What changed in CyberArk Software Ltd.'s 2024 10-K compared to 2023?

Across the narrative sections we track, CyberArk Software Ltd. (CYBR) added 747 paragraphs, removed 747, and edited 543 between the 2023 and 2024 10-K filings. The biggest movers are Item 3. Legal Proceedings (+289/−300), Item 4. Mine Safety Disclosures (+182/−141), Item 6. [Reserved] (+125/−163).

Did CyberArk Software Ltd.'s Legal Proceedings (Item 3) change in 2024?

Item 3 shows 289 added/edited paragraphs and 300 removed paragraphs — usually indicating new litigation disclosed or settled cases removed.

Where does this CYBR 10-K diff come from?

The source filings are CyberArk Software Ltd.'s official 2023 and 2024 Form 20-F annual reports from SEC EDGAR. 10q10k.net parses each filing, aligns paragraphs by section (Item 1, 1A, 1C, 2, 3, 7, 7A), and highlights every added, removed and edited sentence side-by-side.

CyberArk Software Ltd.CYBR決算レポート

Nasdaq · 情報技術 · サービス-オフィス用ソフトウェア

CyberArk Software Ltd. is an Israeli publicly traded information security company offering identity management. The company's technology is utilized primarily in the financial services, energy, retail, healthcare and government markets. CyberArk is headquartered in Petach-Tikva. The company also has offices throughout the Americas, EMEA, Asia Pacific and Japan.

What changed in CyberArk Software Ltd.'s 20-F — 2023 vs 2024

Top changes in CyberArk Software Ltd.'s 2024 20-F

747 paragraphs added · 747 removed · 543 edited across 4 sections

Item 3. Legal Proceedings+289 / −300 · 200 edited
Item 4. Mine Safety Disclosures+182 / −141 · 122 edited
Item 6. [Reserved]+125 / −163 · 104 edited
Item 5. Market for Registrant's Common Equity+151 / −143 · 117 edited

Item 3. Legal Proceedings

Legal Proceedings — active lawsuits and investigations

200 edited+89 added−100 removed135 unchanged

2023 filing

2024 filing

Data Protection Act 2018 (UK DPA) and the UK General Data Protection Regulation (together with the UK DPA, the UK GDPR), and, national privacy laws of EU Member States and other laws relating to privacy, data protection, and cloud computing.

Data Protection Act 2018 (UK DPA), the UK General Data Protection Regulation (together with the UK DPA, the UK GDPR), and, national privacy laws of EU Member States and other laws relating to privacy, data protection, and cloud computing.

We depend significantly on our sales force and go-to-market organization to execute our sales and marketing strategies, attract new customers, provide a positive customer experience, deliver a high level of customer service and support and expand sales to existing customers.

We depend significantly on our sales force and go-to-market organization to execute our sales and marketing strategies, attract new customers, provide positive customer experience, deliver a high level of customer service and support and expand sales to existing customers.

In addition, due to our continued investment in the growth of our business, we expect our operating expenses to increase over the next several years as we hire additional personnel, retain existing personnel in a competitive market and continue to enhance our solutions and identity security platform and deliver new services to market.

In the past, following periods of volatility in the market price of a company’s securities, securities class action litigation has often been instituted against that company. If we are involved in any similar litigation, we could incur substantial costs and our management’s attention and resources could be diverted, which could materially adversely affect our business.

In addition, we are unable to ensure that any limitations of liability provisions in our customer contracts with respect to our information security operations or our product liability would be enforceable, adequate, or would otherwise protect us from any liabilities or damages with respect to any particular claim (including in cases where existing customers purchase new solutions based on previously agreed contractual terms).

In addition, we are unable to ensure that any limitations of liability provisions in our customer contracts with respect to our information security operations or our liability would be enforceable, adequate, or would otherwise protect us from any liabilities or damages with respect to any particular claim (including in cases where existing customers purchase new solutions based on previously agreed contractual terms).

Security breaches, bugs, vulnerabilities, gaps, defects or improper configuration of our solutions, cloud accounts or production and development environments (including those embedded in third-party technology, such as SaaS solutions, used in our products or by our customers) could result in loss or alteration of, or unauthorized access to this data and compromise of our networks or our customers’ networks secured by our SaaS solutions.

Security breaches, bugs, vulnerabilities, gaps, defects or improper configuration of our solutions, cloud accounts or production and development environments (including those embedded in third-party technology, such as SaaS solutions, used in our solutions or by our customers) could result in loss or alteration of, or unauthorized access to this data and compromise of our networks or our customers’ networks secured by our SaaS solutions.

Given the nature of complex systems, software, services and operations like ours and certain of our providers, we are unable to ensure that all vulnerabilities and gaps are mitigated at all times or to guarantee that effective mitigating measures will be applied before the foregoing can be exploited by a threat actor.

Given the nature of complex systems, software, services and operations like ours and certain of our providers, we are unable to ensure that all vulnerabilities and gaps are mitigated or fixed at all times or to guarantee that effective mitigating measures will be applied before the foregoing can be exploited by a threat actor.

In addition, due to our ongoing introduction of new solutions and features to meet market demands, our teams may have difficulty selling, supporting, developing and maintaining multiple license models, product environments and code bases which may negatively impact our operations, such as in sales execution, customer experience, or efficiencies of scale.

In addition, due to our ongoing introduction of new solutions and features to meet market demands, our teams may have difficulty selling, supporting, developing and maintaining multiple license models, environments and code bases which may negatively impact our operations, such as in sales execution, customer experience, or efficiencies of scale.

Prolonged economic uncertainties or downturns, globally or in certain regions or industries, could materially adversely affect our business. Our business depends on our current and prospective customers’ ability and willingness to invest money in information security, which in turn is dependent upon their overall economic health and the strength of the broader macroeconomic environment.

Economic uncertainties or downturns, globally or in certain regions or industries, could materially adversely affect our business. Our business depends on our current and prospective customers’ ability and willingness to invest money in information security, which in turn is dependent upon their overall economic health and the strength of the broader macroeconomic environment.

ITEM 3. KEY INFORMATION A. [Reserved] B. Capitalization and Indebtedness Not applicable. C. Reasons for the Offer and Use of Proceeds Not applicable. D. Risk Factors Risks Related to Our Business and Our Industry The information security market is rapidly evolving within the increasingly challenging cyber threat landscape.

ITEM 3. KEY INFORMATION A. [Reserved] B. Capitalization and Indebtedness Not applicable. 2 C. Reasons for the Offer and Use of Proceeds Not applicable. D. Risk Factors Risks Related to Our Business and Our Industry The information security market is rapidly evolving within the increasingly challenging cyber threat landscape.

If any of the services provided by the Cloud Service Providers fail, become unavailable, or experience service degradation due to earthquakes, flooding, fires, heatwaves, power loss, telecommunication failures, natural disasters, extended outages, cyberattacks, or other interruptions or similar events, our ability to operate our platform and deliver our SaaS solutions to customers could be materially negatively impacted, and the quality or perception of the quality, of our products and services could be diminished, which may result in a decrease in revenues, damage to our reputation, contractual liability, including for failure to meet service level agreements, regulatory actions and interruption of our ability to manage our finances and our processes for managing sales of our offerings.

If any of the services provided by the Cloud Service Providers fail, become unavailable, or experience service degradation due to earthquakes, flooding, fires, heatwaves, power loss, telecommunication failures, natural disasters and other catastrophic events, extended outages, cyberattacks, or other interruptions or similar events, our ability to operate our platform and deliver our SaaS solutions to customers could be materially negatively impacted, and the quality or perception of the quality of our solutions could be diminished, which may result in a decrease in revenues, damage to our reputation, contractual liability, including for failure to meet service level agreements, regulatory actions and interruption of our ability to manage our finances and our processes for managing sales of our offerings.

Failure to do so may result in decreased market share, reduced revenue, and hindered business growth. In 2024, we began transitioning our go-to-market strategy from traditional, siloed, product-specific licensing to a solutions-based framework to provide our customers with a unified user experience.

Failure to do so may result in decreased market share, reduced revenue, and hindered business growth. In 2024, we began transitioning our go-to-market strategy from a traditional, siloed, product-specific licensing approach to a solutions-based framework to provide our customers with a unified user experience.

Security products, solutions and services such as ours are complex in development, design and deployment and are subject to errors, bugs, gaps, design failures, misconfigurations or security vulnerabilities, some of which are potentially incapable of being remediated or detected until after their deployment, if at all.

Security solutions and services such as ours are complex in development, design and deployment and are subject to errors, bugs, gaps, design failures, misconfigurations or security vulnerabilities, some of which are potentially incapable of being remediated or detected until after their deployment, if at all.

As a result, we may not be able to obtain adequate protection or to effectively enforce our issued patents or other intellectual property rights. In addition to patents, we rely on trade secret rights, copyrights and other rights to protect our unpatented proprietary intellectual property and technology.

As a result, we may not be able to obtain adequate protection or to effectively enforce our issued patents or other intellectual property rights. 19 In addition to patents, we rely on trade secret rights, copyrights and other rights to protect our unpatented proprietary intellectual property and technology.

If we are unable to adapt our solutions to changing government regulations and industry standards in a timely manner, or if our solutions fail to expedite our customers’ compliance initiatives, our customers may lose confidence in our products and could switch to products offered by our competitors.

If we are unable to adapt our solutions to changing government regulations and industry standards in a timely manner, or if our solutions fail to expedite our customers’ compliance initiatives, our customers may lose confidence in our solutions and could switch to solutions offered by our competitors.

Such claims also could require us to cease making, licensing, or using solutions that are alleged to infringe or misappropriate the intellectual property of others, to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology, to enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights, and to indemnify our customers and channel partners (and parties associated with them).

Such claims also could require us to cease making, licensing, or using solutions that are alleged to infringe or misappropriate the intellectual property of others, to expend additional development resources to attempt to redesign our solutions or otherwise to develop non-infringing technology, to enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual property rights, and to indemnify our customers and channel partners (and parties associated with them).

Furthermore, organizations continuously evaluate their security priorities and investments and may allocate their information security budgets to other solutions and strategies, including solutions offered by our competitors, and may not adopt or expand use of our solutions.

Our collaborative efforts with our technology partners could also change if they develop and market competitive solutions, thus intensifying the competitive landscape, while adversely affecting our partnership efforts and their resale and marketing of our products.

A meaningful portion of our quarterly bookings is typically generated through transactions of significant size. In addition, purchases of our solutions and services often occur at the end of each quarter.

A meaningful portion of our quarterly bookings is typically generated through transactions of significant size. In addition, purchases and renewals of our solutions and services often occur at the end of each quarter.

We may also be contractually required to notify customers or other counterparties of a security incident, including a data security breach. 9 Compliance with privacy and data protection laws and contractual obligations may require changes in services, business practices, or internal systems resulting in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing with firms that are not subject to these laws and regulations.

We may also be contractually required to notify customers or other counterparties of a security incident, including a data security breach. 10 Compliance with privacy and data protection laws and contractual obligations may require changes in services, business practices, or internal systems resulting in increased costs, lower revenue, reduced efficiency, or greater difficulty in competing with firms that are not subject to these laws and regulations.

Accordingly, we may also compete for budget priority, to a certain extent, with other cybersecurity solutions offered by Microsoft, Palo Alto Networks, and CrowdStrike Holdings.

Accordingly, we may also compete for budget priority, to a certain extent, with other cybersecurity solutions offered by Microsoft, Palo Alto Networks, and CrowdStrike.

Some open-source software licenses require, among other things, that users who distribute or make available as a service, open-source software with their own software products, add appropriate copyright notices and disclaimers, publicly disclose all or part of the source code of the users’ developed software or make available any derivative works of the open-source code under open-source license terms or at no cost.

Some open-source software licenses require, among other things, that users who distribute or make available as a service, open-source software with their own software solutions, add appropriate copyright notices and disclaimers, publicly disclose all or part of the source code of the users’ developed software or make available any derivative works of the open-source code under open-source license terms or at no cost.

The mix of our SaaS and self-hosted subscriptions, the mix of subscription and perpetual bookings and the duration of self-hosted subscriptions in any given quarter may be difficult to predict and may cause trends in revenue recognition to lag those in sales, potentially causing us to fall short of investor expectations for revenue and profitability metrics, even while meeting or exceeding periodic sales targets.

The mix of our SaaS and self-hosted subscriptions, the mix of subscription and perpetual bookings and the duration of self-hosted subscriptions in any given quarter may be difficult to predict and may cause trends in revenue recognition to lag those in bookings, potentially causing us to fall short of investor expectations for revenue and profitability metrics, even while meeting or exceeding periodic booking targets.

Successful claims of infringement or misappropriation by a third party against us or a third party that we indemnify, could prevent us from distributing certain products or performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees.

Successful claims of infringement or misappropriation by a third party against us or a third party that we indemnify, could prevent us from distributing certain solutions or performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees.

In accordance with the provisions of the Companies Law, approval of our directors’ and officers’ insurance is limited to the terms of our duly approved compensation policy, unless otherwise approved by our shareholders. 28 Provisions of Israeli law and our articles of association may delay, prevent, or otherwise impede a merger with or an acquisition of us, even when the terms of such a transaction are favorable to us and our shareholders.

In accordance with the provisions of the Companies Law, approval of our directors’ and officers’ insurance is limited to the terms of our duly approved compensation policy, unless otherwise approved by our shareholders. 25 Provisions of Israeli law and our articles of association may delay, prevent, or otherwise impede a merger with or an acquisition of us, even when the terms of such a transaction are favorable to us and our shareholders.

If we do not meet the conditions stipulated in the Investment Law and the regulations promulgated thereunder, as amended, for the Preferred Enterprise, any of the associated tax benefits may be canceled, and we would be required to repay the amount of such benefits, in whole or in part, including interest and CPI linkage (or other monetary penalties).

If we do not meet the conditions stipulated in the Investment Law and the regulations promulgated thereunder, as amended, for the Preferred Enterprise, any of the associated tax benefits may be cancelled, and we would be required to repay the amount of such benefits, in whole or in part, including interest and CPI linkage (or other monetary penalties).

If our products are late in achieving or failing to achieve or maintain compliance with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our products to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and financial condition.

If our solutions are late in achieving or failing to achieve or maintain compliance with these certifications and standards, or our competitors achieve compliance with these certifications and standards, we may be disqualified from selling our solutions to such customers, or may otherwise be at a competitive disadvantage, either of which would harm our business, results of operations, and financial condition.

Our policy is to require our employees (and our consultants and service providers that develop intellectual property included in our products) to execute written agreements in which they assign to us their rights, if such exist, in potential inventions and other intellectual property created within the scope of their employment (or, with respect to consultants and service providers, their engagement to develop such intellectual property.

Our policy is to require our employees (and our consultants and service providers that develop intellectual property included in our solutions) to execute written agreements in which they assign to us their rights, if such exist, in potential inventions and other intellectual property created within the scope of their employment (or, with respect to consultants and service providers, their engagement to develop such intellectual property.

In addition, any acquired technology or product may not comply with legal or regulatory requirements and may expose us to regulatory risk and require us to make additional investments to make them compliant. Further, we may not be able to provide the same support service levels to the acquired technology or product that we generally offer with our other products.

Accordingly, if there were technical problems with open-source software that we used in our products, or if such open-source software infringed third-party intellectual property rights, we could have a warranty obligation or infringement indemnity obligation to our customer without a corresponding warranty or indemnification obligation from the owner of the open-source software.

Accordingly, if there were technical problems with open-source software that we used in our solutions, or if such open-source software infringed third-party intellectual property rights, we could have a warranty obligation or infringement indemnity obligation to our customer without a corresponding warranty or indemnification obligation from the owner of the open-source software.

If a U.S. person is treated as owning (directly, indirectly or constructively) at least 10% of the value or voting power of our ordinary shares, such person may be treated as a “U.S. shareholder” with respect to each controlled foreign corporation (“CFC”), in our group (if any).

As we increase our developers’ workforce globally to meet our business goals, including by engaging external developers or through mergers and acquisitions, the risk of errors, misconfigurations, vulnerabilities or intentional misconduct, may be heightened due to governance difficulties and limited centralized oversight.

As we increase our developers’ workforce globally to meet our business goals, including by engaging external developers or through mergers and acquisitions, or partnerships and collaborations, the risk of errors, misconfigurations, vulnerabilities or intentional misconduct, may be heightened due to governance difficulties and limited centralized oversight.

We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations. Our functional and reporting currency is the U.S. dollar. In 2023, most of our revenues were denominated in U.S. dollars and the remainder was primarily in Euros and British pounds.

We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations. Our functional and reporting currency is the U.S. dollar. In 2024, most of our revenues were denominated in U.S. dollars and the remainder was primarily in Euros and British pounds.

If we are unable to protect our intellectual property, we may find ourselves at a competitive disadvantage to others who do not incur the additional expense, time and effort to create the innovative products nevertheless benefiting from such innovation due to misappropriation.

If we are unable to protect our intellectual property, we may find ourselves at a competitive disadvantage to others who do not incur the additional expense, time and effort to create the innovative solutions nevertheless benefiting from such innovation due to misappropriation.

In addition, there is growing pressure in many jurisdictions and from multinational organizations such as the Organization for Economic Cooperation and Development (“OECD”) and the EU to amend existing international taxation rules in order to align the tax regimes with current global business practices.

In addition, there is growing pressure in many jurisdictions and from multinational organizations such as the Organization for Economic Cooperation and Development (OECD) and the EU to amend existing international taxation rules in order to align the tax regimes with current global business practices.

For example, we face the risk of malicious third parties injecting malicious code into our products’ source code, disrupting our research and development pipelines and production environments and/or using our solutions and network as a point-of-entry to infiltrate our customers’ IT systems.

For example, we face the risk of malicious third parties injecting malicious code into our solutions’ source code, disrupting our research and development pipelines and production environments and/or using our solutions and network as a point-of-entry to infiltrate our customers’ IT systems.

In addition, the laws of some foreign countries where we sell our products do not protect intellectual property rights and technology to the same extent as the laws of the United States, and these countries may not enforce these laws as diligently as government agencies and private parties in the United States.

In addition, the laws of some foreign countries where we sell our solutions do not protect intellectual property rights and technology to the same extent as the laws of the United States, and these countries may not enforce these laws as diligently as government agencies and private parties in the United States.

Several of our solutions are made available to our customers as SaaS and involve our use of third-party cloud and SaaS infrastructure and related services. Providing SaaS solutions involves storage and transmission of customers’ proprietary information, including personal data, related to their assets, employees and users.

Many of our solutions are made available to our customers as SaaS and involve our use of third-party cloud and SaaS infrastructure and related services. Providing SaaS solutions involves storage and transmission of customers’ proprietary information, including personal data, related to their assets, employees and users.

The application of these laws and regulations to our business is often unclear, subject to interpretation and may, at times, conflict. Compliance with these laws and regulations may involve significant costs or require changes in our business practices or products, resulting in reduced revenue and profitability.

The application of these laws and regulations to our business is often unclear, subject to interpretation and may, at times, conflict. Compliance with these laws and regulations may involve significant costs or require changes in our business practices or solutions, resulting in reduced revenue and profitability.

Specifically, in October 2015, the OECD published its final package of measures for reform of the international tax rules as a product of its Base Erosion and Profit Shifting (“BEPS”) initiative, which was endorsed by the G20 finance ministers.

Specifically, in October 2015, the OECD published its final package of measures for reform of the international tax rules as a product of its Base Erosion and Profit Shifting (BEPS) initiative, which was endorsed by the G20 finance ministers.

Our reliance on channel partners could also subject us to lawsuits or reputational harm if, for example, a channel partner misrepresents the functionality of our solutions to customers, fails to appropriately implement our solutions, or violates applicable laws, and, in addition, this may result in termination of such partner’s agreement and potentially curb future revenues associated with this channel partner.

The potential for robust regulation around AI systems may necessitate substantial resources for the design, development, testing, and maintenance of our platform and products, including appropriate protections and safeguards for handling the use of customer data with such technologies.

The potential for robust regulation around AI systems may necessitate substantial resources for the design, development, testing, and maintenance of our platform and solutions, including appropriate protections and safeguards for handling the use of customer data with such technologies.

In addition, we are not required under the Exchange Act to file annual, quarterly, and current reports and financial statements with the SEC, as frequently or as promptly as domestic companies whose securities are registered under the Exchange Act. We are also exempt from the provisions of Regulation FD, which prohibits issuers from making selective disclosure of material nonpublic information.

Additionally, while we intend to continue incorporating AI and generative AI capabilities into our products, if we fail to differentiate ourselves from, or otherwise successfully compete against, other information security vendors that have incorporated AI technology into their products and services, or if we fail to continue to release AI capabilities that our customers find useful, our business, operating results, and financial condition may be harmed.

Additionally, while we intend to continue incorporating AI and generative AI capabilities into our solutions, if we fail to differentiate ourselves from, or otherwise successfully compete against, other information security vendors that have incorporated AI technology into their solutions, or if we fail to continue to release AI capabilities that our customers find useful, our business, operating results, and financial condition may be harmed.

The tax benefits that are available to us require us to continue to meet various conditions and may be terminated or reduced in the future, which could increase our costs and taxes. We were granted an Approved Enterprise status under the Israeli Law for the Encouragement of Capital Investments, 5719-1959 (the “Investment Law”).

Since the CCPA went into effect, comprehensive privacy statutes that share similarities with the CCPA are now in effect and enforceable in Virginia, Colorado, Connecticut, and Utah, and similar laws will soon be enforceable in other states.

Since the CCPA and related legislation went into effect, comprehensive privacy statutes that share similarities with the CCPA are now in effect and enforceable in Virginia, Colorado, Connecticut, and Utah, and similar laws will soon be enforceable in other states.

