mime-10k_20200331.htm
false FY 0001644675 --03-31 Large Accelerated Filer 00-0000000 P12M P24M P1Y true P6M P5Y P3Y P3Y P5Y P6Y1M6D P6Y1M6D P6Y1M6D P6M P6M P6M P10Y P7Y P1Y P8Y P5Y P3Y P9Y P6Y P1Y P3Y P6Y5M15D P1Y3M21D P7Y6M29D P7Y6M18D P6Y2M26D 0001644675 2019-04-01 2020-03-31 iso4217:USD 0001644675 2019-09-30 xbrli:shares 0001644675 2020-05-08 0001644675 2020-03-31 0001644675 2019-03-31 iso4217:USD xbrli:shares 0001644675 2018-04-01 2019-03-31 0001644675 2017-04-01 2018-03-31 0001644675 us-gaap:CommonStockMember 2017-03-31 0001644675 us-gaap:AdditionalPaidInCapitalMember 2017-03-31 0001644675 us-gaap:RetainedEarningsMember 2017-03-31 0001644675 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2017-03-31 0001644675 2017-03-31 0001644675 us-gaap:AdditionalPaidInCapitalMember us-gaap:AccountingStandardsUpdate201609Member 2017-03-31 0001644675 us-gaap:RetainedEarningsMember us-gaap:AccountingStandardsUpdate201609Member 2017-03-31 0001644675 us-gaap:AdditionalPaidInCapitalMember 2017-04-01 2018-03-31 0001644675 us-gaap:RetainedEarningsMember 2017-04-01 2018-03-31 0001644675 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2017-04-01 2018-03-31 0001644675 us-gaap:CommonStockMember 2017-04-01 2018-03-31 0001644675 us-gaap:CommonStockMember 2018-03-31 0001644675 us-gaap:AdditionalPaidInCapitalMember 2018-03-31 0001644675 us-gaap:RetainedEarningsMember 2018-03-31 0001644675 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2018-03-31 0001644675 2018-03-31 0001644675 us-gaap:RetainedEarningsMember us-gaap:AccountingStandardsUpdate201409Member 2018-03-31 0001644675 us-gaap:AccountingStandardsUpdate201409Member 2018-03-31 0001644675 us-gaap:RetainedEarningsMember 2018-04-01 2019-03-31 0001644675 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2018-04-01 2019-03-31 0001644675 us-gaap:CommonStockMember 2018-04-01 2019-03-31 0001644675 us-gaap:AdditionalPaidInCapitalMember 2018-04-01 2019-03-31 0001644675 us-gaap:CommonStockMember 2019-03-31 0001644675 us-gaap:AdditionalPaidInCapitalMember 2019-03-31 0001644675 us-gaap:RetainedEarningsMember 2019-03-31 0001644675 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2019-03-31 0001644675 us-gaap:RetainedEarningsMember us-gaap:AccountingStandardsUpdate201602Member 2019-03-31 0001644675 us-gaap:AccountingStandardsUpdate201602Member 2019-03-31 0001644675 us-gaap:RetainedEarningsMember 2019-04-01 2020-03-31 0001644675 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2019-04-01 2020-03-31 0001644675 us-gaap:CommonStockMember 2019-04-01 2020-03-31 0001644675 us-gaap:AdditionalPaidInCapitalMember 2019-04-01 2020-03-31 0001644675 us-gaap:CommonStockMember 2020-03-31 0001644675 us-gaap:AdditionalPaidInCapitalMember 2020-03-31 0001644675 us-gaap:RetainedEarningsMember 2020-03-31 0001644675 us-gaap:AccumulatedOtherComprehensiveIncomeMember 2020-03-31 0001644675 us-gaap:AccountingStandardsUpdate201602Member 2019-04-01 2020-03-31 0001644675 srt:RestatementAdjustmentMember 2018-04-01 2019-03-31 0001644675 srt:RestatementAdjustmentMember 2017-04-01 2018-03-31 0001644675 mime:USTreasurySecuritiesDueInOneYearOrLessMember 2019-03-31 0001644675 mime:NonUSGovernmentSecuritiesDueInOneYearOrLessMember 2019-03-31 0001644675 mime:CorporateSecuritiesDueInOneYearOrLessMember 2019-03-31 xbrli:pure 0001644675 us-gaap:AccountingStandardsUpdate201409Member 2019-04-01 2020-03-31 mime:Customer 0001644675 srt:MaximumMember 2019-04-01 2020-03-31 0001644675 us-gaap:CorporateDebtSecuritiesMember srt:MinimumMember 2019-04-01 2020-03-31 0001644675 us-gaap:CorporateDebtSecuritiesMember srt:MaximumMember 2019-04-01 2020-03-31 0001644675 mime:NonUSGovernmentSecuritiesMember srt:MinimumMember 2019-04-01 2020-03-31 0001644675 mime:NonUSGovernmentSecuritiesMember srt:MaximumMember 2019-04-01 2020-03-31 0001644675 us-gaap:USTreasurySecuritiesMember 2019-04-01 2020-03-31 0001644675 us-gaap:ComputerEquipmentMember srt:MinimumMember 2019-04-01 2020-03-31 0001644675 us-gaap:ComputerEquipmentMember srt:MaximumMember 2019-04-01 2020-03-31 0001644675 us-gaap:LeaseholdImprovementsMember 2019-04-01 2020-03-31 0001644675 us-gaap:FurnitureAndFixturesMember 2019-04-01 2020-03-31 0001644675 us-gaap:OfficeEquipmentMember 2019-04-01 2020-03-31 0001644675 us-gaap:SoftwareAndSoftwareDevelopmentCostsMember 2019-04-01 2020-03-31 0001644675 us-gaap:EmployeeStockOptionMember 2019-04-01 2020-03-31 0001644675 us-gaap:EmployeeStockOptionMember 2018-04-01 2019-03-31 0001644675 us-gaap:EmployeeStockOptionMember 2017-04-01 2018-03-31 0001644675 us-gaap:RestrictedStockUnitsRSUMember 2019-04-01 2020-03-31 0001644675 us-gaap:RestrictedStockUnitsRSUMember 2018-04-01 2019-03-31 0001644675 us-gaap:RestrictedStockUnitsRSUMember 2017-04-01 2018-03-31 0001644675 us-gaap:EmployeeStockMember 2019-04-01 2020-03-31 0001644675 us-gaap:EmployeeStockMember 2018-04-01 2019-03-31 0001644675 us-gaap:EmployeeStockMember 2017-04-01 2018-03-31 0001644675 us-gaap:EmployeeStockOptionMember 2019-04-01 2020-03-31 0001644675 us-gaap:EmployeeStockOptionMember 2018-04-01 2019-03-31 0001644675 us-gaap:EmployeeStockOptionMember 2017-04-01 2018-03-31 0001644675 mime:MimecastLimitedTwoThousandAndFifteenEmployeeSharePurchasePlanMember 2019-04-01 2020-03-31 0001644675 mime:MimecastLimitedTwoThousandAndFifteenEmployeeSharePurchasePlanMember 2018-04-01 2019-03-31 0001644675 mime:MimecastLimitedTwoThousandAndFifteenEmployeeSharePurchasePlanMember 2017-04-01 2018-03-31 0001644675 2020-04-01 2020-03-31 0001644675 2021-04-01 2020-03-31 0001644675 us-gaap:BuildingAndBuildingImprovementsMember 2019-03-31 0001644675 us-gaap:ComputerEquipmentMember 2020-03-31 0001644675 us-gaap:ComputerEquipmentMember 2019-03-31 0001644675 us-gaap:LeaseholdImprovementsMember 2020-03-31 0001644675 us-gaap:LeaseholdImprovementsMember 2019-03-31 0001644675 us-gaap:FurnitureAndFixturesMember 2020-03-31 0001644675 us-gaap:FurnitureAndFixturesMember 2019-03-31 0001644675 us-gaap:OfficeEquipmentMember 2020-03-31 0001644675 us-gaap:OfficeEquipmentMember 2019-03-31 0001644675 country:US mime:ConstructionCostsCapitalizedUnderFinancingLeaseObligationsRelatedToBuildToSuitFacilityMember 2019-03-31 0001644675 us-gaap:BuildingImprovementsMember country:US 2019-03-31 0001644675 mime:AssetsHeldUnderFinanceLeasesMember 2020-03-31 0001644675 mime:AssetsHeldUnderFinanceLeasesMember 2019-03-31 0001644675 mime:WatertownMACorporateOfficeMember 2018-01-01 2018-03-31 0001644675 mime:WatertownMACorporateOfficeMember 2018-07-01 2018-09-30 0001644675 mime:WatertownMACorporateOfficeMember 2018-03-31 0001644675 mime:SegasecLabsLtdMember stpr:IL 2020-01-02 2020-01-03 0001644675 mime:SegasecLabsLtdMember stpr:IL 2020-01-03 0001644675 mime:SegasecLabsLtdMember 2020-01-03 0001644675 us-gaap:DevelopedTechnologyRightsMember mime:SegasecLabsLtdMember 2020-01-03 0001644675 us-gaap:CustomerRelationshipsMember mime:SegasecLabsLtdMember 2020-01-03 0001644675 us-gaap:DevelopedTechnologyRightsMember mime:SegasecLabsLtdMember 2020-01-02 2020-01-03 0001644675 us-gaap:CustomerRelationshipsMember mime:SegasecLabsLtdMember 2020-01-02 2020-01-03 0001644675 mime:DMARCAnalyzerBVMember country:NL 2019-11-12 2019-11-13 0001644675 mime:DMARCAnalyzerBVMember 2019-11-13 0001644675 us-gaap:DevelopedTechnologyRightsMember mime:DMARCAnalyzerBVMember 2019-11-13 0001644675 us-gaap:CustomerRelationshipsMember mime:DMARCAnalyzerBVMember 2019-11-13 0001644675 us-gaap:DevelopedTechnologyRightsMember mime:DMARCAnalyzerBVMember 2019-11-12 2019-11-13 0001644675 us-gaap:CustomerRelationshipsMember mime:DMARCAnalyzerBVMember 2019-11-12 2019-11-13 0001644675 mime:SolebitLabsLtdMember stpr:IL 2018-07-30 2018-07-31 0001644675 mime:SolebitLabsLtdMember 2018-07-30 2018-07-31 0001644675 mime:SolebitLabsLtdMember 2018-07-31 0001644675 us-gaap:DevelopedTechnologyRightsMember mime:SolebitLabsLtdMember 2018-07-31 0001644675 us-gaap:CustomerRelationshipsMember mime:SolebitLabsLtdMember 2018-07-31 0001644675 us-gaap:TradeNamesMember mime:SolebitLabsLtdMember 2018-07-31 0001644675 us-gaap:DevelopedTechnologyRightsMember mime:SolebitLabsLtdMember 2018-07-30 2018-07-31 0001644675 us-gaap:CustomerRelationshipsMember mime:SolebitLabsLtdMember 2018-07-30 2018-07-31 0001644675 us-gaap:TradeNamesMember mime:SolebitLabsLtdMember 2018-07-30 2018-07-31 0001644675 mime:SolebitLabsLtdMember 2018-04-01 2019-03-31 0001644675 mime:AtaataMember country:US 2018-07-08 2018-07-09 0001644675 mime:AtaataMember 2018-07-09 0001644675 us-gaap:DevelopedTechnologyRightsMember mime:AtaataMember 2018-07-09 0001644675 us-gaap:CustomerRelationshipsMember mime:AtaataMember 2018-07-09 0001644675 us-gaap:DevelopedTechnologyRightsMember mime:AtaataMember 2018-07-08 2018-07-09 0001644675 us-gaap:CustomerRelationshipsMember mime:AtaataMember 2018-07-08 2018-07-09 0001644675 mime:SimplyMigrateLtdMember 2019-01-25 2019-01-25 0001644675 mime:SimplyMigrateLtdMember 2019-01-25 0001644675 mime:SimplyMigrateLtdMember us-gaap:DevelopedTechnologyRightsMember 2019-01-25 2019-01-25 0001644675 us-gaap:DevelopedTechnologyRightsMember 2019-04-01 2020-03-31 0001644675 us-gaap:CustomerRelationshipsMember 2019-04-01 2020-03-31 0001644675 mime:CapitalizedSoftwareAndOtherIntangibleAssetsMember 2019-04-01 2020-03-31 0001644675 us-gaap:DevelopedTechnologyRightsMember 2020-03-31 0001644675 us-gaap:CustomerRelationshipsMember 2020-03-31 0001644675 us-gaap:TradeNamesMember 2020-03-31 0001644675 mime:CapitalizedSoftwareAndOtherIntangibleAssetsMember 2020-03-31 0001644675 us-gaap:DevelopedTechnologyRightsMember 2018-04-01 2019-03-31 0001644675 us-gaap:CustomerRelationshipsMember 2018-04-01 2019-03-31 0001644675 us-gaap:TradeNamesMember 2018-04-01 2019-03-31 0001644675 us-gaap:ComputerSoftwareIntangibleAssetMember 2018-04-01 2019-03-31 0001644675 us-gaap:DevelopedTechnologyRightsMember 2019-03-31 0001644675 us-gaap:CustomerRelationshipsMember 2019-03-31 0001644675 us-gaap:TradeNamesMember 2019-03-31 0001644675 us-gaap:ComputerSoftwareIntangibleAssetMember 2019-03-31 0001644675 mime:VideoProductionCostsMember 2020-03-31 0001644675 mime:VideoProductionCostsMember 2019-03-31 0001644675 mime:InternetProtocolAddressMember 2020-03-31 0001644675 mime:PurchasedIntangibleAssetsMember 2020-03-31 0001644675 us-gaap:ComputerSoftwareIntangibleAssetMember 2020-03-31 0001644675 mime:StrategicInvestmentsMember 2020-03-31 0001644675 mime:StrategicInvestmentsMember 2019-03-31 0001644675 us-gaap:FairValueInputsLevel3Member us-gaap:FairValueMeasurementsRecurringMember 2019-03-31 0001644675 us-gaap:FairValueInputsLevel3Member us-gaap:FairValueMeasurementsRecurringMember 2020-03-31 0001644675 us-gaap:FairValueInputsLevel1Member us-gaap:FairValueMeasurementsRecurringMember us-gaap:MoneyMarketFundsMember 2020-03-31 0001644675 us-gaap:FairValueMeasurementsRecurringMember us-gaap:MoneyMarketFundsMember 2020-03-31 0001644675 us-gaap:FairValueMeasurementsRecurringMember us-gaap:MoneyMarketFundsMember us-gaap:FairValueInputsLevel1Member 2019-03-31 0001644675 us-gaap:FairValueMeasurementsRecurringMember us-gaap:MoneyMarketFundsMember 2019-03-31 0001644675 us-gaap:FairValueMeasurementsRecurringMember us-gaap:USTreasurySecuritiesMember us-gaap:FairValueInputsLevel2Member 2019-03-31 0001644675 us-gaap:FairValueMeasurementsRecurringMember us-gaap:USTreasurySecuritiesMember 2019-03-31 0001644675 us-gaap:FairValueMeasurementsRecurringMember mime:NonUSGovernmentSecuritiesMember us-gaap:FairValueInputsLevel2Member 2019-03-31 0001644675 us-gaap:FairValueMeasurementsRecurringMember mime:NonUSGovernmentSecuritiesMember 2019-03-31 0001644675 us-gaap:FairValueMeasurementsRecurringMember us-gaap:CorporateDebtSecuritiesMember us-gaap:FairValueInputsLevel2Member 2019-03-31 0001644675 us-gaap:FairValueMeasurementsRecurringMember us-gaap:CorporateDebtSecuritiesMember 2019-03-31 0001644675 us-gaap:FairValueMeasurementsRecurringMember us-gaap:FairValueInputsLevel1Member 2019-03-31 0001644675 us-gaap:FairValueMeasurementsRecurringMember us-gaap:FairValueInputsLevel2Member 2019-03-31 0001644675 us-gaap:FairValueMeasurementsRecurringMember 2019-03-31 0001644675 srt:MinimumMember 2019-04-01 2020-03-31 0001644675 us-gaap:AccountingStandardsUpdate201602Member srt:RestatementAdjustmentMember 2019-04-01 0001644675 us-gaap:AccountingStandardsUpdate201602Member 2019-04-01 0001644675 mime:DataCentersMember 2019-03-31 0001644675 mime:CreditAgreementWithCertainLendersMember mime:SeniorSecuredTermLoanMember 2018-07-23 0001644675 mime:CreditAgreementWithCertainLendersMember mime:SeniorSecuredRevolvingCreditFacilityMember 2018-07-23 0001644675 mime:CreditAgreementWithCertainLendersMember srt:MinimumMember us-gaap:LondonInterbankOfferedRateLIBORMember 2018-07-23 2018-07-23 0001644675 mime:CreditAgreementWithCertainLendersMember srt:MaximumMember us-gaap:LondonInterbankOfferedRateLIBORMember 2018-07-23 2018-07-23 0001644675 mime:CreditAgreementWithCertainLendersMember us-gaap:LondonInterbankOfferedRateLIBORMember 2018-04-01 2019-03-31 0001644675 mime:CreditAgreementWithCertainLendersMember us-gaap:LondonInterbankOfferedRateLIBORMember 2019-04-01 2020-03-31 0001644675 mime:CreditAgreementWithCertainLendersMember 2018-07-23 2018-07-23 0001644675 mime:CreditAgreementWithCertainLendersMember 2018-07-23 0001644675 mime:SeniorSecuredTermLoanMember 2020-03-31 0001644675 mime:SeniorSecuredTermLoanMember 2019-03-31 0001644675 mime:SeniorSecuredRevolvingCreditFacilityMember us-gaap:OtherAssetsMember 2020-03-31 0001644675 mime:SeniorSecuredRevolvingCreditFacilityMember us-gaap:OtherAssetsMember 2019-03-31 0001644675 mime:SeniorSecuredRevolvingCreditFacilityMember 2019-04-01 2020-03-31 0001644675 mime:SeniorSecuredRevolvingCreditFacilityMember 2018-04-01 2019-03-31 0001644675 mime:SeniorSecuredRevolvingCreditFacilityMember 2020-03-31 0001644675 mime:SeniorSecuredRevolvingCreditFacilityMember 2019-03-31 0001644675 mime:SeniorSecuredRevolvingCreditFacilityMember us-gaap:LetterOfCreditMember 2020-03-31 0001644675 mime:SeniorSecuredRevolvingCreditFacilityMember us-gaap:LetterOfCreditMember 2019-03-31 0001644675 mime:TwoThousandAndFifteenPlanMember 2020-03-31 0001644675 us-gaap:EmployeeStockMember 2020-03-31 mime:CompensationPlan 0001644675 mime:TwoThousandAndFifteenPlanMember us-gaap:EmployeeStockOptionMember 2020-03-31 0001644675 mime:TwoThousandAndFifteenPlanMember us-gaap:EmployeeStockOptionMember 2019-04-01 2020-03-31 0001644675 mime:MimecastLimitedTwoThousandAndFifteenEmployeeSharePurchasePlanMember 2020-03-31 0001644675 srt:MinimumMember mime:MimecastLimitedTwoThousandAndFifteenEmployeeSharePurchasePlanMember 2019-04-01 2020-03-31 0001644675 us-gaap:CostOfSalesMember 2019-04-01 2020-03-31 0001644675 us-gaap:CostOfSalesMember 2018-04-01 2019-03-31 0001644675 us-gaap:CostOfSalesMember 2017-04-01 2018-03-31 0001644675 us-gaap:ResearchAndDevelopmentExpenseMember 2019-04-01 2020-03-31 0001644675 us-gaap:ResearchAndDevelopmentExpenseMember 2018-04-01 2019-03-31 0001644675 us-gaap:ResearchAndDevelopmentExpenseMember 2017-04-01 2018-03-31 0001644675 us-gaap:SellingAndMarketingExpenseMember 2019-04-01 2020-03-31 0001644675 us-gaap:SellingAndMarketingExpenseMember 2018-04-01 2019-03-31 0001644675 us-gaap:SellingAndMarketingExpenseMember 2017-04-01 2018-03-31 0001644675 us-gaap:GeneralAndAdministrativeExpenseMember 2019-04-01 2020-03-31 0001644675 us-gaap:GeneralAndAdministrativeExpenseMember 2018-04-01 2019-03-31 0001644675 us-gaap:GeneralAndAdministrativeExpenseMember 2017-04-01 2018-03-31 0001644675 mime:ServiceBasedVestingConditionsMember 2020-03-31 0001644675 mime:ServiceBasedVestingConditionsMember 2019-04-01 2020-03-31 0001644675 us-gaap:RestrictedStockUnitsRSUMember mime:NonEmployeeDirectorMember 2019-04-01 2020-03-31 mime:Installment 0001644675 us-gaap:RestrictedStockUnitsRSUMember mime:EmployeesMember 2019-04-01 2020-03-31 0001644675 us-gaap:RestrictedStockUnitsRSUMember 2019-03-31 0001644675 us-gaap:RestrictedStockUnitsRSUMember 2019-04-01 2020-03-31 0001644675 us-gaap:RestrictedStockUnitsRSUMember 2020-03-31 0001644675 us-gaap:PatentedTechnologyMember 2019-04-01 2020-03-31 0001644675 us-gaap:PatentedTechnologyMember 2018-04-01 2019-03-31 0001644675 us-gaap:PatentedTechnologyMember 2020-03-31 0001644675 country:GB 2019-04-01 2020-03-31 0001644675 country:GB 2018-04-01 2019-03-31 0001644675 country:GB 2017-04-01 2018-03-31 0001644675 country:ZA 2019-04-01 2020-03-31 0001644675 stpr:DE 2019-04-01 2020-03-31 0001644675 country:NL 2019-04-01 2020-03-31 mime:Segment 0001644675 country:US 2019-04-01 2020-03-31 0001644675 country:US 2018-04-01 2019-03-31 0001644675 country:US 2017-04-01 2018-03-31 0001644675 country:GB 2019-04-01 2020-03-31 0001644675 country:GB 2018-04-01 2019-03-31 0001644675 country:GB 2017-04-01 2018-03-31 0001644675 country:ZA 2019-04-01 2020-03-31 0001644675 country:ZA 2018-04-01 2019-03-31 0001644675 country:ZA 2017-04-01 2018-03-31 0001644675 mime:OtherGeographicalAreasMember 2019-04-01 2020-03-31 0001644675 mime:OtherGeographicalAreasMember 2018-04-01 2019-03-31 0001644675 mime:OtherGeographicalAreasMember 2017-04-01 2018-03-31 0001644675 country:US 2020-03-31 0001644675 country:US 2019-03-31 0001644675 country:GB 2020-03-31 0001644675 country:GB 2019-03-31 0001644675 country:ZA 2020-03-31 0001644675 country:ZA 2019-03-31 0001644675 mime:OtherGeographicalAreasMember 2020-03-31 0001644675 mime:OtherGeographicalAreasMember 2019-03-31 0001644675 us-gaap:AccountingStandardsUpdate201609Member 2019-04-01 2020-03-31 0001644675 us-gaap:HerMajestysRevenueAndCustomsHMRCMember us-gaap:DomesticCountryMember 2020-03-31 0001644675 us-gaap:InternalRevenueServiceIRSMember us-gaap:ForeignCountryMember 2020-03-31 0001644675 us-gaap:InternalRevenueServiceIRSMember us-gaap:ForeignCountryMember mime:ExpiresAtVariousDatesMember 2020-03-31 0001644675 us-gaap:InternalRevenueServiceIRSMember us-gaap:ForeignCountryMember mime:ExpiresAtVariousDatesMember 2019-04-01 2020-03-31 0001644675 us-gaap:InternalRevenueServiceIRSMember us-gaap:ForeignCountryMember mime:DoNotExpireMember 2020-03-31 0001644675 mime:UnitedStatesStateAndLocalIncomeTaxMember us-gaap:ForeignCountryMember 2020-03-31 0001644675 mime:UnitedStatesStateAndLocalIncomeTaxMember us-gaap:ForeignCountryMember 2019-04-01 2020-03-31 0001644675 us-gaap:AustralianTaxationOfficeMember us-gaap:ForeignCountryMember 2020-03-31 0001644675 us-gaap:FederalMinistryOfFinanceGermanyMember us-gaap:ForeignCountryMember 2020-03-31 0001644675 us-gaap:IsraelTaxAuthorityMember us-gaap:ForeignCountryMember 2020-03-31 0001644675 us-gaap:TaxAndCustomsAdministrationNetherlandsMember us-gaap:ForeignCountryMember 2020-03-31 0001644675 us-gaap:TaxAndCustomsAdministrationNetherlandsMember us-gaap:ForeignCountryMember srt:MinimumMember 2019-04-01 2020-03-31 0001644675 us-gaap:TaxAndCustomsAdministrationNetherlandsMember us-gaap:ForeignCountryMember srt:MaximumMember 2019-04-01 2020-03-31 0001644675 us-gaap:IsraelTaxAuthorityMember us-gaap:ForeignCountryMember srt:MinimumMember 2019-04-01 2020-03-31 0001644675 us-gaap:IsraelTaxAuthorityMember us-gaap:ForeignCountryMember srt:MaximumMember 2019-04-01 2020-03-31 0001644675 us-gaap:EmployeeStockOptionMember us-gaap:SubsequentEventMember 2020-04-01 2020-04-01 0001644675 us-gaap:RestrictedStockUnitsRSUMember us-gaap:SubsequentEventMember 2020-04-01 2020-04-01 0001644675 us-gaap:EmployeeStockOptionMember us-gaap:SubsequentEventMember 2020-04-01 0001644675 us-gaap:RestrictedStockUnitsRSUMember us-gaap:SubsequentEventMember 2020-04-01 0001644675 2020-01-01 2020-03-31 0001644675 2019-10-01 2019-12-31 0001644675 2019-07-01 2019-09-30 0001644675 2019-04-01 2019-06-30 0001644675 2019-01-01 2019-03-31 0001644675 2018-10-01 2018-12-31 0001644675 2018-07-01 2018-09-30 0001644675 2018-04-01 2018-06-30

