shares, this may result in adverse U.S. federal income tax consequences, such as current U.S. taxation of Subpart F income and
of any such shareholder’s share of our accumulated non-U.S. earnings and profits (regardless of whether we make any distributions),
taxation of amounts treated as global intangible low-taxed income under Section 951A of the Code with respect to such shareholder,
and being subject to certain reporting requirements with the U.S. Internal Revenue Service, or the IRS. Any such U.S. holder who
is an individual generally would not be allowed certain tax deductions or foreign tax credits that would be allowed to a U.S.
corporation. If you are a U.S. holder who holds 10% or more of the vote or value of our ordinary shares, you should consult your
own tax advisors regarding the U.S. tax consequences of acquiring, owning, or disposing our ordinary shares and the impact of
the Tax Cuts and Jobs Act, especially the changes to the rules relating to CFCs.
We
do not intend to pay dividends for the foreseeable future.
We
have never declared or paid any dividends on our ordinary shares. We intend to retain any earnings to finance the operation and
expansion of our business, and we do not anticipate paying any cash dividends in the future. As a result, you may only receive
a return on your investment in our ordinary shares if the market price of our ordinary shares increases.
Intellectual
Property Risks
If
we fail to adequately protect our intellectual property rights or face a claim of intellectual property infringement by a third
party, we could lose our intellectual property rights or be liable for significant damages.
We
regard our patented and patent pending technology, copyrights, service marks, trademarks, trade secrets and similar intellectual
property as critical to our success, and rely on patent, trademark and copyright law, trade secret protection and confidentiality
or license agreements with our employees and customers to protect our proprietary rights. See Item 1. Business, Intellectual
Property for information pertaining to our patent activities. We may seek to patent certain additional software or other technology
in the future. Any such patent applications might not result in patents issued within the scope of the claims we seek, or at all.
Despite
our precautions, unauthorized third parties may copy certain portions of our technology, reverse engineer or obtain and use information
that we regard as proprietary or otherwise infringe or misappropriate our patent or our patent pending technology, trade secrets,
copyrights, trademarks, and similar proprietary rights. In addition, the laws of some foreign countries do not protect proprietary
rights to the same extent as do the laws of the United States. Thus, our means of protecting our proprietary rights in the United
States or abroad, as well as our financial resources, may not be adequate, and competitors may independently develop similar technology.
Given the cost, effort, risks, and downside of obtaining patent protection, including the requirement to ultimately disclose the
invention to the public, we may not choose to seek patent protection for certain innovations. However, such patent protection
could later prove to be important to our business. Even if issued, there can be no assurance that any patents will have the coverage
originally sought or adequately protect our intellectual property, as the legal standards relating to the validity, enforceability,
and scope of protection of patent and other intellectual property rights are uncertain. Any patents that are issued may be invalidated
or otherwise limited, or may lapse or may be abandoned, enabling other companies to better develop products that compete with
our solutions, which could adversely affect our competitive business position, business prospects and financial condition.
We
cannot be certain that our security solutions do not infringe issued patents in certain parts of the world. Therefore, other parties,
whether in the United States or elsewhere, may assert infringement claims against us. We may also be subject to legal proceedings
and claims from time to time in the ordinary course of our business, including claims of alleged infringement of copyrights, trademarks,
and other intellectual property rights of third parties by ourselves and our customers. Our customer agreements typically include
indemnity provisions, so we may be obligated to defend against third party intellectual property rights infringement claims on
behalf of our customers. Such claims, even if not meritorious, could result in the expenditure of significant financial and managerial
resources. We may not have the proper resources in order to adequately defend against such claims.
Risks
Relating to Operations in Israel
Conditions
in Israel may limit our ability to develop and sell our products, resulting in a decline in revenues.
We
are incorporated under the laws of the State of Israel. Our principal research and development facilities are located in Israel.
Since the establishment of the State of Israel in 1948, a number of armed conflicts have taken place between Israel and its neighboring
countries, as well as incidents of civil unrest, and a number of state and non-state actors have publicly committed to its destruction.