If our group includes one or more U.S. subsidiaries (as has been the case for 2023), certain of our non-U.S. subsidiaries will be treated as CFCs regardless of whether we are treated as a CFC.

If our group includes one or more U.S. subsidiaries (as has been the case for 2024), certain of our non-U.S. subsidiaries will be treated as CFCs regardless of whether we are treated as a CFC.

We offer our customers multiple software and delivery models, including SaaS, self-hosted subscriptions, and perpetual licenses, whose revenues are recognized differently based on the composition of the selected offering. In 2023, the majority of our annualized software sales were subscriptions or recurring revenue and only a declining, single digit, percentage of our annualized bookings were from perpetual licenses.

We offer our customers multiple software and delivery models, including SaaS, self-hosted subscriptions, and perpetual licenses, whose revenues are recognized differently based on the composition of the selected offering. In 2024, the majority of our annualized software bookings were subscriptions or recurring revenue, and only a declining, single-digit, percentage of our annualized bookings were from perpetual licenses.

If customers trend towards consolidating with a vendor or vendors providing multiple cybersecurity capabilities and we fail to successfully execute our development and sales strategy of delivering our products and services on a solutions-based framework that can compete effectively against such cybersecurity vendors, this may place us at a competitive disadvantage.

If customers trend towards consolidating with a vendor or vendors providing multiple cybersecurity capabilities and we fail to successfully execute our development and sales strategy of delivering our solutions on a framework that can compete effectively against such cybersecurity vendors, this may place us at a competitive disadvantage.

Being a prominent Israeli security company that provides solutions centered on privileged access security and identity management to leading global enterprises, we are and will remain an attractive target for cyber attackers and malicious actors, including insiders, as well as cyber terrorists, sophisticated criminal groups or nation-state affiliated actors.

Being a prominent Israeli security company that provides identity security solutions centered on privileged controls to leading global enterprises, we are and will remain an attractive target for cyber attackers and malicious actors, including insiders, as well as cyber terrorists, sophisticated criminal groups or nation-state affiliated actors.

Based on our market capitalization and the nature of our income, assets and business, we believe that we should not be classified as a PFIC for the taxable year that ended December 31, 2023.

Based on our market capitalization and the nature of our income, assets and business, we believe that we should not be classified as a PFIC for the taxable year that ended December 31, 2024.

We could be found to not be in compliance with obligations or suffer from adverse interpretations of such legal requirements either as directly relating to our business or in the context of legal developments impacting our customers or other businesses, which could impact our ability to offer our products or services, impact operating results, or reduce demand for our products or services.

We could be found to not be in compliance with obligations or suffer from adverse interpretations of such legal requirements either as directly relating to our business or in the context of legal developments impacting our customers or other businesses, which could impact our ability to offer our solutions, impact operating results, or reduce demand for our solutions.

Defending against claims of infringement, regardless of their validity, or being deemed to be infringing the intellectual property rights of others could be very expensive and time-consuming to defend, harm our reputation, and impair our ability to innovate, develop, distribute, and sell our current and planned products and services.

Unauthorized parties, including our employees, consultants, service providers or customers, may attempt to copy aspects of our products or obtain and use our trade secrets or other confidential information.

Unauthorized parties, including our employees, consultants, service providers or customers, may attempt to copy aspects of our solutions or obtain and use our trade secrets or other confidential information.

Security solutions such as ours, which aim to disrupt cyberattacks by insiders and external perpetrators that have penetrated an organization’s IT environment, represent a security layer designed to respond to advanced threats and meet certain compliance standards and audit requirements.

Security solutions such as ours, which aim to disrupt and prevent cyberattacks by insiders and external perpetrators that have penetrated an organization’s information technology (IT) environment, represent a security layer designed to respond to advanced threats and meet certain compliance standards and audit requirements.

Further, some of our products and services include other software or intellectual property licensed from third parties, and we also use software and other intellectual property licensed from third parties for our own business operations. This exposes us to risks over which we may have little or no control.

Further, some of our solutions include other software or intellectual property licensed from third parties, and we also use software and other intellectual property licensed from third parties for our own business operations. This exposes us to risks over which we may have little or no control.

We cannot be certain we will achieve the required renewal rates, increase sales from existing and new customers nor generate or collect based on the contract terms for the sales, which will improve our cash flow from operating activities.

Additionally, our solutions have limitations in functionality and scope and cannot guarantee protection against any and all threats, specifically those outside the product’s boundary.

Additionally, our solutions have limitations in functionality and scope and cannot guarantee protection against any and all threats, specifically those outside the solution’s boundary.

In 2023, most of our cost of revenues and operating expenses were denominated in U.S. dollars and New Israeli Shekels (NIS) and the remainder primarily in Euros and British pounds. Our foreign currency-denominated expenses consist primarily of personnel, facilities, consulting and travel costs.

In 2024, most of our cost of revenues and operating expenses were denominated in U.S. dollars and New Israeli Shekels (NIS) and the remainder primarily in Euros and British pounds. Our foreign currency-denominated expenses consist primarily of personnel, facilities and travel costs.

Governments and other customers may require our products to comply with certain privacy, security or other certifications and standards with respect to those solutions utilized by them as a control demonstrating compliance with government regulations and industry standards. We have maintained a SOC 2 accreditation for multiple products since 2019.

Governments and other customers may require our solutions to comply with certain privacy, security or other certifications and standards with respect to those solutions utilized by them as a control demonstrating compliance with government regulations and industry standards. We have maintained SOC 2 and SOC 3 accreditation for multiple solutions since 2019 and 2022, respectively.

We generate a substantial portion of our revenues from our products and services that enable our customers to achieve and maintain compliance with certain government regulations and industry standards, and we expect that to continue for the foreseeable future.

We generate a substantial portion of our revenues from our solutions that enable our customers to achieve and maintain compliance with certain government regulations and industry standards, and we expect that to continue for the foreseeable future.

If our products or services are found insufficient to meet these standards in the context of an investigation into us or our customers, or we are unable to engineer products that meet these standards, we could experience reduced demand for our products or services.

If our solutions are found insufficient to meet these standards in the context of an investigation into us or our customers, or we are unable to engineer solutions that meet these standards, we could experience reduced demand for our solutions.

Uncertain economic conditions in the global economy or certain regions, including conditions resulting from financial and credit market fluctuations (including rising interest rates), exchange rate fluctuations, or inflation, and the potential for regional or global recessions, could cause a decrease in corporate spending on cybersecurity software.

Uncertain economic conditions in the global economy or certain regions, including conditions resulting from financial and credit market fluctuations (including rising interest rates), exchange rate fluctuations, tariffs or other trade restrictions or inflation, and the potential for regional or global recessions, could cause a decrease in corporate spending on cybersecurity software.

There is no guarantee that we will identify all vulnerabilities and gaps in our products or that our products will be free of flaws or vulnerabilities, and we may not correct all known vulnerabilities, gaps, or errors promptly, fully, or at all. 5 Further, our solutions serve as mission-critical applications in our customers’ operational environments, allowing them to manage access and privileges in their systems and networks.

There is no guarantee that we will identify all vulnerabilities and gaps in our solutions or that our solutions will be free of flaws or vulnerabilities, and we may not correct all known vulnerabilities, gaps, or errors promptly, fully, or at all. 4 Further, our solutions serve as mission-critical applications in our customers’ operational environments, allowing them to manage access, privileges and digital certificates in their systems and networks.

As a company that focuses on identity security with a foundation in Privilege Access Management, our customers may rely on our products and services as part of their own efforts to comply with security control obligations under GDPR, CCPA, HIPAA and other laws and contractual commitments.

As a company that focuses on identity security with a foundation in Privilege Access Management, our customers may rely on our solutions as part of their own efforts to comply with security control obligations under GDPR, CCPA, HIPAA, DORA and other laws and contractual commitments.

The confidentiality, integrity and availability of our IT network systems and of our third-party providers, and the perception thereof, is critical to our ability to deliver products and services to customers as well as to run internal operations.

The confidentiality, integrity and availability of our IT network systems and of our third-party providers, and the perception thereof, is critical to our ability to deliver solutions to customers as well as to run internal operations.

There is limited case law available to assist us in understanding the nature of this duty or the implications of these provisions. These provisions may be interpreted to impose additional obligations and liabilities on holders of our ordinary shares that are not typically imposed on shareholders of U.S. corporations. See “Item 6.C.

We attempt to protect our intellectual property under patent, copyright, trademark and trade secret laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection. As of December 31, 2023, we had 147 issued patents in the United States and 48 pending U.S. patent applications.

We attempt to protect our intellectual property under patent, copyright, trademark and trade secret laws, and through a combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection. As of December 31, 2024, we had 189 issued patents in the United States and 46 pending U.S. patent applications.

We have no assurance that any open-source software that we use in our products and may patch will be free from vulnerabilities or malicious code.

We have no assurance that any open-source software that we use in our solutions and any patch will be free from vulnerabilities or malicious code.

The loss of any of our current product certificates, or the failure to obtain new ones, could result in the imposition of various penalties, reputational harm, loss of existing customers, or could deter new and existing customers from purchasing our solutions, additional products or our services, any of which could adversely affect our business, operating results or financial condition.

The loss or suspension of any of our current certificates, or the failure to obtain new ones, could result in the imposition of various penalties, reputational harm, loss of existing customers, or could deter new and existing customers from purchasing our solutions, any of which could adversely affect our business, operating results or financial condition.

We and our third-party providers are also vulnerable to information technology system failures or network disruptions caused by a variety of factors, including pandemics, natural disasters (such as increased frequency and severity of storms, earthquakes, flooding, fires, heatwaves or drought), accidents, power disruptions, telecommunications failures, acts of terrorism, wars (including the conflicts between Israel and Hamas and Ukraine and Russia), computer viruses and malware (such as ransomware), or other events or disruptions.

We and our third-party providers are also vulnerable to information technology system failures, service outages or network disruptions caused by a variety of factors, including pandemics, natural disasters and other catastrophic events (such as increased frequency and severity of storms, earthquakes, flooding, fires, heatwaves or drought), accidents, power disruptions, telecommunications failures, acts of terrorism, wars (including the conflicts between Israel and Hamas and Ukraine and Russia), computer viruses and malware (such as ransomware), outages caused by technical failures or errors in system maintenance or upgrades, or other events or disruptions.

Further, our failure to provide our customers and channel partners with adequate services or accurate product documentation and training related to the use, implementation and maintenance of our solutions, could lead to claims against us.

Further, our failure to provide our customers, channel partners and advisory firms with adequate services or accurate solution documentation and training related to the use, implementation and maintenance of our solutions, could lead to claims against us.

The affected solutions may not fulfill their primary security functions, falsely identify threats or create new security threats, and be vulnerable to security attacks.

The affected solutions may not fulfill some of their security functions, falsely identify threats or create new security threats, and be vulnerable to security attacks.

We expect to file additional patent applications in the future. 19 The process of obtaining patent protection is expensive and time-consuming, and we may not be able to complete all necessary or desirable patent applications at a reasonable cost or in a timely manner all the way to the successful issuance of a patent.

The process of obtaining patent protection is expensive and time-consuming, and we may not be able to complete all necessary or desirable patent applications at a reasonable cost or in a timely manner all the way to the successful issuance of a patent.

An actual or perceived failure, disruption, or breach of our network, our operations or privileged account security in our systems could adversely affect the market perception of our products and services, or of our expertise in this field.

From time to time, industry analysts may review our products and services either independently or against other cybersecurity solutions offered by our competitors.

From time to time, industry analysts may review our solutions either independently or against other cybersecurity solutions offered by our competitors.

For example, the ongoing conflicts between Israel and Hamas, as well as other hostile countries, such as Iran, and Ukraine and Russia may result, and in certain cases have resulted, in a heightened threat environment and create unknown cyber risks, including increased risk of actors against Israeli companies, institutions and governmental bodies, or the proliferation of nation-state capabilities to non-state attack groups (see “—Conditions in Israel, including the ongoing war between Israel and Hamas and other conflicts in the region, as well as political and economic instability, may adversely impact our business operations.”) As many companies continue to provide workers with the ability to operate remotely or in a hybrid environment the attack surface possibilities for cyberattacks against us, our customers, and third-party providers increases due the challenges associated with managing remote computing assets and security vulnerabilities inherent in many non-corporate and home networks.

For example, the conflicts between Israel and Hamas, as well as other hostile countries, such as Iran, and Ukraine and Russia may result, and in certain cases have resulted, in a heightened threat environment and create unknown cyber risks, including increased risk of actors against Israeli companies, institutions and governmental bodies, or the proliferation of nation-state capabilities to non-state attack groups. 6 As many companies continue to provide workers with the ability to operate remotely or in a hybrid environment the attack surface possibilities for cyberattacks against us, our customers, and third-party providers increases due to the challenges associated with managing remote computing assets and security vulnerabilities inherent in many non-corporate and home networks.

Provisions in our agreements and documentation that attempt to limit our liability towards our customers, channel partners, and relevant third parties may not withstand legal challenges, and certain liabilities may not be limited or capped.

The dynamic regulatory environment around privacy, data protection, and AI may limit our offering or require modification of our products and services, which could limit our ability to attract new customers and support our current customers and increase our operational expenses.

The dynamic regulatory environment around privacy, data protection, and AI may limit our offerings or require modification of our solutions, which could limit our ability to attract new customers and support our current customers and increase our operational expenses.

Since the portion of our expenses generated in NIS and British pounds is greater than our revenues in NIS and British pounds, respectively, any appreciation of the NIS or the British pounds relative to the U.S. dollar could adversely impact our operating loss.

Since the portion of our expenses denominated in NIS and British pounds is greater than our revenues in NIS and British pounds, respectively, any appreciation of the NIS or the British pound relative to the U.S. dollar could adversely impact our operating results.

… 309 more changes not shown on this page.

Item 4. Mine Safety Disclosures

Mine Safety Disclosures — required of mining issuers

122 edited+60 added−19 removed55 unchanged

2023 filing

2024 filing

Secure Browser The CyberArk Secure Browser is a hardened and purpose-built technology that further extends the CyberArk Identity Security Platform to the web browser. It provides enhanced security, privacy and productivity across the enterprise, while delivering a familiar and customized user experience.

The CyberArk Secure Browser is a hardened and purpose-built technology that further extends the CyberArk Identity Security Platform to the web browser. It provides enhanced security, privacy and productivity across the enterprise, while delivering a familiar and customized user experience.

The principal competitive factors in our market include: o the breadth and completeness of a security solution; o reliability and effectiveness in protecting, detecting and responding to cyberattacks; o analytics and accountability at an individual user level; o the ability of customers to achieve and maintain compliance with compliance standards and audit requirements; o strength of sale and marketing efforts, including advisory firms and channel partner relationships; o global reach and customer base; o scalability and ease of integration with an organization’s existing IT infrastructure and security investments; o brand awareness and reputation; o innovation, including AI and generative AI capabilities, and thought leadership; o quality of customer support and professional services; o the speed at which a solution can be deployed and implemented; and o the price of a solution, including bundled or free offerings, and cost of maintenance and professional services.

The principal competitive factors in our market include: • the breadth and completeness of a security solution; • reliability and effectiveness in protecting, detecting and responding to cyberattacks; • analytics and accountability at an individual user level; • the ability of customers to achieve and maintain compliance with compliance standards and audit requirements; • strength of sale and marketing efforts, including advisory firms and channel partner relationships; • global reach and customer base; • scalability and ease of integration with an organization’s existing IT infrastructure and security investments; • brand awareness and reputation; • innovation, including AI and generative AI capabilities, and thought leadership; • quality of customer support and professional services; • the speed at which a solution can be deployed and implemented; and • the price of a solution, including bundled or free offerings, and cost of maintenance and professional services.

Risk Factors— Real or perceived security vulnerabilities and gaps in our solutions or services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions, may result in significant reputational, financial, and legal adverse impact” and “—If our IT network systems, or those of our third-party providers, are compromised by cyberattacks or other security incidents, or by a critical system disruption or failure, then our reputation, financial condition and operating results could be materially adversely affected.” By staying informed on the latest cybersecurity threats and trends, we continuously focus on implementing and maintaining technologies and solutions to assist in the prevention of potential cyberattacks, as well as protective measures and contingency plans in the event of an actual attack.

Risk Factors— Real or perceived security vulnerabilities and gaps in our solutions or services or the failure of our customers or third parties to correctly implement, manage and maintain our solutions, may result in significant reputational, financial, and legal adverse impact” and “—If our IT network systems, or those of our third-party providers, are compromised by cyberattacks or other security incidents, or by a critical system disruption or failure, then our reputation, financial condition and operating results could be materially adversely affected.” 42 By staying informed on the latest cybersecurity threats and trends, we continuously focus on implementing and maintaining technologies and solutions to assist in the prevention of potential cyberattacks, as well as protective measures and contingency plans in the event of an actual attack.

Developers The CyberArk Identity Security Platform provides extensive controls to secure native access to every layer of a cloud environment – from Cloud Native services to dynamic workloads running on the cloud, to lift-and-shift workloads and SaaS applications. The solution helps organizations to better control and secure multi-cloud environments, using elevating just-in-time access with Zero Standing Privileges.

Developers The CyberArk Identity Security Platform provides extensive controls to secure native access to every layer of a cloud environment – from Cloud Native services to dynamic workloads running on the cloud, to lift-and-shift workloads and SaaS applications. The solution helps organizations to better control and secure multi-cloud environments, elevating just-in-time access with Zero Standing Privileges.

With the CyberArk Identity Application Gateway service, customers can enable secure remote access and expand SSO benefits to on-premises web apps — like SharePoint and SAP — without the complexity of installing and maintaining VPNs. o Identity Lifecycle Management. This module enables CyberArk Identity customers to automate the joiner, mover, and leaver processes within the organization.

With the CyberArk Identity Application Gateway service, customers can enable secure remote access and expand SSO benefits to on-premises web apps, like SharePoint and SAP, without the complexity of installing and maintaining VPNs. • Identity Lifecycle Management. This module enables CyberArk Identity customers to automate the joiner, mover, and leaver processes within the organization.

For cloud-native applications built using DevOps methodologies, Conjur Enterprise and Conjur Cloud provide a secrets management solution tailored specifically to the unique requirements of these environments delivered either on-premises or in the cloud. We also provide an open-source version to better meet the needs of the developer community. o Secrets Hub.

For organizations looking to combine secure access for developers, cloud teams and the secrets that they use, our developer solution can be combined with our machine solutions to secure access to all layers of the cloud environment and provide a centralized secrets management capability to ensure developers can continue to move at the speed of the business while remaining secure.

For organizations looking to combine secure access for developers, cloud teams and the secrets that they use, our developer solution can be combined with our machine solutions to secure access to the layers of the cloud environment and provide a centralized secrets management capability to ensure developers can continue to move at the speed of the business while remaining secure.

CyberArk Workforce Password Management is an enterprise-focused password manager providing a user-friendly solution to store data from business applications -like website URLs, usernames, passwords and notes – in a centralized vault and securely share it with other users in the organization. o Application Gateway .

CyberArk Workforce Password Management is an enterprise-focused password manager providing a user-friendly solution to store data from business applications -like website URLs, usernames, passwords and notes, in a centralized vault and securely share it with other users in the organization. • Application Gateway .

Professional Services Our products are designed to allow for online trials, or to allow customers to download, install and deploy them on their own or with training and professional assistance. Our solutions are highly configurable, and many customers will select either one of our many trained channel partners or our CyberArk Security Services team to provide expert professional services.

Professional Services Our solutions are designed to allow for online trials, or to allow customers to download, install and deploy them on their own or with training and professional assistance. Our solutions are highly configurable, and many customers will select either one of our many trained channel partners or our CyberArk Security Services team to provide expert professional services.

In the Identity and Access Management (IAM) market, the silos of Access Management (AM), Privileged Access Management (PAM) and Identity Governance and Administration (IGA) overlap and thus there may be inefficiencies if they are provided by separate vendors, or from vendors who bundle discreet solutions without the benefit of a unified platform.

In the Identity and Access Management (IAM) market, the silos of Access Management (AM), PAM and Identity Governance and Administration (IGA) overlap and thus there may be inefficiencies if they are provided by separate vendors, or from vendors who bundle discreet solutions without the benefit of a unified platform.

We believe an Identity Security Platform must do far more than manage one group of identities; it must provide solutions to secure all identities, across all environments. Our goal is to reinvent and modernize capabilities across the established silos while inventing new ways to secure modern identities.

We believe an Identity Security Platform must do far more than manage one group of identities; it must provide solutions to secure and govern all identities, across all environments. Our goal is to reinvent and modernize capabilities across the established silos while inventing new ways to secure modern identities.

Our new secured identity framework and solutions are expected to help our GTM teams to take full advantage of the market opportunity while delivering value-based solutions for customers. In order to facilitate this new framework, we have identified and designed eight solutions taken from our platform capabilities.

Our research and development efforts are focused primarily on improving and continuing to enhance existing products and services, as well as developing new solutions, services, products, features and functionality to meet market needs. We believe the timely development of new products and capabilities is essential to maintaining our competitive position.

Our research and development efforts are focused primarily on improving and continuing to enhance existing solutions, as well as developing new solutions, services, features and functionality to meet market needs. We believe the timely development of new solutions and capabilities is essential to maintaining our competitive position.

The solution uses a browser extension on an end-user’s endpoint to monitor and segregate web apps that are accessed through SSO and deemed sensitive by business application owners, enterprise IT and security administrators. o Workforce Password Management.

Customers benefit from being able to prioritize quick wins, progressively address advanced Identity Security use cases, and align security controls to digital transformation efforts across hybrid environments. 40 Research and Development Continued investment in research and development is critical to our business.

Customers benefit from being able to prioritize quick wins, progressively address advanced Identity Security use cases, and align security controls to digital transformation efforts across hybrid environments. Research and Development Continued investment in research and development is critical to our business.