 

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

 

FORM 10-K

 

(Mark One)

 

ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

 

For the fiscal year ended March 31, 2020

OR

 

TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 FOR THE TRANSITION PERIOD FROM                      TO                          .

 

Commission File Number 001-37637

 

MIMECAST LIMITED

(Exact name of Registrant as specified in its Charter)

 

 

Bailiwick of Jersey

 

Not Applicable

(State or other jurisdiction of

incorporation or organization)

 

(I.R.S. Employer

Identification No.)

1 Finsbury Avenue

London EC2M 2PF

United Kingdom

 

EC2M 2PF

(Address of principal executive offices)

 

(Zip Code)

 

Registrant’s telephone number, including area code: (781) 996-5340

 

Securities registered pursuant to Section 12(b) of the Act:

 

(Title of each class)

(Trading Symbol)

(Name of each exchange on which registered)

Ordinary Shares, nominal value $0.012 per share

MIME

The Nasdaq Global Select Market

 

Securities registered pursuant to Section 12(g) of the Act:

None

(Title of class)

 

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes  No 

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Act. Yes  No 

Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes  No 

Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes  No 

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act.

 

Large accelerated filer

 

  

Accelerated filer

 

Non-accelerated filer

 

  

Smaller reporting company

 

 

 

 

 

Emerging growth company

 

 

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.  

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).    Yes     No 

The aggregate market value of the voting and non-voting common equity held by non-affiliates of the registrant, based on the closing price of our ordinary shares on the Nasdaq Global Select Market on September 30, 2019, the last business day of the registrant’s second fiscal quarter, was $1,990,718,872. This calculation does not reflect a determination that certain persons or entities are affiliates of the registrant for any other purpose.

The number of registrant’s ordinary shares outstanding as of May 8, 2020 was 62,965,224.

DOCUMENTS INCORPORATED BY REFERENCE

Portions of the registrant’s Definitive Proxy Statement relating to the 2020 Annual General Meeting of Shareholders of Mimecast Limited, scheduled to be held on October 8, 2020, are incorporated by reference into Part III of this Annual Report on Form 10-K. The Definitive Proxy Statement will be filed with the Securities and Exchange Commission within 120 days of the registrant’s fiscal year ended March 31, 2020. Except with respect to information specifically incorporated by reference into this Annual Report on Form 10-K, the Definitive Proxy Statement is not deemed to be filed as part of this Annual Report on Form 10-K.

 


Table of Contents

 

 

 

Page

PART I

 

 

 

Special Note Regarding Forward-Looking Statements

1

Item 1.

Business

3

Item 1A.

Risk Factors

15

Item 1B.

Unresolved Staff Comments

32

Item 2.

Properties

32

Item 3.

Legal Proceedings

33

Item 4.

Mine Safety Disclosures

33

 

 

 

PART II

 

 

Item 5.

Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities

34

Item 6.

Selected Financial Data

35

Item 7.

Management’s Discussion and Analysis of Financial Condition and Results of Operations

40

Item 7A.

Quantitative and Qualitative Disclosures About Market Risk

58

Item 8.

Financial Statements and Supplementary Data

60

Item 9.

Changes in and Disagreements With Accountants on Accounting and Financial Disclosure

98

Item 9A.

Controls and Procedures

98

Item 9B.

Other Information

100

 

 

 

PART III

 

 

Item 10.

Directors, Executive Officers and Corporate Governance

101

Item 11.

Executive Compensation

101

Item 12.

Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters

101

Item 13.

Certain Relationships and Related Transactions, and Director Independence

101

Item 14.

Principal Accounting Fees and Services

101

 

 

 

PART IV

 

 

Item 15.

Exhibits, Financial Statement Schedules

102

Item 16.

Form 10-K Summary

107

 

Signatures

108

 

 

 


 

SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS

This Annual Report on Form 10-K contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. All statements contained in this Annual Report on Form 10-K other than statements of historical fact, including statements regarding our future results of operations and financial position, our business strategy and plans, and our objectives for future operations, are forward-looking statements. These statements involve known and unknown risks, uncertainties and other important factors that may cause our actual results and performance to be materially different from any future results or performance expressed or implied by the forward-looking statements. The words “believe,” “may,” “will,” “estimate,” “guidance,” “continue,” “anticipate,” “intend,” “expect,” “predict,” “probable,” “potential,” “can,” “could,” “should,” “contemplate,” “would,” “project,” “seek,” “target,” “might,” “explore,” “plan,” “strategy,” and similar expressions or variations that are not statements of historical fact are intended to identify forward-looking statements, although not all forward-looking statements contain these identifying words. Forward-looking statements set forth in this Annual Report on Form 10-K include, but are not limited to, statements about the following:

 

the impact that the global COVID-19 pandemic may have on our business, financial position and results of operations;

 

our expectations regarding our revenue, expenses and other results of operations;

 

our plans to invest in sales and marketing efforts, increase the size of our sales and marketing team, and expand our channel partnerships;

 

our ability to attract new customers in each of our markets, retain existing customers, and maintain a relatively consistent revenue retention rate over the next twelve months;

 

our plans to continue to invest in the research and development of technology for both existing and new products, and increase the size of our research and development team;

 

the potential impact of foreign currency exchange rates on our results of operations;

 

the growth rates of the markets in which we compete;

 

our liquidity and working capital requirements;

 

our anticipated strategies for growth;

 

our ability to anticipate market needs, develop new and enhanced solutions to meet those needs, and market acceptance of any new and enhanced solutions;

 

our ability to compete in our industry and innovation by our competitors;

 

our ability to adequately protect our intellectual property and risks we face from organizations that claim we are infringing their intellectual property;

 

our ability to respond to evolving regulatory requirements regarding data protection and privacy, including the European Union’s General Data Protection Regulation and the California Consumer Privacy Act of 2018;

 

the effects of the United Kingdom exiting from the European Union; and

 

our plans to pursue strategic acquisitions and our ability to use the technology we acquire to enhance the products and services we offer to our customers.

We caution you that the foregoing list does not contain all of the forward-looking statements made in this Annual Report on Form 10-K.

1


 

You should not rely on forward-looking statements as predictions of future events. We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition, operating results and prospects. The outcome of the events described in these forward-looking statements are subject to risks, uncertainties and other factors described in Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K. Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time, and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements contained in this Annual Report on Form 10-K. We cannot assure you that the results, events and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events or circumstances could differ materially from those described in the forward-looking statements.

The forward-looking statements made in this Annual Report on Form 10-K relate only to events as of the date on which the statements are made. We undertake no obligation to update any forward-looking statements made in this Annual Report on Form 10-K to reflect events or circumstances after the date of this Annual Report on Form 10-K or to reflect new information or the occurrence of unanticipated events, except as required by law. We may not actually achieve the plans, intentions, or expectations disclosed in our forward-looking statements and you should not place undue reliance on our forward-looking statements. Our forward-looking statements do not reflect the potential impact of any future acquisitions, mergers, dispositions, joint ventures, or investments we may make.

As used in this Annual Report on Form 10-K, the terms “Mimecast,” “Company,” “Registrant,” “we,” “us,” and “our” mean Mimecast Limited and its subsidiaries, unless the context indicates otherwise.

Certain amounts and percentages that appear in this Annual Report on Form 10-K have been subject to rounding adjustments. As a result, certain numerical figures shown as totals, including in tables, may not be exact arithmetic aggregations of the figures that precede or follow them.

2


 

PART I

Item 1. Business.

Overview

We are a leading global provider of next generation cloud security and risk management services for email and corporate information. Our integrated suite of proprietary cloud services protects customers of all sizes from the significant business and data security risks to which their email and other corporate systems expose them. Our Email Security 3.0 and Cyber Resilience Extension offerings are designed to protect customers from today’s rapidly changing security environment.  

The threat landscape and the resulting opportunity for disruption have evolved significantly over the last several years.  Organizations of all sizes are increasingly dependent on digital technology and corporate systems that often extend beyond the perimeter of the organization.  These systems typically do not operate in a stand-alone environment but instead are connected with and rely upon other systems, many of which are outside the control of the organization.  Finally, an everchanging and increasingly complex regulatory environment places significant compliance burdens on organizations and subjects them to harsh penalties in the event of failure. These evolving trends, dependencies, interdependencies and regulatory burdens, have only increased the potential impact of disruption caused by perennial risks, such as malicious action, human error and technological failure.

We developed our proprietary cloud architecture to offer customers a comprehensive cyber resilience strategy. Our Email Security 3.0 strategy addresses threats in three distinct zones: at the email perimeter (Zone 1); inside the network and the organization (Zone 2); and beyond the perimeter (Zone 3).  Our Cyber Resilience Extensions expand resilience to other critical elements of an organization’s digital infrastructure.  

Our primary offerings include the following features and functionality:

 

Email security, which provides a critical defense against hackers seeking to capture and exploit valuable organizational information and disrupt business operations. Email is a powerful attack vector and data leak concern.

 

 

Continuity, which ensures employees can continue using email during unexpected and planned outages.

 

 

Archiving, which unifies email data to support e-discovery, forensic analysis, and compliance initiatives, while also giving employees fast access to their personal archive, which improves productivity.

 

 

Awareness training, which addresses security risks associated with the activities of employees by combining effective, modern, and engaging training techniques with predictive analytics.  Employee errors are one of the leading causes of cybersecurity incidents.

 

 

Web security, which protects against malicious web activity and enables customers to block access to inappropriate websites.

 

 

DMARC analyzer, which allows our customers to more effectively implement and manage complex domain-based message authentication reporting and conformance, or DMARC, deployments by providing greater visibility and improved governance across all email channels.

 

 

Brand exploit protection, which provides integrated brand protection that helps prevent attackers from tricking customers and partners with fake websites by detecting brand attacks in their early stages, blocking them before they can launch, and quickly remediating them if they have gone live.

Our historical focus has been email security.  Email is a critical tool for organizations of all sizes. Protecting and managing email has become more complicated due to expanding security and compliance requirements and the rapid increase in both the volume and the importance of the information transmitted via email. Organizations are increasingly at risk from security breaches of sensitive data as sophisticated email-based attacks or data leaks have become far more common than in the past. Additionally, organizations are not just using email for communication. Email archives are used as an active repository of vital corporate information needed to meet compliance and regulatory requirements and ensure employee productivity. As a result, email represents one of the highest concentrations of business risk that organizations face.

Traditional approaches to addressing these risks leave customers managing disparate point products from multiple vendors that are often difficult to use, costly to manage, and difficult to scale; that can fail to fully address advanced threats; and that limit the use of corporate information to enhance productivity. The resulting infrastructure complexity caused by disparate products and legacy architectures also makes it difficult to move more IT workloads to the cloud, which continues to be an increasing priority for organizations of all sizes.

3


 

Our offerings are delivered from an easy-to-use single platform, and our integrated services also simplify ongoing management and service deployment. As a result, our customers can decommission the often costly and complex point products and on-premises technology they have traditionally used to address these risks, which also makes it easier for them to move more of their IT workloads to the cloud.

We serve approximately 38,100 customers and protect millions of their employees around the world. Our services scale effectively to meet the needs of customers of all sizes. We sell our services through direct sales efforts and through our channel partners. Our sales model is designed to meet the needs of organizations of all sizes across a wide range of industries and in over 140 countries. For the fiscal years ended March 31, 2020, 2019 and 2018, our revenue was $427.0 million, $340.4 million and $261.9 million, respectively.

Our Growth Strategy

We will continue to invest in our cloud security, data, and risk management services. As more organizations move IT workloads such as email to the cloud, we believe we are well positioned to continue capitalizing on this growing opportunity globally.

Our growth strategy is focused on acquiring new customers, driving revenue growth from our existing customer base, developing our technology and releasing new services, actively investing in our channel partner network, continuing to strategically expand our geographic presence, and pursuing growth and technology through acquisitions.

Our Solutions

Our integrated suite of cloud services is designed to offer true cyber resilience for email and web and delivers comprehensive email risk management beyond the primary mail server. We protect customers and their data from the growing threat of email attacks through malware, spam, data leaks, and advanced threats such as phishing and impersonation attacks. Our continuity services ensure email and corporate information remain available in the event of a primary system failure or scheduled maintenance downtime. We also help organizations securely and cost effectively archive their growing email and file repositories to support employee productivity, compliance, and e-discovery.

Our customers benefit from:

 

Comprehensive Email, Web, and Data Risk Management in a Single, Unified Cloud Service. Our services integrate a range of technologies into a comprehensive service that would otherwise require an array of individual devices or services from multiple vendors.

