Table of Contents

UNITED STATES

Form 10-K

FOR ANNUAL AND TRANSITION REPORTS PURSUANT TO SECTIONS 13 OR

[X]	ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE

FOR THE FISCAL YEAR ENDED DECEMBER 31, 1999

OR

[   ]	TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE

Commission File No. 000-25120

RSA Security Inc.

Registrant’s telephone number, including area code: (781) 301-5000

Securities Registered Pursuant to Section 12(b) of the Act:  None

Securities Registered Pursuant to Section 12(g) of the Act:

Table of Contents

      Indicate by check mark whether the registrant:  (1) has filed all reports required to be filed by Section 13 or
15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.     Yes [X]     No [   ]

      Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K is not contained herein, and will not be contained, to the best of the registrant’s knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K. [   ]

      The approximate aggregate market value of the Common Stock held by non-affiliates of the registrant was $2,798,499,044 based on the last reported sale price of the registrant’s Common Stock on the Nasdaq National Market as of the close of business on March 3, 2000. There were 39,772,538 shares of Common Stock outstanding as of March 3, 2000.

DOCUMENTS INCORPORATED BY REFERENCE

      This Annual Report on Form 10-K contains forward-looking statements within the meaning of Section 21E of the Securities Exchange Act of 1934, as amended, and Section 27A of the Securities Act of 1933, as amended. For this purpose, any statements contained herein that are not statements of historical fact may be deemed to be forward-looking statements. Without limiting the foregoing, the words “believes,” “anticipates,” “plans,” “expects” and similar expressions are intended to identify forward-looking statements. The factors discussed under the caption “Certain Factors That May Affect Future Results,” among others, could cause actual results to differ materially from those indicated by forward-looking statements made herein and presented elsewhere by management. Such forward-looking statements represent management’s current expectations and are inherently uncertain. Investors are warned that actual results may differ from management’s expectations.

      SecurID, BSAFE, ACE/ Server, ACE/ Sentry, SoftID, WebID, RSA SecurPC, RC2 and RC4 are registered trademarks, and RSA, Keon, RSA Security, RSA Secured, RC5, RC6, The Most Trusted Name in e-Security and BoKs are trademarks of RSA Security Inc. All other trademarks or trade names referred to in this Annual Report on Form 10-K are the property of their respective owners.

2

PART I

ITEM 1.  BUSINESS

      The Company is a leading provider of electronic security (“e-security”) solutions. The Company helps organizations build secure, trusted foundations for electronic business (“e-business”) through use of the Company’s two-factor user authentication, encryption and public key management products and solutions. The Company sells to enterprise customers seeking turnkey security solutions, and to original equipment manufacturers (“OEMs”) and developers seeking software development components for embedding security in a range of applications. As used in this Annual Report on Form 10-K, the term “the Company” refers to RSA Security Inc. (formerly Security Dynamics Technologies, Inc.) and its subsidiaries.

INDUSTRY BACKGROUND

      Historically, e-security solutions were deployed primarily to protect corporate networks from erroneous and possibly malicious intrusion, and to preserve the integrity of data as it passed over insecure networks. It was typically the focus of businesses in security-conscious or -dependent industries such as banking, telecommunications, aerospace and defense. However, today e-security has become a fundamental requirement for conducting all forms of e-business, including but not limited to commerce and communications conducted through corporate intranets, extranets and other Internet-based applications. Many organizations, in a wide range of industries, are conducting e-business as a means of reducing costs, competing more aggressively, and more efficiently meeting increased business demands for speed, accuracy and delivery of information.