The majority of our newly released products are delivered as SaaS, but we continue to invest in both our self-hosted and SaaS solutions, in which we regularly incorporate new features and enhancements to existing features.

The majority of our newly released solutions are delivered as SaaS, but we continue to invest in both our self-hosted and SaaS solutions, in which we regularly incorporate new features and enhancements to existing features.

This automation is critical to ensure that privileges don’t accumulate, and a user’s access is turned off as soon as the individual changes roles or leaves the organization. o Directory Services. Allows customers to use identity where they control it. In other words, we do not force our customers to synchronize their on-premises Active Directory implementation with our cloud.

This automation is critical to ensure that privileges do not accumulate, and a user’s access is turned off as soon as the individual changes roles or leaves the organization. • Directory Services. Allows customers to use identity where they control it. In other words, we do not force our customers to synchronize their on-premises Active Directory implementation with our cloud.

Accordingly, we may also compete for budget priority, to a certain extent, with other cybersecurity solutions offered by Microsoft, Palo Alto Networks, and CrowdStrike Holdings.

Accordingly, we may also compete for budget priority, to a certain extent, with other cybersecurity solutions offered by Microsoft, Palo Alto Networks, and CrowdStrike.

Our on-premises and SaaS PAM solutions use the highly secured Digital Vault to safely store, audit and manage passwords, privileged credentials, policy information and privileged access session data. Privileged Session Recording and Controls. Our innovative privileged session recording and control mechanisms provide the ability to isolate an organization’s IT systems from end-user desktops, while monitoring and auditing privileged session activities.

Our on-premises and SaaS PAM offerings use the highly secured Digital Vault to safely store, audit and manage passwords, privileged credentials, policy information and privileged access session data. Privileged Session Recording and Controls. Our innovative privileged session recording and control mechanisms provide the ability to isolate an organization’s IT systems from end-user desktops, while monitoring and auditing privileged session activities.

Successful claims of infringement or misappropriation by a third party could prevent us from developing, distributing, licensing, using certain products, performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees.

Successful claims of infringement or misappropriation by a third party could prevent us from developing, distributing, licensing, using certain solutions, performing certain services or could require us to pay substantial damages (including, for example, treble damages if we are found to have willfully infringed patents and increased statutory damages if we are found to have willfully infringed copyrights), royalties or other fees.

Zero Trust is not a single technology, but an approach that ensures every user’s identity is verified, their device is validated, and their access is intelligently limited to just what they need – and taken away when they no longer need it. CyberArk’s Identity Security solutions deliver capabilities that are foundational to adopting a Zero Trust approach.

“Zero trust” is not a single technology, but an approach that ensures every user’s identity is verified, their device is validated, and their access is intelligently limited to just what they need – and taken away when they no longer need it. CyberArk’s Identity Security solutions deliver capabilities that are foundational to adopting a zero trust approach.

With CyberArk, organizations can establish strong machine authentication, provide secure standing access or just-in-time access, and centrally rotate and manage credentials. By replacing hardcoded and static secrets with rotated and dynamic secrets, the platform dramatically increases security while avoiding any change to developer workflows.

Our Growth Strategy The key elements of our long-term growth strategy include: • Strengthening our Identity Security leadership position by delivering ongoing innovation. We intend to extend our leadership position by enhancing our solutions, including utilization of AI, introducing new functionality and developing new offerings to address additional use cases.

For example, we assess the impact of emerging technologies such as AI on our cybersecurity posture and adjust our security policies and security measures accordingly, including through the incorporation of advanced AI technologies into our products and systems like AI-powered threat detection and behavioral analytics.

For example, we assess the impact of emerging technologies such as AI on our cybersecurity posture and adjust our security policies and security measures, accordingly, including through the incorporation of advanced AI technologies into our solutions and systems like AI-powered threat detection and behavioral analytics.

As the category-defining leader in Privileged Access Management, we are uniquely positioned to deliver on Identity Security because our core competency is securing the “keys to the kingdom.” These “keys to the kingdom” enable our customers to control access to sensitive infrastructure and applications; keeping them out of the hands of malicious or careless insiders or external attackers and preventing disruption to the business.

As the category-defining leader in PAM, we are uniquely positioned to deliver on Identity Security because our core competency is securing the “keys to the kingdom.” These “keys to the kingdom” enable our customers to control access to sensitive infrastructure and applications; keeping them out of the hands of malicious or careless insiders or external attackers and preventing disruption to the business.

As our market position continues to grow, we believe that competitors will be more likely to try to develop products that are like ours and that may infringe our proprietary rights. It may also be more likely that competitors or third parties will claim that our products infringe their proprietary rights.

As our market position continues to grow, we believe that competitors will be more likely to try to develop solutions that are like ours and that may infringe our proprietary rights. It may also be more likely that competitors or third parties will claim that our solutions infringe their proprietary rights.

This includes securing our customers’ workforce, information technology (IT), developers, and machine identities by replacing complex, patchworked and siloed legacy access and privileged access management solutions to improve security and operational efficiencies. With the increase in identity-related incidents over the past year, it is imperative for organizations to secure every identity with the right level of privilege controls.

This includes securing our customers’ workforce, information technology (IT), developers, and machine identities by replacing complex, patchworked and siloed legacy access and PAM solutions to improve security and operational efficiencies. With the increase in identity-related incidents over the past year, it is imperative for organizations to secure every identity with the right level of privilege controls.

Government Regulations For information regarding the material effects of government regulations, see “—Industry Background” above, “Item 3.D. Risk Factors— The dynamic regulatory environment around privacy, data protection, and AI may limit our offering or require modification of our products and services, which could limit our ability to attract new customers and support our current customers and increase our operational expenses.

Government Regulations For information regarding the material effects of government regulations, see “—Industry Background” above, “Item 3.D. Risk Factors— The dynamic regulatory environment around privacy, data protection, and AI may limit our offering or require modification of our solutions, which could limit our ability to attract new customers and support our current customers and increase our operational expenses.

These companies were each among our top 15 channel partners in 2022 and 2023 by revenues, and we have derived a meaningful amount of revenues from sales to each of them during the last two years.

These companies were each among our top 15 channel partners in 2023 and 2024 by revenues, and we have derived a meaningful amount of revenues from sales to each of them during the last two years.

Such claims also could require us to expend additional development resources to attempt to redesign our products or services or otherwise to develop non-infringing technology; enter into potentially unfavorable royalty or license agreements to obtain the right to use necessary technologies or intellectual property rights; and to indemnify our customers and partners (and parties associated with them).

Such claims also could require us to expend additional development resources to attempt to redesign our solutions or otherwise to develop non-infringing technology; enter into potentially unfavorable royalty or license agreements to obtain the right to use necessary technologies or intellectual property rights; and to indemnify our customers and partners (and parties associated with them).

Credential Providers can be used to provide and manage the credentials used by third-party solutions such as security tools, RPA, and IT management software, and also supports internally developed applications built on traditional monolithic application architectures. Credential Providers works with CyberArk’s on-premises and SaaS based solutions. o Conjur Enterprise and Conjur Cloud.

Credential Providers can be used to provide and manage the credentials used by third-party solutions such as security tools, RPA, and IT management software, and can also support internally developed applications built on traditional monolithic application architectures. Credential Providers works with CyberArk’s on-premises and SaaS-based solutions. • Conjur Enterprise and Conjur Cloud.

Our sales cycle varies by customer size, the number of products purchased and the complexity of the customer’s IT infrastructure, ranging from several weeks for incremental sales to existing customers to several months for large deployments.

Our sales cycle varies by customer size, the number of solutions purchased and the complexity of the customer’s IT infrastructure, ranging from several weeks for incremental sales to existing customers to several months for large deployments.

While traditional, perimeter-based security relies on a strategy of trying to separate legitimate users from threat actors and assumes that systems and traffic within the corporate networks and datacenters can be trusted, Zero Trust assumes that the threat actors have already established a network presence and have access to an organization’s applications and systems.

While traditional, perimeter-based security relies on a strategy of trying to separate legitimate users from threat actors and assumes that systems and traffic within the corporate networks and data centers can be trusted, zero trust assumes that the threat actors have already established a network presence and have access to an organization’s applications and systems.

CyberArk session monitoring solutions support native connectivity, whether from browser, native RDP or SSH tools, and via the CLI. Risk scoring can be applied to each recorded session, automating the review of all privileged sessions and enabling auditors to prioritize and deprioritize workloads based on risk. Secure Remote Access .

CyberArk session monitoring solutions support native connectivity, whether from browser, native remote desktop protocol or SSH tools, and via the CLI. Risk scoring can be applied to each recorded session, automating the review of all privileged sessions and enabling auditors to prioritize and deprioritize workloads based on risk. Secure Remote Access .

We execute our strategy by leveraging a combination of internal marketing professionals and a network of channel partners to communicate our value proposition and differentiation for our products, generating qualified leads for our sales force and channel partners.

We execute our strategy by leveraging a combination of internal marketing professionals and a network of channel partners to communicate our value proposition and differentiation for our solutions, generating qualified leads for our sales force and channel partners.

We will continue to deliver high levels of customer service and support and invest in our Customer Success team to help ensure that our customers are up and running quickly and derive benefit from our software, which we believe will result in higher customer retention rates. • Attracting, developing and retaining a diverse and inclusive employee base.

We will continue to deliver high levels of customer service and support and invest in our Customer Success team to help ensure that our customers are up and running quickly and derive benefit from our software, which we believe will result in higher customer retention rates . • Attracting, developing and retaining our employee base.

As we continue to sell more subscription licenses and services, we expect perpetual licenses to continue to decline as a percentage of overall sales. Throughout 2024, we will continue to build on this momentum and operate as a subscription company.

As we continue to sell more subscription licenses and services, we expect perpetual licenses to continue to decline as a percentage of overall sales. Throughout 2025, we will continue to build on this momentum and operate as a subscription company.

We believe this provides access to world class engineering talent. Our research and development expenses were $142.1 million, $190.3 million, and $211.4 million in 2021, 2022, and 2023, respectively. Intellectual Property We rely on a combination of patent, trademark, copyright and trade secret laws, confidentiality procedures and contractual provisions to protect our technology and the related intellectual property.

We believe this provides access to world class engineering talent. Our research and development expenses were $190.3 million, $211.4 million and $243.1 million in 2022, 2023, and 2024, respectively. Intellectual Property We rely on a combination of patent, trademark, copyright and trade secret laws, confidentiality procedures and contractual provisions to protect our technology and the related intellectual property.

Having users operate in a least privilege mode together with our agent-based technology effectively reduces the attack surface that attackers or malware can exploit. The solution leverages third-party threat and reputation information to further strengthen controls and block bad or malicious applications based on such security intelligence. Adaptive Multi-factor Authentication .

Recently, CyberArk has taken steps to focus its GTM strategy on a solution-based framework that will enable CyberArk to evolve from product-focused sales to solution selling, which is expected to better align with our customers’ problems.

Since 2024, CyberArk has taken steps to focus its GTM strategy on a solution-based framework that will enable CyberArk to evolve from product-focused sales to solution selling, which is expected to better align with our customers’ problems.

Skills Gap : The skills gap in cybersecurity creates meaningful challenges, not only for Chief Information Security Officers (CISOs), but also for implementing mission-critical strategic initiatives. As cloud adoption accelerates the speed of business, companies are relying more heavily on applications, technology and automation to compete.

Skills Gap: The skills gap in cybersecurity creates meaningful challenges, not only for Chief Information Security Officer (CISO), but also for implementing mission-critical strategic initiatives. As cloud adoption accelerates the speed of business, companies are relying more heavily on applications, technology and automation to compete.

Application control, with automatic policy creation, allows organizations to prevent malicious applications from executing, and runs unknown applications in a restricted mode. This, combined with credential theft protection, helps prevent malware such as ransomware from gaining a foothold and contains attacks on the endpoint. o Secure Desktop.

Application control, with automatic policy creation, allows organizations to prevent malicious applications from executing, and runs unknown applications in a restricted mode. This, combined with credential theft protection, helps prevent malware such as ransomware from gaining a foothold and designed to contain attacks on the endpoint. • Secure Desktop.

Furthermore, we monitor cybersecurity risks, certifications or assessments at our third-party cloud infrastructure providers and other IT service providers, and reevaluate those contractual relationships as appropriate. The audit committee of our board periodically reviews our cybersecurity risks and controls with senior management, keeping our board informed of key issues.

Furthermore, we monitor cybersecurity risks, certifications or assessments at our third-party cloud infrastructure providers and other IT service providers and re-evaluate those contractual relationships as appropriate. The audit committee of our Board of directors periodically reviews our cybersecurity risks and controls with senior management, keeping our Board of directors informed of key issues.

We also typically experience seasonality in our sales, particularly demonstrated by increased sales in the last month of a quarter and the last quarter of the year. To support our broadly dispersed global channel partners and customer base in our hybrid model, we had sales personnel in 42 countries as of December 31, 2023.

The maturity and growth of the information security market could also make it appealing for new players, such as large or emerging cybersecurity vendors or those in related markets (Endpoint, Cloud Security, DevOps or IaaS), to enter markets where we specialize.

CyberArk’s self-hosted Privileged Access Manager solution can be deployed in a self-hosted data center or in a hybrid cloud or a public cloud environment. CyberArk Privileged Cloud is a SaaS solution. o Vendor Privileged Access Manager .

Our channel partners generally complement our sales efforts by helping identify potential sales targets, maintaining relationships with certain customers, introducing new products to existing customers, and offering post-sale professional services and technical support. In 2023, we generated approximately 20% of our revenues from direct sales from our field offices located throughout the world.

Our channel partners generally complement our sales efforts by helping identify potential sales targets, maintaining relationships with certain customers, introducing new solutions to existing customers, and offering post-sale professional services and technical support. In 2024, we generated approximately 19% of our revenues from direct sales from our field offices located throughout the world.

As of December 31, 2023, our global network of channel partners consisted of more than 1,300 global system integrators, managed service providers, solution providers, strategic outsourcers, advisories and distributors, as well as global and regional marketplaces.

As of December 31, 2024, our global network of channel partners consisted of more than 1,500 global system integrators, managed service providers, solution providers, strategic outsourcers, advisories and distributors, as well as global and regional marketplaces.

We also maintain a dedicated CyberArk Labs team that research reported cyberattacks, emerging attack techniques and post-exploit methods that lead to new security development initiatives for our products, and provides thought-leadership on new product capabilities and targeted attack mitigation.

We also maintain a dedicated CyberArk Labs team that researches reported cyberattacks, emerging attack techniques and post-exploit methods that lead to new security development initiatives for our solutions, and provides thought-leadership on new solutions capabilities and targeted attack mitigation.

Our CyberArk Labs research team is also taking part in certain AI-related research, supported and funded by the Israeli Innovation Agency. As of December 31, 2023, we had 922 employees focused on research and development. We conduct our research and development activities primarily in Israel, as well as other locations such as the United States and India.

Our CyberArk Labs research team is also taking part in certain AI-related research, supported and funded by the Israeli Innovation Authority. As of December 31, 2024, we had 1,205 employees focused on research and development. We conduct our research and development activities primarily in Israel, as well as other locations such as the United States and India.

We plan to pursue new customers in the enterprise and corporate segments of the market with our sales and partner teams, as well as through our brand awareness and lead generation campaigns. • Expanding our relationships with existing customers. As of December 31, 2023, we had more than 8,800 customers.

We plan to pursue new customers in the enterprise and corporate segments of the market with our sales and partner teams, as well as through our brand awareness and lead generation campaigns . • Expanding our relationships with existing customers. As of December 31, 2024, we had more than 9,700 customers.

CyberArk Vendor Privileged Access Manager combines Privileged Access Manager or Privilege Cloud and Remote Access, a SaaS solution, to provide fast, easy and secure privileged access to third-party vendors who need access to critical internal systems via CyberArk, without the need to use passwords.

CyberArk Remote Access is a SaaS solution that integrates with Privileged Access Manager or Privilege Cloud to provide fast, easy and secure privileged access to third-party vendors who need access to critical internal systems via CyberArk, without the need to use passwords.

Our workforce solutions not only reimagine what it means to protect users beyond legacy access management capabilities like MFA & SSO, but also add additional, modern access management capabilities like secure browsing and workforce password management.

Our workforce solutions not only reimagine what it means to protect users beyond legacy access management capabilities like Multi-factor Authentication (MFA) and Single Sign-on (SSO), but also add additional, modern access management capabilities like secure browsing and workforce password management.

Governance and Compliance : Industry regulations such as Sarbanes Oxley, Payment Card Industry Data Security Standard, SWIFT Customer Security Controls Framework, HIPAA, GDPR, U.K. Data Protection Act 2018 (UK DPA) and the UK General Data Protection Regulation, California Privacy Rights Act, and industry frameworks, such as U.S.

Governance and Compliance: Industry regulations such as the Sarbanes Oxley Act, HIPAA, GDPR, U.K. Data Protection Act 2018 (UK DPA) and the UK GDPR, Digital Operational Resilience Act, California Privacy Rights Act, EU AI Act, and industry frameworks, such as the Payment Card Industry Data Security Standard, SWIFT Customer Security Controls Framework, U.S.

We believe we compete favorably with our competitors based on these factors. However, some of our current competitors may enjoy one or some combination of potential competitive advantages, such as greater name recognition, longer operating history, larger market share, larger existing user base and greater financial, technical, and operational capabilities.

Privileged Access Management CyberArk’s Privileged Access Management products can be used to secure, manage, and monitor privileged access. Privileged accounts can be found on endpoints, in applications, and from hybrid to multi-cloud environments. o Privileged Access Manager. CyberArk Privileged Access Manager and CyberArk Privilege Cloud include risk-based credential security and session management to protect against attacks involving privileged access.

Privileged accounts can be found on endpoints, in applications, and from hybrid to multi-cloud environments. • Privileged Access Manager. CyberArk Privileged Access Manager and CyberArk Privilege Cloud include risk-based credential security and session management to protect against attacks involving privileged access.

We plan to expand our sales reach by adding new direct sales capacity, expanding our indirect channels by deepening our relationships with existing partners and by adding new partners, including value-added resellers, system integrators, managed security service providers, distributors, and C 3 Alliance partners.

The inventions for which we have sought patent protection relate to current and future elements of our products and technology.

The inventions for which we have sought patent protection relate to current and future elements of our solutions and technologies.

CyberArk Secrets Hub enables security teams to have centralized visibility and management across secrets in native vaults, such as AWS Secrets Manager and Azure Key Vault, without impacting developer workflows. Cloud Security o Secure Cloud Access.

We have worked hard to develop strong relationships with our customers. Our Customer Success team will focus on expanding these relationships by growing the number of users who access our solutions and cross-selling additional products and services. • Driving strong adoption of our solutions and retaining our customer base.

We work diligently to develop and continually strengthen relationships with our customers. Our Customer Success team will focus on expanding these relationships by growing the number of users who access our solutions and cross-selling additional solutions . • Driving strong adoption of our solutions and retaining our customer base.

Until a few years ago, organizations would typically prioritize protection of their most critical systems and data, with a particular focus on protecting privileged access. “Privileged users” were understood at the time to be mostly IT administrators accessing shared administrative accounts in systems and applications. However, in today’s cloud and SaaS environment, every identity can become privileged under certain conditions.

All identities operating in a modern environment (such as employees, partners, IT administrators, DevOps team members and developers, applications and robots, vendors and customers) might have some level of privilege that, if improperly secured, can provide an attack path into an organization’s most valuable assets.

However, in today’s cloud and SaaS environment, every identity can become privileged under certain conditions. 30 All identities operating in a modern environment (such as employees, partners, IT administrators, DevOps team members and developers, applications and robots, vendors and customers) might have some level of privilege that, if improperly secured, can provide an attack path into an organization’s most valuable assets.

We plan to continue investing in our sales organization to support both the growth of our channel partners and our direct sales organization. 39 Professional and Support Services Maintenance and Support Our maintenance and support program provides all customers who purchase maintenance and support in conjunction with their perpetual licenses, and customers who purchase self-hosted and SaaS subscriptions, the right to software bug repairs, the latest software enhancements, and updates on an if-and-when available basis during the maintenance period or subscription term, and access to our technical support services.

Professional and Support Services Maintenance and Support Our maintenance and support program provides all customers who purchase maintenance and support in conjunction with their perpetual licenses, and customers who purchase self-hosted and SaaS subscriptions, the right to software bug repairs, the latest software enhancements, and updates on an if-and-when available basis during the maintenance period or subscription term, and access to our technical support services.

As part of the expansion of our research and development and product development resources, we also established an Artificial Intelligence Center of Excellence to advance the use of AI and machine learning to improve security and productivity for our customers, by exploring opportunities to embed AI into our existing products, as well as researching the impact of generative AI on attacker innovation to help evolve AI-powered defenses.

As part of the expansion of our research and development and solutions development resources, we also have dedicated teams to advance the use of AI and machine learning to improve security and productivity for our customers, by exploring opportunities to embed AI into our existing solutions, as well as researching the impact of generative AI on attacker innovation to help evolve AI-powered defenses.

As of December 31, 2023, we had 147 issued patents in the U.S., and 48 pending U.S. patent applications. We also had 62 issued patents and 18 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional patent applications in the future.

As of December 31, 2024, we had 189 issued patents in the U.S., and 46 pending U.S. patent applications. We also had 92 issued patents and 13 applications pending for examination in non-U.S. jurisdictions, all of which are counterparts of our U.S. patent applications. We expect to file additional patent applications in the future.

In 2005, we introduced our Privileged Access Management Solution, upon which we built our leadership position in the Privileged Access Management market, providing a layer of security that protects high-level and high-value access across an organization. In September 2014, we listed our ordinary shares on the Nasdaq Stock Market LLC (Nasdaq).