 

 

Best-of-Breed Security, Continuity, Awareness Training, and Archiving Services. We believe our customers should not have to compromise on the quality of their email and web security, continuity, archiving or awareness training services in order to benefit from integration.

 

 

Web Scale Performance for Organizations of All Sizes. Our cloud service is built to address the most demanding scale, performance, and availability requirements of large enterprises through a subscription-based cloud service that also puts these capabilities within reach of small and mid-market organizations. We meet demanding continuity service commitments with data centers that are replicated in each of our primary geographies and operate in active-active mode, enabling fast failover and fail-back as required.

 

 

Easy to Deploy and Manage. Our service is designed to be easy to deploy. Customers simply route their email traffic through our cloud and can be up and running in a matter of days and sometimes less. We then enable our customers to add or delete new services and manage all security and other policies centrally via a single web-based administration console that significantly simplifies the ongoing management of their email and data environment.

 

 

Highly Agile and Adaptable Service. We are continually improving our cloud architecture and services. Our common code base and multi-tenant cloud architecture enables us to perform maintenance updates and add new features or products without interruption to our customers. Continuous service development and multi-tenant rapid deployment also allows us to keep pace with emerging threats to protect customers and respond quickly to changing needs.

 

4


 

 

Facilitate the Movement of Additional Critical Workloads to the Cloud. For those customers that want to put more workloads into the cloud, our technology facilitates the migration of email by removing the complexity that has stalled many customers to date. Our interoperability with cloud-based email servers, such as Microsoft® Office® 365®, makes this easier to achieve and helps mitigate remaining concerns about the reliance of single-vendor security, data integrity, and continuity. Our data ingestion offering also allows customers to more easily migrate legacy data into our cloud archive to ensure it is a complete record of current and historic data.

 

 

Compelling Return on Investment. Our unified, cloud-based services enable our customers to decommission a range of legacy and disparate technologies that support their email server and data environment and recover these costs. We utilize hardware efficiently and share a single instance of operating software, as well as storage and processing hardware, securely across the whole customer base within each data center, allowing us to deliver cloud-scale economic and performance benefits to our customers.

Our Technology

We have developed a native cloud architecture, including our own proprietary software-as-a-service, or SaaS, operating system, known as Mime | OS™, and customer-facing services to address the specific risks and functional limitations of business email and data.

We have a proven record of performing successfully at considerable scale and addressing rapidly growing customer demands. We process approximately 655 million emails per day and manage approximately 386 billion emails in total with our service. We archive approximately 85 petabytes of customer data and add approximately 132 terabytes of customer data per month.

Our Proprietary Native Cloud Architecture— Mime | OS™

We developed our proprietary operating system, Mime | OS™, for native cloud services. Mime | OS™ enables secure multi-tenancy and takes advantage of the cost and performance benefits of using industry-standard hardware and resource sharing specifically for the secure management of email and data. This enables us to provision efficiently and securely across our customer base, minimizing the impact of spare or over-provisioned processing and storage capacity and reducing the cost of providing our services.

Mime | OS™ comprises 20+ microservices that control the hardware, storage, indexing, processing, services, administrator, and user interface layers of our cloud environment. We designed it to enable us to scale our storage, processing, and services to meet large enterprise-level email and data demands, while retaining the cost and performance benefits of a native cloud environment.

Mime | OS™ also streamlines our customer application development and enables strong integration across our services. All of our customer applications and services, except DMARC Analyzer and Brand Exploit Protect, use Mime | OS™ to interact with our data stores and processing technology, as well as interoperate effectively with each other.

Continuous Development Methodology and Multi-Tenancy Advantage

As we enhance and expand our technology, we can update services centrally with little or no intervention required by the customer, as each customer shares the same core operating and application software. Improvements, upgrades, new products or patches are applied once and are available immediately across our whole service to all customers. That means we have only one up-to-date version of our service to maintain and support, as well as a common data store for all customers that simplifies management, support, and product development.

Our commitment to continual improvement in Mime | OS™, our customer applications, and our hardware infrastructure means we are constantly strengthening the performance of our service as we scale. Each week, we roll out upgrades and enhancements centrally that benefit our customers without the need for additional infrastructure investment on their part.

Our Global Data Center Grid and Points of Presence

We operate eight highly available grids in fourteen locations around the world to deliver our services. This gives customers geographic and jurisdictional control over data location, which enables them to address data privacy concerns. Each grid is exclusive to a region and comprises two identical data centers that function in active-active mode in different locations and are built with N+1 resiliency to meet our continuity of service commitments. Because of this redundancy, we can switch operations from one data center to another to maintain our customers’ email and data services in the event of downtime or maintenance for one of the data centers. We have developed a modular approach to provisioning a new data center and can transition among data centers as needed in existing or new geographies.

5


 

Each of the above fourteen locations, along with an additional dedicated fifteenth location, also operate as an individual point of presence, or PoP, to deliver our Web Security services. These services are delivered to customers from the geographically closest PoP within their region. In the event of a PoP outage, customers are served from next closest PoP within their region to maintain continuity of service.

We use other third-party cloud hosting providers to support certain of our services, including DMARC Analyzer and Brand Exploit Protect.

Our Services

The offerings within the Mimecast Solution Framework, which include Email Security 3.0 and Cyber Resilience Extensions, including continuity, web security, and archiving, are designed to protect customer data and provide organizations with comprehensive risk management in a single, cloud-based, integrated service, which is licensed on a subscription basis.

 

          

 

Our primary offerings include:

 

Mimecast Email Security 3.0 service protects against the delivery of malware, malicious URLs and attachments, spam, viruses, impersonation attacks, phishing, and spear-phishing attacks, including business email compromise, identity theft, extortion, fraud, and other emerging attacks, while also preventing data leaks and other internal threats. Our Email Security 3.0 offerings also include awareness training, which addresses security risks associated with the activities of employees by combining effective, modern, and engaging training techniques with predictive analytics, DMARC Analyzer, which allows our customers to more effectively implement and manage complex DMARC deployments, and Brand Exploit Protect, which provides integrated brand exploitation protection.

 

Mimecast Mailbox Continuity service ensures employees can continue using email during unexpected and planned outages such as system maintenance, whether their email is managed in the cloud or on-premises.

 

Mimecast Enterprise Information Archiving unifies email data to support e-discovery, forensic analysis, and compliance initiatives, and gives employees fast access to their personal archive via PC, Mac® and mobile apps.

 

Mimecast Web Security service protects against malicious web activity initiated by user action or malware and blocks access to inappropriate websites based on acceptable use policies.

Mimecast Email Security 3.0

Our Email Security 3.0 offering provides a comprehensive form of protection against email attacks by helping customers advance from perimeter email security to a comprehensive, more pervasive discipline. Our approach addresses threats in three distinct zones: at the email perimeter (Zone 1); inside the network and the organization (Zone 2); and beyond the perimeter (Zone 3).  

6


 

Zone 1: The Perimeter

Mimecast Secure Email Gateway provides a critical defense against hackers seeking to capture and exploit valuable organizational information and disrupt business operations. Our Mimecast Email Security services block spam, malware, malicious URLs, spear-phishing, and defined content from entering or exiting the organization. Further, these services provide administrators granular security and content policy control for inbound and outbound email traffic to help protect against cyber threats and data leaks. Integration into Microsoft Outlook® and via mobile apps provides employees the freedom to be self-sufficient and to manage their quarantines, personal blacklists, and many other aspects of their email security and management. Through our advanced data leak protection and content controls, organizations can prevent the inadvertent or malicious loss of sensitive corporate data. Policies using keywords, pattern matching, file hashes, and dictionaries actively scan all email communications, including file attachments, to stop data leakage and support compliance. Suspect emails can be blocked, quarantined for review by administrators, or sent securely.

We protect inbound and outbound email from malware, spam, advanced persistent threats, email denial of service and distributed denial of service, or DDoS, data leaks, and other security threats.

Inbound email is directed through Mimecast Email Security, which performs comprehensive security checks before the email is delivered to the customer’s email infrastructure. This prevents unwanted email from reaching the customer in the first place and cluttering their infrastructure, unlike on-premises services from competitors. Each day, we monitor approximately 1.2 billion messages and deliver, on average, less than 31% of those messages to the customer.

Outbound email sent from the customer also passes through our service and is checked before being sent on to prevent it from presenting a security threat to the recipient. Outbound email can also be encrypted and scanned by our comprehensive content controls to prevent confidential documents or data leaving the business. Data leak prevention is a key consideration for all organizations.

Customers can benefit from the following Mimecast Email Security services:

 

Targeted Threat Protection: Highly sophisticated targeted attacks, including spear-phishing, are using email to successfully infiltrate organizations, exploit users, and steal valuable intellectual property, customer data, and money.

 

URL Protect addresses the threat from emails containing malicious links. It automatically checks hyperlinks each time they are clicked, preventing employees from visiting malicious websites regardless of what email client or device they are using. It also includes innovative user awareness capabilities so IT teams can raise the security awareness of employees as part of their daily email activities.

 

Attachment Protect reduces the threat from weaponized or malware-laden attachments used in spear-phishing and other advanced attacks. It includes pre-emptive sandboxing to automatically security check email attachments before they are delivered to employees. It also includes the option of an innovative safe file conversion capability that automatically converts attachments into a safe file format, neutralizing any chance of malware.

 

Impersonation Protect gives instant and comprehensive protection from malware-less social engineering attacks, often called CEO fraud, whaling, impersonation, or business email compromise. Impersonation Protect detects and prevents these types of attacks by identifying combinations of key indicators in an email to determine if the content is likely to be suspicious, even in the absence of a URL or attachment. Impersonation Protect blocks or flags suspicious email by using advanced scanning techniques to identify elements commonly used by criminals, including employee, domain, or reply-to names, and other keywords such as ‘wire transfer,’ ‘tax form’, or ‘urgent.’

Zone 2: Inside the Perimeter

Internal Email Protect, or IEP, allows customers to monitor, detect, and remediate security threats that originate from within their internal email systems. This capability provides for the scanning of attachments, URLs, and content in internally generated email. In addition, IEP includes the ability to automatically remediate infected email from a user’s inbox.

Mimecast Awareness Training allows our customers to address security risks associated with the activities of their employees. Mimecast Awareness Training addresses a customer’s vulnerability to human error by combining effective, modern, and engaging training techniques with predictive analytics. By leveraging advanced risk scoring, customers can deliver personalized training regimens or tailor system permissions and access for individual employees based on risky behavior and the likelihood of being targeted for attack.

Zone 3: Beyond the Perimeter

DMARC Analyzer allows our customers to more effectively implement and manage complex DMARC deployments, providing greater visibility and improved governance across all email channels.  

7


 

Brand Exploit Protect provides customers with an integrated brand exploitation protection solution that helps prevent attackers from tricking customers and partners with fake websites by detecting brand attacks in their early stages, blocking them before they can launch, and quickly remediating them if they have gone live.

Cyber Resilience Extensions

Mimecast Enterprise Information Archiving

Our cloud archive consolidates into one store all inbound, outbound, and internal email, including attachments in a perpetual, indexed, and secure archive. Using our Mimecast Enterprise Information Archiving service, customers can also incorporate legacy data from additional archives into the same searchable store.

All data is encrypted and preserved within a Write Once Read Many, or WORM, state. Proprietary indexing and retrieval solutions allow customers to search individual mailboxes or the entire corporate archive. Our mobile, tablet, desktop, and web applications ensure that employees can search and make the best use of their entire corporate archive in a fast, reliable, and informative way. Intensive logging services cover the use of the archive, and roles and permissions govern what employees can see in the archive based on their role. Our purpose-built ingestion and export services support rapid high-volume extraction, scrubbing, and loading of significant quantities of data. Our archive solution retains metadata that arises from gateway and continuity operations and we preserve both received and altered variants of emails that pass through our secure email gateway. Retention options for customers range from individual retentions to data retained for an entire customer on a perpetual basis.

Customers can also purchase the following additional services as part of our Mimecast Enterprise Information Archiving offering:

 

Recoverability: Mimecast Sync & Recover, which works with Microsoft Exchange® and Microsoft Office® 365®, offers three key capabilities on top of the built-in tools provided by Mimecast Archiving, including Sync & Recover, Granular Retention Management, and Mailbox Storage, or Stubbing, Management. Sync & Recover delivers rapid and granular recovery of mailboxes, calendar items, and contacts lost through inadvertent or malicious deletion or corruption.

 

Archive Power Tools: This is a series of advanced archiving tools including:

 

Mimecast Storage Management for Exchange: This enables active mailbox size management, so administrators can optimize email system performance, control costs, and support archive policy enforcement.

 

Mailbox and Folder Tools for Exchange: In an email continuity event or when searching for archived content, access to folder structures and shared mailbox content is key to productivity. This tool makes it easy to replicate individual and shared mailbox folders.

 

Granular Retention Management: Mimecast Granular Retention Management enables IT teams to centrally apply policies to manage the retention of email content and related metadata.

 

Mimecast Compliance Protect: This feature helps customers in highly regulated industries comply with the significant record retention requirements of various regulatory agencies, such as the Securities and Exchange Commission, or the SEC, and the Financial Industry Regulatory Authority, Inc.

Our Mimecast Enterprise Information Archiving service also empowers IT and legal teams with self-service search, case review and legal hold tools to quickly and defensibly perform early case assessments and set case strategy earlier in the litigation process.

As email, file attachments, and associated critical metadata that identifies activity are sent or received, they can be saved in a secure, tamper-proof archive in the Mimecast cloud automatically and indefinitely. Our employee mobile and desktop search tools and administration console then allow for detailed investigation of the archive. Our Mimecast Enterprise Information Archiving service offers secure lifetime storage of email, files, and instant messaging conversations paid for on a per-employee basis and not on a data usage basis. Our search tools make it easy for legal and compliance staff and employees to quickly find data without the need to turn to the IT team. Finally, our archive can also include legacy data that would otherwise be held in additional storage. Using our Legacy Data Migration service, this data can be ingested over-the-wire or via encrypted physical drives sent from the customer to us.

Mimecast Business Continuity

Email continuity protects email and data against the threat of downtime as a result of system failure, natural disasters, planned maintenance, system upgrades, and migrations. Mimecast Mailbox Continuity significantly reduces the cost and complexity of mitigating these risks and provides uninterrupted access to live and historic email and calendar information. During an outage, our service provides real-time inbound, outbound, and internal email delivery. The continuity service can be activated and deactivated directly and instantly from the Mimecast console by administrators for the complete organization or for specific groups affected by

8


 

limited outages. All outage events are fully logged. We also support email top-up services for customers who have to recover their Microsoft Exchange® environments from backups. The continuity service is capable of reliably and securely supporting customers during short or long-term continuity events. Integration with Microsoft Outlook®, a native app for Mac® users, and a full suite of mobile apps means employees have seamless access to their email in the event of a disruption or outage.

As all customer outbound and inbound email is directed to our servers, if a customer’s primary email service fails, Mimecast Mailbox Continuity takes over the delivery and sending of email in real time or at the request of the administrator, offering immediate fail-over and fail-back. When the primary service is re-established, the customer is reassured that there has been no loss of data and that the archive is maintained.

Mimecast Web Security

As the workplace has changed and the how, when, and where of the way employees work has become increasingly flexible, users want to work anytime, anywhere, and on any device. The global COVID-19 pandemic has only increased the requirement that organizations accommodate a remote work force. As a result, the landscape for how our customers manage risk, from cloud applications and the use of unsanctioned IT systems to guest or public Wi-Fi networks, has become increasingly challenging. Email and the web are the sources of nearly all data security incidents and breaches that occur. Most organizations do not monitor domain name system, or DNS, activity, leaving them vulnerable to this communications path. The Mimecast Web Security service protects against malicious web activity initiated by user action or malware, ransomware and other malicious software, and blocks access to inappropriate websites, based on business polices. Our Mimecast Web Security Service adds strong security at the DNS layer of the web and is easy to implement and manage. When combined with the Mimecast Secure Email Gateway, organizations can use a single, cloud-based service that protects against the two dominant cyberattack vectors: email and the web. The combined solution is also built to leverage each customer’s existing configurations for directory synchronization, branding, role-based access control, and other core platform features to help reduce both set-up time and maintenance.

When a user makes a request for a web-based resource (typically in a browser) by clicking a link or typing in an address, that request is then forwarded to the service for resolution and inspection or filtering. The service applies the customer’s acceptable use controls, as well as any bypass exceptions, and evaluates the site’s classification to determine if the site is safe or unsafe. Access to unsafe web resources is blocked, and the user is notified via a block page. Access to safe web resources is immediately allowed, with the IP address of the requested site being returned to the user’s browser so the content can be accessed. Access logs and associated reports generated by the service are available for review by a system administrator with the appropriate privileges.

Mimecast Secure Messaging

Email containing sensitive or confidential information requires appropriate security and control to prevent inadvertent or deliberate data leaks and to protect the information while in transit. Mimecast Secure Messaging is a secure and private channel to share sensitive information with external contacts via email without the need for additional client or desktop software. Sensitive information is kept within our cloud service, strengthening information security, data governance, and compliance without the added IT overhead and complexity of traditional email secure messaging or encryption solutions.

Mimecast Privacy Pack

Mimecast’s Privacy Pack and Data Loss Prevention, or DLP, capabilities allow customers to set DLP policies at the gateway to help prevent breaches and protect against data exfiltration transmissions, while also applying policies inside an organization to help prevent careless, compromised, or malicious employees from sending information to people who should not receive it. Customers can also better support compliance efforts and enforce policies with our managed DLP dictionaries that identify key words related to such topics as protected health information under the Health Insurance Portability and Accountability Act of 1996, personally identifiable information, Payment Card Industry data security standards, and profanity.

Mimecast Large File Send

Employees can create security and compliance risks when they turn to file sharing services to overcome email size limits imposed by their email infrastructure. Mimecast Large File Send enables PC and Mac® users to send and receive large files directly from Microsoft Outlook® or a native Mac® app. It protects attachments in line with customer security and content policies by (i) using encryption, optional access keys, and custom expiration dates; (ii) supporting audit, e-discovery, and compliance by archiving all files and notifications according to email retention policies; and (iii) protecting email system performance from the burden of large file traffic.

9


 

Threat Intelligence and APIs

Our Threat Intelligence Dashboard displays cyber threat data specific to an organization by identifying users who pose the greatest cyber risk, providing recently observed indicators of exploitation, and showing detailed information about detected malware, including origins by region. This threat intelligence data is used to enhance our Email Security 3.0 protections across all three zones.  Our library of application programming interfaces, or APIs, enables integrations with third-party tools to further enhance the cyber threat information available through the dashboard.  

Service Bundles

Many of our customers take advantage of the ability to combine our services and capabilities into a unified service managed from a single administration console. Most customers purchase bundles from the outset, but some prefer to start with specific packages, then upgrade to additional products over time. Our service range continues to respond to the changing threat landscape and reflect customers’ requests for combinations of services across advanced security. Service bundles offer different combinations of core email and web security, continuity, archiving, awareness training and brand protection beyond the traditional security perimeter.

Mimecast Mobile and Desktop Apps

Mobile, PC and Mac® users get self-service access to security features, including spam reporting and managed sender lists, the ability to send and receive email during a primary email system outage, and access to their personal email archive to run searches on its content. Administrators can use granular permissions to activate functions for individual employees or groups of users, while centralized security and policy management means IT teams can retain control over default settings.