      E-business requires e-security to create and ensure the same trust relationships that currently exist on paper in the brick-and-mortar world, so organizations can conduct e-business with the same confidence with which they conduct traditional commerce. There are several essential requirements for e-security:

	•	User Identification and Authentication.  First, a user’s identity must be reliably authenticated. This ensures that unauthorized users do not gain access to computer networks and applications, and also ensures that organizations are certain of the identities of those with whom they are doing business. There are a number of generally accepted methods of user identification, including: (i)  something secret the user knows, such as a word, phrase, PIN, code or fact; (ii) something physical the user possesses, such as a key, token, smart card, badge or other form of discrete “authenticator,” which is resistant to counterfeiting; or (iii)  something unique to the user, such as a fingerprint, signature, retinal pattern, voice print or other measurable personal characteristic or “biometric.” The Company believes that the use of a strong, two-factor user authentication system, combining two of the three generally accepted methods of user identification, is required for reliable e-security.
	•	Access Control and Privilege Management.  Once the user’s identity has been established, an organization must verify that the user is authorized to access the specific information he or she is seeking. One of the key challenges facing organizations is the proliferation of passwords required for users to access disparate operating systems, applications and databases. Products providing access control and privilege management must protect and manage access to corporate information and applications, and control user privileges at multiple levels within the enterprise, including networks, applications and data levels. The Company believes that through the use of public key infrastructure management systems, these criteria can be met.
	•	Data Privacy, Integrity and Authentication.  In addition to authenticating the identity of users and ensuring that only authorized users access, view or modify certain data, a comprehensive e-security solution must ensure that the data transmitted over networks are not disclosed to unauthorized persons (data privacy), have not been altered or compromised by unauthorized manipulation (data integrity) and were actually transmitted by the purported sender (data authentication). Data authentication devices, such as digital signatures, also allow for non-repudiation of transactions, and thereby create an electronic trust environment that enables legally binding transactions online. Such data privacy, integrity and authentication solutions are provided by encryption technologies.

3

Table of Contents

	•	Security Administration and Audit.  Finally, organizations must be able to administer, monitor and audit the flow of the entire e-business transaction. With the growth of distributed, Internet-based computing, organizations are increasingly concerned about various administrative issues relating to e-security, including the scalability of their e-security solutions and the ability of the solutions to cover multiple geographic regions. Security administration and audit solutions must also monitor user activity for purposes of detection and deterrence in order to ensure that the network or data have not been compromised.

COMPANY HISTORY

      The Company is a leading provider of e-security solutions. The Company’s products are designed to help organizations conduct e-business securely and protect corporate information assets. The Company’s core competencies are in strong, two-factor user authentication solutions, encryption technologies and public key management systems. The Company believes that through its RSA SecurID®, RSA BSAFE® and RSA Keon™ product lines it directly addresses the e-security requirements for e-business.

      Since its inception in 1986, the Company has focused on the fundamental need for user identification and authentication with an emphasis on solutions for secure remote access to enterprise networks. To further its strategy and extend its product line, in July 1996, the Company acquired RSA Data Security, Inc., a leader in cryptography, to address the need for data privacy, integrity and authentication.

      In July 1997, the Company acquired DynaSoft AB, a vendor of platform-independent security solutions for distributed client/server networks. The DynaSoft BoKS product family included public key technologies for access control and privilege management. In January 1999, the Company introduced RSA Keon, a family of public key infrastructure-based (“PKI”) products, initially based on the BoKS technology and designed to provide organizations with application security and flexible electronic commerce solutions. As part of this introduction, the Company renamed the DynaSoft BoKS product family “RSA Keon.” In September 1999, the Company introduced the next-generation, standards-based implementation of RSA Keon.

      Also in September 1999, the Company changed its name from Security Dynamics Technologies, Inc. to RSA Security Inc. The Company took this step because it had combined the management structure of Security Dynamics and RSA Data Security into a tightly integrated team, with sales executives dedicated to meeting the individual needs of both corporate and OEM/developer markets, unified marketing and engineering organizations, and a tight linkage within customer and professional services to serve customers developing solutions, deploying solutions or both. As part of the corporate renaming, all of the Company’s strategic partnership programs, including RSA Keon Ready, RSA SecurID Ready and RSA Secure, were united under the new RSA Secured™ partner program.

      In connection with the legal restructuring and promotional activity surrounding the corporate name change, the Company incurred charges in the third and fourth quarters of 1999 in the approximate aggregate amount of $12.5 million.