In 2005, we introduced our PAM Solution, upon which we built our leadership position in the PAM market, providing critical security controls that protect high-level and high-value access across an organization. On September 23, 2014, we listed our ordinary shares on the Nasdaq Stock Market LLC (Nasdaq).

Specifically, our Identity Security Platform competes across a variety of markets and competitors, including, but not limited to: • PAM, including Endpoint Privilege Management, such as Delinea and BeyondTrust; • IAM, such as Okta and Microsoft; and • Secrets Management, including broad DevOps solutions, such as Hashi Corporation.

Specifically, our Identity Security Platform competes across a variety of markets and competitors, including, but not limited to: • PAM, including Endpoint Privilege Management, such as Delinea and BeyondTrust; • Access Management, such as Okta and Microsoft; • Secrets Management, such as Hashi Corporation; • Machine Identity, such as Keyfactor; and • Identity Governance and Administration, such as SailPoint and Saviynt.

Secure Cloud Access greatly reduces the risk of compromised access in the public cloud, while providing native user experiences for the Cloud Engineering and DevOps teams leading digital transformation. Identity Management Our capabilities in Identity Management include Lifecycle Management, Identity Flows, Identity Compliance and directory services.

Accordingly, if customers prefer to utilize one vendor for multiple cybersecurity capabilities and if we fail to successfully execute our sales strategy of delivering our products and services on a solutions-based framework that can compete effectively against such cybersecurity vendors, this may place us at a competitive disadvantage.

If customers trend towards consolidating with a vendor or vendors providing multiple cybersecurity capabilities and we fail to successfully execute our development and sales strategy of delivering our solutions on a framework that can compete effectively against such cybersecurity vendors, this may place us at a competitive disadvantage.

Interest in CyberArk’s Identity Security solutions is also being fueled by customers who are purchasing cyber insurance policies, engaging in diligence as part of a corporate transaction, or recovering from a major cybersecurity incident; and in each of these cases, customers need to demonstrate a sound plan to implement and manage Identity Security controls to obtain insurance coverage and lower their premiums. 33 Our Products Our Identity Security Platform provides a complete and flexible set of Identity Security capabilities across six main product areas: Workforce and Customer Access, Endpoint Privilege Security, Privileged Access Management, Secrets Management, Cloud Security, and Identity Management.

That same year, we began offering our first product, the Sensitive Information Management Solution (previously called the Sensitive Document Vault), which provided a secure platform for our customers’ employees to share sensitive files.

That same year, we released our first product, the Sensitive Information Management Solution (previously called the Sensitive Document Vault), which provided a secure platform that enabled our customers’ employees to share sensitive files. From there, we evolved our offering into a comprehensive solution to secure identities anchored on PAM.

We are also expanding our routes to market to include cloud provider marketplaces. • Growing our customer base. The global threat landscape, digitalization of the enterprise, cloud migration and the broad security skills shortage are contributing to the need for Identity Security solutions. We believe that every organization, regardless of size or vertical, needs Identity Security.

We will leverage this elite ecosystem to further extend our reach and strengthen our offerings . • Growing our customer base. The global threat landscape, digitalization of the enterprise, cloud migration and the broad security skills shortage are contributing to the need for Identity Security solutions. We believe that every organization, regardless of size or vertical, needs Identity Security.

Our Customers As of December 31, 2023, we had more than 8,800 customers. Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology and telecommunications, as well as government agencies. Our business is not dependent on any particular customer.

Our customers include leading organizations in a diverse set of industries, including financial services, manufacturing, insurance, healthcare, energy and utilities, transportation, retail, technology and telecommunications, as well as government agencies. Our business is not dependent on any particular customer. No customer or channel partner accounted for more than 10% of our revenues in the last three years.

The following list of products identifies some of those with patent-protected features, but other products may also be the subject matter of one or more patents: Privileged Access Security (PAS) solutions, including Privileged Access Manager, Vendor Privileged Access Manager, Privileged Session Manager (PSM), Enterprise Password Vault (EPV), Privilege Cloud, Dynamic Privilege Access (DPA), CyberArk DNA (Discovery and Audit), Privileged Threat Analytics (PTA), Endpoint Privilege Manager (EPM), Sensitive Information Management (SIM) and Cloud Entitlements Manager (CEM); Secret Management Solutions, including Conjur Enterprise, Conjur Open Source, Conjur Cloud, Credential Providers, Secretless and Secretless Broker; and Access Management Solutions, including CyberArk Identity, Workforce Identity, Customer Identity and Secure Web Sessions.

The following list of solutions identifies some of those with patent-protected features, but other solutions may also be the subject matter of one or more patents: Privileged Access Security (PAS) solutions, including Privileged Access Manager, Remote Access (Vendor Privileged Access Manager), Privileged Session Manager (PSM), Enterprise Password Vault (EPV), Privilege Cloud, Secure Infrastructure Access (SIA), CyberArk DNA (Discovery and Audit), Privileged Threat Analytics (PTA), Endpoint Privilege Manager (EPM), Sensitive Information Management (SIM) and Cloud Entitlements Manager (CEM); Secret Management Solutions, including Conjur Enterprise, Conjur Open Source, Conjur Cloud, Credential Providers, Secretless and Secretless Broker; Access Management Solutions, including CyberArk Identity, Workforce Identity, Customer Identity and Secure Web Sessions; and Machine Identity Solutions, including Venafi TLS Protect. 40 We generally enter into confidentiality agreements with our employees, consultants, service providers, resellers and customers and generally limit internal and external access to, and distribution of, our proprietary information and proprietary technology through certain procedural safeguards.

Companies are adopting DevOps methodologies to speed up the pace of innovation. Hybrid and multi-cloud adoption drive the need for centralized solutions that help secure access to all types of identities enterprise-wide. This trend has continued as companies provide hybrid and remote capabilities for the workforce and look for additional online options to stay viable.

With more than 3,000 attendees in-person, IMPACT and IMPACT World Tour represent the largest Identity Security conference worldwide. Sales We believe that our hybrid sales model, which combines the leverage of high-touch, channel sales with the account control of direct sales, has played an important role in the growth of our customer base to date.

Sales We believe that our hybrid sales model, which combines the leverage of high-touch, channel sales with the account control of direct sales, has played an important role in the growth of our customer base to date.

Our marketing efforts include global inbound and outbound demand generation campaigns, account-based marketing, highly targeted brand awareness campaigns, public relations in multiple geographies and the publication of a broad array of content made available through our website. We also participate in key industry events around the world, engaging with audiences through exhibits and demonstrations, speaking sessions and executive meetings.

In 2021, we introduced new professional services solutions aimed at delivering faster time to value and helping customers streamline the deployment of certain CyberArk SaaS products, while providing a resource to help to implement a phased approach to a Privileged Access Management program, from planning, to pilot, to production.

This was done to complement our existing professional services solutions, which are aimed at delivering faster time to value and helping customers streamline the deployment of certain CyberArk SaaS solutions, while providing a resource to help to implement a phased approach to a PAM program, from planning, to pilot, to production.

By providing the right level of privilege control with the right type of access, organizations can protect the working environment of the most targeted users in the organization.

Additionally, the Platform offers role-specific least privilege, just-in-time and Zero Standing Privilege workflows. By providing the right level of privilege control with the right type of access, organizations can protect the working environment of the most targeted users in the organization.

Italy CyberArk Software (France) SARL France CyberArk Software (Netherlands) B.V. Netherlands CyberArk Software (Australia) Pty Ltd. CyberArk Software (Japan) K.K. CyberArk Software Canada Inc. CyberArk USA Engineering, GP, LLC Australia Japan Canada Delaware, United States CyberArk Software (Spain), S.L. Spain CyberArk Software (India) Private Limited C3M India Private Limited CyberArk Turkey Siber Güvenlik Yazılımı Anonim Şirketi India India Turkey D.

Canada CyberArk USA Engineering, GP, LLC Delaware, United States CyberArk Software (Spain), S.L. Spain CyberArk Software (India) Private Limited India C3M India Private Limited India CyberArk Turkey Siber Güvenlik Yazılımı Anonim Şirketi Turkey Venafi, Inc. Delaware, United States Venafi Ltd. United Kingdom Venafi EOOD Bulgaria Zilla Security, Inc. Delaware, United States D.

… 121 more changes not shown on this page.

Item 5. Market for Registrant's Common Equity

Market for Common Equity — stock, dividends, buybacks

117 edited+34 added−26 removed94 unchanged

2023 filing

2024 filing

We monitor Net cash provided by operating activities as a measure of the amount of cash generated by the business and our overall business performance. Our cash provided by operating activities is driven in part by up-front payments for subscription, maintenance and professional services offerings.

Net cash provided by operating activities. We monitor Net cash provided by operating activities as a measure of the amount of cash generated by the business and our overall business performance. Our cash provided by operating activities is driven in part by up-front payments for subscription, maintenance and professional services offerings.

The following tax benefits, among others, are available to Industrial Companies: o amortization of the cost of purchased know-how, patents and rights to use a patent and know-how which are used for the development or promotion of the Industrial Enterprise, over an eight-year period commencing on the year in which such rights were first exercised; o under limited conditions, an election to file consolidated tax returns together with Israeli Industrial Companies controlled by it; and o expenses related to a public offering of shares in a stock exchange are deductible in equal amounts over three years commencing on the year of offering.

The following tax benefits, among others, are available to Industrial Companies: • amortization of the cost of purchased know-how, patents and rights to use a patent and know-how which are used for the development or promotion of the Industrial Enterprise, over an eight-year period commencing on the year in which such rights were first exercised; • under limited conditions, an election to file consolidated tax returns together with Israeli Industrial Companies controlled by it; and • expenses related to a public offering of shares in a stock exchange are deductible in equal amounts over three years commencing on the year of offering.

Expense for awards with performance conditions is estimated and adjusted on a quarterly basis based upon the assessment of the probability that the performance condition will be met. 57 We selected the Black-Scholes-Merton option-pricing model as the most appropriate fair value method for our option awards and Employee Share Purchase Plan (ESPP).

Expense for awards with performance conditions is estimated and adjusted on a quarterly basis based upon the assessment of the probability that the performance condition will be met. We selected the Black-Scholes-Merton option-pricing model as the most appropriate fair value method for our option awards and Employee Share Purchase Plan (ESPP).

Business combination We account for our business combinations in accordance with ASC No. 805, “Business Combinations” using the acquisition method of accounting, which requires, among other things, allocation of the fair value of purchase consideration to the tangible and intangible assets acquired and liabilities assumed at their estimated fair values on the acquisition date.

Business combinations We account for our business combinations in accordance with ASC No. 805, “Business Combinations” using the acquisition method of accounting, which requires, among other things, allocation of the fair value of purchase consideration to the tangible and intangible assets acquired and liabilities assumed at their estimated fair values on the acquisition date.

This visibility allows us to make informed decisions about our capital allocation and level of investment. Subscription Portion of Annual Recurring Revenue. The subscription portion of ARR is a performance indicator that provides more visibility into the area of the business that will drive the long-term growth of our recurring business.

This visibility allows us to make informed decisions about our capital allocation and level of investment. 45 Subscription Portion of Annual Recurring Revenue. The subscription portion of ARR is a performance indicator that provides more visibility into the area of the business that will drive the long-term growth of our recurring business.

The 2017 Amendment introduced new benefits for Technological Enterprises that meet certain conditions, alongside the existing tax benefits. 60 Tax Benefits Prior to the 2005 Amendment An investment program that is implemented in accordance with the provisions of the Investment Law prior to the 2005 Amendment, referred to as an “Approved Enterprise,” is entitled to certain benefits.

The 2017 Amendment introduced new benefits for Technological Enterprises that meet certain conditions, alongside the existing tax benefits. Tax Benefits Prior to the 2005 Amendment An investment program that is implemented in accordance with the provisions of the Investment Law prior to the 2005 Amendment, referred to as an “Approved Enterprise,” is entitled to certain benefits.

At the same time, we expect our sales and marketing expenses as a percentage of revenue to decline, as we recognize the benefits of being a recurring revenue company and as we scale the organization. We continue to expect sales and marketing expenses will remain our largest category of operating expenses. General and Administrative.

At the same time, we expect our sales and marketing expenses as a percentage of revenue to decline, as we recognize the benefits of being a recurring revenue company and as we scale the organization. We continue to expect that sales and marketing expenses will remain our largest category of operating expenses. General and Administrative.

Expenditures are deemed related to scientific research and development projects if: o the expenditures are approved by the relevant Israeli government ministry, determined by the field of research; o the research and development is for the promotion or development of the company; and o the research and development is carried out by or on behalf of the company seeking the deduction.

Expenditures are deemed related to scientific research and development projects if: • the expenditures are approved by the relevant Israeli government ministry, determined by the field of research; • the research and development is for the promotion or development of the company; and • the research and development is carried out by or on behalf of the company seeking the deduction.

We increasingly leverage partners to provide services around implementation and ongoing management of our solutions and we are shifting our service delivery team toward higher value services that are often recurring in nature, like technical account management. 47 Geographic Breakdown of Revenues The United States is our biggest market, with the balance of our revenues generated from the EMEA region and the rest of the world, which includes Canada, Central and South America, and the Asia Pacific and Japan region.

We increasingly leverage partners to provide services around implementation and ongoing management of our solutions and we are shifting our service delivery team toward higher value services that are often recurring in nature, like technical account management. 46 Geographic Breakdown of Revenues The United States is our biggest market, with the balance of our revenues generated from the EMEA region and the rest of the world, which includes Canada, Central and South America, and the Asia Pacific and Japan region.

Trend Information Other than as disclosed elsewhere in this annual report, we are not aware of any trends, uncertainties, demands, commitments or events since December 31, 2023, that are reasonably likely to have a material adverse effect on our net revenue, income, profitability, liquidity or capital resources, or that caused the disclosed financial information to be not necessarily indicative of future operating results or financial condition.

Trend Information Other than as disclosed elsewhere in this annual report, we are not aware of any trends, uncertainties, demands, commitments or events since December 31, 2024, that are reasonably likely to have a material adverse effect on our net revenue, income, profitability, liquidity or capital resources, or that caused the disclosed financial information to be not necessarily indicative of future operating results or financial condition.

Components of Statements of Operations Revenues Our revenues consist of the following: o Subscription Revenues . Subscription revenues include SaaS and self-hosted subscription revenues, as well as maintenance and support services associated with self-hosted subscriptions.

Components of Statements of Operations Revenues Our revenues consist of the following: • Subscription Revenues . Subscription revenues include SaaS and self-hosted subscription revenues, as well as maintenance and support services associated with self-hosted subscriptions.

Payment is typically due within 30 to 90 calendar days of the invoice date. 56 We recognize revenues in accordance with ASC No. 606 “Revenue from Contracts with Customers.” As such, we identify a contract with a customer, identify the performance obligations in the contract, determine the transaction price, allocate the transaction price to each performance obligation in the contract and recognize revenues when (or as) we satisfy a performance obligation.

Payment is typically due within 30 to 90 calendar days of the invoice date. 55 We recognize revenues in accordance with ASC No. 606 “Revenue from Contracts with Customers.” As such, we identify a contract with a customer, identify the performance obligations in the contract, determine the transaction price, allocate the transaction price to each performance obligation in the contract and recognize revenues when (or as) we satisfy a performance obligation.

The accounting guidance gives the option to perform a qualitative assessment to determine whether further impairment testing is necessary. The qualitative assessment includes judgement and considers events and circumstances that might indicate that a reporting unit’s fair value is less than its carrying amount. For the years ended December 31, 2021, 2022 and 2023, no impairment losses were identified.

The accounting guidance gives the option to perform a qualitative assessment to determine whether further impairment testing is necessary. The qualitative assessment includes judgement and considers events and circumstances that might indicate that a reporting unit’s fair value is less than its carrying amount. For the years ended December 31, 2022, 2023 and 2024, no impairment losses were identified.

(2) Consists of accruals for certain income tax positions under ASC 740 that are paid upon settlement, and for which we are unable to reasonably estimate the ultimate amount and timing of settlement. See Note 13(j) to our consolidated financial statements included elsewhere in this annual report for further information regarding our liability under ASC 740.

(2) Consists of accruals for certain income tax positions under ASC 740 that are paid upon settlement, and for which we are unable to reasonably estimate the ultimate amount and timing of settlement. See Note 15(j) to our consolidated financial statements included elsewhere in this annual report for further information regarding our liability under ASC 740.

During the measurement period, not to exceed one year from the date of acquisition, we may record adjustments to the assets acquired and liabilities assumed, with a corresponding offset to goodwill if new information is obtained related to facts and circumstances that existed as of the acquisition date. Acquisition costs, such as legal and consulting fees, are expensed as incurred.

During the measurement period, not to exceed one year from the date of acquisition, we may record adjustments to the assets acquired and liabilities assumed, with a corresponding offset to goodwill if new information is obtained related to facts and circumstances that existed as of the acquisition date. Acquisition-related expenses, such as legal and consulting fees, are expensed as incurred.

These obligations are payable only upon the termination, retirement or death of the respective employee and may be reduced if the employee’s termination is voluntary. These obligations are partially funded through accounts maintained with financial institutions and recognized as an asset on our balance sheet. As of December 31, 2023, $3.2 million is unfunded.

With the continued decline of new perpetual licenses and related new maintenance contracts, we are expecting our total maintenance revenues to decline in the near and long term in absolute dollars. We also offer advanced services, including professional services and technical account management, for consulting, deployment and training of our customers to fully leverage the use of our products.

The cost of maintenance related to perpetual license contracts and professional services revenues primarily consists of allocated personnel costs for our global customer support and professional services organization. Such costs consist primarily of salaries, benefits, bonuses, share-based compensation and subcontractors’ fees.

The cost of maintenance related to perpetual license contracts and professional services revenues primarily consists of allocated personnel costs for our global customer support, customer success and professional services organization. Personnel costs consist primarily of salaries, benefits, bonuses, share-based compensation and subcontractors’ fees.

As the category-defining leader in Privileged Access Management, we are uniquely positioned to deliver on Identity Security because our core competency is securing the “keys to the kingdom.” These “keys to the kingdom” enable our customers to control access to sensitive infrastructure and applications, keeping them out of the hands of malicious or careless insiders or external attackers and preventing disruption to the business.

As the category-defining leader in PAM, we are uniquely positioned to deliver on Identity Security because our core competency is securing the “keys to the kingdom.” These “keys to the kingdom” enable our customers to control access to sensitive infrastructure and applications, keeping them out of the hands of malicious or careless insiders or external attackers and preventing disruption to the business.

We expect that our research and development expenses will continue to increase in absolute dollars as we continue to grow our research and development headcount to further strengthen our technology platform and invest in the development of both existing and new solutions, products and services.

In instances of contracts where revenue recognition differs from the timing of invoicing, we generally determined that those contracts do not include a significant financing component. The primary purpose of the invoicing terms is to provide customers with simplified and predictable ways of purchasing our products and services, not to receive or provide financing.

During the year ended December 31, 2023, operating activities provided $56.2 million in cash as a result of $66.5 million of net loss, adjusted by $140.1 million of non-cash charges related to share-based compensation expense, $19.3 million related to depreciation and amortization expenses, $3.0 million in non-cash interest expense related to the amortization of debt discount and issuance costs and a net change of $9.2 million in non-cash working capital, partially offset by a $41.0 million net change from other long-term assets and liabilities and a $7.9 million increase in deferred tax assets.

During the year ended December 31, 2023, operating activities provided $56.2 million in cash as a result of $66.5 million of net loss, adjusted by $140.1 million of non-cash charges related to share-based compensation expense, $19.3 million related to depreciation and amortization expenses, $3.0 million in non-cash interest expense related to the amortization of issuance costs and a net change of $9.2 million in non-cash working capital, partially offset by a $41.0 million net change from other long-term assets and liabilities and a $7.9 million increase in deferred income taxes.

Our future capital requirements will depend on many factors, including our revenue growth rate, renewal rates and timing of renewals, the expansion of our sales and marketing activities, the timing and extent of spending to support product development efforts and expansion into new geographic locations, the timing of introductions of new products and enhancements to existing products, the timing and extent of additional expenditures to invest in scaling our operations and the continuing market acceptance of our offerings.

Our future capital requirements will depend on many factors, including our revenue growth rate, renewal rates and timing of renewals, the expansion of our sales and marketing activities, including hiring, the timing and extent of spending to support solutions development efforts and expansion into new geographic locations, the timing of introductions of new solutions, enhancements to existing solutions, the timing and extent of additional expenditures to invest in scaling our operations and the continuing market acceptance of our offerings.

Operating Results For a discussion of our results of operations for the year ended December 31, 2021, including a year-to-year comparison between 2022 and 2021, refer to Item 5. “Operating and Financial Review and Prospects” in our annual report on Form 20-F for the fiscal year ended December 31, 2022, filed with the SEC on March 2, 2023.

Operating Results For a discussion of our results of operations for the year ended December 31, 2022, including a year-to-year comparison between 2023 and 2022, refer to Item 5. “Operating and Financial Review and Prospects” in our annual report on Form 20-F for the fiscal year ended December 31, 2023, filed with the SEC on March 13, 2024.

These transitional provisions provide, among other things, that unless an irrevocable request is made to apply the provisions of the Investment Law as amended in 2011 with respect to income to be derived as of January 1, 2011: (i) the terms and benefits included in any certificate of approval that was granted to an Approved Enterprise which chose to receive grants before the 2011 Amendment became effective will remain subject to the provisions of the Investment Law as in effect on the date of such approval, and subject to certain other conditions; (ii) the terms and benefits included in any certificate of approval that was granted to an Approved Enterprise which had participated in an alternative benefits track before the 2011 Amendment became effective will remain subject to the provisions of the Investment Law as in effect on the date of such approval, provided that certain conditions are met; and (iii) a Benefited Enterprise can elect to continue to benefit from the benefits provided to it before the 2011 Amendment became effective, provided that certain conditions are met. 62 From time to time, the Israeli Government has discussed reducing the benefits available to companies under the Investment Law.