Political, economic, and military conditions in Israel could directly affect our operations. We could be adversely affected by
any major hostilities involving Israel, including acts of terrorism or any other hostilities involving or threatening Israel,
the interruption or curtailment of trade between Israel and its trading partners, a significant increase in inflation or a significant
downturn in the economic or financial condition of Israel. Any on-going or future violence between Israel and the Palestinians,
armed conflicts, terrorist activities, tension along the Israeli borders or with other countries in the region, including Iran,
or political instability in the region could disrupt international trading activities in Israel and may materially and negatively
affect our business and could harm our results of operations.
Certain
countries, as well as certain companies and organizations, continue to participate in a boycott of Israeli firms, firms with large
Israeli operations and others doing business with Israel and Israeli companies. In addition, such boycott, restrictive laws, policies,
or practices may change over time in unpredictable ways, and could, individually or in the aggregate, have a material adverse
effect on our business in the future. Should the BDS Movement, the movement for boycotting, divesting and sanctioning Israel and
Israeli institutions (including universities) and products become increasingly influential in the United States, Europe and around
the world, this may also adversely affect our business and financial condition.
Some
of our employees in Israel, including some of our executive officers, are obligated to perform annual military reserve duty in
the Israel Defense Forces, depending on their age and position in the armed forces. Furthermore, they may be called to active
reserve duty at any time under emergency circumstances for extended periods of time. Our operations could be disrupted by the
absence, for a significant period, of one or more of our executive officers or key employees due to military service, and any
significant disruption in our operations could harm our business.
Because
a substantial portion of our revenues historically have been generated in U.S. dollars (USD) and the Euro (EUR), and a significant
portion of our expenses have been incurred in Israeli Shekel (ILS), British Pound (GBP) and Icelandic Krona (ISK), our results
of operations may be adversely affected by currency fluctuations.
We
have generated a substantial portion of our revenues in USD and EUR, and incurred a substantial portion of our expenses, principally
salaries and related personnel expenses, office rent and other outside services, in currencies other than USD. Those expenses
incurred in Israel are denominated in Shekels, those incurred in the United Kingdom are denominated in GBP and those incurred
in Iceland are denominated in ISK. We anticipate that a significant portion of our expenses will continue to be denominated in
these currencies. As a result, we are exposed to risk to the extent that the value of the USD depreciates against the ILS, GBP,
and ISK or to the extent that the value of the USD appreciates against the EUR. In those events, the USD cost of Cyren’s
operations will increase and the USD value of Cyren’s revenues will decrease, respectively, and the Company’s USD
measured results of operations will be adversely affected. During 2020, the USD value of operating costs denominated in ILS and
GBP increased due to the depreciation of the USD vs. all such currencies, while the USD value of operating costs denominated in
ISK decreased due to the appreciation of the USD, and the USD value of revenues denominated in EUR increased due to the depreciation
of the USD vs the EUR. During 2019, the USD value of operating costs denominated in ILS and GBP increased due to the depreciation
of the USD vs. all such currencies, while the USD value of operating costs denominated in ISK decreased due to the appreciation
of the USD, and the USD value of revenues denominated in EUR decreased due to the appreciation of the USD vs the EUR.
We
cannot predict the trend for future years. Our operations also could be adversely affected if we are unable to guard against currency
fluctuations in the future. To date, we have not engaged in any significant hedging transactions. In the future, we may enter
into currency hedging transactions to decrease the risk of financial exposure from fluctuations in the exchange rate of the dollar
against the ILS. Foreign currency fluctuations, and our attempts to mitigate the risks caused by such fluctuations, could have
a material and adverse effect on our results of operations and financial condition.
The
government programs and benefits which we previously received require us to meet several conditions and may be terminated or reduced
in the future.
We
received grants from the Government of Israel through a program with the Israel Innovation Authority, or the IIA (formerly known
as the Office of the Chief Scientist of the Israeli Ministry of Economy and Industry), pursuant to the Israeli Law for the Encouragement
of Industrial Research Development and Technological Innovation, 1984, and related regulations (the “R&D Law”),
to finance a significant portion of our research and development expenditures in Israel.