COMPANY STRATEGY

      The Company’s objective is to continue to be a leading provider of e-security solutions. Key elements of the Company’s strategy to achieve this objective include:

	•	Deliver e-Security Solutions.  The Company believes e-security is driven by the proliferation of Web-based applications, whether for internal network security in the enterprise, for e-business applications deployed to customers, suppliers or employees, or for e-commerce Internet sites. Further, the Company believes that traditional, fear-based security is being augmented and in many cases replaced by e-security as an enabling technology that opens up new markets and channels for communications and commerce. The Company intends to defend and grow its leading position in providing strong, two-factor user authentication and encryption, and to create a comparable position in PKI management systems as fundamental building blocks of e-security. The Company also intends to leverage its installed customer base in order to achieve this growth.

4

Table of Contents

	•	Maintain Technological Leadership.  The Company plans to continue to add new capabilities and features to its e-security products to meet its customers’ evolving needs. The Company maintains a leading role in basic cryptographic research, develops new encryption technologies and maintains close working relationships with leading academic centers and custom development teams. The Company intends to support the proliferation of PKI as a key element of e-business through the marketing of and participation in industry initiatives such as the PKI Forum. Launched in December 1999 by the Company and a number of other leading security vendors, the PKI Forum is an industry-led collaboration to accelerate the adoption of PKI technology and PKI-based solutions as a trusted, secure foundation for e-business applications.
	•	Expand Market Opportunities.  The Company intends to expand its market opportunities through strategic partnerships, industry initiatives and marketing designed to heighten awareness of e-security issues. Through its RSA Secured partner program, the Company has established strategic partnerships with more than 500 industry-leading vendors and plans to continue to foster and leverage these partnerships and enter into additional relationships with companies that can provide complementary technologies for its solutions. The Company also seeks to heighten awareness regarding e-security issues through marketing programs such as its annual RSA Security Conference.
	•	Expand Indirect Sales and Support Channel.  The Company currently sells its products through a direct sales force and through relationships with a significant number of OEMs, value-added resellers (“VARs”) and distributors. The Company believes that an expanded indirect sales and support channel enables it to enter new markets and gain access to a larger installed base of potential customers in a cost-effective manner.
	•	Expand International Presence.  The Company believes that international markets present a large, relatively new market for e-security products. Sales outside the United States as a percentage of total revenue were approximately 30.9% in 1997, 34.6% in 1998 and 30.3% in 1999. The Company has offices located throughout the United States, Canada, Europe, Asia, Japan and Australia and plans to continue to expand its international business through the establishment of new offices, hiring of additional sales personnel, establishment of additional distribution arrangements, primarily in Europe and Asia, and development of local presences in key markets. In addition, the U.S. Department of Commerce recently relaxed some of the restrictions on exports of commercial encryption products, and the Company expects that this relaxation may make it easier for the Company to sell its products into international markets. See “Government Regulation and Export Controls.”

PRODUCTS

      The Company delivers a range of products and technologies that are designed to help organizations and developers secure their computing environments and build secure, trusted platforms for electronic commerce. The Company’s core competencies are in its three major product lines — RSA SecurID, RSA BSAFE and RSA Keon — which deliver two-factor user authentication, encryption and public key management systems and solutions, respectively.

  RSA SecurID Authenticators

      The Company’s RSA SecurID solutions provide centrally managed, strong, two-factor user authentication services for enterprise networks, operating systems, e-business Web sites and other IT infrastructure, designed to ensure that only authorized users gain access to data, applications and communications. Supporting a range of authentication devices, including hardware tokens, key fobs, smart cards, cellular telephones and software tokens, RSA SecurID solutions are designed to create a barrier against unauthorized access, protecting network and data resources from potentially devastating accidental or malicious intrusion. RSA SecurID installations are managed through RSA ACE/ Server® authentication management software, which has the ability to scale deployments for hundreds of thousands of users.

      The Company’s RSA SecurID user identification and authentication products combine two methods of user identification — something secret the user knows (a personal information number or “PIN”) and

5

Table of Contents

      Each RSA SecurID authenticator contains the Company’s proprietary technology and is programmed with a secret, randomly generated seed number unique to the individual user’s authenticator. The seed number and Greenwich Mean Time are used to generate code sequences at set intervals (typically every 60 seconds) which are then matched to the RSA ACE/ Server software using the same seed number and Greenwich Mean Time to generate a server code corresponding to the user’s authenticator code.