Revenue Recognition We substantially generate revenues from providing the right to access SaaS solutions and licensing the rights to use software products, as well as from maintenance and professional services. Subscription revenues include SaaS offerings and on-premises subscription (“Self-hosted subscription”). We sell products through our direct sales force and indirectly through resellers.

Revenue Recognition We generate substantially all our revenues from providing the right to access SaaS solutions and licensing the rights to use software solutions, as well as from maintenance and professional services. Subscription revenues include SaaS offerings and on-premises subscription (Self-hosted subscription). We sell solutions through our direct sales force and indirectly through resellers.

See Note 2(l) to our consolidated financial statements included elsewhere in this annual report for further information. (4) For additional information, see Note 11 to our consolidated financial statements included elsewhere in this annual report. (5) Consists of agreements related to the receipt of cloud infrastructure services and subscription-based cloud services. 55 C. Research and Development, Patents and Licenses, etc.

See Note 2(l) to our consolidated financial statements included elsewhere in this annual report for further information. (4) Consists of agreements related to the receipt of cloud infrastructure services and subscription-based cloud services. 54 C. Research and Development, Patents and Licenses, etc.

A company that wished to receive benefits as an Approved Enterprise must have received approval from the Israeli Authority for Investments and Development of the Industry and Economy (the “Investment Center”).

The tax benefits under the alternative benefits track include an exemption from corporate tax on undistributed income which was generated from an Approved Enterprise for between two and 10 years from the first year of taxable income, depending on the geographic location of the Approved Enterprise facility within Israel, and the taxation of income generated from an Approved Enterprise at a reduced corporate tax rate of between 10% to 25% for the remainder of the benefits period, depending on the level of foreign investment in the company in each year, as detailed below.

Income derived from activity that is not integral to the activity of the Approved Enterprise will not enjoy tax benefits. 59 The tax benefits under the alternative benefits track include an exemption from corporate tax on undistributed income which was generated from an Approved Enterprise for between two and 10 years from the first year of taxable income, depending on the geographic location of the Approved Enterprise facility within Israel, and the taxation of income generated from an Approved Enterprise at a reduced corporate tax rate of between 10% to 25% for the remainder of the benefits period, depending on the level of foreign investment in the company in each year, as detailed below.

We are seeing an increasing percentage of our business coming from our SaaS solutions, which have ratable revenue recognition, increasing our total deferred revenue that will be recognized over time. Our SaaS and self-hosted subscriptions represented over 60% of our total revenues in 2023, and we expect our subscription revenues to continue to grow in the near and long term.

We see an increasing percentage of our business coming from our SaaS solutions, which have ratable revenue recognition, increasing our total deferred revenue that will be recognized over time. Our SaaS and self-hosted subscriptions represented 73% of our total revenues in 2024, and we expect our subscription revenues to continue to grow in the near and long term.

Our gross margin has historically fluctuated from period to period as a result of changes in the mix of revenues between SaaS, self-hosted Subscriptions and Perpetual Licenses, as well as maintenance and professional services revenues, cloud infrastructure costs and personnel costs. We expect our gross margin to be relatively consistent in the near term.

We have obtained a comprehensive tax ruling confirming, among others, that we generally qualify as a PTE since 2017 onwards and this status was acknowledged by the Israeli Tax Authority in corporate tax audit assessment agreements reached in 2021 and in 2022.

We have obtained a comprehensive tax ruling confirming, among others, that we generally qualify as a PTE from 2018 until 2023 and this status was acknowledged by the Israeli Tax Authority in corporate tax audit assessment agreements reached in 2021 and in 2022.

CyberArk’s vision is to deliver an Identity Security Platform that contextually authenticates each identity, dynamically authorizes the least amount of privilege required, secures credentials, and thoroughly audits the entire cycle – giving organizations peace of mind to drive their businesses fearlessly forward.

Our Identity Security Platform contextually authenticates each identity, dynamically authorizes the least amount of privilege required, secures credentials, and thoroughly audits the entire cycle – giving organizations peace of mind to drive their businesses fearlessly forward.

Revenues from SaaS contracts and maintenance and support contracts are recognized ratably on a straight-line basis over the term of the related contract, which is typically one year or three years, and revenues from professional services are recognized as services are performed.

Revenues from SaaS contracts and maintenance and support associated with self-hosted subscription and perpetual license contracts are recognized ratably on a straight-line basis over the term of the related contract, which is typically one year or three years, and revenues from professional services are substantially recognized as services are performed.

We conduct our research and development activities primarily in Israel as well as other locations such as India and the United States. As of December 31, 2023, our research and development department included 922 employees and contractors. In 2023, research and development costs accounted for 28.1% of our total revenues.

We conduct our research and development activities primarily in Israel as well as other locations such as India, the United States and Bulgaria. As of December 31, 2024, our research and development department included 1,205 employees and contractors. In 2024, research and development costs accounted for 24.3% of our total revenues.

The transaction price is determined based on the consideration to which we will be entitled in exchange for transferring goods or services to the customer. We do not grant a right of return to our customers.

For options to provide additional services, we determine whether the option provides a material right to the customer. The transaction price is determined based on the consideration to which we will be entitled in exchange for transferring goods or services to the customer. We do not grant a right of return to our customers.

During the years ended December 31, 2021, 2022 and 2023, our revenues were $502.9 million, $591.7 million and $751.9 million, respectively, representing year-over-year growth of 17.7% and 27.1% in 2022 and 2023, respectively. Our net loss for the years ended December 31, 2021, 2022 and 2023 was $(83.9) million, $(130.4) million and $(66.5) million, respectively.

During the years ended December 31, 2022, 2023 and 2024, our revenues were $591.7 million, $751.9 million and $1.0 billion, respectively, representing year-over-year growth of 27.1% and 33.1% in 2023 and 2024, respectively. Our net loss for the years ended December 31, 2022, 2023 and 2024 was $(130.4) million, $(66.5) million and $(93.5) million, respectively.

We believe that annual recurring revenue (ARR), subscription portion of ARR, recurring revenues, Remaining Performance Obligations (RPO), deferred revenue and Net cash provided by operating activities are indicators of the overall health of the business. For the full year 2023, we increased our ARR by 36% to $774 million as of December 31, 2023.

We believe that ARR, subscription portion of ARR, recurring revenues, Remaining Performance Obligations (RPO), deferred revenue and Net cash provided by operating activities are indicators of the overall health of the business. For the full year 2024, we increased our ARR by 51% to $1.169 billion as of December 31, 2024.

We have, and may in the future, acquire or invest in complementary businesses and technologies. 53 The following table presents the major components of net cash flows for the periods presented: Year Ended December 31, 2022 2023 ($ in thousands) Net cash provided by operating activities $ 49,708 $ 56,204 Net cash used in investing activities (68,392 ) (85,828 ) Net cash provided by financing activities 12,225 38,084 A substantial source of our net cash provided by operating activities is our deferred revenue, which is included on our consolidated balance sheet as a liability.

We have, and may in the future, acquire or invest in complementary businesses and technologies. 52 The following table presents the major components of net cash flows for the periods presented: Year Ended December 31, 2023 2024 ($ in thousands) Net cash provided by operating activities $ 56,204 $ 231,887 Net cash used in investing activities (85,828 ) (346,262 ) Net cash provided by financing activities 38,084 288,806 A substantial source of our net cash provided by operating activities is our deferred revenue, which is included on our consolidated balance sheet as a liability.

The Investment Law was significantly amended effective April 1, 2005 (the “2005 Amendment”), further amended as of January 1, 2011 (the “2011 Amendment”), and further amended as of January 1, 2017 (the “2017 Amendment”).

The Investment Law was significantly amended effective April 1, 2005 (the 2005 Amendment), further amended as of January 1, 2011 (the 2011 Amendment), and further amended as of January 1, 2017 (the 2017 Amendment).

For SaaS, self-hosted subscriptions and perpetual licenses, we determine the standalone selling prices by taking into account available information such as historical selling prices, contract value, geographic location, and our price list and discount policy.

For professional services, we determine the standalone selling prices based on the prices at which we separately sell those services. For SaaS, self-hosted subscriptions and perpetual licenses, we substantially determine the standalone selling prices by taking into account available information such as historical selling prices, contract value, geographic location, and our price list and discount policy.

Net cash provided by financing activities was $12.2 million and $38.1 million for the years ended December 31, 2022 and 2023, respectively.

Net cash provided by financing activities was $38.1 million and $288.8 million for the years ended December 31, 2023 and 2024, respectively.

The reduced rate of 15% is limited to dividends and distributions out of income attributed to a Beneficiary Enterprise during the benefits period and actually paid at any time up to 12 years thereafter except with respect to a FIC, in which case the 12-year limit does not apply. 61 The benefits available to a Benefited Enterprise are subject to the continued fulfillment of conditions stipulated in the Investment Law and its regulations.

Maintenance revenue related to perpetual license contracts and the maintenance component of the self-hosted subscription offering as well as SaaS revenues are recognized ratably, on a straight-line basis over the term of the related contract, which is generally one to three years. Professional services revenues are substantially recognized as the services are performed.

Maintenance and support revenue related to perpetual license contracts and the maintenance component of the self-hosted subscription offering, as well as SaaS revenues, are recognized ratably, on a straight-line basis over the term of the related contract, which is generally one to three years, as the services have a consistent continuous pattern of transfer to a customer during the contract period.

As of December 31, 2023, approximately $14.0 million was derived from tax exempt profits earned under the "Approved Enterprises" and "Beneficiary Enterprise." If the retained tax-exempt income is distributed, the income would be taxed at the applicable corporate tax rate as if it had not elected the alternative tax benefits under the Investment Law and an income tax liability of up to $3.4 million would be incurred as of December 31, 2023.

As of December 31, 2024, approximately $13.9 million was derived from tax exempt profits earned under the “Approved Enterprises” and “Beneficiary Enterprise.” If the retained tax-exempt income is distributed, the income would be taxed at the applicable corporate tax rate as if it had not elected the alternative tax benefits under the Investment Law and an income tax liability of up to $3.4 million would have been incurred as of December 31, 2024.

Net Cash Provided by Financing Activities Our financing activities have consisted of proceeds from shares issued in connection with our ESPP (defined below), proceeds from the exercise of share options, payments of contingent consideration related to acquisitions and proceeds from (payments of) withholding tax related to employee stock plans.

Net Cash Provided by Financing Activities Our financing activities have consisted of proceeds from settlement of capped call transactions, proceeds from shares issued in connection with our ESPP, proceeds from the exercise of share options, payments of contingent consideration related to acquisitions, payment of convertible notes, proceeds from (payments of) withholding tax related to employee stock plans and payment of equity issuance costs.

Income Taxes We calculate income tax provisions based on our results in each jurisdiction in which we operate. The calculation is based on estimated tax consequences and on assumptions as to our entitlement to various benefits under the applicable local tax laws. Significant judgment is required in evaluating our uncertain tax positions.

The calculation is based on estimated tax consequences and on assumptions as to our entitlement to various benefits under the applicable local tax laws. Significant judgment is required in evaluating our uncertain tax positions.

Law for the Encouragement of Industry (Taxes), 5729-1969 The Law for the Encouragement of Industry (Taxes), 5729-1969, generally referred to as the Industry Encouragement Law, provides several tax benefits for “Industrial Companies.” The Industry Encouragement Law defines an “Industrial Company” as an Israeli resident company which was incorporated in Israel, of which 90% or more of its income in any tax year, other than income from certain government loans, is derived from an “Industrial Enterprise” owned by it and located in Israel or in the “Area,” in accordance with the definition in the section 3A of the Israeli Income Tax Ordinance (New Version) 1961 (the “Ordinance”).

As currently implemented by us, expenditures not so approved are deductible over a three-year period from the first year that the expenditures were made if the research or development is for the promotion or development of the company. 58 Law for the Encouragement of Industry (Taxes), 5729-1969 The Law for the Encouragement of Industry (Taxes), 5729-1969, generally referred to as the Industry Encouragement Law, provides several tax benefits for “Industrial Companies.” The Industry Encouragement Law defines an “Industrial Company” as an Israeli resident company which was incorporated in Israel, of which 90% or more of its income in any tax year, other than income from certain government loans, is derived from an “Industrial Enterprise” owned by it and located in Israel or in the “Area,” in accordance with the definition in the section 3A of the Israeli Income Tax Ordinance (New Version) 1961 (the Ordinance).

The following table sets forth the geographic breakdown of our revenues by region for the periods indicated: Year ended December 31, 2021 2022 2023 Amount % of Revenues Amount % of Revenues Amount % of Revenues ($ in thousands) United States $ 253,811 50.5 % $ 312,816 52.9 % $ 393,355 52.3 % EMEA 163,328 32.5 178,344 30.1 225,738 30.0 Rest of World 85,778 17.0 100,550 17.0 132,795 17.7 Total revenues $ 502,917 100.0 % $ 591,710 100.0 % $ 751,888 100.0 % Cost of Revenues Our total cost of revenues consists of the following: o Cost of Subscription Revenues.

The following table sets forth the geographic breakdown of our revenues by region for the periods indicated: Year ended December 31, 2022 2023 2024 Amount % of Revenues Amount % of Revenues Amount % of Revenues ($ in thousands) United States $ 312,816 52.9 % $ 393,355 52.3 % $ 503,359 50.3 % EMEA 178,344 30.1 225,738 30.0 311,595 31.1 Rest of World 100,550 17.0 132,795 17.7 185,788 18.6 Total revenues $ 591,710 100.0 % $ 751,888 100.0 % $ 1,000,742 100.0 % Cost of Revenues Our total cost of revenues consists of the following: • Cost of Subscription Revenues.

The tax benefits available under any certificate of approval relate only to taxable income attributable to the specific program and are contingent upon meeting the criteria set out in such certificate. Income derived from activity that is not integral to the activity of the Approved Enterprise will not enjoy tax benefits.

The largest increase in revenue occurred in United States, where revenues increased by $80.5 million, while the increase in EMEA and the rest of the world was $47.4 million and $32.2 million, respectively. We increased our number of customers from over 8,000 as of December 31, 2022, to more than 8,800 as of December 31, 2023.

The largest increase in revenue occurred in the United States, where revenues increased by $110.0 million, while the increase in EMEA and the rest of the world was $85.9 million and $53.0 million, respectively. We increased our number of customers from over 8,800 as of December 31, 2023, to more than 9,700 as of December 31, 2024.

Our general and administrative headcount grew from 217 at the end of 2022 to 242 at the end of 2023. Financial Income, Net . Financial income, net increased by $37.8 million, or 245%, from $15.4 million in 2022 to $53.2 million in 2023.

Our general and administrative headcount grew from 242 at the end of 2023 to 319 at the end of 2024. Financial Income, Net . Financial income, net increased by $3.6 million, or 6.8%, from $53.2 million in 2023 to $56.8 million in 2024.

However, the effective tax rate payable by a company that derives income from an Approved Enterprise, a Benefited Enterprise, a Preferred Enterprise or a Preferred Technology Enterprise (as discussed below) may be considerably lower. Capital gains derived by an Israeli company are generally subject to tax at the prevailing ordinary corporate tax rate.

ARR is a performance indicator that provides more visibility into the growth of our recurring business in the upcoming year. ARR is defined as the annualized value of active SaaS, self-hosted subscriptions and their associated maintenance and support services, and maintenance contracts related to the perpetual licenses in effect at the end of the reported period.

ARR is defined as the annualized value of active SaaS, self-hosted subscriptions and their associated maintenance and support services, and maintenance contracts related to the perpetual licenses in effect at the end of the reported period.

The decline in perpetual license revenue is consistent with our transition from selling perpetual licenses to selling SaaS and self-hosted subscription licenses. Maintenance and professional services revenues declined by $2.3 million, or 0.9%, from $261.1 million in 2022 to $258.8 million in 2023. Maintenance revenues declined by $10.1 million from $217.7 million in 2022 to $207.6 million in 2023.

The decline in perpetual license revenue is consistent with our transition from selling perpetual licenses to selling SaaS and self-hosted subscription licenses. Maintenance and professional services revenues declined by $5.8 million, or 2.2%, from $258.8 million in 2023 to $253.0 million in 2024, which includes $5.6 million in revenues from the Venafi acquisition.

The change of $109.1 million in non-cash working capital was due to a $97.0 million increase in short-term deferred revenue, an increase of $0.7 million in employees and payroll accruals, an increase of $4.1 million in trade payables, an $8.8 million net change from other current assets and a decrease of $6.1 million in other current liabilities, partially offset by an increase of $7.6 million in trade receivables.

The change of $78.9 million in non-cash working capital was due to a $135.2 million increase in short-term deferred revenue, an increase of $22.0 million in employees and payroll accruals, an increase of $13.3 million in other current liabilities, and an increase of $11.0 million in trade payables, partially offset by an increase of $93.3 million in trade receivables, and a $9.3 million net change from other current assets.

Sales and marketing expenses are the largest component of our operating expenses and consist primarily of personnel costs, including commissions, as well as marketing programs and general sales costs, software and related expenses, travel expenses and allocated overhead costs.

Sales and marketing expenses are the largest component of our operating expenses and consist primarily of personnel costs, including commissions, as well as marketing programs and promotional activities, software and related expenses, travel related expenses, amortization expense associated with acquired customer relationships and trade names and allocated overhead costs.

The increase in cost of maintenance and professional services revenues was primarily driven by a $2.0 million increase in personnel costs and related expenses, a $1.0 million increase in the use of third-party consultants for services rendered, and a $0.5 million increase in software and cloud infrastructure costs, partially offset by a decrease of $0.3 million in travel expenses.

The increase in cost of maintenance and professional services revenues was primarily driven by an $11.8 million increase in personnel costs and related expenses, including employees from the Venafi acquisition, partially offset by a $2.1 million decrease in the use of third-party consultants for services rendered.

We recognize forfeitures of equity-based awards as they occur. For graded vesting awards subject to service conditions, the Company recognizes compensation cost using the straight-line attribution method. These estimates involve uncertainties and the application of judgment. If circumstances are changed and different estimates are used, our expenses could materially differ in the future.

We recognize forfeitures of equity-based awards as they occur. For graded vesting awards subject to service conditions, the Company recognizes compensation cost using the straight-line attribution method. For graded vesting awards subject to market or performance conditions, we recognize compensation cost using the accelerated attribution method. These estimates involve uncertainties and the application of judgment.

We use the practical expedient and do not assess the existence of a significant financing component when the difference between payment and revenue recognition is a year or less. We allocate the transaction price to each performance obligation based on its relative standalone selling price.

We use the practical expedient and do not assess the existence of a significant financing component when the difference between payment and revenue recognition is a year or less.

We are seeing a single digit percentage of our business coming from perpetual licenses, which have upfront revenue recognition. We expect revenues from perpetual licenses to continue to decrease as a percentage of total revenue as we continue to operate as a subscription company. o Maintenance and Professional Services Revenues .

We expect revenues from perpetual licenses to continue to decrease as a percentage of total revenue as we continue to operate as a subscription company. • Maintenance and Professional Services Revenues .

This increase was primarily attributable to an increase of $11.8 million in personnel costs and related expenses due to increased headcount and a $1.1 million increase in software expenses, partially offset by a decrease of $0.7 million in services fees for external legal counsel, accounting advisors and patent administration.

This increase was primarily attributable to an increase of $20.0 million in personnel costs and related expenses due to increased headcount. The increase was also attributable to an increase of $21.8 million due to acquisition-related expenses and a $2.8 million increase in services fees for external legal counsel and accounting advisors.

The growth in ARR was driven by an increase in bookings from self-hosted and SaaS subscriptions. Our subscription revenues increased by 68% to $472.0 million in 2023, and recurring revenues increased by 36% to $679.6 million in 2023.

The growth in ARR was driven by an increase in bookings from SaaS and self-hosted subscriptions. Our subscription revenues increased by 55% to $733.3 million in 2024, and recurring revenues increased by 37% to $930.3 million in 2024.

The increase in cost of subscription revenues was primarily driven by a $13.9 million increase in personnel costs and related expenses, an $8.7 million increase in cloud infrastructure costs to support the growth in our SaaS and subscription revenues, a $2.1 million impairment of capitalized software development costs, a $1.1 million increase in the use of third-party consultants for services rendered, a $0.9 million increase in amortization of intangible assets, and a $0.4 million increase in amortization of capitalized software costs.

The increase in cost of subscription revenues was primarily driven by a $19.3 million increase in amortization of intangible assets for acquired technology, mainly related to the Venafi acquisition, a $13.1 million increase in personnel costs and related expenses due to increased headcount, including employees from the Venafi acquisition, a $7.8 million increase in cloud infrastructure costs to support the growth in our SaaS revenues, and a $1.8 million increase in the use of third-party consultants for services rendered, partially offset by a $2.1 million decrease in impairment of capitalized software development costs recognized in 2023, compared to no impairment costs recognized in 2024.

Subscription revenues are generated primarily from sales of our Privileged Access Manager (Privilege Cloud and self-hosted), Endpoint Privilege Manager, Conjur Enterprise and Credential Providers, Vendor Privileged Access Manager, Workforce and Customer Access, Secure Cloud Access and Identity Management.

Subscription revenues are generated primarily from sales of our PAM (Privilege Cloud and self-hosted), EPM, Secrets Manager, Machine Identity Management, Remote Access, Workforce and Customer Access, Secure Cloud Access and Identity Management.

Capital gains derived by an Israeli company are generally subject to tax at the prevailing ordinary corporate tax rate. 59 Tax Benefits for Research and Development Israeli tax law allows, under certain conditions, a tax deduction for research and development expenditures, including capital expenditures, for the year in which they are incurred.