Sales and Marketing

Our sales and marketing teams work together to build a strong sales pipeline, cultivate and retain customers, and drive market awareness of our current and future products and services.

Sales

We sell our services through direct sales efforts and through our channel partners. Our sales model is designed to meet the needs of organizations of all sizes across a wide range of industries and in over 140 countries. Our sales team is based in offices in Boston, Chicago, Dallas, and San Francisco, United States; London, United Kingdom; Johannesburg and Cape Town, South Africa; Melbourne and Sydney, Australia; Amsterdam, the Netherlands; Dubai, UAE; and Munich, Germany. We maintain a highly-trained sales force of approximately 510 employees as of March 31, 2020, which is responsible for acquiring and developing new business.

We also have an experienced sales team focused on developing and strengthening our channel partner relationships. Many organizations work with third-party IT channel partners to meet their security, IT, and cloud service needs, so we have formed relationships with a variety of the leading partners to target large enterprises, mid-market, and small organizations. For large enterprises, we work with international partners including CDW and Dimension Data. In the mid-market, we work with leading national partners, including Softchoice, SHI, CDW, and Softcat. The small business market is primarily served by the reseller community and by managed service providers, who typically provide or host email services.

Sales to our channel partners are generally subject to our standard, non-exclusive channel partner agreement, meaning our channel partners may offer customers the products of several different companies. These agreements are generally for a term of one year with a one-year renewal term and can be terminated by us or the channel partner. Payment to us from the channel partner is typically due within 30 calendar days of the date we issue an invoice for such sales. In our fiscal year ended March 31, 2020, while no individual channel partner accounted for 10% or more of our revenue, in the aggregate, our channel partners accounted for 75% of our revenue. We expect that sales to channel partners will continue to account for a substantial portion of our revenue for the foreseeable future.

Our sales cycle varies by size and sophistication of customer, the number of products purchased and the complexity of the project, ranging from several days for incremental sales to existing customers, to many months for sales to new customers or for large deployments with enterprise customers.

We plan to continue to invest in our sales organization to take advantage of a large market opportunity through both the growth of our direct sales organization and investment in our channel partners.

10


 

Marketing

Our marketing strategy is designed to meet the specific needs of each of our customer segments. We are focused on building the Mimecast brand and product awareness, increasing customer adoption of our products, communicating the advantages of our solution and its benefit to organizations, and generating leads for our channel partners and direct sales force. We also invest in public relations and thought leadership content to build our overall brand and visibility. We execute our marketing strategy by using a combination of internal marketing professionals and a network of global channel partners. We invest in field, channel, product and brand marketing, digital marketing, virtual conferences, and web-based seminar campaigns targeting key decision makers within our target customers. We additionally offer free trials and email security risk assessments, known as Email Security Risk Assessments, which provides prospective customers the ability to identify and understand the gaps in their existing email security strategy.

Customer Service and Support

We maintain our strong customer retention rate through the strength and quality of our products, our commitment to our customers’ success, and our award-winning global Customer Success and Support teams, which consist of approximately 380 employees dedicated to ensuring a superior experience for our customers. For each of the fiscal years ended March 31, 2020, 2019 and 2018, our customer retention rate has been consistently greater than 90%. We calculate our annual customer retention rate as the percentage of paying customers on the last day of the prior year who remain paying customers on the last day of the current year. We have designed a comprehensive monitoring methodology that measures and evaluates the interactions we have with our customers, from sales and on-boarding to support and renewal.

Our Legacy Data Migration service helps solve the problems customers face when extracting data and getting it into the right format for importing to the cloud, which can be expensive, time-consuming, and require interactions with multiple vendors. In addition, we offer a full range of support services to our global customer base, including comprehensive online resources and email support with no outsourcing of support or account management to third parties. Our comprehensive education and consultancy offerings include administrator training and certification, end-user training, and e-discovery training for compliance teams, all of which are available in-person and online. Beyond customer support and training, we also provide a range of services that are designed to provide additional enablement to customers who require it, especially larger enterprises with more complex email infrastructure and legacy data.

We offer a service level agreement as part of our standard contract that contains commitments regarding the delivery of email messages to and from our servers, the speed at which our archive can produce search results, and our ability to correctly identify and isolate spam and viruses. If we do not achieve these levels, the customer can request a credit. Payment of the credit will be made subject to verification of the problem. These credits are tiered according to the extent of the service issued. The amount of credits provided to customers to date has been immaterial in all historical periods.

Customers

As of March 31, 2020, we had approximately 38,100 customers and protected millions of their employees in over 140 countries. Our diverse global footprint is evidenced by the fact that in the fiscal year ended March 31, 2020, we generated 51% of our revenue from the United States, 29% from the United Kingdom, 12% from South Africa, and 8% from the rest of the world. Our customers range from large enterprises with over 500,000 employees to small organizations with less than 50 employees and represent a diverse set of industries. For example, in the fiscal year ended March 31, 2020, we generated 14% of our revenue from customers in the professional, scientific and technical services industry, 13% from customers in the finance and insurance industry, 9% from customers in the legal services industry, and 9% from customers in the manufacturing industry. Our business is not dependent on any single customer. No single customer represented more than 1% of our annual revenue in the fiscal years ended March 31, 2020, 2019 or 2018. See Item 6, “Selected Financial Data” in this Annual Report on Form 10-K for our definition of “customer.”

Research and Development

Our engineering, operations, product, and development teams work together to enhance our existing products, technology infrastructure, and the underlying Mime | OS™ cloud architecture, as well as develop our new product pipeline. Our research and development and product management teams interact with our customers and partners to address emerging market needs, counter developing threats, and drive innovation in risk management and data protection. We operate a continuous delivery model for improvements to our infrastructure and products to ensure customers benefit from regular updates in protection and functionality without the need for significant intervention on their part. Our research and development and product management efforts give prominence to services that enhance our unification commitment and allow customers to displace point solutions or on-premises products.

 

11


 

Intellectual Property

Our success is dependent, in part, on our ability to protect our proprietary technologies and other intellectual property rights. We primarily rely on a combination of trade secrets, copyrights, and trademarks, as well as contractual protections, to establish and protect our intellectual property rights. As of March 31, 2020, we had 18 patents issued and 13 patent applications pending in the United States. We also have 5 patents issued in non-U.S. jurisdictions. We intend to pursue additional patent protection to the extent that we believe it would be beneficial and cost effective.

We have registered “Mimecast” and certain other marks as trademarks in the United States and several other jurisdictions. We also have a number of registered and unregistered trademarks in the United States and certain other jurisdictions and will pursue additional trademark registrations to the extent we believe it would be beneficial and cost effective. We are the registered holder of a variety of domestic and international domain names that include “mimecast.com,” “mimecast.co.uk,” “mimecast.co.za,” and similar variations.

In addition to the protection provided by our intellectual property rights, as part of our confidentiality procedures, all of our employees and independent contractors are required to sign agreements acknowledging that all inventions, trade secrets, works of authorship, developments, and other processes generated by them on our behalf are our property, and they assign to us any ownership that they may claim in those works. We also generally enter into confidentiality agreements with our employees, consultants, partners, vendors, and customers, and generally limit access to and distribution of our proprietary information.

Despite our precautions, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products and services that compete with ours. Some contractual restrictions protecting against unauthorized use, copying, transfer, and disclosures of our products may be unenforceable under the laws of certain jurisdictions and foreign countries. In addition, the laws of some countries do not protect proprietary rights to as great of an extent as the laws of the United States, and many foreign countries do not enforce these laws as diligently as government agencies and private parties in the United States. Our exposure to unauthorized copying and use of our products and misappropriation of our proprietary information may increase as a result of our foreign operations.

We expect that software and other solutions in our industry may be increasingly subject to third-party infringement claims as the number of competitors grow and the functionality of products in different industry segments overlaps. Moreover, many of our competitors and other industry participants have been issued patents, or filed patent applications, and have asserted claims and related litigation regarding patent and other intellectual property rights. Third parties, including non-practicing patent entities, have from time to time claimed, are claiming, and could claim in the future, that our technologies infringe patents they now hold or might obtain or be issued in the future. See Part I, Item 1A, “Risk Factors — We are currently being sued, have been sued in the past and may in the future be sued by third parties for alleged infringement of their proprietary rights” and Part I, Item 3, “Legal Proceedings” in this Annual Report on Form 10-K.

Competition

Our market is large, highly competitive, fragmented, and subject to rapidly evolving technology and security threats, shifting customer needs, and frequent introductions of new products and services. We do not believe that any specific competitor offers the fully unified service and integrated technology that we do. However, we do compete with companies that offer products that target email, web and data security, awareness training, continuity, archiving, DMARC reporting, and digital brand protection, as well as large providers such as Google Inc. and Microsoft Corporation, who offer functions and tools as part of their core mailbox services that may be, or be perceived to be, similar to our offerings.

Our current and potential future competitors include:

 

Security: Barracuda Networks, Inc., Google, Microsoft Exchange Online Protection, Proofpoint, Inc., Symantec Corporation, Agari Data, Inc., and Cisco Systems Inc.;

 

Archiving: Dell EMC, Microsoft Office® 365®, Proofpoint, Inc., Veritas Technologies LLC, Smarsh Inc., and Barracuda;

 

Awareness Training: KnowBe4, Inc., Cofense Inc., and Wombat Security, a division of Proofpoint, Inc.;

 

Web security: Cisco, Webroot Inc., TitanHQ’s Webtitan, SafeDNS, Inc., Akamai Technologies, Inc, Infoblox Inc., Forcepoint LLC, Trustwave Holdings, Inc., and Zscaler, Inc.;

 

DMARC reporting: Agari, Valimail Inc., dmarcian, Inc., Ondemarc by Redsift Limited, and ReturnPath’s email fraud protection, a division of Proofpoint, Inc.; and

 

Digital brand protection: RSA Security LLC, a division of Dell EMC, RiskIQ, Inc., and MarkMonitor Inc.

12


 

Some of our current and future competitors may have certain competitive advantages such as greater name recognition, longer operating history, larger market share, larger existing user base, and greater financial, technical, and other resources. Some competitors may be able to devote greater resources to the development, promotion, and sale of their products than we can to ours, which could allow them to respond more quickly than we can to new technologies, threats, and changes in customer needs. We cannot provide any assurance that our competitors will not offer or develop products or services that are superior to ours or achieve greater market acceptance.

The principal competitive factors in our market include, but are not limited to:

 

reliability and effectiveness in protecting, detecting, and responding to cyberattacks;

 

scalability and multi-tenancy of our system;

 

breadth and unification of our services;

 

cloud-only delivery;

 

total cost of ownership;

 

speed, availability, and reliability;

 

integration into office productivity, desktop, and mobile tools;

 

speed at which our services can be deployed;

 

ease of user experience for IT administrators and employees; and

 

superior customer service and commitment to customer success.

We believe that we compete favorably based on these factors. Our ability to remain competitive will depend to a great extent upon our ongoing performance in the areas of product and cloud architecture development, core technical innovation, channel management, and customer support.

Employees

As of March 31, 2020, we had 1,800 employees and subcontractors, including 718 in sales and marketing, 408 in research and development, 384 in services and support and 290 in general and administrative. While we have operations in the United Kingdom, the United States, South Africa, Australia, Germany, and Israel, most of our employees are based in the United Kingdom and the United States. None of our employees are represented by a labor union or covered by a collective bargaining agreement. We have never experienced a strike or similar work stoppage, and we consider our relations with our employees to be good.

Corporate Information

Mimecast Limited was incorporated under the laws of the Bailiwick of Jersey with company number 119119 on July 28, 2015 as a public company limited by shares. On November 4, 2015, Mimecast Limited became the holding company of Mimecast UK Limited, a private limited company incorporated in 2003 under the laws of England and Wales and its subsidiaries by way of a share-for-share exchange in which the shareholders of Mimecast UK Limited exchanged their shares in Mimecast UK Limited for an identical number of shares of the same class in Mimecast Limited. Following the exchange, the historical consolidated financial statements of Mimecast UK Limited became the historical consolidated financial statements of Mimecast Limited. Mimecast Limited has 13 subsidiaries.  Our principal operating companies are Mimecast UK Limited, a company organized under the laws of England and Wales; Mimecast Services Ltd., a company organized under the laws of England and Wales; Mimecast North America, Inc., a Delaware, United States corporation; Mimecast South Africa (Pty) Ltd., a South African corporation; Mimecast Australia Pty. Ltd., an Australian corporation; and Mimecast Germany GmbH, a German corporation, each of which is a wholly-owned subsidiary of Mimecast Limited. Our principal executive office is located at 1 Finsbury Avenue, London, EC2M 2PF, United Kingdom.

Our ordinary shares are traded on The Nasdaq Global Select Market under the symbol “MIME.”

Geographic Information

For financial reporting purposes, total revenue, and property and equipment, net attributable to geographic areas are presented in Note 16, “Segment and Geographic Information”, to the consolidated financial statements, included elsewhere in this Annual Report on Form 10-K.

13


 

Available Information

We maintain an Internet website at www.mimecast.com. The information on, or that can be accessed through, our website is not incorporated by reference into this Annual Report on Form 10-K and should not be considered to be a part of this Annual Report on Form 10-K. Our website address is included in this Annual Report on Form 10-K as inactive textual reference only. Our reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended, or the Exchange Act, including our Annual Reports on Form 10-K, our Quarterly Reports on Form 10-Q and our Current Reports on Form 8-K, and amendments to those reports, are accessible through our website, free of charge, as soon as reasonably practicable after these reports are filed electronically with, or otherwise furnished to, the SEC. The SEC maintains an internet site that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC, including us, at http://www.sec.gov. We also make available on our website the charters of our audit committee, compensation committee and nominating and corporate governance committee, as well as our corporate governance guidelines and our code of business conduct and ethics. You may request copies of our reports and the other documents referenced above, at no cost, by writing to or telephoning us as follows:

Mimecast Limited

Attention: Investor Relations

191 Spring Street

Lexington, Massachusetts 02421

Telephone: 617-393-7050

14


 

Item 1A. Risk Factors.

Our business, financial condition, results of operations and future growth prospects could be materially and adversely affected by the following risks or uncertainties. The risks and uncertainties described below are those that we have identified as material, but they are not the only risks and uncertainties we face. Our business is also subject to general risks and uncertainties that affect many other companies, including overall economic and industry conditions, as well as other risks not currently known to us or that we currently consider immaterial. If any of such risks and uncertainties actually occurs, our business, financial condition, results of operations and prospects could differ materially from the plans, projections and other forward-looking statements included in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and elsewhere in this Annual Report on Form 10-K and in our other public filings.

Risks Related to Our Business and Our Industry

The global COVID-19 pandemic, including the related containment efforts, has had, and we expect will continue to have, certain negative impacts on our business and operations, and we are unable to predict with certainty the extent to which it may continue to adversely affect our business, results of operations and financial condition.

In December 2019, a novel strain of coronavirus, or COVID-19, was reported to have surfaced in Wuhan, China. As of May 2020, COVID-19 has spread to Europe, the United States and most other countries, and has been declared a pandemic by the World Health Organization. The COVID-19 pandemic is evolving, and to date has led to the implementation of various responses, including global government-imposed quarantines, stay-at-home orders, travel restrictions, mandated business closures and other public health safety measures. Such containment efforts have caused significant societal and economic disruption worldwide, including in all of the regions in which we operate our business and sell our products and services. To date, we have taken a number of actions as a result of the COVID-19 pandemic. Our actions include, among others: (i) a decision to close all of our global offices, including our global headquarters in London, United Kingdom, and the resulting shift to a virtual work environment where all of our employees, including our global sales and customer support staff, are working remotely; (ii) a decision to limit and then ultimately ban all non-essential travel, including international travel; (iii) a decision to cancel or shift to virtual-only certain customer, industry and employee events; and (iv) the establishment of an employee support fund, funded in part by executive and employee donations, to offset the impact of the pandemic on our more vulnerable employees. The expected duration of these actions is uncertain, and we expect that the transition back to normal operations will take time, perhaps several months. We believe that the COVID-19 pandemic has negatively impacted and will continue to negatively impact our business and results of operations in a number of ways, including (i) an impact on the demand for our products and services caused by a decline in the rate of IT spending and a delay in purchasing decisions as IT and security staff focus on addressing the disruption to their businesses, which will impact sales to prospects and existing customers and increase customer attrition, (ii) restrictions on our global sales and marketing operations, including eliminating in-person sales activities, (iii) our employees’ ability to perform necessary business functions, including as a result of illness, family illness and general economic hardship, or as a result of restrictions on movement, including the necessity of working from home for an extended period, (iv) customers seeking extended payment terms or declaring bankruptcy or seeking to liquidate making collectability of accounts receivables difficult or impossible, (v) a disruption to our supply chain, particularly as it relates to hardware needed to expand existing data centers and planned data centers, (vi) continued currency volatility, and (vii) an increased risk of information or cybersecurity incidents and a failure to maintain the uninterrupted operation of our information systems due to, among other things, an increase in remote work. In addition, governmental authorities both in the United States and in Europe have adopted or proposed measures to provide economic assistance to businesses, to stabilize the markets and to support economic stability.  The future success of these measures is unknown, and they may not be sufficient to mitigate the negative impact of the global COVID-19 pandemic. We have been closely monitoring the impact of the COVID-19 pandemic on all aspects of our business, including how it will impact our operations and the operations of our customers, suppliers, vendors and business partners, and may take further precautionary and preemptive actions as may be required by government authorities.

Any of the negative impacts of the global COVID-19 pandemic, including those described above, alone or in combination with others, may have a material adverse effect on our results of operations and financial condition. The extent to which the global COVID-19 pandemic will continue to adversely affect our business and results of operations will depend on numerous evolving factors and future developments that we are not able to predict, including the duration, spread and severity of the outbreak, including the potential that there could be recurring outbreaks in the future, the nature and effectiveness of containment measures, the effect on the economy, unemployment, and IT and security spending in particular, and how quickly and to what extent normal economic and business operations can resume. Because our services are offered on a subscription basis, the effect of the pandemic may not be fully reflected in our operating results until future periods. If the global COVID-19 pandemic is prolonged, it could amplify the negative impacts on our business and results of operations, and may also heighten many of the other risks, including risk factors, described in this section and elsewhere in this Annual Report on Form 10-K. It is also possible that any adverse impacts of the pandemic and containment measures may continue once the pandemic is controlled and the containment measures are lifted.

15


 

If we are unable to attract new customers and retain existing customers, our business and results of operations will be affected adversely.