  RSA BSAFE Cryptographic Tools

      RSA BSAFE tools are a family of platform-independent crypto-security developer tools that are designed to enable enterprise and OEM software developers to reliably incorporate e-security into a wide range of applications. The Company’s encryption components are used to secure applications for electronic commerce and services over the Internet and intranets, enterprise security, entertainment, wireless communications, delivery of digital information over cable and other uses. The Company believes that the RSA BSAFE product line is the most widely deployed cryptographic software in the world, with more than 450 million licenses in use today. RSA BSAFE products include:

	•	RSA BSAFE Crypto-C and Crypto-J, popular core cryptography components for the C and Java programming languages;
	•	RSA BSAFE Cert-C and Cert-J, X.509, standards based certificate processing tools for C and Java;
	•	RSA BSAFE S/ MIME-C tool for adding e-security to messaging applications; and
	•	RSA BSAFE SSL-C and SSL-J, protocol tools that are designed to enable secure point-to-point communications over the Internet based on C and Java.

      The Company believes that its RSA RC series of symmetric, or secret key, encryption technologies, which are available as part of the RSA BSAFE product family, are among the highest performing and most secure techniques of their class available to encrypt electronic data. RC2 and RC4 are designed to handle block and streaming data types, respectively, and are designed to provide for easy adjustment of key size for exportability as well as high performance without specialized hardware.

  RSA Keon PKI Software

      RSA Keon technology is a family of interoperable, standards-based PKI software modules for managing digital certificates and providing an environment for authenticated, private and legally binding electronic communications and transactions. RSA Keon software is designed to be easy to use and interoperable with other standards-based PKI solutions, and to feature enhanced security through its integration with the RSA SecurID authentication and RSA BSAFE encryption product families.

      RSA Keon technology provides a common foundation for securing Internet and e-business applications. The RSA Keon family contains software modules for both enterprise customers who need turnkey solutions, and for enterprise customers and developers who want to build their own standards-based, native PKI applications or take advantage of PKI-aware applications. RSA Keon components include:

	•	RSA Keon Certificate Server, a powerful and flexible module for issuing digital certificates, managing their life cycle and making them available in public directories. The RSA Keon Certificate Server is an advanced system for conducting business online, and supports PKI-aware applications such as email or browsers.
	•	RSA Keon Advanced PKI, a set of software modules designed to be built on top of the RSA Keon Certificate Server, or any other standards-based certificate source, such as VeriSign Onsite or

6

Table of Contents

		Netscape Certificate Management Software. RSA Keon Advanced PKI provides a variety of services designed to remove common barriers to PKI deployment by making digital certificates transparent across multiple applications, enforcing security policies for certificate and credential use and enabling the integration of multiple certificate and directory sources. RSA Keon Advanced PKI comprises the RSA Keon Security Server and RSA Keon Desktop components, as well as RSA Keon agents, RSA Keon Application Integration software developer kits and RSA BSAFE Cert-C and Cert-J encryption tools for integrating non-PKI applications with RSA Keon software.

7

Table of Contents

STRATEGIC PARTNERS

      Historically, the Company has placed a premium on establishing interoperability between its products and those from other vendors. To that end, the Company invests in and supports several strategic partnering programs under the umbrella name of “RSA Secured.” The RSA Secured partner program is designed to help vendors integrate or establish interoperability between partner products and the Company’s products, including the RSA SecurID, RSA BSAFE and RSA Keon product families.