Tax Benefits for Research and Development Israeli tax law allows, under certain conditions, a tax deduction for research and development expenditures, including capital expenditures, for the year in which they are incurred.

The decrease of $159.8 million in net cash used in investing activities in 2022 was due to a net decrease of $204.7 million in investments in short and long-term deposits, marketable securities and other, partially offset by an increase of $41.3 million in payments for business acquisitions, net of cash acquired, and an increase of $3.6 million in capital expenditures.

The increase of $260.5 million in net cash used in investing activities in 2024 was due to an increase in payments of $984.7 million, net of cash acquired, for business acquisitions in connection with the Venafi acquisition, and an increase of $6.1 million in capital expenditures, partially offset by a $730.3 million net increase in proceeds from short- and long-term deposits, marketable securities and others.

For a reconciliation of our Tax benefit (taxes on income) to the theoretical income tax benefit according to Israeli statutory rate of 23% and for further explanation of our provision for income taxes, refer to Note 13 to our consolidated financial statements included in Item 18 of this annual report. 49 Comparison of Period to Period Results of Operations The following table sets forth our results of operations in dollars and as a percentage of revenues for the periods indicated: Year ended December 31, 2021 2022 2023 Amount % of Revenues Amount % of Revenues Amount % of Revenues ($ in thousands) Revenues: Subscription $ 134,628 26.8 % $ 280,649 47.4 % $ 472,023 62.8 % Perpetual license 115,738 23.0 49,964 8.5 21,037 2.8 Maintenance and professional services 252,551 50.2 261,097 44.1 258,828 34.4 Total revenues 502,917 100.0 591,710 100.0 751,888 100.0 Cost of revenues: Subscription 25,837 5.2 46,249 7.8 74,623 9.9 Perpetual license 3,904 0.8 2,893 0.5 1,873 0.2 Maintenance and professional services 63,566 12.6 76,904 13.0 79,635 10.6 Total cost of revenues 93,307 18.6 126,046 21.3 156,131 20.7 Gross profit 409,610 81.4 465,664 78.7 595,757 79.3 Operating expenses: Research and development 142,121 28.2 190,321 32.2 211,445 28.1 Sales and marketing 274,401 54.6 345,273 58.4 405,983 54.0 General and administrative 71,425 14. 2 82,520 13.9 94,801 12.6 Total operating expenses 487,947 97. 0 618,114 104.5 712,229 94.7 Operating loss (78,337 ) (15.6 ) (152,450 ) (25.8 ) (116,472 ) (15.5 ) Financial income (expense), net (12,992 ) (2.6 ) 15,432 2.6 53,214 7.1 Loss before taxes on income (91,329 ) (18.2 ) (137,018 ) (23.2 ) (63,258 ) (8.4 ) Tax benefit (taxes on income) 7,383 1.5 6,650 1.1 (3,246 ) (0.4 ) Net loss $ (83,946 ) (16.7 )% $ (130,368 ) (22.0 )% $ (66,504 ) (8.8 )% 50 Year Ended December 31, 2022 Compared to Year Ended December 31, 2023 Revenues Year ended December 31, 2022 2023 Change Amount % of Revenues Amount % of Revenues Amount % ($ in thousands) Revenues: Subscription $ 280,649 47.4 % $ 472,023 62.8 % $ 191,374 68.2 % Perpetual license 49,964 8.5 21,037 2.8 (28,927 ) (57.9 ) Maintenance and professional services 261,097 44.1 258,828 34.4 (2,269 ) (0.9 ) Total revenues $ 591,710 100.0 % $ 751,888 100.0 % $ 160,178 27.1 % Revenues increased by $160.2 million, or 27.1%, from $591.7 million in 2022 to $751.9 million in 2023.

Comparison of Period-to-Period Results of Operations The following table sets forth our results of operations in dollars and as a percentage of revenues for the periods indicated: Year ended December 31, 2022 2023 2024 Amount % of Revenues Amount % of Revenues Amount % of Revenues ($ in thousands) Revenues: Subscription $ 280,649 47.4 % $ 472,023 62.8 % $ 733,275 73.3 % Perpetual license 49,964 8.5 21,037 2.8 14,449 1.4 Maintenance and professional services 261,097 44.1 258,828 34.4 253,018 25.3 Total revenues 591,710 100.0 751,888 100.0 1,000,742 100.0 Cost of revenues: Subscription 46,249 7.8 74,623 9.9 115,852 11.6 Perpetual license 2,893 0.5 1,873 0.2 1,594 0.2 Maintenance and professional services 76,904 13.0 79,635 10.6 90,931 9.1 Total cost of revenues 126,046 21.3 156,131 20.7 208,377 20.8 Gross profit 465,664 78.7 595,757 79.3 792,365 79.2 Operating expenses: Research and development 190,321 32.2 211,445 28.1 243,058 24.3 Sales and marketing 345,273 58.4 405,983 54.0 480,977 48.1 General and administrative 82,520 13.9 94,801 12.6 141,134 14.1 Total operating expenses 618,114 104.5 712,229 94.7 865,169 86.5 Operating loss (152,450 ) (25.8 ) (116,472 ) (15.5 ) (72,804 ) (7.3 ) Financial income, net 15,432 2.6 53,214 7.1 56,838 5.7 Loss before taxes on income (137,018 ) (23.2 ) (63,258 ) (8.4 ) (15,966 ) (1.6 ) Tax benefit (taxes on income) 6,650 1.1 (3,246 ) (0.4 ) (77,495 ) (7.7 ) Net loss $ (130,368 ) (22.0 )% $ (66,504 ) (8.8 )% $ (93,461 ) (9.3 )% 49 Year Ended December 31, 2023 Compared to Year Ended December 31, 2024 Revenues Year ended December 31, 2023 2024 Change Amount % of Revenues Amount % of Revenues Amount % ($ in thousands) Revenues: Subscription $ 472,023 62.8 % $ 733,275 73.3 % $ 261,252 55.3 % Perpetual license 21,037 2.8 14,449 1.4 (6,588 ) (31.3 ) Maintenance and professional services 258,828 34.4 253,018 25.3 (5,810 ) (2.2 ) Total revenues $ 751,888 100.0 % $ 1,000,742 100.0 % $ 248,854 33.1 % Revenues increased by $248.9 million, or 33.1%, from $751.9 million in 2023 to $1,000.7 million in 2024.

As discussed in greater detail below under “Israeli Tax Considerations and Government Programs,” we have been entitled to various tax benefits under the Investment Law. Under the Investment Law, our tax rate to be paid with respect to our eligible Israeli taxable income under these benefits programs is generally 12.0%.

As discussed in greater detail below under “Israeli Tax Considerations and Government Programs,” we have been entitled to various tax benefits under the Investment Law.

We enter into contracts that can include combinations of products and services, which are generally capable of being distinct and accounted for as separate performance obligations and may include an option to provide services. Perpetual license and self-hosted subscription are distinct as the customer can derive the economic benefit of the software without any professional services, updates or technical support.

Tax Benefits under the 2017 Amendment The 2017 Amendment was enacted as part of the Economic Efficiency Law that was published on December 29, 2016, and is effective as of January 1, 2017.

We applied the new benefits under the 2011 Amendment instead of the benefits provided to our Approved Enterprise and Benefited Enterprise as of 2013 tax year onwards through 2016 tax year. 61 Tax Benefits under the 2017 Amendment The 2017 Amendment was enacted as part of the Economic Efficiency Law that was published on December 29, 2016, and is effective as of January 1, 2017.

Interest income consists of interest earned on our cash, cash equivalents, short and long-term bank deposits, marketable securities and money market funds. We expect interest income to vary depending on our average investment balances and market interest rates during each reporting period.

Interest income consists of interest earned on our cash, cash equivalents, short- and long-term bank deposits, marketable securities and money market funds.

Deferred revenues are recognized as (or when) the Company performs under the contract. The transaction price allocated to remaining performance obligations represents non-cancelable contracts that have not yet been recognized, which includes deferred revenues and amounts not yet received that will be recognized as revenue in future periods.

The transaction price allocated to remaining performance obligations represents non-cancellable contracts that have not yet been recognized, which includes deferred revenues and amounts not yet received that will be recognized as revenue in future periods. Deferred Contract Costs The Company pays sales commissions primarily to sales and certain management personnel based on their attainment of certain predetermined sales goals.

Recently Adopted and Issued Accounting Pronouncements See Note 2(ac) and Note 2(ad) to our consolidated financial statements included elsewhere in this annual report for information regarding recent accounting standards adopted and issued. 63

We are in the process of obtaining an extension for this tax ruling, which would be relevant for future tax years. Recently Adopted and Issued Accounting Pronouncements See Note 2(ac) and Note 2(ad) to our consolidated financial statements included elsewhere in this annual report for information regarding recent accounting standards adopted and issued. 62

In addition, our strong SaaS and self-hosted subscription renewals further contributed to these results and allowed CyberArk to maintain its base of recurring business and build the foundation for growth.

In addition, our strong SaaS and self-hosted subscription renewals further contributed to the growth in 2024, and allowed CyberArk to maintain its base of recurring business and build the foundation for growth. The increase in revenues was also due to the Venafi Acquisition, which closed on October 1, 2024, and contributed $47.1 million revenue in 2024.

Despite our strong renewal rates, we did not add enough maintenance associated with new perpetual license sales to offset the customers who converted from maintenance to SaaS and self-hosted subscription contracts as well as churn. Professional services revenues increased by $7.8 million from $43.4 million in 2022 to $51.2 million in 2023.

Maintenance revenues declined by $10.6 million from $207.6 million in 2023 to $197.0 million in 2024. Despite our strong renewal rates, we did not add enough maintenance associated with new perpetual license sales to offset churn and customers transitioning from perpetual maintenance contracts to SaaS and self-hosted subscription contracts.

Under the Investment Law and other Israeli legislation, we are entitled to certain additional tax benefits, including accelerated deduction of research and development expenses, accelerated depreciation and amortization rates for tax purposes on certain intangible assets and deduction of public offering expenses in three equal annual installments.

Under the Investment Law, our tax rate to be paid with respect to our eligible Israeli taxable income under these benefits programs is generally 12%. 48 Under the Investment Law and other Israeli legislation, we are entitled to certain additional tax benefits, including accelerated deduction of research and development expenses, accelerated depreciation and amortization rates for tax purposes on certain intangible assets.

On November 15, 2021, the Investment Law was amended to provide, on a temporary basis, a reduced corporate income tax upon the distribution or release, within a year from such amendment, of tax-exempt profits derived by Approved or Benefited Enterprises.

If a company does not meet these conditions, it would be required to refund the amount of tax benefits, adjusted to the Israeli consumer price index, and interest, or other monetary penalties. 60 On November 15, 2021, the Investment Law was amended to provide, on a temporary basis, a reduced corporate income tax upon the distribution or release, within a year from such amendment, of tax-exempt profits derived by Approved or Benefited Enterprises.

Additionally, there was a $2.9 million increase in cloud and software costs and a $1.7 million increase in expenses related to consultants and contractors. Our research and development team headcount grew from 901 at the end of 2022 to 922 at the end of 2023. Sales and Marketing.

Additionally, there was a $5.8 million increase in cloud and software costs. 51 Our research and development team headcount grew from 922 at the end of 2023 to 1,205 at the end of 2024. Sales and Marketing. Sales and marketing expenses increased by $75.0 million, or 18.5%, from $406.0 million in 2023 to $481.0 million in 2024.

Such matters are subject to many uncertainties and outcomes are not predictable with assurance. We accrue for contingencies when the loss is probable and we can reasonably estimate the amount of any such loss. In determining the probability of a loss and consequently determining a reasonable estimate, we are required to use significant judgment.

Legal Contingencies From time to time, we may be subject to legal proceedings and claims arising in the ordinary course of our business. Such matters are subject to many uncertainties and outcomes are not predictable with assurance. We accrue for contingencies when the loss is probable and we can reasonably estimate the amount of any such loss.

… 97 more changes not shown on this page.

Item 6. [Reserved]

Selected Financial Data — reserved (removed by SEC in 2021)

104 edited+21 added−59 removed95 unchanged

2023 filing

2024 filing

Human Capital Management Our People strategy (also Human Capital Management) is built on four pillars: Attract, Belong, Communicate and Develop – the ABCDs. The ABCD strategy supports the wellbeing, retention, and career development of our people, since our culture continues to be a key ingredient in our success.

Our People strategy (also Human Capital Management) is built on four pillars: Attract, Belong, Communicate and Develop – the ABCDs. The ABCD strategy supports the wellbeing, retention, and career development of our people, since our culture continues to be a key ingredient in our success.

The responsibilities of the audit committee under the audit committee charter include, among others, the following: o overseeing our accounting and financial reporting process and the audits of our financial statements, the effectiveness of our internal control over financial reporting and making such reports as may be required of an audit committee under the rules and regulations promulgated under the Exchange Act; o retaining and terminating our independent registered public accounting firm subject to the approval of our board of directors and, in the case of retention, of our shareholders and recommending the terms of audit and non-audit services provided by the independent registered public accounting firm for pre-approval by our board of directors and related fees and terms; o establishing systems of internal control over financial reporting, including communication and implementation thereof and the assessment of the internal controls in accordance with the Sarbanes-Oxley Act, and any attestation by the independent registered public accounting firm; o determining whether there are deficiencies in the business management practices of our Company, including in consultation with our Head of Internal Audit or the independent registered public accounting firm, and making recommendations to the board of directors to improve such practices; o determining whether to approve certain related party transactions (see “Item 6.C.

The responsibilities of the audit committee under the audit committee charter include, among others, the following: • overseeing our accounting and financial reporting process and the audits of our financial statements, the effectiveness of our internal control over financial reporting and making such reports as may be required of an audit committee under the rules and regulations promulgated under the Exchange Act; • retaining and terminating our independent registered public accounting firm subject to the approval of our Board of directors and, in the case of retention, of our shareholders and recommending the terms of audit and non-audit services provided by the independent registered public accounting firm for pre-approval by our Board of directors and related fees and terms; • establishing systems of internal control over financial reporting, including communication and implementation thereof and the assessment of the internal controls in accordance with the Sarbanes-Oxley Act, and any attestation by the independent registered public accounting firm; • determining whether there are deficiencies in the business management practices of our Company, including in consultation with our Head of Internal Audit or the independent registered public accounting firm, and making recommendations to the Board of directors to improve such practices; • determining whether to approve certain related party transactions (see “Item 6.C.

Nominating Environmental, Sustainability and Governance Committee Role Our board of directors has a nominating, environmental, sustainability and governance committee charter that sets forth the responsibilities of the nominating, environmental, sustainability and governance committee, which include: o overseeing and assisting our board of directors in reviewing and recommending nominees for election as directors and as members of the committees of the board of directors; o establishing procedures for, and administering the performance of the members of our board and its committees; o evaluating and making recommendations to our board of directors regarding the termination of membership of directors; o reviewing, evaluating, and making recommendations regarding management succession and development; o reviewing and making recommendations to our board of directors regarding board member qualifications, composition and structure and the nature and duties of the committees and qualifications of committee members; o establishing and maintaining effective corporate governance principles and practices, including, but not limited to, developing and recommending to our board of directors a set of corporate governance guidelines applicable to our Company; and o providing oversight of the Company’s efforts with regard to ESG matters, disclosure and strategy, as well as coordinating, as necessary, with other committees of the board of directors and the Company’s ESG committee and steering committee, which are comprised of key Company employees and management.

Nominating Environmental, Sustainability and Governance Committee Role Our Board of directors has a nominating, environmental, sustainability and governance committee charter that sets forth the responsibilities of the nominating, environmental, sustainability and governance committee, which include: • overseeing and assisting our Board of directors in reviewing and recommending nominees for election as directors and as members of the committees of the board of directors; • establishing procedures for, and administering the performance of the members of our Board of directors and its committees; • evaluating and making recommendations to our Board of directors regarding the termination of membership of directors; • reviewing, evaluating, and making recommendations regarding management succession and development; • reviewing and making recommendations to our Board of directors regarding board member qualifications, composition and structure and the nature and duties of the committees and qualifications of committee members; • establishing and maintaining effective corporate governance principles and practices, including, but not limited to, developing and recommending to our Board of directors a set of corporate governance guidelines applicable to our Company; and • providing oversight of the Company’s efforts with regard to ESG matters, disclosure and strategy, as well as coordinating, as necessary, with other committees of the board of directors and the Company’s ESG committee and steering committee, which are comprised of key Company employees and management.

Under the Companies Law and the Securities Law, a company may insure an office holder against the following liabilities incurred for acts performed by him or her as an office holder if and to the extent provided in the company’s articles of association: o a breach of duty of care to the company or to a third party, to the extent such a breach arises out of the negligent conduct of the office holder; o a breach of the duty of loyalty to the company, provided that the office holder acted in good faith and had a reasonable basis to believe that the act would not harm the company; o a monetary liability imposed on the office holder in favor of a third party; o a monetary liability imposed on the office holder in favor of an injured party in certain administrative proceedings; and o expenses incurred by an office holder in connection with certain administrative proceedings, including reasonable litigation expenses and reasonable attorneys’ fees.

Under the Companies Law and the Securities Law, a company may insure an office holder against the following liabilities incurred for acts performed by him or her as an office holder if and to the extent provided in the company’s articles of association: • a breach of duty of care to the company or to a third party, to the extent such a breach arises out of the negligent conduct of the office holder; • a breach of the duty of loyalty to the company, provided that the office holder acted in good faith and had a reasonable basis to believe that the act would not harm the company; • a monetary liability imposed on the office holder in favor of a third party; • a monetary liability imposed on the office holder in favor of an injured party in certain administrative proceedings; and • expenses incurred by an office holder in connection with certain administrative proceedings, including reasonable litigation expenses and reasonable attorneys’ fees.

However, if an undertaking to indemnify an office holder with respect to such liability is provided in advance, then such undertaking must be limited to certain events which, in the opinion of the board of directors, can be foreseen based on the company’s activities when the undertaking to indemnify is given, and to an amount or according to criteria determined by the board of directors as reasonable under the circumstances, and such undertaking shall detail the foreseen events and described above amount or criteria; o reasonable litigation expenses, including reasonable attorneys’ fees, incurred by the office holder (1) as a result of an investigation or proceeding instituted against him or her by an authority authorized to conduct such investigation or proceeding, provided that (i) no indictment was filed against such office holder as a result of such investigation or proceeding; and (ii) no financial liability was imposed upon him or her as a substitute for the criminal proceeding as a result of such investigation or proceeding or, if such financial liability was imposed, it was imposed with respect to an offense that does not require proof of criminal intent; or (2) in connection with a monetary sanction or liability imposed on him or her in favor of an injured party in certain administrative proceedings; 80 o expenses incurred by an office holder in connection with administrative proceedings instituted against such office holder, or certain compensation payments made to an injured party imposed on an office holder by administrative proceedings, including reasonable litigation expenses and reasonable attorneys’ fees; and o reasonable litigation expenses, including attorneys’ fees, incurred by the office holder or imposed by a court in proceedings instituted against him or her by the company, on its behalf, or by a third party, or in connection with criminal proceedings in which the office holder was acquitted, or as a result of a conviction for an offense that does not require proof of criminal intent.

However, if an undertaking to indemnify an office holder with respect to such liability is provided in advance, then such undertaking must be limited to certain events which, in the opinion of the board of directors, can be foreseen based on the company’s activities when the undertaking to indemnify is given, and to an amount or according to criteria determined by the board of directors as reasonable under the circumstances, and such undertaking shall detail the foreseen events and described above amount or criteria; • reasonable litigation expenses, including reasonable attorneys’ fees, incurred by the office holder (1) as a result of an investigation or proceeding instituted against him or her by an authority authorized to conduct such investigation or proceeding, provided that (i) no indictment was filed against such office holder as a result of such investigation or proceeding; and (ii) no financial liability was imposed upon him or her as a substitute for the criminal proceeding as a result of such investigation or proceeding or, if such financial liability was imposed, it was imposed with respect to an offense that does not require proof of criminal intent; or (2) in connection with a monetary sanction or liability imposed on him or her in favor of an injured party in certain administrative proceedings; • expenses incurred by an office holder in connection with administrative proceedings instituted against such office holder, or certain compensation payments made to an injured party imposed on an office holder by administrative proceedings, including reasonable litigation expenses and reasonable attorneys’ fees; and • reasonable litigation expenses, including attorneys’ fees, incurred by the office holder or imposed by a court in proceedings instituted against him or her by the company, on its behalf, or by a third party, or in connection with criminal proceedings in which the office holder was acquitted, or as a result of a conviction for an offense that does not require proof of criminal intent.

Our audit committee consists of three independent directors, Ron Gutler (Chairperson), Kim Perdikou, and François Auque. 74 Audit Committee Composition Under Nasdaq corporate governance rules, we are required to maintain an audit committee consisting of at least three independent directors, each of whom is financially literate and one of whom has accounting or related financial management expertise.

Our audit committee consists of three independent directors, Ron Gutler (Chairperson), Kim Perdikou, and François Auque. Audit Committee Composition Under Nasdaq corporate governance rules, we are required to maintain an audit committee consisting of at least three independent directors, each of whom is financially literate and one of whom has accounting or related financial management expertise.

Camacho holds a certificate from Harvard Business School Executive Education and attended Communication Science at Universidade Nova de Lisboa. 65 Directors Gadi Tirosh has served as a member of our board of directors since June 2011, as chairman of the board between July 2013 and June 2016 and as lead independent director since June 2016. Since 2020, Mr.

Camacho holds a certificate from Harvard Business School Executive Education and attended Communication Science at Universidade Nova de Lisboa. Directors Gadi Tirosh has served as a member of our Board of directors since June 2011, as chairman of the Board of directors between July 2013 and June 2016 and as lead independent director since June 2016. Since 2020, Mr.