To succeed, we must continue to attract new customers and retain existing customers who desire to use our existing security, continuity and archiving offerings and new products we introduce from time to time. Acquiring new customers is a key element of our continued success, growth opportunity and future revenue. We will continue to invest in a direct sales force combined with a focused channel strategy designed to serve the various requirements of small, mid-market and large enterprises and to bring new customers onto our cloud architecture. Any failures by us to execute in these areas will negatively impact our business.  The rate at which new and existing customers purchase our products depends on a number of factors, including those outside of our control. For example, a deterioration in macroeconomic conditions in the markets we operate in as a result of the global COVID-19 pandemic or for other reasons could have a negative impact on our customers, which could adversely impact our ability to attract new customers and retain existing customers.  In the past, negative macroeconomic conditions resulted in reductions in demand for IT-related capital spending generally and security solutions specifically, particularly in the financial services, legal and other industries that we target. Also, in the fiscal year ended March 31, 2017, we benefited from the decision by Intel Corporation to end-of-life its McAfee MX Logic email protection product.  Our future success also depends on retaining our current customers at acceptable retention levels. Our retention rates may decline or fluctuate as a result of a number of factors, some of which may be outside our control, including competition, customers’ budgeting and spending priorities, and overall general economic conditions in the geographic regions in which we operate. For example, the impact of the COVID-19 pandemic on the current economic environment has caused, and may in the future cause, such customers to request concessions including extended payment terms or better pricing. Customers may delay or cancel information technology projects or seek to lower their costs by renegotiating existing vendor contracts. If our customers do not renew their subscriptions for our products and services, our revenue would decline and our business would suffer. In future periods, our total customers and revenue could decline or grow more slowly than we expect.

If we are unable to sell additional services, features and products to our existing customers, our future revenue and operating results will be harmed.

A significant portion of our revenue growth is generated from sales of additional services, features and products to existing customers. Our future success depends, in part, on our ability to continue to sell such additional services, features and products to our existing customers. We devote significant efforts to developing, marketing and selling additional services, features and products and associated support services to existing customers and rely on these efforts for a portion of our revenue. These efforts require a significant investment in building and maintaining customer relationships, as well as significant research and development efforts in order to provide upgrades and launch new services, features and products. The rate at which our existing customers purchase additional services, features and products depends on a number of factors, including the perceived need for additional security, continuity and archiving services, the efficacy of our current services, the perceived utility and efficacy of our new offerings, our customers’ IT budgets and general economic conditions in the geographic regions in which we operate, which may be impacted by the economic uncertainty resulting from the global COVID-19 pandemic. If our efforts to sell additional services, features and products to our customers are not successful, our future revenues and operating results will be harmed.

Our business depends substantially on customers renewing their subscriptions with us and a decline in our customer renewals would harm our future operating results.

In order for us to maintain or improve our operating results, it is important that our customers renew their subscriptions with us when the existing subscription term expires. Although the majority of our customer contracts include auto-renew provisions, our customers have no obligation to renew their subscriptions upon expiration, and we cannot provide assurance that customers will renew subscriptions at the same or higher level of service, if at all, particularly given the economic uncertainty resulting from the global COVID-19 pandemic. For each of the fiscal years ended March 31, 2020, 2019 and 2018, our customer retention rate has been consistently greater than 90%. We calculate customer retention rate as the percentage of paying customers on the last day of the relevant period in the prior year who remain paying customers on the last day of the relevant period in the current year. The rate of customer renewals may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction or dissatisfaction with our solutions, outages impacting our service, the effectiveness of our customer support services, our pricing, the prices of competing products or services, mergers and acquisitions affecting our customer base, or reductions in our customers’ spending levels or general economic conditions in the geographic regions in which we operate. If our customers do not renew their subscriptions, or renew on less favorable terms, our revenue may decline, and we may not realize improved operating results from our customer base.

16


 

The markets in which we participate are highly competitive, with several large established competitors, and our failure to compete successfully would make it difficult for us to add and retain customers and would reduce or impede the growth of our business.

Our market is large, highly competitive, fragmented and subject to rapidly evolving technology, shifting customer needs and frequent introductions of new products and services. We currently compete with companies that offer products that target email, web and data security, awareness training, continuity, archiving, DMARC reporting, and digital brand protection, as well as large providers such as Google Inc. and Microsoft Corporation, which offer functions and tools as part of their core mailbox services that may be, or be perceived to be, similar to ours.

Our current and potential future competitors include:

 

Security: Barracuda Networks, Inc., Google, Microsoft Exchange Online Protection, Proofpoint, Inc., Symantec Corporation, Agari Data, Inc., and Cisco Systems Inc.;

 

Archiving: Dell EMC, Microsoft Office® 365®, Proofpoint, Inc., Veritas Technologies LLC, Smarsh Inc., and Barracuda;

 

Awareness training: KnowBe4, Inc., Cofense Inc., and Wombat Security, a division of Proofpoint, Inc.;

 

Web security: Cisco, Webroot Inc., TitanHQ’s Webtitan, SafeDNS, Inc., Akamai Technologies, Inc, Infoblox Inc., Forcepoint LLC, Trustwave Holdings, Inc., and Zscaler, Inc.;

 

DMARC reporting: Agari, Valimail Inc., dmarcian, Inc., Ondemarc by Redsift Limited, and ReturnPath’s email fraud protection, a division of Proofpoint, Inc.; and

 

Digital brand protection: RSA Security LLC, a division of Dell EMC, RiskIQ, Inc., and MarkMonitor Inc.

In addition, as we launch new products and services, we will face competition from new and existing competitors. We expect competition to increase in the future from both existing competitors and new companies that may enter our markets. Additionally, some potential customers, particularly large enterprises, may elect to develop their own internal products. If two or more of our competitors were to merge or partner with one another, the change in the competitive landscape could reduce our ability to compete effectively. Our continued success and growth depends on our ability to out-perform our competitors at the individual service level as well as increasing demand for a unified service infrastructure. We cannot guarantee that we will out-perform our competitors at the product level or that the demand for a unified service technology will increase.

Some of our current competitors have, and our future competitors may have, certain competitive advantages such as greater brand and name recognition, longer operating history, larger market share, larger existing user base and greater financial, technical and other resources. Some competitors may be able to devote greater resources to the development, promotion and sale of their products and services than we can to ours, which could allow them to respond more quickly than we can to new technologies and changes in customer needs. We cannot assure you that our competitors will not offer or develop products or services that are superior to ours or achieve greater market acceptance.

Failure to effectively expand our sales and marketing capabilities could harm our ability to acquire new customers and achieve broader market acceptance of our services.

Acquiring new customers and expanding sales to existing customers will depend to a significant extent on our ability to expand our sales and marketing operations. We generate approximately one-fourth of our revenue from direct sales and we expect to continue to rely on our sales force to obtain new customers and grow revenue from our existing customer base. We expect to expand our global sales force, and we face a number of challenges in achieving our hiring goals. For instance, there is significant competition for sales personnel, including sales engineers, with the sales skills and technical knowledge that we require. In addition, training and integrating a large number of sales and marketing personnel in a short period of time requires the allocation of significant internal resources. Our ability to achieve projected growth in revenue in the future will depend, in large part, on our success in recruiting, training and retaining sufficient numbers of sales personnel, all of which may be negatively impacted by the global COVID-19 pandemic. We invest significant time and resources in training new sales personnel to understand our solutions. In general, new hires require significant training and substantial experience before becoming productive. Our recent hires and planned hires may not become as productive as we require, and we may be unable to hire or retain sufficient numbers of qualified individuals in the future in the markets where we currently operate or where we seek to conduct business. Our growth may be materially and adversely impacted if the efforts to expand our sales and marketing capabilities are not successful or if they do not generate a sufficient increase in revenue.

Data security and integrity are critically important to our business, and breaches of our information and technology networks and unauthorized access to a customer’s data could harm our business and operating results.

We have experienced, and will continue to experience, cyberattacks and other malicious internet-based activity, which continue to increase in sophistication, frequency and magnitude. Because our services involve the storage of large amounts of our customers’ sensitive and proprietary information, solutions to protect that information from cyberattacks and other threats, data security and integrity are critically important to our business. Also, as more of our customers move to working remotely for extended periods of time during the global COVID-19 pandemic we expect there will be an increased amount of sensitive and proprietary information that

17


 

is stored in our solutions, which increases the exposure and risk of cyberattacks and other malicious internet-based activity. Despite all of our efforts to protect this information, we cannot provide assurance that systems that access our services and databases will not be compromised or disrupted, whether as a result of criminal conduct, DDoS, attacks, such as the significant attack we experienced in September 2015, or other advanced persistent attacks by malicious actors, including hackers, state-backed hackers and cybercriminals, breaches due to employee error or malfeasance, or other disruptions during the process of upgrading or replacing computer software or hardware, power outages, computer viruses, hardware and software errors by the vendors we rely upon, telecommunication or utility failures or natural disasters or other catastrophic events. Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently or may be designed to remain dormant until a predetermined event and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. Though it is difficult to determine what harm may directly result from any specific interruption or breach, unauthorized access to or disclosure of confidential information, disruption, including DDoS attacks, or the perception that the confidential information of our customers is not secure, any of these events could result in (i) a material loss of business and revenue, (ii) significant remediation costs such as liability for stolen assets or information and repairs of system damage, (iii) substantial legal liability and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities, (iv) significant harm to our reputation, (v) increased cybersecurity protection costs and insurance premiums and (vi) damage to our competitiveness. Further, any mandatory regulatory disclosures regarding a security breach, unauthorized access to or disclosure of confidential information often lead to widespread negative publicity, which may cause our customers to lose confidence in the effectiveness of our data security measures.

We must continually monitor and develop our information technology networks and infrastructure to prevent, detect, address and mitigate the risk of unauthorized access and expend significant resources to respond to threats to security. However, despite our efforts, we may fail to identify these new and complex methods of attack or fail to invest sufficient resources in security measures. In addition, as we increase our customer base and our brand becomes more widely known and recognized, we may become a more attractive target for malicious third parties. Any breach of our security measures as a result of third-party action, employee negligence and/or error, malfeasance, defects or otherwise that compromises the confidentiality, integrity or availability of our data or our customers’ data could result in:

 

severe harm to our reputation or brand, or materially and adversely affect the overall market perception of the security and reliability of our services;

 

individual customer and/or class action lawsuits, which could result in financial judgments against us and which would cause us to incur legal fees and costs;

 

legal or regulatory enforcement action, which could result in fines and/or penalties and which would cause us to incur legal fees and costs; and/or

 

additional costs associated with responding to the interruption or security breach, such as investigative and remediation costs, the costs of providing individuals and/or data owners with notice of the breach, legal fees, the costs of any additional fraud detection activities, or the costs of prolonged system disruptions or shutdowns.

Any of these events could materially adversely impact our business and results of operations.

Data privacy concerns, evolving regulations of cloud computing, cross-border data transfer restrictions and other domestic or foreign laws and regulations may limit the use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers or support existing customers thus reducing our revenues, harming our operating results and adversely affecting our business.

 

Laws and regulations related to the provision of services on the internet are increasing, as federal, state and foreign governments continue to adopt new laws and regulations addressing data privacy and the collection, processing, storage and use of personal information. For example, in the United States, these include laws and regulations promulgated under the authority of the Federal Trade Commission, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, the Graham-Leach-Bliley Act of 1999, and state breach notification and data privacy laws, as well as regulator enforcement positions and expectations reflected in federal and state regulatory actions, settlements, consent decrees and guidance documents. On June 28, 2018, the State of California enacted the California Consumer Privacy Act of 2018, or CCPA, which became effective on January 1, 2020. The CCPA governs the collection, sale and use of California consumers’ (i.e., California residents’) personal information (as that term is broadly defined by the CCPA), and it has significant impacts on businesses’ handling of personal information and existing privacy policies and procedures. The CCPA gives California consumers expanded rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used by requiring covered companies to provide new disclosures to California consumers (as that term is broadly defined) and provide such consumers new ways to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation.  The CCPA, as well as data privacy laws that have been proposed in other U.S. states, may limit our ability to use, process

18


 

and store certain data, which may decrease adoption of our services, increase our costs for compliance, and harm our business, financial condition, cash flows and results of operations. In addition, the CCPA may subject us to regulatory fines by the State of California, individual claims, and increased commercial liabilities. Internationally, virtually every jurisdiction in which we operate has established its own data security, data protection and privacy legal frameworks with which we, or our customers, must comply, including the European Union General Data Protection Regulation, or GDPR. The GDPR applies to any company established in the European Union as well as to those outside the European Union if they collect and use personal data in connection with the offering of goods or services to individuals in the European Union or the monitoring of their behavior. The GDPR has enhanced data protection obligations for controllers of personal data, including, for example, expanded disclosures about how personal information is to be used, limitations on retention of information, mandatory data breach notification requirements and has created onerous new obligations and liabilities on service providers or data processors. Under GDPR, fines of up to 20,000,000 Euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed. Moreover, data subjects can claim damages resulting from violations of the GDPR. The GDPR further grants non-profit organizations the right to bring claims on behalf of data subjects. In addition, further to the United Kingdom’s exit from the European Union on January 31, 2020, the GDPR will continue to apply in the United Kingdom until the end of the transition period on December 31, 2020. Unless the transition period is extended, as of January 1, 2021, the GDPR will be brought into UK law as the ‘UK GDPR’, but there may be further developments about the regulation that may impact certain issues such as data transfers between the United Kingdom and the European Union.  We may be required to take steps to ensure the lawfulness of our data transfers, particularly if by the end of the transition period the European Union Commission has not made an adequacy decision regarding the United Kingdom’s data protection regime.

 

Given the breadth and depth of changes in data protection obligations, complying with its requirements has caused us to expend significant resources and such expenditures are likely to continue into the future as we respond to new interpretations and enforcement actions and as we continue to negotiate data processing agreements with our customers and business partners.

To facilitate and legitimize the transfer of both customer and personnel data from the European Union and the United Kingdom to the United States, in the past we have relied on the EU-U.S. Safe Harbor Framework, which required U.S.-based companies to provide assurance that they were adhering to relevant European standards for data protection. In October 2015, the Court of Justice of the European Union invalidated the EU-U.S. Safe Harbor Framework. In February 2016, the U.S. and European Union announced agreement on a new framework for transatlantic data flows entitled the EU-U.S. Privacy Shield and on July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under European Union law. On January 12, 2017, the Swiss Government approved the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss data protection requirements when transferring personal data from Switzerland to the United States.  We are currently certified under the EU-US and the Swiss-US Privacy Shield frameworks. However, the Privacy Shield continues to be subject to legal challenges and, as a result, there is some uncertainty regarding its future validity and our ability to rely on it for European to US data transfers.  If the Privacy Shield is ultimately invalidated, we will be required to identify and implement alternative solutions to ensure that we are in compliance with European data transfer requirements.  If we fail to comply fully with European privacy laws, European Union data protection authorities might impose upon us a number of different sanctions, including fines and restrictions on transfers.

Given the nature of our business and the types of information our customers store on our systems and the global reach of our business, including our operations in the U.S., our corporate headquarters in London, United Kingdom, our German operations and our customers throughout the rest of Europe, evolving data privacy and data protection laws and regulations in the U.S., the United Kingdom and the European Union and elsewhere may significantly impact our business.

Privacy and data protections laws and regulations are subject to new and differing interpretations and there may be significant inconsistency in laws and regulations among the jurisdictions in which we operate or offer our SaaS solutions.  Legal and other regulatory requirements could restrict our ability to store and process data as part of our SaaS solutions, or, in some cases, impact our ability to offer our SaaS products in certain jurisdictions. Such laws may also impact our customers' ability to deploy certain of our solutions globally, to the extent they utilize our products for storing personal information that they store and process. In addition, in many cases these privacy laws apply not only to transfers of information to third parties, but also within an enterprise, including our company or our customers. Additionally, if third parties that we work with violate applicable laws or our policies, such violations may also put our customers’ information at risk and could in turn have an adverse effect on our business. The costs of compliance with, and other burdens imposed by, data privacy laws, regulations and standards may require resources to create new products or modify existing products, could lead to us being subject to significant fines, penalties or liabilities for noncompliance, and may slow the pace at which we close sales transactions, any of which could harm our business.

 

 

 

 

19


 

Our business and results of operations may be negatively impacted by the United Kingdom’s withdrawal from the European Union

In June 2016, the United Kingdom held a referendum in which a majority of voters approved an exit from the European Union, or Brexit. After nearly three years of negotiation and political and economic uncertainty, the United Kingdom’s withdrawal from the European Union became effective on January 31, 2020. Under the terms of the withdrawal agreement, the United Kingdom and the European Union will continue to negotiate the terms of trade and other matters during a transition period that will end on December 31, 2020.  Negotiations between the United Kingdom and the European Union are expected to continue in relation to the customs and trading relationship between the United Kingdom and the European Union following the expiration of the Brexit transition period. During the Brexit transition period, the United Kingdom will continue to be subject to the laws and obligations applicable to all European Union members, including laws related to trade and data privacy.  As a result, there still remains considerable uncertainty regarding the ultimate terms of the withdrawal. Brexit, including developments that occur during the Brexit transition period, may affect our results of operations in a number of ways, including increasing currency exchange risk and disruptions in trade and the free movement of goods and services to and from the United Kingdom, generating instability in the global financial markets or negatively impacting the economies of the United Kingdom and Europe.  In addition, because of our significant presence in the United Kingdom, it is possible that Brexit may impact some or all of our current operations.  For example, some of our European customers that are not based in the United Kingdom may require that we move their data from our United Kingdom data centers to our data centers based in Germany.  Brexit may also impact our ability to freely move employees from our London headquarters to our other locations in Europe. The long-term effects of Brexit will depend in part on any agreements the United Kingdom makes to retain access to markets in the European Union during the Brexit transition period.  We expect that Brexit could lead to legal uncertainty and potentially divergent national laws and regulations as the United Kingdom determines which European Union laws to replicate or replace, including those related to data privacy as described above.  Any of these effects of Brexit, and others we cannot anticipate, could negatively impact our business and results of operations.

Any serious disruptions in our services caused by defects in our software or otherwise may cause us to lose revenue and market acceptance.

Our customers use our services for the most critical aspects of their business, and any disruptions to our services or other performance problems with our services, however caused, could hurt our brand and reputation and may damage our customers’ businesses. We provide regular updates, which may contain undetected errors when first introduced or released. In the past, we have discovered software errors, failures, vulnerabilities and bugs in our services after they have been released and new errors in our existing services may be detected in the future. Real or perceived errors, failures, system delays, interruptions, disruptions or bugs could result in negative publicity, loss of or delay in market acceptance of our services, loss of competitive position, delay of payment to us, lower renewal rates, or claims by customers for losses sustained by them. In such an event, we may be required, or may choose, for customer relations or other reasons, to expend additional resources in order to mitigate or correct the problem. We seek to cap the liability to which we are exposed in the event of losses or harm to our customers, but we cannot be certain that we will obtain these caps or that these caps, if obtained, will be enforced in all instances. We carry insurance; however, the amount of such insurance may be insufficient to compensate us for any losses that may result from claims arising from defects or disruptions in our services. As a result, we could lose future sales and our reputation and our brand could be harmed.

 

If we are unable to effectively increase sales of our services to large enterprises while mitigating the risks associated with serving such customers, our business, financial position and results of operations may suffer.

As we seek to increase our sales to large enterprise customers, we may face longer sales cycles, more complex customer requirements, unfavorable contractual terms, substantial upfront sales costs and less predictability in completing some of our sales than we do with smaller customers. In addition, our ability to successfully sell our services to large enterprises is dependent on us attracting and retaining sales personnel with experience in selling to large organizations. Also, because security breaches and disruptions of larger, more high-profile enterprises are likely to be heavily publicized, there is increased reputational risk associated with serving such customers. If we are unable to increase sales of our services to large enterprise customers while mitigating the risks associated with serving such customers, our business, financial position and results of operations may suffer.