      The RSA Secured partner program includes specific programs for certifying interoperability between RSA SecurID and RSA ACE/ Server and the products from vendors of remote access devices, Internet firewalls, network and applications software and virtual private network products. The RSA Secured partner program also includes specific programs for licensees of its RSA BSAFE technology, who incorporate RSA BSAFE into their products. Finally, the RSA Secured partner program incorporates specific programs for vendors seeking to ensure interoperability between their products and RSA Keon. Collectively, through the RSA Secured partner programs, the Company has strategic relationships with more than 500 vendors — including AOL/ Netscape, Apple Computer, Ascend, AT&T, Check Point, Cisco Systems, Compaq, IBM, Intel, Microsoft, Nortel Networks, Novell, Oracle and others — who have integrated the Company’s technologies into more than 1,000 products. The end-user customers of the vendors who have joined the RSA Secured partner program can purchase authenticators and license RSA ACE/ Server software directly from the Company. The Company believes that these relationships help the Company and its customers to expand their enterprise network coverage and assist the Company in increasing its installed customer base and RSA SecurID authenticator usage.

      The Company has created marketing programs to foster the use of the RSA Secured logo on vendor products that incorporate the Company’s technologies or are interoperable with the Company’s products. These programs include but are not limited to listings in online directories, use of logos on product packaging and promotional materials, RSA Secured advertising, and access to marketing funds and joint promotional activities, such as tradeshows, advertising, direct mail and joint press releases. For example, in January 2000, the Company announced a strategic alliance with the member companies of American International Group, Inc. (“AIG”) under which, among other elements, the Company intends to give discounts on the Company’s products to e-business insurers of AIG member companies, and AIG intends to give discounts on e-business insurance coverage underwritten by AIG member companies to organizations that secure their e-business initiatives with the Company’s products or with third parties’ RSA Secured products.

SALES AND MARKETING

      The Company has established a multi-channel distribution and sales network to serve the e-security market. The Company sells and licenses its products directly to end users through its direct sales force and indirectly through a network of OEMs, VARs and distributors. In addition, the Company supports its direct and indirect sales efforts through strategic marketing relationships and public relations programs, trade shows and other marketing activities.

      In support of its sales efforts, the Company conducts sales training courses, comprehensive targeted marketing programs including direct mail, public relations, advertising, seminars, trade shows, interactive marketing, telemarketing and ongoing customer and third-party communications programs. The Company also seeks to stimulate interest in e-security through its public relations program, speaking engagements, white papers, technical notes and other publications.

      The Company’s direct sales staff focuses on major accounts, provides technical advice and support with respect to the Company’s products and works closely with the Company’s customers, OEMs, VARs and distributors.

      The Company also markets, sells and licenses its products indirectly through its RSA SecurWorld™ network of OEMs, VARs and distributors. As of December 31, 1999, the Company had relationships with approximately 300 OEMs, VARs and distributors.

8

Table of Contents

      Generally, the Company sells its RSA BSAFE products to OEMs and enterprise customers through its direct sales force, rather than through distributors. The Company has historically sold its RSA BSAFE products primarily to OEMs, but the Company’s sales staff is currently focusing on increasing sales of these products to enterprise customers as well.

      To enhance demand for its products, the Company has participated in the development of various industry-specific protocols that incorporate the Company’s RSA BSAFE cryptographic data security technologies. The Company also hosts its own annual industry conference, the RSA Security Conference, and participates in other conferences to increase demand for its products. Through its RSA Laboratories division, the Company maintains a leading role in basic cryptographic research, develops new encryption technologies and maintains close working relations with leading academic centers and customer development teams.

CUSTOMERS

      As of December 31, 1999, the Company had licensed more than 6,000,000 RSA SecurID authenticators to more than 5,000 customers worldwide. Historically, the Company’s principal customers have been in the telecommunications, pharmaceutical, financial and healthcare industries as well as academic institutions, research laboratories and government organizations. These customers generally work with highly confidential information and are sophisticated and knowledgeable purchasers of e-security systems. The Company believes that as corporate networks proliferate and become more complex, the number of industries concerned with e-security will grow.