An internal auditor may not be: o a person (or a relative of a person) who holds more than 5% of the company’s outstanding shares or voting rights; o a person (or a relative of a person) who has the power to appoint a director or the general manager of the company; o an office holder (including a director) of the company (or a relative thereof); or o a member of the company’s independent accounting firm, or anyone on his or her behalf.

An internal auditor may not be: • a person (or a relative of a person) who holds more than 5% of the company’s outstanding shares or voting rights; • a person (or a relative of a person) who has the power to appoint a director or the general manager of the company; • an office holder (including a director) of the company (or a relative thereof); or • a member of the company’s independent accounting firm, or anyone on his or her behalf.

Our Chief Human Resource Officer, who reports directly to our Chief Executive Officer, oversees our broad and comprehensive initiatives to promote a strong culture, including employee recognition programs, matching charitable donations, a wide range of community volunteering opportunities, team building events, regular executive round table discussions and employee engagement surveys.

Our Chief Human Resource Officer, who reports directly to our CEO, oversees our broad and comprehensive initiatives to promote a strong culture, including employee recognition programs, matching charitable donations, a wide range of community volunteering opportunities, team building events, regular executive round table discussions and employee engagement surveys.

Mary Yang has served as a member of our board of directors since November 2023. Ms. Yang serves as a director and audit committee member of Sunnova Energy International Inc. (NYSE:NOVA) since October 2021. Ms. Yang served as Senior Vice President and Chief Strategy Officer of Ciena Corporation (NYSE:CIEN) between 2020 and 2022.

Mary Yang has served as a member of our Board of directors since November 2023. Ms. Yang serves as a director audit committee member and compensation committee member of Sunnova Energy International Inc. (NYSE:NOVA) since October 2021. Ms. Yang served as Senior Vice President and Chief Strategy Officer of Ciena Corporation (NYSE:CIEN) between 2020 and 2022.

Auque serves as the deputy chairman of the board of directors and chairman of the Audit and Risk Committee of Rexel SA from May 2019, after being an observer on the board from October 2018. Mr. Auque is a partner at InfraVia Capital Partners, a Private Equity firm based in Paris. Mr.

Auque serves as the deputy chairman of the board and chairman of the Audit and Risk Committee of Rexel SA from May 2019, after being an observer on the board from October 2018. Mr. Auque is a partner at InfraVia Capital Partners, a Private Equity firm based in Paris. Mr.

(Nasdaq: CSCO) between 2011 and 2014 and as Global Business Development between 2008-2011. Ms. Yang holds a Juris Doctorate from Stanford Law School and several academic degrees from Stanford University, including a Master of Business Administration, a Master of Science in Management Science and Engineering and a Bachelor of Arts in Quantitative Economics. B.

If, at any meeting of the Board the Lead Independent Director is not present, for the purpose and duration of such meeting, the Chairman of the Audit Committee, Chairman of the Compensation Committee, or an independent member of the Board appointed by a majority of the independent members of the Board present will act as the Lead Independent Director, in the order listed above.

If, at any meeting of the Board, the Lead Independent Director is not present, for the purpose and duration of such meeting, the Chairman of the Audit Committee, Chairman of the Compensation Committee, or an independent member of the Board of directors appointed by a majority of the independent members of the Board of directors present will act as the Lead Independent Director, in the order listed above.

Regev holds a BSc in Computer Sciences from Reichman University in Israel and MBA from the College of Management Academic Studies in Israel. Omer Grossman has served as our Chief Information Officer since December 2022. Prior to joining CyberArk, Mr.

Regev holds a BSc in Computer Sciences from Reichman University in Israel and MBA from the College of Management Academic Studies in Israel. Omer Grossman has served as our Chief Information Officer (CIO) since December 2022. Prior to joining CyberArk, Mr.

For the purpose of approving transactions with controlling shareholders, the term “controlling shareholder” also includes any shareholder that holds 25% or more of the voting rights of the company if no other shareholder holds more than 50% of the voting rights in the company. 73 Lead Independent Director Mr.

Mokady, our founder, who served as our CEO from 2005 until April 2023, has been on the Board since the Company’s inception and has served as chairman of our Board since June 2016. When the roles of CEO and chairman of the Board were combined, our Board appointed a lead independent director.

Mokady, our founder, who served as our CEO from 2005 until April 2023, has been on the Board of directors since the Company’s inception and has served as Chairman of the Board since June 2016. When the roles of CEO and chairman of the Board were combined, our Board of directors appointed a lead independent director.

Under the Companies Law, an extraordinary transaction is defined as any of the following: o a transaction other than in the ordinary course of business; o a transaction that is not on market terms; or o a transaction that may have a material impact on a company’s profitability, assets or liabilities.

Under the Companies Law, an extraordinary transaction is defined as any of the following: • a transaction other than in the ordinary course of business; • a transaction that is not on market terms; or • a transaction that may have a material impact on a company’s profitability, assets or liabilities.

Mokady previously served as our Chief Executive Officer from 2005 to April 2023, President from 2005 to 2016 and as our Chief Operating Officer from 1999 to 2005. Mr. Mokady has served as a member of the Board of Directors of SQream Technologies Ltd since April 2023 and of Cheq AI Technologies since December 2023.

Mokady previously served as our Chief Executive Officer (CEO) from 2005 to April 2023, President from 2005 to 2016 and as our Chief Operating Officer from 1999 to 2005. Mr. Mokady has served as a member of the board of Directors of SQream Technologies Ltd since April 2023 and of Cheq AI Technologies since December 2023.

Accordingly, following the recommendation and approval of our compensation committee and Board, our shareholders approved our compensation policy at the June 2022 annual general meeting. Compensation Committee Role Our board of directors has adopted a compensation committee charter that sets forth the responsibilities of the compensation committee.

Accordingly, following the recommendation and approval of our compensation committee and Board, our shareholders approved our compensation policy at the June 2022 annual general meeting. 73 Compensation Committee Role Our Board of directors has adopted a compensation committee charter that sets forth the responsibilities of the compensation committee.

We have obtained director and officer liability insurance for the benefit of our office holders and intend to continue to maintain such insurance as deemed adequate and to the extent permitted by the Companies Law. 81 D.

The Audit Committee of the Board of Directors has primary oversight of our Ethics and Compliance program. See “Item 16B. Code of Ethics” for additional details. 82 Environment and Climate . We recognize the importance of environmental stewardship.

The Audit Committee of the board of directors has primary oversight of our Ethics and Compliance program. See “Item 16B. Code of Ethics” for additional details. Environment and Climate . We recognize the importance of environmental stewardship.

(2) Other than our Executive Chairman of the Board, all current officers listed in the table are full-time employees. Cash compensation amounts denominated in currencies other than the U.S. dollar were converted into U.S. dollars at the average conversion rate for the year ended December 31, 2023.

The table below sets forth the compensation earned by our five most highly compensated office holders (as defined in the Companies Law and described under “Board Practices— Disclosure of Compensation of Senior Management” below) during or with respect to the year ended December 31, 2023.

Mokady continues to be employed by the Company and, as such, he does not qualify as “independent.” Accordingly, in order to facilitate strong, independent Board leadership and ensure effective independent oversight, the Board believes it is in the Company’s best interest to maintain the Lead Independent Director role.

Mokady continues to be employed by the Company and, as such, he does not qualify as “independent.” Accordingly, in order to facilitate strong, independent Board leadership and ensure effective independent oversight, the Board of directors believes it is in the Company’s best interest to maintain the Lead Independent Director role.

If, in the future, we would have a controlling shareholder, disclosure requirements regarding personal interests will apply and shareholder approval (meeting a special majority requirement) will be required with respect to transactions specified in the Companies Law involving the controlling shareholder, parties having certain relationships with the controlling shareholder and certain other specific transactions.

If, in the future, we were to have a controlling shareholder, disclosure requirements regarding personal interests will apply and shareholder approval (meeting a special majority requirement) will be required with respect to transactions specified in the Companies Law involving the controlling shareholder, parties having certain relationships with the controlling shareholder and certain other specific transactions.

Dror Bar Moshe served as our internal auditor, as Head of Internal Audit for the year ended December 31, 2023. Approval of Related Party Transactions under Israeli Law Fiduciary Duties of Directors and Office Holders The Companies Law codifies the fiduciary duties that office holders owe to a company.

Dror Bar Moshe served as our internal auditor, as Head of Internal Audit for the year ended December 31, 2024. Approval of Related Party Transactions under Israeli Law Fiduciary Duties of Directors and Office Holders The Companies Law codifies the fiduciary duties that office holders owe to a company.

(5) Amounts reported in this column represent the expense recorded in our financial statements for the year ended December 31, 2023 with respect to equity-based compensation, reflecting also equity awards made in previous years which have vested during the current year.

(5) Amounts reported in this column represent the expense recorded in our financial statements for the year ended December 31, 2024 with respect to equity-based compensation, reflecting also equity awards made in previous years which have vested during the current year.

The term “office holder” is defined under the Companies Law as a general manager, chief business manager, deputy general manager, vice general manager, any other person assuming the responsibilities of any of these positions (regardless of that person’s title), a director and any other manager directly subordinate to the general manager.

Our Governance, Ethics, and Compliance strategy is overseen by our Chief Legal Officer and supported by our VP of Compliance & Ethics. We periodically review our compliance program to ensure that risk mitigation efforts meet relevant regulatory requirements. Our progress is regularly reviewed by our Chief Financial Officer and our CEO.

Directors’ Service Contracts Other than with respect to Ehud (Udi) Mokady, our Executive Chairman of the Board and Matthew Cohen, our Chief Executive Officer, there are no arrangements or understandings between us, on the one hand, and any of our directors, on the other hand, providing for benefits upon termination of their service as directors of our Company, except that directors are permitted to exercise vested options for one year following the termination of their service.

Directors’ Service Contracts Other than with respect to Ehud (Udi) Mokady, our Executive Chairman of the Board and Matthew Cohen, our CEO, there are no arrangements or understandings between us, on the one hand, and any of our directors, on the other hand, providing for benefits upon termination of their service as directors of our Company, except that directors are permitted to exercise vested options for one year following the termination of their service.

We believe that the combined experience across the ABCD pillars, combined with the right tone at the top, enables our employees and our culture to thrive. We are committed to hiring talented, smart, bold but humble employees who love a challenge.

We believe that the combined experience across the ABCD pillars, coupled with the right tone at the top, enables our employees and our culture to thrive. We are committed to hiring talented, smart, bold and humble employees who love a challenge.

We have taken and continue to take steps to better understand our carbon footprint and this process will provide the starting point from which we can explore opportunities to identify the best ways to reduce our environmental impact.

(4) Amounts reported in this column refer to Variable Compensation, such as incentives and earned or paid bonuses as recorded in our financial statements for the year ended December 31, 2023.

(4) Amounts reported in this column refer to Variable Compensation, such as incentives and earned or paid bonuses as recorded in our financial statements for the year ended December 31, 2024.

Board Practices —Approval of Related Party Transactions under Israeli Law”); o recommending to the board of directors the retention and termination of our Head of Internal Audit, and determining the Head of Internal Audit’s remuneration, in accordance with the Companies Law; o approving the working plan proposed by the Head of Internal Audit and reviewing and discussing the work of the internal auditor on a quarterly basis; o reviewing our cybersecurity risks and controls with senior management, keeping our board informed of key issues related to cybersecurity; o establishing procedures for the handling of employees’ complaints as to the deficiencies in the management of our business and the protection to be provided to such employees; o conduct or authorize investigations into any matters within the scope of its responsibilities as it deems appropriate; and o performing such other duties consistent with the audit committee charter, our governing documents, stock exchange rules and applicable law that may be requested by the board of directors from time to time, including discussing with management policies and practices that govern the process by which the Company undertakes risk assessment and management in sensitive areas. 75 Compensation Committee Under the Companies Law, the board of directors of any public company must appoint a compensation committee.

Board Practices —Approval of Related Party Transactions under Israeli Law”); • recommending to the Board of directors the retention and termination of our Head of Internal Audit, and determining the Head of Internal Audit’s remuneration, in accordance with the Companies Law; • approving the work plan proposed by the Head of Internal Audit and reviewing and discussing the work of the internal auditor on a quarterly basis; • reviewing our cybersecurity risks and controls with senior management, keeping our Board of directors informed of key issues related to cybersecurity; • establishing procedures for the handling of employees’ complaints as to the deficiencies in the management of our business and the protection to be provided to such employees; • conducting or authorizing investigations into any matters within the scope of its responsibilities as it deems appropriate; and • performing such other duties consistent with the audit committee charter, our governing documents, stock exchange rules and applicable law that may be requested by the Board of directors from time to time, including discussing with management policies and practices that govern the process by which the Company undertakes risk assessment and management in sensitive areas. 72 Compensation Committee Under the Companies Law, the board of directors of any public company must appoint a compensation committee.

Under the Companies Law and our articles of association, nominations for directors may be made by any shareholder(s) holding together at least 1% of our outstanding voting power.

Under the Companies Law and our articles of association, nominations for directors may be made by any shareholder(s) holding together at least 5% of our outstanding voting power.

The authorities and responsibilities of the Lead Independent Director include, but are not limited to, the following: • providing leadership to the Board if circumstances arise in which the role of the Executive Chairman of the Board may be, or may be perceived to be, in conflict with the interests of the Company, and responding to any reported conflicts of interest, or potential conflicts of interest, arising for any director; • presiding as chairman of meetings of the Board at which the Executive Chairman of the Board is not present, including executive sessions of the independent members of the Board; • serving as a liaison between the CEO and the independent members of the Board; • providing feedback on Board meeting agendas, information and ongoing training provided to the Board, and requiring changes to the same; • approving meeting schedules to ensure there is sufficient time for discussion of all agenda items; • having the authority to call meetings of the independent members of the Board; • being available for consultation and direct communication with shareholders, as appropriate; • recommending that the Board retain consultants or advisers that report directly to the Board; • conferring with the Executive Chairman of the Board or CEO on important Board matters and key issues and tasks facing the Company, and ensuring the Board focuses on the same; • presiding over the Board’s annual self-assessment process and the independent directors’ evaluation of the effectiveness of the Executive Chairman of the Board, CEO, and management; and • performing such other duties as the Board may, from time to time, delegate to assist the Board in the fulfillment of its duties.

The authorities and responsibilities of the Lead Independent Director include, but are not limited to, the following: • providing leadership to the Board if circumstances arise in which the role of the Executive Chairman of the Board may be, or may be perceived to be, in conflict with the interests of the Company, and responding to any reported conflicts of interest, or potential conflicts of interest, arising for any director; • presiding as chairman of meetings of the Board at which the Executive Chairman of the Board is not present, including executive sessions of the independent members of the Board of directors; • serving as a liaison between the CEO and the independent members of the Board of directors; • providing feedback on Board meeting agendas, information and ongoing training provided to the Board, and requiring changes to the same; • approving meeting schedules to ensure there is sufficient time for discussion of all agenda items; • having the authority to call meetings of the independent members of the Board; • being available for consultation and direct communication with shareholders, as appropriate; • recommending that the Board of directors retain consultants or advisers that report directly to the Board; • conferring with the Executive Chairman of the Board or CEO on important Board of directors matters and key issues and tasks facing the Company, and ensuring the Board of directors focuses on the same; • presiding over the Board’s annual self-assessment process and the independent directors’ evaluation of the effectiveness of the Executive Chairman of the Board, CEO, and management; and • performing such other duties as the Board of directors may, from time to time, delegate to assist the Board of directors in the fulfillment of its duties. 71 Audit Committee Under the Companies Law, the board of directors of a public company must appoint an audit committee.

Our executive officers are responsible for our day-to-day management and have individual responsibilities established by our board of directors. Our Chief Executive Officer is appointed by, and serves at the discretion of, our board of directors, subject to the employment agreement that we have entered into with him.

Our executive officers are responsible for our day-to-day management and have individual responsibilities established by our Board of directors. Our CEO is appointed by, and serves at the discretion of, our Board of directors, subject to the employment agreement that we have entered into with him.

Compensation— Compensation of Directors and Senior Management.” Compensation of Directors Under the Companies Law, compensation of directors requires the approval described below under “Approval of Related Party Transactions under Israeli Law - Disclosure of Personal Interests of an Office Holder and Approval of Certain Transactions.” 77 The directors are also entitled to be paid reasonable travel, hotel and other expenses expended by them in attending board meetings and performing their functions as directors of the Company, all of which is to be determined by the board of directors.

Compensation— Compensation of Directors and Senior Management.” 74 Compensation of Directors Under the Companies Law, compensation of directors requires the approval described below under “Approval of Related Party Transactions under Israeli Law – Disclosure of Personal Interests of an Office Holder and Approval of Certain Transactions.” The directors are also entitled to be paid reasonable travel, hotel and other expenses incurred in attending board meetings and performing their functions as directors of the Company, all of which is to be determined by the board of directors.

Our board of directors has determined that all of our directors, other than our Executive Chairman of the Board and our Chief Executive Officer, are independent under such rules. Under our articles of association, our directors serve for a period of three years pursuant to the staggered board provisions of our articles of association.

Our Board of directors has determined that all of our directors, other than our Executive Chairman of the Board and our CEO, are independent under such rules. Under our articles of association, our directors serve for a period of three years pursuant to the staggered board provisions of our articles of association.

Accordingly, the CEO was awarded the following equity grants: RSUs Business PSUs Relative TSR PSUs 2023 Percentage 50% 30% 20% Amount 29,100 17,460 11,640 2024 Percentage 50% 30% 20% Amount 24,000 14,400 9,600 The performance targets for the 2024 business PSUs are annual recurring revenue and non-GAAP operating income margin, both of which are viewed as key factors in our long-term success. 2023 Executive Chairman Equity Grant In June 2023, the Company’s shareholders approved an equity grant to the Executive Chairman of the Board in respect of 2023.

Accordingly, the CEO was awarded the following equity grants: RSUs Business PSUs Relative TSR PSUs 2023 Percentage 50% 30% 20% Amount 29,100 17,460 11,640 2024 Percentage 50% 30% 20% Amount 24,000 14,400 9,600 2025 Percentage 50% 30% 20% Amount 16,900 10,140 6,760 The performance targets for the 2025 business PSUs are annual recurring revenue and non-GAAP operating income margin, both of which are viewed as key factors in our long-term success. 2024 Executive Chairman Equity Grant In June 2024, the Company’s shareholders approved an equity grant to the Executive Chairman of the Board in respect of 2024.

Grossman served as the Head of the Israel Defense Forces’ (IDF) Cyber Defense Operations Center between July 2022 and July 2023, and as Head of the Center for Computing and Information Systems (Mamram), the central Cloud Service Provider of the IDF between June 2018 and June 2020. Mr.

Grossman served as the Head of the IDF’s Cyber Defense Operations Center between July 2022 and July 2023, and as Head of the Center for Computing and Information Systems (Mamram), the central Cloud Service Provider of the IDF between June 2018 and June 2020. Mr.

Since February 1995, Mr. Shoshani has served as the Founder and Managing Partner of Cabaret Holdings Ltd. and, since March 1999, he has also served as Managing Partner of Cabaret Security Ltd., CyberArk’s founding investor and Cabaret and ArbaOne Inc. ventures activities where he had a lead role in managing the group’s portfolio companies. Since 2018, Mr.

Shoshani has served as the Founder and Managing Partner of Cabaret Holdings Ltd. and, since March 1999, he has also served as Managing Partner of Cabaret Security Ltd., CyberArk’s founding investor and Cabaret and ArbaOne Inc. ventures activities where he had a lead role in managing the group’s portfolio companies.

Compensation.” Shares Beneficially Owned Name of Beneficial Owner Number % Senior Management and Directors Ehud (Udi) Mokady (1) * * Matthew Cohen * * Joshua Siegel * * Eduarda Camacho * * Donna Rahav * * Peretz Regev * * Omer Grossman * * Gadi Tirosh * * Ron Gutler * * Kim Perdikou * * Amnon Shoshani * * François Auque * * Avril England * * Mary Yang * * All senior management and directors as a group (14 persons) 417,826 1 % *Less than 1% (1) Mr.

Compensation.” Shares Beneficially Owned Name of Beneficial Owner Number % Senior Management and Directors Ehud (Udi) Mokady (1) * * Matthew Cohen * * Erica Smith * * Eduarda Camacho * * Donna Rahav * * Peretz Regev * * Omer Grossman * * Gadi Tirosh * * Ron Gutler * * Kim Perdikou * * Amnon Shoshani * * François Auque * * Avril England * * Mary Yang * * All senior management and directors as a group (14 persons) * * *Less than 1% (1) Mr.

However, any such shareholder may make such a nomination only if a written notice of such shareholder’s intent to make such nomination has been timely and duly given to our Secretary (or, if we have no Secretary, our Chief Executive Officer), as set forth in our articles of association.

Additionally, the Companies Law provides a different, broader definition of a controlling shareholder with respect to the provisions pertaining to the approval of related party transactions. 79 Shareholder Duties Pursuant to the Companies Law, a shareholder has a duty to act in good faith and in a customary manner toward the company and other shareholders and to refrain from abusing his or her power in the company, including, among other things, in voting at a general meeting and at shareholder class meetings with respect to the following matters: o an amendment to the company’s articles of association; o an increase of the company’s authorized share capital; o a merger; or o the approval of related party transactions and acts of office holders that require shareholder approval.

Shareholder Duties Pursuant to the Companies Law, a shareholder has a duty to act in good faith and in a customary manner toward the company and other shareholders and to refrain from abusing his or her power in the company, including, among other things, in voting at a general meeting and at shareholder class meetings with respect to the following matters: • an amendment to the company’s articles of association; • an increase of the company’s authorized share capital; • a merger; or • the approval of related party transactions and acts of office holders that require shareholder approval.