In
order to meet specified conditions in connection with grants and programs of the IIA, we have made representations to the Israel
government about our Israeli operations. One of the grants requires a minimum commitment of three years and we are required to
share information with other companies and academics. From time to time, the conduct of our Israeli operations has deviated from
our forecasts. If we fail to meet the conditions of the grants, including the maintenance of a material presence in Israel, or
if there is any material deviation from the representations made by us to the Israeli government, we could be required to refund
the grants previously received (together with an adjustment based on the Israeli consumer price index and an interest factor)
and would likely be ineligible to receive IIA grants in the future.
In
addition, the terms of our IIA grants and programs prohibit the manufacture outside of Israel of the product developed in accordance
with the program without the prior consent of the Research Committee. Such approval is generally subject to an increase in the
total amount to be repaid to the IIA to between 120% and 300% of the amount granted, depending on the extent of the manufacturing
that is conducted outside of Israel. In addition, the R&D Law provides that know-how from the research and development and
any derivatives thereof, cannot be transferred or licensed to Israeli third parties without the approval of the Research Committee.
The R&D Law stresses that it is not just transfer of know-how that is prohibited, but also transfer of any rights in such
know-how. Approval of the transfer and/or license may be granted only if the Israeli transferee undertakes to abide by all of
the provisions of the R&D Law and regulations promulgated thereunder, including the restrictions on the transfer of know-how
and the obligation to pay royalties, if applicable.
The
know-how from the research and development and any derivatives thereof, cannot be transferred or licensed to non-Israeli third
parties without the approval of the Research Committee, which approval is generally contingent on payment of a significant penalty
of up to six times the grant amount plus LIBOR and minus any royalties paid.
You
may have difficulties enforcing a U.S. judgment against us and our executive officers and directors or asserting U.S. securities
laws claims in Israel.
Cyren
Ltd. is organized under the laws of Israel, and we maintain significant operations in Israel. In addition, a significant portion
of our assets are located outside the United States. Service of process upon our non-U.S. resident directors and enforcement of
judgments obtained in the United States against them and Cyren Ltd. may be difficult to obtain within the United States. It may
be difficult to enforce civil causes of actions under U.S. securities law in original actions instituted in Israel. Israeli courts
may refuse to hear a claim based on a violation of U.S. securities laws because Israel is not the most appropriate forum in which
to bring such a claim. In addition, even if an Israeli court agrees to hear a claim, it may determine that Israeli law and not
U.S. law is applicable to the claim. If U.S. law is found to be applicable, the substance of the applicable U.S. law must be proved
as a fact, which can be a time-consuming and costly process. Certain matters of procedure will also be governed by Israeli law.
Furthermore, there is little binding case law in Israel addressing these matters.
Israeli
courts might not enforce judgments rendered outside Israel which may make it difficult to collect on judgments rendered against
us. Subject to certain time limitations, an Israeli court may declare a foreign civil judgment enforceable only if it finds that
(a) the judgment was rendered by a court which was, according to the laws of the state of the court, competent to render the judgment;
(b) the judgment may no longer be appealed; (c) the obligation imposed by the judgment is enforceable according to the rules relating
to the enforceability of judgments in Israel and the substance of the judgment is not contrary to public policy; and (d) the judgment
is executory in the state in which it was given.
Even
if these conditions are satisfied, an Israeli court will not enforce a foreign judgment if it was given in a state whose laws
do not provide for the enforcement of judgments of Israeli courts (subject to exceptional cases) or if its enforcement is likely
to prejudice the sovereignty or security of the State of Israel. An Israeli court also will not declare a foreign judgment enforceable
if (i) the judgment was obtained by fraud; (ii) there is a finding of lack of due process; (iii) the judgment was rendered by
a court not competent to render it according to the laws of private international law in Israel; (iv) the judgment is at variance
with another judgment that was given in the same matter between the same parties and that is still valid; or (v) at the time the
action was brought in the foreign court, a suit in the same matter and between the same parties was pending before a court or
tribunal in Israel.
In
addition, if a foreign judgment is enforced by an Israeli court, it generally will be payable in ILS, which can then be converted
into foreign currency at the rate of exchange of such foreign currency on the date of payment. Pending collection, the amount
of the judgment of an Israeli court stated in ILS (without any linkage to a foreign currency) ordinarily will be linked to the
Israeli consumer price index plus interest at the annual statutory rate prevailing at such time. Judgment creditors bear the risk
of unfavorable exchange rates.