      As of December 31, 1999, the Company had licensed its RSA BSAFE encryption engine and patent technology to more than 500 OEMs and developers that typically incorporate the encryption technology into their products. The Company’s RSA BSAFE encryption technology is embedded in current versions of Microsoft Windows NT®, Netscape Navigator®, Quicken® by Intuit®, Lotus Notes® and numerous other products, including mobile phones, pagers and other wireless products of Ericsson, Symbian and Phone.com. The Company also licenses its RSA BSAFE encryption technology directly to enterprise customers for incorporation into customers’ business, financial and electronic commerce networks. The Company’s RSA BSAFE technologies are part of existing and proposed standards for the Internet and World Wide Web, ITU, ISO, ANSI and IEEE.

      No customer accounted for more than 5% of the Company’s total revenue in 1997, 1998 or 1999.

CUSTOMER SERVICE AND SUPPORT

      The Company maintains a customer support help desk, technical support organization and professional services group at its headquarters in Bedford, Massachusetts and at other locations throughout the world and offers telephone and Web support for certain of its products 24 hours a day, seven days a week. The Company continues to add advanced technical support and professional service personnel to its staff to address anticipated additional demands arising from the deployment of the Company’s e-security solutions into larger and more complex user environments. The Company also has field technical support personnel who work directly with the Company’s direct sales force, distributors and customers.

      The Company’s standard practice is to provide a warranty on all RSA SecurID authenticators for the customer-selected programmed life of the authenticator (generally three to four years) and to replace any damaged authenticators (other than authenticators damaged by a user’s negligence or alteration) free of charge. The Company generally sells each of its other products to customers with a warranty for product defects for specified periods. At the time of purchase, customers may elect to purchase a maintenance contract for 12-month renewable periods. Under these contracts, the Company agrees to provide (i) corrections for documented program errors; (ii) version upgrades for both software and, if applicable, firmware; (iii) telephone consultation; and (iv) Web-based access to solutions, patches and documentation.

9

Table of Contents

PRODUCT DEVELOPMENT

      The Company’s product development efforts are focused on enhancing the functionality, reliability, performance and flexibility of its existing products, including but not limited to its RSA SecurID, RSA ACE/ Server, RSA BSAFE and RSA Keon product lines. The Company is developing architectures and technologies to continually enhance the administrative capabilities and scalability of its RSA ACE/ Server and RSA Keon products and to increase interoperability with additional network operating systems, applications and directory services. The Company also is developing tools to assist customers, strategic partners and other third-party integrators in integrating the Company’s products with custom and other third-party network or system applications.

      The Company is working to increase its competitive position by developing standards-based protocols and solutions that address the needs of specific market segments and build on its industry-leading RSA BSAFE technology. In the latter case, the Company may choose to partner with other parties to develop and/or market the products. In addition, the Company has developed enhanced RSA BSAFE Cert-C and Cert-J tools to enable both OEM and enterprise developers to make new applications PKI “aware.”

      In addition to enhancing its existing products, the Company continues to identify and prioritize various technologies for potential future product offerings. The Company may develop these products internally or enter into arrangements to license or acquire products or technologies from third parties. There can be no assurance, however, that the Company will be successful in enhancing or developing existing products or identifying and successfully acquiring new technologies.

      The Company’s product development staff engages in software and hardware engineering, testing and quality assurance and technical documentation. The Company also engages outside contractors where appropriate to supplement the Company’s in-house expertise or expedite projects based on customer or market demand.

MANUFACTURING AND SUPPLIERS

  Manufacturing

      RSA SecurID Authenticators. The Company currently contracts for the manufacture of its RSA SecurID authenticators with two suppliers. In 1999, for the RSA SecurID card, one of these suppliers had its manufacturing operations in the United States, and the other supplier had its manufacturing operations in China. In early 2000, the Company notified its U.S. supplier of its intent to terminate its contract to manufacture the RSA SecurID card. The Company intends to continue to use the supplier in China to manufacture the RSA SecurID cards. For the RSA SecurID key fob, both of these suppliers will continue to manufacture the product, which is expected to represent over 60% of the authenticator sales, in China and Thailand.

      The Company has generally been able to obtain adequate supplies of RSA SecurID authenticators in a timely manner and believes that alternate vendors can be identified if current vendors are unable to fulfill its needs. However, delays or failure to identify alternate vendors, if required, or a reduction or interruption in supply or a significant increase in the manufacturing costs could adversely affect the Company’s financial condition or results of operations and could impact customer relations.