If we are unable to maintain successful relationships with our channel partners, our ability to acquire new customers could be adversely affected.

In order to grow our business, we anticipate that we will continue to depend on our relationships with our channel partners who we rely on, in addition to our direct sales force, to sell and support our services. In our fiscal year ended March 31, 2020, while no individual channel partner accounted for 10% or more of our revenue, in the aggregate, our channel partners accounted for 75% of our revenue. We expect that sales to channel partners will continue to account for a substantial portion of our revenue for the foreseeable future. We utilize channel partners to efficiently increase the scale of our marketing and sales efforts, increasing our market penetration to customers which we otherwise might not reach on our own. Our ability to achieve revenue growth in the future will depend, in part, on our success in maintaining successful relationships with our channel partners.

20


 

Our agreements with our channel partners are generally non-exclusive, meaning our channel partners may offer customers competitive services from different companies. If our channel partners do not effectively market and sell our services, choose to use greater efforts to market and sell their own products or services or those of others, or fail to meet the needs of our customers, our ability to grow our business, sell our services and maintain our reputation may be adversely affected. Our agreements with our channel partners generally allow them to terminate their agreements for any reason upon 90 days’ notice. The loss of key channel partners, our possible inability to replace them, or the failure to recruit additional channel partners could materially adversely affect our results of operations. If we are unable to maintain our relationships with these channel partners, our business, results of operations, financial condition or cash flows could be adversely affected.

We provide service level commitments under our subscription agreements and service disruptions could obligate us to provide refunds and we could face subscription terminations, which could adversely affect our revenue.

Our subscription agreements with customers provide certain service level commitments. If we are unable to meet the stated service level commitments or suffer extended periods of downtime that exceed the periods allowed under our customer agreements, we could be required to pay refunds or face subscription terminations, either of which could significantly impact our revenue.

To date, we have suffered two significant service disruptions. The first occurred in 2013 and was a result of an equipment failure. Many of our customers in the United Kingdom experienced service disruptions for several hours. We also experienced a service disruption in September 2015 as a result of an external network DDoS attack. Customers using our Secure Email Gateway service in the United States experienced downtime related to the delivery and receipt of external emails for several hours. The scope of the incident was limited to network traffic and no customer data was lost or compromised. As a result of the service disruption, we voluntarily provided service credits to affected customers in the fiscal year ended March 31, 2016, totaling approximately $0.4 million. While we have undertaken substantial remedial efforts to prevent future incidents like these, we cannot guarantee that future attacks or service disruptions will not occur. Any future attacks or service disruptions could adversely affect our reputation, our relationships with our existing customers and our ability to attract new customers, all of which would impact our future revenue and operating results.

We have acquired, and may acquire in the future, other businesses, products or technologies, which could require significant management attention, disrupt our business, dilute shareholder value and adversely affect our results of operations.

As part of our business growth strategy and in order to remain competitive, we may acquire, or make investments in, complementary companies, products or technologies. Since fiscal 2017, we have completed several acquisitions. Notwithstanding these acquisitions, our acquisition experience to date remains relatively limited, and as a result, our ability as an organization to acquire and integrate other companies, products or technologies, particularly when the acquired entities are located in geographies where we have not previously done business, in a successful manner is unproven. We may not be able to find suitable acquisition targets, and we may not be able to complete such acquisitions on favorable terms, if at all. If we do complete acquisitions, we may not ultimately strengthen our competitive position or achieve our goals, and any acquisitions we complete could be viewed negatively by our customers, analysts and investors. In addition, if we are unsuccessful at integrating such acquisitions or the technologies associated with such acquisitions, our revenue and results of operations could be adversely affected. We may only be able to conduct limited due diligence on an acquired company’s technology, products and operations. Following an acquisition, we may be subject to liabilities arising from an acquired company’s past or present technology, product and operations, including liabilities related to data security and privacy of customer data and infringement of the intellectual property rights of others, and these liabilities may be greater than the warranty and indemnity limitations that we negotiate. Any liability that is greater than these warranty and indemnity limitations could have a negative impact on our financial condition. Any integration process may require significant time and resources, and we may not be able to manage the process successfully. We may not successfully evaluate or utilize the acquired technology or personnel, or accurately forecast the financial impact of an acquired business, including accounting charges. We may have to pay cash, incur additional debt, or issue equity securities to pay for any such acquisitions, each of which could adversely affect our financial condition or the value of our ordinary shares. The sale of equity or issuance of debt to finance any such acquisitions could result in dilution to our shareholders. The incurrence of additional indebtedness would result in increased fixed obligations and could also include covenants or other restrictions that would impede our ability to manage our operations. See risk factors – “The terms of our Credit Agreement require us to comply with certain financial covenants and impose restrictions on our business and operations, which creates default risks and reduces our flexibility” below.

In addition, as of March 31, 2020, we had $188.9 million in goodwill and intangible assets, net of accumulated amortization, recorded on our balance sheet as a result of our recent acquisitions. We will incur expenses related to the amortization of intangible assets and we may in the future need to incur charges with respect to the impairment of goodwill or intangible assets, which could adversely affect our operating results.

21


 

If we are not able to provide successful updates, enhancements and features to our technology to, among other things, keep up with emerging cyber threats and customer needs, our business could be adversely affected.

Our industry is marked by rapid technological developments and demand for new and enhanced services and features to meet the evolving IT needs of organizations. In particular, cyber threats are becoming increasingly sophisticated and responsive to the new security measures designed to thwart them. If we fail to identify and respond to new and increasingly complex methods of attack and update our products to detect or prevent such threats, our business and reputation will suffer. The success of any new enhancements, features or services that we introduce depends on several factors, including the timely completion, introduction and market acceptance of such enhancements, features or services. We may not be successful in either developing these modifications and enhancements or in bringing them to market in a timely fashion. Furthermore, modifications to existing technologies will increase our research and development expenses. If we are unable to successfully enhance our existing services to meet customer requirements, increase adoption and usage of our services, or develop new services, enhancements, features and products, our business and operating results will be harmed.

Because we recognize revenue from subscriptions for our services over the term of the agreement, downturns or upturns in new business may not be immediately reflected in our operating results and may be difficult to discern.

We generally recognize subscription revenue from customers ratably on a straight-line basis over the terms of their subscription agreements, which are typically one year in duration. As a result, most of the revenue we report in each quarter is derived from the recognition of deferred revenue relating to subscription agreements entered into during the previous fiscal year or quarter. Consequently, a decline in new or renewed subscriptions with yearly terms in any one quarter may have a small impact on our operating revenue results for that quarter. However, such decline will negatively affect our revenue in future quarters. Accordingly, the effect of significant downturns in sales and market acceptance of our services, resulting from the impact of the global COVID-19 pandemic or otherwise, and potential changes in our pricing policies, rate of expansion or retention rate may not be fully reflected in our operating results until future periods. Shifts in the mix of annual versus monthly subscription billings may also make it difficult to assess our business. We may also be unable to reduce our cost structure in line with a significant deterioration in sales. In addition, a significant majority of our costs are expensed as incurred, while revenue is recognized over the life of the agreement with our customer. As a result, increased growth in the number of our customers could continue to result in our recognition of more costs than revenue in the earlier periods of the terms of our agreements. Our subscription model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from new customers is recognized over the applicable subscription term.

We have incurred net losses in the past, and we may not be able to achieve or sustain profitability for the foreseeable future.

We have incurred net losses in each of our fiscal years since our inception in 2003 up through our fiscal year ended March 31, 2020, with the exception of our fiscal year ended March 31, 2015, in which we generated net income of $0.3 million. In our fiscal years ended March 31, 2020, 2019 and 2018, we incurred a net loss of $2.2 million, $7.0 million and $12.4 million, respectively. As of March 31, 2020, we had an accumulated deficit of $83.7 million. We have been growing rapidly, and, as we do so, we incur significant sales and marketing, support and other related expenses. Our ability to achieve and sustain profitability will depend in significant part on our obtaining new customers, expanding our existing customer relationships and ensuring that our expenses, including our sales and marketing expenses and the cost of supporting new customers, does not exceed our revenue. We also expect to make significant expenditures and investments in research and development to expand and improve our services and technical infrastructure. In addition, as a public company, we expect to continue to incur significant legal, accounting and other expenses. These increased expenditures may make it harder for us to achieve and maintain profitability and we cannot predict when we will achieve sustained profitability, if at all. We also may incur net losses in the future for a number of other unforeseen reasons. Accordingly, we may not be able to maintain profitability, once achieved, and we may incur losses in the foreseeable future.

We are subject to a number of risks associated with global sales and operations.

We operate a global business with offices located in the United States, the United Kingdom, South Africa, Australia and Germany, as well as several other locations. In the fiscal year ended March 31, 2020, we generated 51% of our revenue from the United States, 29% from the United Kingdom, 12% from South Africa and 8% from the rest of the world. As a result, our sales and operations are subject to a number of risks and additional costs, including the following:

 

fluctuations in exchange rates between currencies in the markets where we do business, which impacts our reportable revenue and expenses;

 

the disparate impact that the global COVID-19 pandemic is having on different countries and their economies;

 

risks associated with trade restrictions and additional legal requirements, including the exportation of our technology that is required in some of the countries in which we operate;

 

the need to adapt our solutions for specific countries;

22


 

 

greater risk of unexpected changes in regulatory rules, regulations and practices, tariffs and tax laws and treaties;

 

compliance with multiple anti-bribery laws, including the United States Foreign Corrupt Practices Act and the U.K. Anti-Bribery Act;

 

heightened risk of unfair or corrupt business practices in certain geographies, and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, or irregularities in, financial statements;

 

limited or uncertain protection of intellectual property rights in some countries and the risks and costs associated with monitoring and enforcing intellectual property rights abroad;

 

greater difficulty in enforcing contracts and managing collections in certain jurisdictions, as well as longer collection periods;

 

potential changes in trade relations arising from policy initiatives or other political factors that could negatively impact our purchases of technology among other things;

 

management communication and integration problems resulting from cultural and geographic dispersion;

 

social, economic and political instability, particularly in South Africa following the recent elections;

 

terrorist attacks and security concerns in general; and

 

potentially adverse tax consequences.

 

All of the factors described above, including the previously described risks related to Brexit, and other factors could harm our ability to generate future global revenue and, consequently, materially impact our business, results of operations and financial condition.

Fluctuations in currency exchange rates could adversely affect our business.

The functional currency of our operating subsidiaries is generally the local currency of each entity and our reporting currency is the U.S. dollar. In our fiscal year ended March 31, 2020, 54% of our revenue was denominated in U.S. dollars, 27% in British pounds, 12% in South African rand and 7% in other currencies. Given that the functional currency of our subsidiaries is generally the local currency of each entity, but our reporting currency is the U.S. dollar, fluctuations in currency exchange rates between the U.S. dollar, the British pound, the South African rand and the Australian dollar could materially and adversely affect our business. There may be instances in which costs and revenue will not be matched with respect to currency denomination. We estimate that a 10% increase or decrease in the value of the British pound against the U.S. dollar would have decreased or increased our income from operations by approximately $2.7 million in our fiscal year ended March 31, 2020 and that a 10% increase or decrease in the value of the South African rand against the U.S. dollar would have increased or decreased our income from operations by approximately $3.1 million in our fiscal year ended March 31, 2020. To date, we have not entered into any currency hedging contracts. As a result, to the extent we continue our expansion on a global basis, we expect that increasing portions of our revenue, cost of revenue, assets and liabilities will be subject to fluctuations in currency valuations. We may experience economic loss and a negative impact on earnings or net assets solely as a result of currency exchange rate fluctuations.

The global COVID-19 pandemic has had and may continue to have an impact on currency exchange rate volatility, which could impact our results of operations and make financial forecasting difficult. In addition, Brexit may continue to have a significant impact on currency exchange rates and the global and European economy generally. The outcome of the referendum and the resulting uncertainty regarding the status of the United Kingdom’s withdrawal from the European Union caused volatility in global stock markets and foreign currency exchange rate fluctuations, including the strengthening of the U.S. dollar against the British pound and the Euro, which may continue or worsen now that the withdrawal has occurred and trade and other agreements are negotiated between the United Kingdom and the European Union during the Brexit transition period, which will end on December 31, 2020. Finally, the South African economy faces a number of challenges, including slow economic growth and high unemployment. These challenges combined with the impact of the global COVID-19 pandemic have made the South African rand highly volatile over the past year.  As described above, significant fluctuations in currency exchange rates between the South African rand and the U.S. dollar will impact our results of operations.

We are dependent on the continued services and performance of our key employees, including our co-founder, the loss of whom could adversely affect our business.

Our future performance depends upon contributions from our senior management team and, in particular, our co-founder, Peter Bauer, our Chairman and Chief Executive Officer. If our senior management team, including any new hires that we may make, fails to work together effectively and to execute on our plans and strategies on a timely basis, our business could be harmed. The loss of one

23


 

or more of our executive officers or key employees could have an adverse effect on our business. The loss of services of Mr. Bauer could significantly delay or prevent the achievement of our development and strategic objectives.

We depend on highly skilled personnel to grow and operate our business, and if we are unable to hire, retain and motivate qualified personnel, our business may be adversely impacted.

Our success depends largely upon our continued ability to identify, hire, develop, motivate and retain highly skilled personnel, including senior management, engineers, software developers, sales representatives and customer support representatives. Our growth strategy also depends, in part, on our ability to continue to attract and retain highly skilled personnel. Identifying, recruiting, training and integrating qualified individuals requires significant time, expense and attention of management. Competition for these personnel is intense, especially for engineers experienced in designing and developing software and SaaS applications, and for experienced sales professionals. In addition, the global COVID-19 pandemic may make the hiring more difficult, particularly when the hiring process, from sourcing to interviewing to onboarding, must be done remotely. We have, from time to time experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications. Many of the companies with which we compete for experienced personnel have greater resources than we have. If we hire employees from competitors or other companies, their former employers may assert that these employees or we have breached their legal obligations, resulting in a diversion of our time and resources. In addition, prospective and existing employees often consider the value of the equity awards they receive in connection with their employment. If the actual or perceived value of our equity awards declines, or experiences significant volatility, it may adversely affect our ability to recruit and retain key employees. If we are not able to effectively recruit and retain qualified employees, our ability to achieve our strategic objectives will be adversely impacted, and our business will be harmed.

If the prices we charge for our services are unacceptable to our customers, our operating results will be harmed.

As the market for our services matures, or as new or existing competitors introduce new products or services that compete with ours, we may experience pricing pressure and be unable to renew our agreements with existing customers or attract new customers at prices that are consistent with our pricing model and operating budget. If this were to occur, it is possible that we would have to change our pricing model or reduce our prices, which could harm our revenue, gross margin and operating results. Pricing decisions may also impact the mix of adoption among our subscription plans and negatively impact our overall revenue. Moreover, large enterprises, which may account for a larger portion of our business in the future, may demand substantial price concessions. Finally, the economic impact of the global COVID-19 pandemic may cause our prospects and existing customers to request price concessions to enable them to purchase our services or renew existing services. If we are, for any reason, required to reduce our prices, our revenue, gross margin, profitability, financial position and cash flow may be adversely affected.

Our research and development efforts may not produce new services or enhancements to existing services that result in significant revenue or other benefits in the near future, if at all.

We invested 19%, 17% and 15% of our revenue in research and development in our fiscal years ended March 31, 2020, 2019 and 2018, respectively. We expect to continue to dedicate significant financial and other resources to our research and development efforts in order to maintain our competitive position. However, investing in research and development personnel, developing new services and enhancing existing services is expensive and time-consuming, and there is no assurance that such activities will result in significant new marketable services, enhancements to existing services, design improvements, cost savings, revenue or other expected benefits. If we spend significant time and effort on research and development and are unable to generate an adequate return on our investment, our business and results of operations may be materially and adversely affected.

We employ third-party licensed software for use in or with our services, and the inability to maintain these licenses or errors in the software we license could result in increased costs, or reduced service levels, which would adversely affect our business.

Our services incorporate and rely on certain third-party software obtained under licenses from other companies. We anticipate that we will continue to rely on such third-party software and development tools in the future. Although we believe that there are commercially reasonable alternatives to the third-party software we currently license, this may not always be the case, or it may be difficult or costly to replace. In addition, integration of the software used in our services with new third-party software may require significant work and require substantial investment of our time and resources and delays in the release of our services until equivalent technology is either developed by us, or, if available, is identified, obtained and integrated, which could harm our business. A licensor may have difficulties keeping up with technological changes or may stop supporting the software or other intellectual property that it licensed to us. Also, to the extent that our services depend upon the successful operation of third-party software in conjunction with our software, any undetected errors or defects in this third-party software could prevent the deployment or impair the functionality of our services, delay new services introductions, result in a failure of our services, and injure our reputation. Our use of additional or alternative third-party software would require us to enter into additional license agreements with third parties on terms that may not be favorable to us.

24


 

Natural disasters, power loss, telecommunications failures and similar events could cause interruptions or performance problems associated with our information and technology infrastructure that could impair the delivery of our services and harm our business.

We currently store our customers’ information within third-party data center hosting facilities. As part of our current disaster recovery plans and arrangements, our production environment and all of our customers’ data is currently replicated in near real-time to a facility located in a different location. We cannot provide assurance that the measures we have taken to eliminate single points of failure will be effective to prevent or minimize interruptions to our operations. Our facilities are vulnerable to interruption or damage from a number of sources, many of which are beyond our control, including floods, fires, power loss, telecommunications failures, global pandemics such as COVID-19, the effects of climate change (such as drought, wildfires, increased storm severity and sea level rise), and similar events. They may also be subject to break-ins, sabotage, intentional acts of vandalism and similar misconduct. Any damage to, or failure of, our systems generally could result in interruptions to our service, which may reduce our revenue, cause customers to terminate their subscriptions and adversely affect our renewal rate and our ability to attract new customers. Our business and reputation will also be harmed if our existing and potential customers believe our service is unreliable. The occurrence of a natural disaster, an act of terrorism, a decision to close the facilities without adequate notice or other unanticipated problems at these facilities could result in lengthy interruptions in our service. Even with the disaster recovery arrangements, our service could be interrupted. As we continue to add data centers and add capacity in our existing data centers, we may move or transfer our data and our customers’ data. Any unsuccessful data transfers may impair the delivery of our service. Further, as we continue to grow and scale our business to meet the needs of our customers, additional burdens may be placed on our hosting facilities.

We are a multinational organization faced with increasingly complex tax issues in many jurisdictions, and we could be obligated to pay additional taxes in various jurisdictions.

As a multinational organization, we may be subject to taxation in several jurisdictions around the world with increasingly complex tax laws, the application of which can be uncertain. The amount of taxes we pay in these jurisdictions could increase substantially as a result of changes in the applicable tax principles, including increased tax rates, new tax laws or revised interpretations of existing tax laws and precedents, which could have a material adverse effect on our liquidity and results of operations. In addition, the authorities in these jurisdictions could review or audit our tax returns and general tax compliance and impose additional tax, interest and penalties, and the authorities could claim that various withholding requirements apply to us or our subsidiaries or assert that benefits of tax treaties are not available to us or our subsidiaries. Furthermore, one or more jurisdictions in which we do not believe we are currently subject to tax payment, withholding, or filing requirements, could assert that we are subject to such requirements. Any of these claims or assertions could have a material impact on us and the results of our operations, including our cash flow.