Provisions
of Israeli law may delay, prevent, or make difficult an acquisition of Cyren Ltd., which could prevent a change of control and
therefore depress the price of our shares.
Israeli
corporate law regulates mergers and acquisitions of shares through tender offers, requires special approvals for transactions
involving officers, directors or significant shareholders and regulates other matters that may be relevant to these types of transactions.
Furthermore, Israeli tax considerations may make potential transactions unappealing to us or to our shareholders whose country
of residence does not have a tax treaty with Israel exempting such shareholders from Israeli tax. For example, Israeli tax law
does not recognize tax-free share exchanges to the same extent as U.S. tax law. With respect to mergers, Israeli tax law allows
for tax deferral in certain circumstances but makes the deferral contingent on the fulfillment of a number of conditions, including
a holding period of two years from the date of the transaction during which sales and dispositions of shares of the participating
companies are subject to certain restrictions. Moreover, with respect to certain share swap transactions, the tax deferral is
limited in time, and when such time expires, the tax becomes payable even if no disposition of the shares has occurred. These
and other similar provisions could delay, prevent, or impede an acquisition of our company or our merger with another company,
even if such an acquisition or merger would be beneficial to us or to our shareholders.
Your
rights and responsibilities as a shareholder will be governed by Israeli law which differs in some respects from the rights and
responsibilities of shareholders of U.S. companies.
We
are incorporated under Israeli law. The rights and responsibilities of the holders of our ordinary shares are governed by our
Articles of Association and Israeli law. These rights and responsibilities differ in some respects from the rights and responsibilities
of shareholders in typical U.S.-based corporations. In particular, a shareholder of an Israeli company has a duty to act in good
faith toward the company and other shareholders and to refrain from abusing its power in the company, including, among other things,
in voting at the general meeting of shareholders on matters such as amendments to a company’s articles of association, increases
in a company’s authorized share capital, mergers and acquisitions and interested party transactions requiring shareholder
approval. In addition, a controlling shareholder, a shareholder who knows that it possesses the power to determine the outcome
of a shareholder vote or to appoint or prevent the appointment of a director or executive officer in the company, has a duty of
fairness toward the company. There is limited case law available to assist us in understanding the implications of these provisions
that govern shareholders’ actions. These provisions may be interpreted to impose additional obligations and liabilities
on holders of our ordinary shares that are not typically imposed on shareholders of U.S. corporations.
We
are no longer a “controlled company” within the meaning of the Nasdaq Listing Rules. However,
we will continue to qualify for, and may rely on during a one-year transition period, exemptions from certain corporate governance
requirements that would otherwise provide protection to our shareholders.
As
a result of the sale of our ordinary shares in the registered direct offering in February 2021, Warburg Pincus no longer controls
a majority of our ordinary shares. As a result, we are no longer a “controlled company” within the meaning of the
Nasdaq Listing Rules. Under these rules, a company of which more than 50% of the voting power for the election of directors is
held by an individual, a group or another company is a “controlled company” and may elect not to comply with certain
Nasdaq corporate governance requirements, including, without limitation (i) the requirement that a majority of the board of directors
consist of independent directors, (ii) the requirement that the compensation of our officers be determined or recommended to our
board of directors by a compensation committee that is comprised solely of independent directors, and (iii) the requirement that
director nominees be selected or recommended to the board of directors by a majority of independent directors or a nominating
committee comprised solely of independent directors. We nevertheless have a Compensation Committee comprised of all independent
directors. However, at present, only five out of ten directors on our board are independent. In addition, our Nominating and Governance
Committee, is not comprised solely of independent directors, although a majority of the directors on the Nominating and Governance
Committee are independent directors. Even though we are not a “controlled company,” we will continue to qualify for,
and may rely on, exemptions from certain corporate governance requirements that would otherwise provide protection to shareholders
of other companies during a one-year transition period. The Nasdaq rules require that our board be composed of a majority of “independent
directors,” and that our Nominating and Governance Committee consist entirely of independent directors by February 2021.
In addition, we may have difficulty complying with the requirements listed above and while we intend to do so, we cannot assure
you that we will be able to comply with such requirements before the end of the phase-in period for compliance.