Our approach to ESG is guided by an internal ESG Committee, which is led by the Senior Vice President, Finance and Investor Relations, and comprises members of key business areas including Legal and Compliance, Human Resources, Investor Relations, Information Technology and Product Management. The ESG Committee reports to an Executive Steering Committee that includes the CEO.

Our approach to ESG is guided by an internal ESG Committee, which is comprised of members of key business areas including Finance, Legal and Compliance, Human Resources, Investor Relations, Information Technology and Product Management. The ESG Committee reports to an Executive Steering Committee that includes the CEO.

The responsibilities of the committee set forth in its charter and the Companies Law include, among others, the following: o recommending to the board of directors for its approval a compensation policy and subsequently reviewing it from time to time, assessing its implementation and recommending periodic updates, whether a new compensation policy should be adopted or an existing compensation policy should continue in effect; o reviewing, evaluating, and making recommendations regarding the terms of office, compensation, and benefits for our office holders, including the non-employee directors, taking into account our compensation policy; o exempting certain compensation arrangements from the requirement to obtain shareholder approval under the Companies Law (including with respect to the Chief Executive Officer); and o reviewing and granting equity-based awards pursuant to our equity incentive plans to the extent such authority is delegated to the compensation committee by our board of directors and the reserving of additional shares for issuance thereunder. 76 Under our compensation policy, which was approved by our shareholders in June 2022, the compensation committee is responsible for the general administration of the policy.

The responsibilities of the committee set forth in its charter and the Companies Law include, among others, the following: • recommending to the board of directors for its approval a compensation policy and subsequently reviewing it from time to time, assessing its implementation and recommending periodic updates, whether a new compensation policy should be adopted or an existing compensation policy should continue in effect; • reviewing, evaluating, and making recommendations regarding the terms of office, compensation, and benefits for our office holders, including the non-employee directors, taking into account our compensation policy; • exempting certain compensation arrangements from the requirement to obtain shareholder approval under the Companies Law (including with respect to the CEO); and • reviewing and granting equity-based awards pursuant to our equity incentive plans to the extent such authority is delegated to the compensation committee by our Board of directors and the reserving of additional shares for issuance thereunder.

Compensation Compensation of Directors and Senior Management The aggregate compensation expensed, including share-based compensation and other compensation expensed by us and our subsidiaries, with respect to the year ended December 31, 2023, to our directors and senior management that served at any time during the year ended December 31, 2023 was $31.8 million.

Compensation Compensation of Directors and Senior Management The aggregate compensation expensed, including share-based compensation and other compensation expensed by us and our subsidiaries, with respect to the year ended December 31, 2024, for our directors and senior management that served at any time during the year ended December 31, 2024, was $43.2 million.

Under the Companies Law and the Securities Law, a company may indemnify an office holder in respect of the following liabilities, payments and expenses incurred for acts performed by him or her as an office holder, either pursuant to an undertaking made in advance of an event or following an event, provided its articles of association include a provision authorizing such indemnification: o a monetary liability incurred by or imposed on him or her in favor of another person pursuant to a judgment, including a settlement or arbitrator’s award approved by a court.

The company may not exculpate in advance a director from liability arising out of a prohibited dividend or distribution to shareholders. 77 Under the Companies Law and the Securities Law, a company may indemnify an office holder in respect of the following liabilities, payments and expenses incurred for acts performed by him or her as an office holder, either pursuant to an undertaking made in advance of an event or following an event, provided its articles of association include a provision authorizing such indemnification: • a monetary liability incurred by or imposed on him or her in favor of another person pursuant to a judgment, including a settlement or arbitrator’s award approved by a court.

The aggregate number of ordinary shares reserved for issuance under the ESPP, as of January 1, was 125,000 shares (the “ESPP Share Pool”).

The aggregate number of ordinary shares reserved for issuance under the ESPP, as of January 1, 2021 was 125,000 shares (the ESPP Share Pool).

(5) Independent director under the rules of Nasdaq. 64 Senior Management Ehud (Udi) Mokady is one of our founders and has served as our chairman of the board since June 2016 and became Executive Chairman of the board in April 2023. He has also served as a member of our board since November 2004. Mr.

Senior Management Ehud (Udi) Mokady is one of our founders and has served as our chairman of the Board of directors since June 2016 and became Executive Chairman of the Board of directors in April 2023. He has also served as a member of our Board of directors since November 2004. Mr.

This amount includes approximately $0.9 million set aside or accrued to provide pension, severance, retirement, or similar benefits. 67 During the year ended December 31, 2023, our directors and senior management were granted 184,500 restricted share units, some of which were subject to performance criteria, under our 2014 Share Incentive Plan.

This amount includes approximately $1.3 million set aside or accrued to provide pension, severance, retirement, or similar benefits. During the year ended December 31, 2024, our directors and senior management were granted 178,300 restricted share units, some of which were subject to performance criteria, under our 2014 Share Incentive Plan.

Each of our non-executive directors is entitled to a fixed annual fee and predetermined dollar values of initial and recurring annual equity grants of RSUs. Equity Incentive Plans 2014 Share Incentive Plan The 2014 Share Incentive Plan (the “2014 SIP”) was adopted by our board of directors and became effective on June 10, 2014.

Each of our non-executive directors is entitled to a fixed annual fee and predetermined dollar values of initial and recurring annual equity grants of RSUs. Equity Incentive Plans 2024 Share Incentive Plan The 2024 Share Incentive Plan (the 2024 SIP) was adopted by our Board of directors and became effective as of June 1, 2024.

As of December 31, 2023, 88,002 ordinary shares were reserved for issuance under the ESPP. On January 1, 2024, the aggregate number of ordinary shares reserved for issuance under the ESPP was increased by 150,000 shares. 71 The ESPP is administered by our board of directors or by a committee designated by the board of directors.

As of December 31, 2024, 132,904 ordinary shares were reserved for issuance under the ESPP. On January 1, 2025, the aggregate number of ordinary shares reserved for issuance under the ESPP was increased by 30,000 shares. The ESPP is administered by our Board of directors or by a committee designated by the Board of directors.

Under the Companies Law, a company may not indemnify, exculpate, or insure an office holder against any of the following: o a breach of the duty of loyalty, except for indemnification and insurance for a breach of the duty of loyalty to the company to the extent that the office holder acted in good faith and had a reasonable basis to believe that the act would not prejudice the company; o a breach of duty of care committed intentionally or recklessly, excluding a breach arising out of the negligent conduct of the office holder; o an act or omission committed with intent to derive illegal personal benefit; or o a civil or criminal fine, monetary sanction or forfeit levied against the office holder.

Under the Companies Law, a company may not indemnify, exculpate, or insure an office holder against any of the following: • a breach of the duty of loyalty, except for indemnification and insurance for a breach of the duty of loyalty to the company to the extent that the office holder acted in good faith and had a reasonable basis to believe that the act would not prejudice the company; • a breach of duty of care committed intentionally or recklessly, excluding a breach arising out of the negligent conduct of the office holder; • an act or omission committed with intent to derive illegal personal benefit; or • a civil or criminal fine, monetary sanction or forfeit levied against the office holder. 78 Under the Companies Law, exculpation, indemnification, and insurance of office holders in a public company must be approved by the compensation committee and the board of directors and, with respect to certain office holders or under certain circumstances, also by the shareholders.

He has served as a member of the Board of Advisors of Brandeis International Business School since September 2019. Mr. Mokady served as a member of the board of directors of Demisto, Inc. commencing in January 2018 until its acquisition by Palo Alto Networks, Inc. in March 2019. From 1997 to 1999, Mr.

He has served as a member of the board of Advisors of Brandeis International Business School since September 2019 and has served as an advisor to General Catalyst since November 2023. Mr. Mokady served as a member of the board of directors of Demisto, Inc. commencing in January 2018 until its acquisition by Palo Alto Networks, Inc. in March 2019.

Mokady’s shares include 12,600 shares held in trust for family members over which Mr. Mokady is the beneficial owner. F. Disclosure of a Registrant’s Action to Recover Erroneously Awarded Compensation None. ITEM 7 . MAJOR SHAREHOLDERS AND RELATED PARTY TRANSACTIONS A.

Directors and Senior Management The following table sets forth the name, age and position of each member of our senior management as of March 13, 2024: Name Age Position Senior Management Ehud (Udi) Mokady (4) 55 Executive Chairman of the Board and Founder Matthew Cohen 48 Chief Executive Officer and Director Joshua Siegel 60 Chief Financial Officer Eduarda Camacho 52 Chief Operating Officer Donna Rahav 45 Chief Legal Officer Omer Grossman 44 Chief Information Officer Peretz Regev 45 Chief Product Officer Directors Gadi Tirosh (1)(3)(4)(5) 57 Lead Independent Director Ron Gutler (1)(2)(4)(5) 66 Director Kim Perdikou (1)(2)(3)(4)(5) 66 Director Amnon Shoshani (3)(5) 60 Director François Auque (2)(5) 67 Director Avril England (4)(5) 55 Director Mary Yang (5) 55 Director (1) Member of our compensation committee.

Directors and Senior Management The following table sets forth the name, age and position of each member of our senior management as of March 12, 2025: Name Age Position Senior Management Ehud (Udi) Mokady (4) 56 Executive Chairman of the Board and Founder Matthew Cohen 49 Chief Executive Officer and Director Erica Smith 52 Chief Financial Officer Eduarda Camacho 53 Chief Operating Officer Donna Rahav 46 Chief Legal Officer Omer Grossman 45 Chief Information Officer Peretz Regev 46 Chief Product Officer Directors Gadi Tirosh (1)(3)(4)(5) 58 Lead Independent Director Ron Gutler (1)(2)(4)(5) 67 Director Kim Perdikou (1)(2)(3)(5) 67 Director Amnon Shoshani (3)(5) 61 Director François Auque (2)(5) 68 Director Avril England (3)(4)(5) 56 Director Mary Yang (4)(5) 56 Director (1) Member of our compensation committee.

Given its importance to our overall strategic execution, our human capital management and diversity, equity, and inclusion (DEI) program is overseen by the Compensation Committee of the Board. Our Chief Executive Officer and our Chief Human Resource Officer regularly report to the Board and the Compensation Committee on human capital and DEI matters.

Given its importance to our overall strategic execution, our human capital management and inclusion and belonging (I&B) program is overseen by the Compensation Committee of the board of directors. Our CEO and our Chief Human Resource Officer regularly report to the Board and the Compensation Committee on human capital and I&B matters.

We invest in our employees through various training and wellness programs focused on physical, emotional, and financial wellbeing, including lectures and webinars, meditation sessions, physical fitness classes and challenges, corporate and regional employee newsletters, and a variety of team-building and volunteer activities.

Ultimately, the ESG Committee is overseen by the Board’s Nominating, Environmental, Sustainability and Governance Committee and the full Board. We believe this structure increases the Board’s effectiveness as it oversees our progress, including the establishment of key metrics and targets. We continued executing our ESG program in 2023, which included conducting an ESG impacts assessment.

Any such approval is subject to the terms of the Companies Law, setting forth, among other things, the organs of the company entitled to provide such approval, and the methods of obtaining such approval. 78 Disclosure of Personal Interests of an Office Holder and Approval of Certain Transactions The Companies Law requires that an office holder promptly disclose to the board of directors any personal interest that he or she may be aware of and all related material information or documents concerning any existing or proposed transaction with the company.

Disclosure of Personal Interests of an Office Holder and Approval of Certain Transactions The Companies Law requires that an office holder promptly disclose to the board of directors any personal interest that he or she may be aware of and all related material information or documents concerning any existing or proposed transaction with the company.

Perdikou holds a Bachelor of Science degree in computing science with operational research from Paisley University (now the West of Scotland University) in Paisley, Scotland, a Post-Graduate degree in education from Jordanhill College in Glasgow, Scotland and a Master of Science in information systems from Pace University in New York, United States. 66 Amnon Shoshani has served as a member of our board of directors since November 2009.

Kim Perdikou has served as a member of our board of directors since July 2014 and served as an external director under the Companies Law between July 2014 and May 2016. Ms. Perdikou has served as Chairman of The AtSignCompany, a private startup Internet Protocol company, from December 2019. Ms.

Kim Perdikou has served as a member of our Board of directors since July 2014 and served as an external director under the Companies Law between July 2014 and May 2016. Ms.

Attract: Recruitment & Wellbeing As a growing business, we focus on attracting employees who embrace and demonstrate a commitment to our Core Values. 83 In the United States, Israel, India and Singapore, and across the Company, we welcomed approximately 60 college students to our 2023 internship program.

In 2024, across all regions, we received eight employer of choice recognitions. 80 Attract: Recruitment & Wellbeing As a growing business, we focus on attracting employees who embrace and demonstrate a commitment to our Core Values. In the United States, Israel, India and Singapore, and across the Company, we welcomed approximately 100 college students to our 2024 internship program.

Prior to joining CyberArk, Mr. Cohen held several leadership positions in PTC Inc. (Nasdaq: PTC). His most recent position was Executive Vice President of Field Operations, from February 2018 to November 2019, where he led the GTM strategy and all Sales, Commercial Marketing, Customer Success, Services, and Partner functions.

His most recent position was Executive Vice President of Field Operations, from February 2018 to November 2019, where he led the GTM strategy and all Sales, Commercial Marketing, Customer Success, Services, and Partner functions.

If such compensation arrangement or an undertaking to indemnify or insure is inconsistent with the company’s stated compensation policy then such arrangement is subject to the approval of a majority vote of the shares present and voting at a shareholders meeting, provided that either, which we refer to as the Special Approval for Compensation: (a) such majority includes at least a majority of the shares held by all shareholders who do not have a personal interest in such compensation arrangement and are not controlling shareholders, excluding abstentions; or (b) the total number of shares of shareholders who do not have a personal interest in the compensation arrangement and who vote against the arrangement does not exceed 2% of the company’s aggregate voting rights. 76 Generally, a person who has a personal interest in a matter which is considered at a meeting of the board of directors or the audit committee may not be present at such a meeting or vote on that matter, unless the chairman of the relevant committee or board of directors (as applicable) determines that he or she should be present in order to present the transaction that is subject to approval, in which case, such person may do so but may not vote on the matter.

The duty of loyalty includes a duty to: o refrain from any conflict of interest between the performance of his or her duties to the company and his or her duties or personal affairs; o refrain from any action which competes with the company’s business; o refrain from exploiting any business opportunity of the company in order to receive a personal gain for himself or herself or others; and o disclose to the company any information or documents relating to the company’s affairs which the office holder received as a result of his or her position as an office holder.

The duty of care includes a duty to use reasonable means to obtain: • information on the advisability of a given action brought for his or her approval or performed by virtue of his or her position; and • all other important information pertaining to any such action. 75 The duty of loyalty includes a duty to: • refrain from any conflict of interest between the performance of his or her duties to the company and his or her duties or personal affairs; • refrain from any action which competes with the company’s business; • refrain from exploiting any business opportunity of the company in order to receive a personal gain for himself or herself or others; and • disclose to the company any information or documents relating to the company’s affairs which the office holder received as a result of his or her position as an office holder.

In addition, we are required to provide two to six months’ notice prior to terminating the employment of our executive officers, other than in the case of a termination for cause.

The enforceability of covenants not to compete in Israel and the United States is subject to limitations. In addition, we are required to provide two to six months’ notice prior to terminating the employment of our executive officers, other than in the case of a termination for cause.

The assessment incorporated various stakeholder perspectives to better understand how ESG factors could impact our business. Our ESG highlights, as of the fiscal year ended December 31, 2023, include the following: Governance, Ethics, and Compliance . We are committed to promoting integrity, honesty, and professionalism and to maintaining the highest standards of ethical conduct in all our activities.

Our ESG highlights, as of the fiscal year ended December 31, 2024, include the following: Governance, Ethics, and Compliance We are committed to promoting integrity, honesty, and professionalism and to maintaining the highest standards of ethical conduct in all our activities.

Environmental, Social & Governance We view ESG principles as being part of our broader strategy and values and believe that transparently disclosing our initiatives related to our ESG program will allow our stakeholders to be informed about our progress.

We have never experienced labor-related work stoppages or strikes and believe that our relations with our employees are satisfactory. 79 Environmental, Social & Governance We view ESG principles as being part of our broader strategy and values and believe that transparently disclosing our initiatives related to our ESG program will allow our stakeholders to be informed about our progress.

Shoshani owned a Tel Aviv boutique law firm engaged in entrepreneurship, traditional industries and high tech, which he founded. Mr. Shoshani holds a Bachelor of Law (LL.B.) from Tel Aviv University in Israel. François Auque has served as a member of our board of directors since February 2019. Mr.

Shoshani holds a Bachelor of Law (LL.B.) from Tel Aviv University in Israel. François Auque has served as a member of our Board of directors since February 2019. Mr.

Extension orders issued by the Israeli Ministry of Economy and Industry apply to our employees in Israel and affect matters such as, living adjustments to salaries, length of working hours and week, recuperation pay, travel expenses, and pension rights. We have never experienced labor-related work stoppages or strikes and believe that our relations with our employees are satisfactory.

Shoshani has served as the President and Chairman of the Board of Smartech, a portfolio company of Cabaret and ArbaOne, that provides game changing technologies to the industrial world. Between 2005 and 2018, he served as CEO and Chairman of the Board of Smartech. From 1994 to April 2005, Mr.

Between 2005 and 2018, he served as CEO and Chairman of the board of Smartech, a portfolio company of Cabaret and ArbaOne, that provides game changing technologies to the industrial world, which was sold to Hexion in November 2024. Between 2018 and November 2024, Mr.

(2) Member of our audit committee. (3) Member of our nominating, environmental, sustainability and governance committee. (4) Member of our strategy committee.

(2) Member of our audit committee. (3) Member of our nominating, environmental, sustainability and governance committee. (4) Member of our strategy committee. (5) Independent director under the rules of Nasdaq.

The maximum aggregate number of shares that may be issued pursuant to awards under this 2014 SIP is the sum of (a) 422,000 shares plus (b) an increase of 1,220,054 shares as of January 1, 2015 plus (c) on January 1 of each calendar year commencing in 2016, a number of shares equal to the lesser of: (i) an amount determined by our board of directors, if so determined prior to the January 1 of the calendar year in which the increase will occur, (ii) 4% of the total number of shares outstanding on December 31 of the immediately preceding calendar year, and (iii) 4,000,000 shares.

The maximum number of ordinary shares available for issuance under the 2024 SIP is equal to the sum of (a) 1,786,992 ordinary shares, plus (b) on January 1 of each calendar year commencing in 2025, a number of ordinary shares equal to the lesser of: (i) an amount determined by our Board, if so determined prior to the January 1 of the calendar year in which the increase will occur, (ii) 4% of the total number of ordinary shares of the Company outstanding on December 31 of the immediately preceding calendar year, and (iii) 4,000,000 ordinary shares.

Most of these agreements contain provisions regarding non-competition and all these agreements contain provisions regarding confidentiality of information and ownership of inventions. The non-competition provision applies for a period that is generally 12 months following termination of employment, subject to applicable law. The enforceability of covenants not to compete in Israel and the United States is subject to limitations.

Employment Agreements with Executive Officers We have entered into written employment agreements with all our executive officers. Most of these agreements contain provisions regarding non-competition and all these agreements contain provisions regarding confidentiality of information and ownership of inventions. The non-competition provision applies for a period that is generally 12 months following termination of employment, subject to applicable law.

Accordingly, he was awarded the following equity grants: RSUs Business PSUs Relative TSR PSUs Percentage 50% 30% 20% Amount 21,300 12,780 8,520 Executive Chairman of the Board and CEO PSU performance In February 2024, the compensation committee certified the Company’s performance of our 2023 business PSUs performance criteria and the applicable number of PSUs earned, demonstrating our track record of paying for performance and linking the executives’ achievement rate of the performance criteria as follows: Year of Grant Performance Targets Performance Criteria Achievement Rate (Weighted Average) Earning Rate 2023 Business PSUs • Annual recurring revenue • Operating Margin 181.3% 159% Business PSUs are earned based on a one-year performance period and are subject to further time-based vesting.

Accordingly, he was awarded the following equity grants: RSUs Business PSUs Relative TSR PSUs Percentage 50% 30% 20% Amount 12,000 7,200 4,800 Executive Chairman of the Board and CEO PSU performance In February 2025, the compensation committee certified the Company’s performance of our 2024 business PSUs performance criteria and the applicable number of PSUs earned, demonstrating our track record of paying for performance and linking the executives’ achievement rate of the performance criteria as follows: Year of Grant Performance Targets Performance Criteria Achievement Rate (Weighted Average) Earning Rate 2024 Business PSUs • Annual recurring revenue • Operating Margin 129.5% 165% Business PSUs are earned based on a one-year performance period and are subject to further time-based vesting. 67 In 2022, the Executive Chairman of the Board and the CEO (in their capacity as CEO and Chief Operating Officer (COO), respectively), were awarded relative total shareholder return PSUs (rTSR PSUs) that are earned based on our total shareholder return relative to the S&P Software & Services Select Industry index over a three-year period.

(Nasdaq: NNDS), later acquired by Cisco Systems, Inc. a provider of end-to-end software solutions to the pay-television industry, including content protection and video security. Mr. Tirosh holds a Bachelor of Science in computer science and mathematics and an Executive MBA from the Hebrew University in Jerusalem, Israel.

(Nasdaq: NNDS) later acquired by Cisco Systems, Inc. a provider of end-to-end software solutions to the pay-television industry, including content protection and video security. Mr.

In such cases, the votes of a controlling shareholder and certain parties associated with it would be excluded for purposes of special majority voting requirements.

In such cases, the votes of a controlling shareholder and certain parties associated with it would be excluded for purposes of special majority voting requirements. Additionally, the Companies Law provides a different, broader definition of a controlling shareholder with respect to the provisions pertaining to the approval of related party transactions.

… 104 more changes not shown on this page.