We are subject to governmental export controls and funds dealings restrictions that could impair our ability to compete in certain international markets and subject us to liability if we are not in full compliance with applicable laws.

Our software and services may be subject to export controls and we may also be subject to restrictions or prohibitions on transactions with, or on dealing in funds transfers to/from, certain embargoed jurisdictions and sanctioned persons and entities, pursuant to the U.K. Export Control Organisation’s restrictions, the U.K. Treasury’s restrictions, the European Union Council Regulations, the United States Department of Commerce’s Export Administration Regulations, the economic and trade sanctions regulations administered by the United States Treasury Department’s Office of Foreign Assets Controls and United States Department of State, and similar laws that may apply in other jurisdictions in which we operate or sell or distribute our services. Export control and economic sanctions laws include prohibitions on the sale or supply of certain products and services to certain embargoed or sanctioned countries, regions, governments, persons and entities, as well as restrictions or prohibitions on dealing in funds to/from those countries, regions, governments, persons and entities. In addition, various countries regulate the import of certain encryption items and technology through import permitting and licensing requirements and have enacted laws that could limit our ability to distribute our services or could limit our customers’ ability to implement our services in those countries.

The exportation, re-exportation, and importation of our software and services, including by our channel partners, must comply with applicable laws or else we may be adversely affected, through reputational harm, government investigations, penalties, and/or a denial or curtailment of our ability to export our services. Although we take precautions to prevent our services from being provided in violation of such laws, our services may have been in the past, and could in the future be, provided in violation of such laws.

If we are found to be in violation of U.S. sanctions or export control laws, it could result in substantial fines and penalties for us and for the individuals working for us, including civil penalties of up to $250,000 or twice the value of the transaction, whichever is greater, per violation, and in the event of conviction for a criminal violation, fines of up to $1 million and possible incarceration for responsible employees and managers for willful and knowing violations. Under the terms of applicable regulations, each instance in which a company provides goods or services may be considered a separate violation. If we are found to be in violation of U.K.

25


 

sanctions or export controls, it could also result in unlimited fines for us and responsible employees and managers, as well as imprisonment of up to two years for responsible employees and managers.

Changes in our software or services, or changes in export, sanctions or import laws, may delay the introduction and sale of our services in international markets, prevent our customers with international operations from deploying our software or services or, in some cases, prevent the export or import of our software or services to certain countries, regions, governments, persons or entities altogether, which could adversely affect our business, financial condition and operating results.

Our quarterly results may fluctuate for a variety of reasons and may not fully reflect the underlying performance of our business.

Our quarterly operating results, including the levels of our revenue, gross margin, profitability, cash flow and deferred revenue, may vary significantly in the future, and period-to-period comparisons of our operating results may not be meaningful. Accordingly, the results of any one quarter should not be relied upon as an indication of future performance. Our quarterly financial results may fluctuate as a result of a variety of factors, many of which are outside of our control and, as a result, may not fully reflect the underlying performance of our business. Fluctuations in quarterly results may negatively impact the value of our ordinary shares. Factors that may cause fluctuations in our quarterly financial results include, but are not limited to:

 

foreign currency exchange rates;

 

our ability to attract new customers;

 

our revenue retention rate;

 

the amount and timing of operating expenses related to the maintenance and expansion of our business, operations and infrastructure;

 

network outages or security breaches;

 

general economic, industry and market conditions, including the impact of the global COVID-19 pandemic, Brexit and economic conditions in South Africa;

 

expenses related to litigation matters;

 

increases or decreases in the number of features in our services or pricing changes upon any renewals of customer agreements;

 

changes in our pricing policies or those of our competitors;

 

new variations in sales of our services, which has historically been highest in the fourth quarter of a given fiscal year;

 

the timing and success of new services and service introductions by us and our competitors or any other change in the competitive dynamics of our industry, including consolidation among competitors, customers or strategic partners; and

 

the impact of acquisitions.

The terms of our Credit Agreement require us to comply with certain financial covenants and impose restrictions on our business and operations, which creates default risks and reduces our flexibility.

In July 2018, we entered into a Credit Agreement, or the Credit Agreement, by and among us, certain of our subsidiaries party thereto, as guarantors, certain financial institutions party thereto from time to time, as lenders, and JPMorgan Chase Bank, N.A., as administrative agent, or the Administrative Agent. The Credit Agreement provided us with a $100.0 million senior secured term loan, or the Term Loan, and a $50.0 million senior secured revolving credit facility, or the Revolving Facility, and together with the Term Loan, the Credit Facility. The Credit Agreement requires compliance with significant financial and non-financial covenants, including affirmative covenants relating to the provision of annual and quarterly financial statements and compliance certificates, maintenance of property, insurance, compliance with laws and environmental matters and negative covenants, including, among others, restrictions on the incurrence of certain indebtedness, granting of liens, making investments and acquisitions, mergers and consolidations, paying dividends, entering into affiliate transactions and asset sales. The Credit Agreement also provides for a number of events of default, including, among others, payment, bankruptcy, covenant, representation and warranty, default under material indebtedness (other than the Credit Agreement), change of control and judgment defaults.

 

As a result of the negative covenants, we may be restricted from engaging in business or operating activities that may otherwise improve our business or from financing future operations or capital needs. Failure to comply with the covenants, including the financial covenants, if not cured or waived, will result in an event of default that could trigger acceleration of our indebtedness, which would require us to repay all amounts owing under our Credit Agreement and could have a material adverse impact on our business.

26


 

Overdue amounts under the Credit Agreement accrue interest at a default rate. We cannot be certain that our future operating results will be sufficient to ensure compliance with the financial covenants in our Credit Agreement or to remedy any defaults. In addition, in the event of any event of default and related acceleration, we may not have or be able to obtain sufficient funds to make the accelerated payments required under the Credit Agreement.

If we need to raise additional capital to expand our operations and invest in new technologies in the future and cannot raise it on acceptable terms or at all, our ability to compete successfully may be harmed.

We believe that our existing cash and cash equivalents together with available capacity under our Credit Facility will be sufficient to meet our anticipated cash requirements for at least the next twelve months. However, unforeseen circumstances may arise which may mean that we may need to raise additional funds, and we may not be able to obtain additional debt or equity financing on favorable terms, if at all, or because of restrictions in our Credit Agreement. If we raise additional equity financing, our security holders may experience significant dilution of their ownership interests and the value of our ordinary shares could decline. If we engage in additional debt financing, we may be required to obtain the Administrative Agent’s consent and/or accept terms that are more restrictive than the terms currently applicable to us under the Credit Agreement. If we need additional capital and cannot raise it on acceptable terms, if at all, we may not be able to, among other things:

 

develop and enhance our services;

 

continue to expand our research and development, and sales and marketing organizations;

 

hire, train and retain key employees;

 

respond to competitive pressures or unanticipated working capital requirements; or

 

pursue acquisition opportunities.

Our inability to do any of the foregoing could reduce our ability to compete successfully and harm our results of operations.

Risks Related to Intellectual Property

We are currently being sued, have been sued in the past and may in the future be sued by third parties for alleged infringement of their proprietary rights.

There is considerable patent and other intellectual property development activity in our industry. Our success depends, in part, on our not infringing upon the intellectual property rights of others. Our competitors, as well as a number of other entities, including non-practicing patent entities, or NPEs, which are entities that have no operating business but exist purely as collectors of patents, and individuals, may own or claim to own intellectual property relating to our industry. Patent and other intellectual property disputes are common and third parties are currently claiming, have claimed, and may in the future claim that we are infringing upon their intellectual property rights or send us letters proposing that we license certain of their patents. In particular, there are a number of NPEs in the security industry that are particularly aggressive about pursuing alleged infringement of their patents. Given this and the proliferation of lawsuits in our industry and other similar industries by both NPEs and operating entities, we have been sued for patent infringement and expect that we may be sued by others at some point in the future, regardless of the merits of any such lawsuits. See Part 1, Item 3, “Legal Proceedings” in this Annual Report on Form 10-K. We closely monitor all such claims and respond as appropriate. We may also be unaware of the intellectual property rights that others may claim cover some or all of our technology or services. Any claims or litigation could cause us to incur significant expenses and, if successfully asserted against us, could require that we pay substantial damages or ongoing royalty payments, prevent us from offering our services, or require that we comply with other unfavorable terms. Under all of our sales contracts, we are obligated to indemnify our customers and channel partners against third-party infringement claims, and we may also be obligated to pay substantial settlement costs, including royalty payments, in connection with any such claim or litigation and to obtain licenses, modify services or refund fees, any of which could be costly. Even if we were to prevail in any such dispute, litigation regarding intellectual property is very costly and time-consuming and diverts the attention of our management and key personnel from our business operations.

 

Any failure to protect our intellectual property rights could impair our ability to protect our proprietary technology and our brand.

Our success and ability to compete depend in part on our intellectual property. We primarily rely on copyright, trade secret and trademark laws, trade secret protection and confidentiality or license agreements with our employees, customers, partners and others to protect our intellectual property rights. However, the steps we take to protect our intellectual property rights may be inadequate. As of March 31, 2020, we had 18 patents issued and 13 patent applications pending in the United States. We also had 5 patents issued in non-U.S. jurisdictions. We may not be able to obtain any further patents, and our pending applications may not result in the issuance of patents. We have issued patents and pending patent applications outside the United States, and we may have to expend significant resources to obtain additional patents as we expand our international operations due to the cost of monitoring and protecting our rights across multiple jurisdictions.

27


 

In order to protect our intellectual property rights, we may be required to spend significant resources to monitor and protect these rights. Litigation brought to protect and enforce our intellectual property rights could be costly, time-consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Failure to adequately enforce our intellectual property rights could also result in the impairment or loss of those rights. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Patent, copyright, trademark and trade secret laws offer us only limited protection and the laws of many of the countries in which we sell our services do not protect proprietary rights to the same extent as the United States and Europe. Accordingly, defense of our trademarks and proprietary technology may become an increasingly important issue as we continue to expand our operations and solution development into countries that provide a lower level of intellectual property protection than the United States or Europe. Policing unauthorized use of our intellectual property and technology is difficult and the steps we take may not prevent misappropriation of the intellectual property or technology on which we rely. For example, in the event of inadvertent or malicious disclosure of our proprietary technology, trade secret laws may no longer afford protection to our intellectual property rights in the areas not otherwise covered by patents or copyrights. Accordingly, we may not be able to prevent third parties from infringing upon or misappropriating our intellectual property. Our failure to secure, protect and enforce our intellectual property rights could materially adversely affect our brand and our business.

We may elect to initiate litigation in the future to enforce or protect our proprietary rights or to determine the validity and scope of the rights of others. That litigation may not be ultimately successful and could result in substantial costs to us, the reduction or loss in intellectual property protection for our technology, the diversion of our management’s attention and harm to our reputation, any of which could materially and adversely affect our business and results of operations.

Confidentiality arrangements with employees and others may not adequately prevent disclosure of trade secrets and other proprietary information.

We have devoted substantial resources to the development of our technology, business operations and business plans. In order to protect our trade secrets and proprietary information, we rely in significant part on confidentiality arrangements with our employees, licensees, independent contractors, advisers, channel partners, resellers and customers. These arrangements may not be effective to prevent disclosure of confidential information, including trade secrets, and may not provide an adequate remedy in the event of unauthorized disclosure of confidential information. In addition, if others independently discover trade secrets and proprietary information, we would not be able to assert trade secret rights against such parties. Effective trade secret protection may not be available in every country in which our services are available or where we have employees or independent contractors. The loss of trade secret protection could make it easier for third parties to compete with our solutions by copying functionality. In addition, any changes in, or unexpected interpretations of, the trade secret and employment laws in any country in which we operate may compromise our ability to enforce our trade secret and intellectual property rights. Costly and time-consuming litigation could be necessary to enforce and determine the scope of our proprietary rights, and failure to obtain or maintain trade secret protection could adversely affect our competitive business position.

We may be subject to damages resulting from claims that our employees or contractors have wrongfully used or disclosed alleged trade secrets of their former employers or other parties.

We could in the future be subject to claims that employees or contractors, or we, have inadvertently or otherwise used or disclosed trade secrets or other proprietary information of our competitors or other parties. Litigation may be necessary to defend against these claims. If we fail in defending against such claims, a court could order us to pay substantial damages and prohibit us from using technologies or features that are essential to our solutions, if such technologies or features are found to incorporate or be derived from the trade secrets or other proprietary information of these parties. In addition, we may lose valuable intellectual property rights or personnel. A loss of key personnel or their work product could hamper or prevent our ability to develop, market and support potential solutions or enhancements, which could severely harm our business. Even if we are successful in defending against these claims, such litigation could result in substantial costs and be a distraction to management.

The use of open source software in our offerings may expose us to additional risks and harm our intellectual property.

Open source software is typically freely accessible, usable and modifiable. Certain open source software licenses require a user who intends to distribute the open source software as a component of the user’s software to disclose publicly part or all of the source code to the user’s software. In addition, certain open source software licenses require the user of such software to make any derivative works of the open source code available to others on unfavorable terms or at no cost. This can subject previously proprietary software to open source license terms.

28


 

We monitor and control our use of open source software in an effort to avoid unanticipated conditions or restrictions on our ability to successfully commercialize our products and solutions and believe that our compliance with the obligations under the various applicable licenses has mitigated the risks that we have triggered any such conditions or restrictions. However, such use may have inadvertently occurred in the development and offering of our products and solutions, particularly in situations where we acquired technology from third parties through acquisitions. Additionally, if a third-party software provider has incorporated certain types of open source software into software that we have licensed from such third-party, we could be subject to the obligations and requirements of the applicable open source software licenses. This could harm our intellectual property position and have a material adverse effect on our business, results of operations and financial condition.

The terms of many open source software licenses have not been interpreted by U.S. or foreign courts, and there is a risk that those licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to successfully commercialize our products and solutions. For example, certain open source software licenses may be interpreted to require that we offer our products or solutions that use the open source software for no cost; that we make available the source code for modifications or derivative works we create based upon, incorporating or using the open source software (or that we grant third parties the right to decompile, disassemble, reverse engineer, or otherwise derive such source code); that we license such modifications or derivative works under the terms of the particular open source license; or that otherwise impose limitations, restrictions or conditions on our ability to use, license, host, or distribute our products and solutions in a manner that limits our ability to successfully commercialize our products.

We could, therefore, be subject to claims alleging that we have not complied with the restrictions or limitations of the applicable open source software license terms or that our use of open source software infringes the intellectual property rights of a third party. In that event, we could incur significant legal expenses, be subject to significant damages, be enjoined from further sale and distribution of our products or solutions that use the open source software, be required to pay a license fee, be forced to reengineer our products and solutions, or be required to comply with the foregoing conditions of the open source software licenses (including the release of the source code to our proprietary software), any of which could adversely affect our business. Even if these claims do not result in litigation or are resolved in our favor or without significant cash settlements, the time and resources necessary to resolve them could harm our business, results of operations, financial condition and reputation.

Additionally, the use of open source software can lead to greater risks than the use of third-party commercial software, as open source software does not come with warranties or other contractual protections regarding indemnification, infringement claims or the quality of the code.

Risks Related to Our Ordinary Shares and Our Organization in Jersey, Channel Islands

Our share price has been and may continue to be volatile.

The market price of our ordinary shares may decline.  In addition, the market price of our ordinary shares could be highly volatile and may fluctuate substantially as a result of many factors, many of which we cannot control, including:

 

the ongoing global impact of the COVID-19 pandemic;

 

actual or anticipated fluctuations in our results of operations;

 

variance in our financial performance from the expectations of market analysts;

 

announcements by us or our competitors of significant business developments, changes in service provider relationships, acquisitions or expansion plans;

 

changes in the prices of our services or those of our competitors;

 

our involvement in litigation, including patent litigation;

 

our sale of ordinary shares or other securities in the future;

 

market conditions in our industry;

 

changes in key personnel;

 

the trading volume of our ordinary shares;

 

changes in the estimation of the future size and growth rate of our markets; and

 

general economic and market conditions, both in the U.S. and internationally.

29


 

In addition, the stock markets have recently experienced extreme price and volume fluctuations, both as a result of the global COVID-19 pandemic and for other reasons. Broad market and industry factors may materially harm the market price of our ordinary shares, regardless of our operating performance. In the past, following periods of volatility in the market price of a company’s securities, securities class action litigation has often been instituted against that company. If we were involved in any similar litigation, we could incur substantial costs and our management’s attention and resources could be diverted.

If securities or industry analysts cease to publish research or publish inaccurate or unfavorable research about our business, our share price and trading volume could decline.

The trading market for our ordinary shares depends in part on the research and reports that securities or industry analysts publish about us or our business. If one or more of the analysts who covers us downgrades our shares or publishes inaccurate or unfavorable research about our business, our share price would likely decline. If one or more of these analysts ceases coverage of us or fails to publish reports on us regularly, demand for our shares could decrease, which could cause our share price and trading volume to decline.

We do not expect to pay dividends and investors should not buy our ordinary shares expecting to receive dividends.

We do not anticipate that we will declare or pay any dividends in the foreseeable future, and our ability to do so may be constrained by restrictions in our Credit Agreement or future debt arrangements, if any, and by Jersey law. Consequently, investors will only realize an economic gain on their investment in our ordinary shares if the price appreciates. Investors should not purchase our ordinary shares expecting to receive cash dividends. Since we do not pay dividends, and if we are not successful in sustaining an orderly trading market for our shares, then investors may not have any manner to liquidate or receive any payment on their investment. Therefore, our failure to pay dividends may cause investors to not see any return on your investment even if we are successful in our business operations.

We must maintain proper and effective internal controls over financial reporting and any failure to maintain the adequacy of these internal controls may adversely affect investor confidence in our company and, as a result, the value of our ordinary shares.

We are required, pursuant to Section 404 of the Sarbanes-Oxley Act of 2002 and the related rules adopted by the SEC, to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal controls are effective.

In addition, our independent registered public accounting firm must attest to the effectiveness of our internal control over financial reporting under Section 404. Our independent registered public accounting firm may issue a report that is adverse in the event it is not satisfied with the level at which our controls are documented, designed or operating. We may not be able to remediate any future material weaknesses, or to complete our evaluation, testing and any required remediation in a timely fashion. We are also required to disclose significant changes made in our internal control procedures on a quarterly basis. Our compliance with Section 404 requires that we incur substantial accounting expense and expend significant management efforts.

Any failure to maintain internal control over financial reporting could severely inhibit our ability to accurately report our financial condition or results of operations. If we are unable to assert that our internal control over financial reporting is effective or our independent registered public accounting firm is unable to express an opinion on the effectiveness of our internal controls when it is required to issue such opinion, we could lose investor confidence in the accuracy and completeness of our financial reports, the market price of our ordinary shares could decline, and we could be subject to sanctions or investigations by the Nasdaq Stock Market, the SEC or other regulatory authorities.

A change in our tax residence could have a negative effect on our future profitability.

Although we are organized under the laws of the Bailiwick of Jersey, our affairs are, and are intended to continue to be, managed and controlled in the United Kingdom for tax purposes and therefore we are resident in the United Kingdom for U.K. and Jersey tax purposes. It is possible that in the future, whether as a result of a change in law or the practice of any relevant tax authority or as a result of any change in the conduct of our affairs or for any other reason, we could become, or be regarded as having become, a resident in a jurisdiction other than the United Kingdom. If we cease to be a U.K. tax resident, we may be subject to a charge to U.K. corporation tax on chargeable gains on our assets and to unexpected tax charges in other jurisdictions on our income. Similarly, if the tax residency of any of our subsidiaries were to change from their current jurisdiction for any of the reasons listed above, we may be subject to a charge to local capital gains tax on the assets.

30


 

Taxing authorities could reallocate our taxable income among our subsidiaries, which could increase our consolidated tax liability.

We conduct operations world-wide through subsidiaries in various tax jurisdictions pursuant to transfer pricing arrangements between us and our subsidiaries. If two or more affiliated companies are located in different countries, the tax laws or regulations of each country generally will require that transfer prices be the same as those between unrelated companies dealing at arm’s length and that appropriate documentation is maintained to support the transfer pricing. While we believe that we operate in compliance with applicable transfer pricing laws and intend to continue to do so, our transfer pricing procedures are not binding on applicable tax authorities. If tax authorities in any of these countries were to successfully challenge our transfer prices as not reflecting arms’ length transactions, they could require us to adjust our transfer prices and thereby reallocate our income to reflect these revised transfer prices, which could result in a higher tax liability to us. In addition, if the country from which the income is reallocated does not agree with the reallocation, both countries could tax the same income, resulting in double taxation. If tax authorities were to allocate income to a higher tax jurisdiction, subject our income to double taxation or assess interest and penalties, it would increase our consolidated tax liability, which could adversely affect our financial condition, results of operations and cash flows. Double taxation should be mitigated in these circumstances where the affiliated parties that are subject to the transfer pricing adjustments are able to benefit from any applicable double taxation agreement.

Our ability to use our net operating loss or tax credit carry forwards may be subject to limitation.

As of March 31, 2020, we had net operating loss carryforwards in the U.K., U.S. federal and state, Australia, Germany, Israel, and the Netherlands. U.S. federal net operating losses generated through the fiscal year ending March 31, 2018 expire at various dates through 2038 while U.S. federal net operating losses generated after March 31, 2018 do not expire. Substantially all U.S. state net operating loss carryforwards expire at various dates through 2040. Net operating loss carryforwards in the Netherlands expire at various dates from 2026 through 2028. Net operating loss carryforwards in the U.K., Australia, Germany and Israel do not expire. As of March 31, 2020, we had U.K. income tax credit carryforwards that do not expire. As of March 31, 2020, we had Israel income tax credit carryforwards that expire at various dates from 2023 through 2025.

Each jurisdiction in which we operate may have its own limitations on our ability to utilize net operating loss or tax credit carryforwards generated in that jurisdiction that may increase our U.K. and/or foreign income tax liabilities.

Under Section 382 of the U.S. Internal Revenue Code, if a corporation undergoes an ownership change, the corporation’s ability to use its pre-change net operating loss carryforwards to offset its post-change income and taxes may be limited. In general, an ownership change occurs if there is a 50 percent cumulative change in ownership of the company over a rolling three-year period. Similar rules may apply under U.S. state tax laws. We believe that we have experienced an ownership change in the past and may experience ownership changes in the future resulting from future transactions in our share capital, some of which may be outside our control. The most recent analysis of our historical ownership changes was completed through March 31, 2020. Based on the analysis, we do not anticipate a material limitation on the utilization of our tax attributes. However, our ability to utilize net operating loss carryforwards or other tax attributes to offset U.S. federal and state taxable income in the future may be subject to future limitations.

U.S. holders of our ordinary shares could be subject to material adverse tax consequences if we are considered a Passive Foreign Investment Company, or PFIC, for U.S. federal income tax purposes.

We do not believe that we were a PFIC for U.S. federal income tax purposes during the tax year ending March 31, 2020 and do not expect to be a PFIC for U.S. federal income tax purposes in the current tax year. We also do not expect to become a PFIC in the foreseeable future, but the possible status as a PFIC must be determined annually and therefore may be subject to change. If we are at any time treated as a PFIC, such treatment could result in a reduction in the after-tax return to U.S. holders of our ordinary shares and may cause a reduction in the value of such shares. Furthermore, if we are at any time treated as a PFIC, U.S. holders of our ordinary shares could be subject to greater U.S. income tax liability than might otherwise apply, imposition of U.S. income tax in advance of when tax would otherwise apply and detailed tax filing requirements that would not otherwise apply. For U.S. federal income tax purposes, “U.S. holders” include individuals and various entities. A corporation is classified as a PFIC for any taxable year in which (i) at least 75% of its gross income is passive income or (ii) at least 50% of the average quarterly value of all its total gross assets is attributable to assets that produce or are held for the production of passive income. For this purpose, passive income includes certain dividends, interest, royalties and rents that are not derived in the active conduct of a trade or business. The PFIC rules are complex and a U.S. holder of our ordinary shares is urged to consult its own tax advisors regarding the possible application of the PFIC rules to it in its particular circumstances.

31


 

U.S. shareholders may not be able to enforce civil liabilities against us.

Certain of our directors and executive officers are not residents of the United States, and all or a substantial portion of the assets of such persons are located outside the United States. As a result, it may not be possible for investors to effect service of process within the United States upon such persons or to enforce against them judgments obtained in U.S. courts predicated upon the civil liability provisions of the federal securities laws of the United States.

There is also a doubt as to the enforceability in England and Wales and Jersey, whether by original actions or by seeking to enforce judgments of U.S. courts, of claims based on the federal securities laws of the United States. In addition, punitive damages in actions brought in the United States or elsewhere may be unenforceable in England and Wales and Jersey.

The rights afforded to shareholders are governed by Jersey law. Not all rights available to shareholders under English law or U.S. law will be available to shareholders.

The rights afforded to shareholders will be governed by Jersey law and by our Articles of Association, and these rights differ in certain respects from the rights of shareholders in typical English companies and U.S. corporations. In particular, Jersey law significantly limits the circumstances under which shareholders of companies may bring derivative actions and, in most cases, only the corporation may be the proper claimant or plaintiff for the purposes of maintaining proceedings in respect of any wrongful act committed against it. Neither an individual nor any group of shareholders has any right of action in such circumstances. In addition, Jersey law does not afford appraisal rights to dissenting shareholders in the form typically available to shareholders of a U.S. corporation.

Item 1B. Unresolved Staff Comments.

None.

Item 2. Properties.

Principal Office Locations  

The table below describes our existing principal office facilities, all of which are leased.

 

Location

Purpose

Square Footage

Expiration

London, United Kingdom

Global Headquarters

113,056

3/3/2029

Lexington, Massachusetts USA

North American Headquarters

99,993

1/31/2028

Watertown, Massachusetts USA

Former North American Headquarters*

44,170

10/31/2020

 

* This facility is 100% subleased through the expiration of the lease.

We maintain additional leased office facilities in Johannesburg, Cape Town and Durban, South Africa, Melbourne and Sydney, Australia, Munich, Germany, Amsterdam, the Netherlands, Torun, Poland, Dubai, UAE, Tel Aviv, Israel, as well as in Chicago, Dallas and San Francisco in the United States.  

We believe that the total space available to us in the facilities under our current leases, or obtainable by us on commercially reasonable terms, will meet our needs for the foreseeable future.

Data Centers

We utilize two data centers in each of the United Kingdom, South Africa, Australia, Jersey, Channel Islands and Germany, and five data centers in the United States. Our data center leases expire between 2020 and 2025. We have capacity headroom built into our primary data center leases to accommodate infrastructure growth within the lease periods should we need to add more space or power to our existing footprint.

For more information about our lease and data center commitments, see also Note 9, Leases, of the notes to our consolidated financial statements, included elsewhere in this Annual Report on Form 10-K.

32


 

On September 10, 2019, ZapFraud, Inc., or ZapFraud, filed a complaint in the U.S. District Court for the District of Delaware against our wholly owned subsidiaries, Mimecast North America, Inc., Mimecast Services Limited and Mimecast UK Limited. The complaint alleges that certain elements of our email security technology infringe a patent held by ZapFraud. ZapFraud seeks an award for damages in an unspecified amount, attorney’s fees and injunctive relief. On November 22, 2019, we filed a Motion to Dismiss for Failure to State a Claim. We have requested that a hearing be held on this motion, but no court date has been set. On April 24, 2020, ZapFraud amended its complaint by alleging that our email security technology infringes an additional patent that was recently issued to ZapFraud. We plan to amend our Motion to Dismiss for Failure to State a Claim to address this additional patent. This litigation is in its very early stages. As a result, neither the ultimate outcome of this litigation nor an estimate of a probable loss or any reasonably possible losses can be assessed at this time. We intend to defend the lawsuit vigorously. Regardless of the outcome, litigation can have an adverse impact on us because of defense and potential settlement costs, diversion of management resources and other factors.

From time to time, we may be involved in legal proceedings and subject to claims in the ordinary course of business. Although the results of these proceedings and claims cannot be predicted with certainty, and we do not believe the ultimate cost to resolve these matters would individually, or taken together, have a material adverse effect on our business, operating results, cash flows or financial condition. Regardless of the outcome, such proceedings can have an adverse impact on us because of defense and settlement costs, diversion of resources and other factors, and there can be no assurances that favorable outcomes will be obtained.

Item 4. Mine Safety Disclosures.

Not applicable.

33


 

PART II

Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities.

Market Information

Our ordinary shares are listed on The Nasdaq Global Select Market under the symbol “MIME.”

 

Shareholders

As of March 31, 2020, there were 57 holders of record of our ordinary shares, including Cede & Co., a nominee for The Depository Trust Company, or DTC, which holds our ordinary shares on behalf of an indeterminate number of beneficial owners. All of the ordinary shares held by brokerage firms, banks and other financial institutions as nominees for beneficial owners are deposited into participant accounts at DTC and are considered to be held of record by Cede & Co. as one shareholder. Because most of our shares are held by brokers and other institutions on behalf of shareholders, we are unable to estimate the total number of shareholders represented by these record holders.

Dividends

We have never declared or paid, and do not anticipate declaring or paying in the foreseeable future, any cash dividends on our ordinary shares. Any future determination as to the declaration and payment of dividends, if any, will be at the discretion of our board of directors, subject to applicable laws, including the laws of the Bailiwick of Jersey, and will depend on then existing conditions, including our financial condition, operating results, contractual restrictions, including restrictions in our Credit Agreement, capital requirements, business prospects and other factors our board of directors may deem relevant.

Recent Sales of Unregistered Securities

None.

Purchase of Equity Securities by the Issuer and Affiliated Purchasers

None.

Securities Authorized for Issuance Under Equity Compensation Plans

Information about securities authorized for issuance under our equity compensation plan is incorporated herein by reference to Item 12 of Part III of this Annual Report on Form 10-K.

Stock Performance Graph

The graph below compares the cumulative total return to shareholders on our ordinary shares for the period from November 19, 2015 (the first date that our ordinary shares were publicly traded) through March 31, 2020, against the cumulative total return of the Russell 2000® Index and the Nasdaq Computer Index. The comparison assumes $100 was invested in our ordinary shares and each of the indices and the reinvestment of dividends, if any.

34


 

The performance shown on the graph below is based on historical results and is not indicative of, nor intended to forecast, future performance of our ordinary shares.

 

 

 

11/19/15

 

3/31/16

 

3/31/17

 

3/31//18

 

3/31/19

 

3/31/20

 

Mimecast Limited

 

$

100.00

 

$

96.34

 

$

221.68

 

$

350.79

 

$

468.81

 

$

349.50

 

Russell 2000 Index

 

$

100.00

 

$

96.58

 

$

121.90

 

$

136.28

 

$

139.07

 

$

105.71

 

Nasdaq Computer Index

 

$

100.00

 

$

100.26

 

$

128.02

 

$

163.89

 

$

183.76

 

$

208.69

 

 

This performance graph and related information shall not be deemed to be “soliciting material” or “filed” for purposes of Section 18 of the Exchange Act, nor shall such information be incorporated by reference into any filing of Mimecast Limited under the Exchange Act or the Securities Act of 1933, as amended, or the Securities Act, except to the extent that we specifically incorporate it by reference in such filing.

Item 6. Selected Financial Data.

Our historical consolidated financial statements are prepared in accordance with accounting principles generally accepted in the United States of America, or GAAP, and presented in U.S. dollars. The selected historical consolidated financial information set forth below has been derived from our historical consolidated financial statements for the years presented. Historical information as of March 31, 2020 and 2019 and for the years ended March 31, 2020, 2019 and 2018 is derived from our audited consolidated financial statements included elsewhere in this Annual Report on Form 10-K. Historical financial information as of March 31, 2018, 2017 and 2016 and for the years ended March 31, 2017 and 2016 is derived from our audited consolidated financial statements not included in this Annual Report on Form 10-K. You should read the information presented below in conjunction with Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” and our consolidated financial statements and the related notes appearing in Item 8, “Financial Statements and Supplementary Data,” of this Annual Report on Form 10-K to fully understand the factors that may affect the comparability of the information presented below.

35


 

The selected consolidated financial data in this section are not intended to replace the consolidated financial statements and are qualified in their entirety by the consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10-K.

 

 

 

Year Ended March 31,

 

 

 

2020

 

 

2019

 

 

2018

 

 

2017

 

 

2016

 

 

 

(in thousands, except per share data)

 

Consolidated Statements of Operations Data:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Revenue (1)

 

$

426,963

 

 

$

340,377

 

 

$

261,897

 

 

$

186,563

 

 

$

141,841

 

Cost of revenue (2)

 

 

109,382

 

 

 

90,874

 

 

 

69,699

 

 

 

50,314

 

 

 

41,809

 

Gross profit

 

 

317,581

 

 

 

249,503

 

 

 

192,198

 

 

 

136,249

 

 

 

100,032

 

Operating expenses

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Research and development (2)

 

 

80,790

 

 

 

57,939

 

 

 

38,373

 

 

 

22,593

 

 

 

17,663

 

Sales and marketing (1) (2)

 

 

169,179

 

 

 

139,194

 

 

 

121,246

 

 

 

96,154

 

 

 

65,187

 

General and administrative (2)

 

 

65,314

 

 

 

53,759

 

 

 

36,989

 

 

 

27,875

 

 

 

19,756

 

Impairment of long-lived assets

 

 

 

 

 

 

 

 

1,712

 

 

 

 

 

 

 

Restructuring

 

 

 

 

 

(170

)

 

 

832

 

 

 

 

 

 

 

Total operating expenses

 

 

315,283

 

 

 

250,722

 

 

 

199,152

 

 

 

146,622

 

 

 

102,606

 

Income (loss) from operations

 

 

2,298

 

 

 

(1,219

)

 

 

(6,954

)

 

 

(10,373

)

 

 

(2,574

)

Other income (expense)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Interest income

 

 

3,446

 

 

 

2,515

 

 

 

1,310

 

 

 

510

 

 

 

74

 

Interest expense

 

 

(4,507

)

 

 

(5,940

)

 

 

(598

)

 

 

(268

)

 

 

(690

)

Foreign exchange (expense) income and other, net

 

 

(1,078

)

 

 

(356

)

 

 

(3,439

)

 

 

6,892

 

 

 

811

 

Total other income (expense), net

 

 

(2,139

)

 

 

(3,781

)

 

 

(2,727

)

 

 

7,134

 

 

 

195

 

Income (loss) before income taxes

 

 

159

 

 

 

(5,000

)

 

 

(9,681

)

 

 

(3,239

)

 

 

(2,379

)

Provision for income taxes

 

 

2,359

 

 

 

2,001

 

 

 

2,705

 

 

 

2,202

 

 

 

865

 

Net loss

 

$

(2,200

)

 

$

(7,001

)

 

$

(12,386

)

 

$

(5,441

)

 

$

(3,244

)

Net loss per ordinary share: (3)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Basic and diluted

 

$

(0.04

)

 

$

(0.12

)

 

$

(0.22

)

 

$

(0.10

)

 

$

(0.08

)

Weighted-average number of ordinary shares outstanding:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Basic and diluted

 

 

62,024

 

 

 

59,960

 

 

 

57,269

 

 

 

54,810

 

 

 

40,826

 

 

 

 

As of March 31,

 

 

 

2020

 

 

2019

 

 

2018

 

 

2017

 

 

2016

 

 

 

(in thousands)

 

Consolidated Balance Sheet Data:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Cash, cash equivalents and investments

 

$

173,958

 

 

$

173,517

 

 

$

137,210

 

 

$

111,666

 

 

$

106,140

 

Property and equipment, net (4) (5)

 

 

85,178

 

 

 

94,202

 

 

 

123,822

 

 

 

32,009

 

 

 

24,806

 

Total assets (1) (5)

 

 

729,834

 

 

 

554,287

 

 

 

358,398

 

 

 

205,352

 

 

 

175,127

 

Debt and finance lease obligations, current and long-term

 

 

94,212

 

 

 

99,081

 

 

 

3,515

 

 

 

2,203

 

 

 

6,891

 

Deferred revenue, current and long-term (1)

 

 

206,967

 

 

 

175,574

 

 

 

141,102

 

 

 

95,348

 

 

 

70,040

 

Total shareholders' equity (1) (5)

 

 

232,055

 

 

 

173,635

 

 

 

101,692

 

 

 

81,992

 

 

 

78,074

 

 

 

 

Year Ended March 31,

 

 

 

2020

 

 

2019

 

 

2018

 

 

2017

 

 

2016

 

 

 

(dollars in thousands)

 

Supplemental Financial and Other Data:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Revenue constant currency growth rate (6)

 

 

28

%

 

 

32

%

 

 

38

%

 

 

39

%

 

 

30

%

Revenue retention rate (7)

 

 

107

%

 

 

111

%

 

 

110

%

 

 

111

%

 

 

109

%

Total customers (8)

 

 

38,100

 

 

 

34,400

 

 

 

30,400

 

 

 

26,400

 

 

 

18,000

 

Adjusted EBITDA (9)

 

$

78,088

 

 

$

54,008

 

 

$

25,752

 

 

$

12,457

 

 

$

15,839

 

 

(1)

As of April 1, 2018, we adopted Accounting Standards Update, or ASU, No. 2014-09, Revenue from Contracts with Customers: Topic 606, or ASC 606, under the modified retrospective transition method and therefore fiscal years prior to 2019 have not been adjusted. See Note 2 of the notes to our consolidated financial statements in the Company’s Annual Report on Form 10-K for the fiscal year ended March 31, 2019 for an explanation of the impact of adoption of ASC 606.

(2)

Share-based compensation expense included in these line items was as follows:

36


 

 

 

 

Year Ended March 31,

 

 

 

2020

 

 

2019

 

 

2018

 

 

2017

 

 

2016

 

 

 

(in thousands)

 

Cost of revenue

 

$

3,445

 

 

$

1,684

 

 

$

1,053

 

 

$

1,353

 

 

$

633

 

Research and development

 

 

10,900

 

 

 

6,199

 

 

 

2,555

 

 

 

1,873

 

 

 

1,711

 

Sales and marketing

 

 

13,141

 

 

 

7,856

 

 

 

4,477

 

 

 

4,719

 

 

 

3,180

 

General and administrative

 

 

12,058

 

 

 

10,215

 

 

 

3,649

 

 

 

2,349

 

 

 

2,362