      RSA Software. The Company’s RSA ACE/ Server, RSA BSAFE and RSA Keon software products are distributed on standard magnetic diskettes, compact disks and tapes together with documentation. The Company contracts with media duplication subcontractors for the majority of its media duplication. The Company has the capability to do all media duplication in-house, but limits its use to small production runs such as beta programs.

  Suppliers

      Although the Company generally uses standard parts and components for its products, some components are currently available only from limited sources. For example, the Company purchases the microprocessor

10

Table of Contents

COMPETITION

      The market for e-security products is highly competitive and subject to rapid technological change. The Company believes that competition in this market is likely to intensify as a result of increasing demand for e-security products. The Company currently experiences direct and indirect competition from a number of sources, including (i) software operating systems suppliers and application software vendors that incorporate a single-factor static password security system into their products; (ii) vendors of hardware tokens competitive with the Company’s RSA SecurID products; (iii) smart card security device vendors; (iv) biometric security device vendors; (v) PKI and cryptographic software firms; and (vi) application access providers. In some cases, these vendors also support the Company’s products and those of its competitors. In the future the Company may also face competition from these and other parties that develop e-security products based upon approaches similar to or different from those employed by the Company, including operating system or network suppliers not currently offering competitive e-security products. There can be no assurance that the market for e-security products will not ultimately be dominated by approaches other than the approaches marketed by the Company.

      The Company believes that the principal competitive factors affecting the market for e-security products include technical features, ease of use, interoperability, quality/reliability, level of security, customer service and support, distribution channels and price. Although the Company believes that its products currently compete favorably with respect to such factors, there can be no assurance that the Company can maintain its competitive position against current and potential competitors, especially those with significantly greater financial, marketing, service, support, technical and other competitive resources.

PROPRIETARY RIGHTS

      The Company relies on a combination of patent, trade secret, copyright and trademark laws, software licenses, nondisclosure agreements and technical measures to protect its proprietary technology. The Company also generally enters into nondisclosure and assignment of inventions agreements with its employees and confidentiality and/or license agreements with its distributors, strategic partners and customers and potential customers seeking proprietary information, and limits access to and distribution of its software, documentation and other proprietary information.

      The Company’s 17 issued U.S. patents expire at various dates ranging from 2000 to 2018. The Company’s 32 foreign patents expire at various dates between 2006 to 2015. The Company has also filed patent applications on inventions embodied in new technologies developed by the Company and on inventions that may be useful in the field of e-business. There can be no assurance that any of these applications will result in an issued patent. In addition, the patent describing the RSA public key encryption methodology, which was developed at the Massachusetts Institute of Technology (U.S. Patent No. 4,405,829) and licensed to the Company, will expire on September 20, 2000. An implementation of this cryptographic algorithm described in this patent is embodied in the Company’s RSA BSAFE cryptographic toolkit products. To date, the Company has vigorously enforced its exclusive rights to the patented technology against infringers who have released, or threatened to release, competing products that use the invention embodied in the patent. The Company does not know what effect the expiration of the patent will have, but it believes that the expiration may encourage competitors to market competing products that previously would have infringed the patent.

11

Table of Contents

      The Company has registered, or is seeking to register, its trademarks and service marks in countries where the Company has sold its products. There can be no assurance that any such trademark application currently pending will not be opposed by a third party, or that every national trademark office will permit the Company to register the marks on terms acceptable to the Company. The Company will seek to enforce its trademark and service mark rights against third parties who are marketing goods or services under marks that the Company considers confusingly similar to the Company’s marks. However, there can be no assurance that the Company will prevail in any enforcement action.

GOVERNMENT REGULATION AND EXPORT CONTROLS

      All of the Company’s products are subject to U.S. export control laws and applicable foreign government import, export and/or use restrictions. Minimal U.S. export restrictions apply to all products, whether or not they perform encryption functions.

      Exports of commercial encryption products are regulated by the Export Administration Regulations of the U.S. Department of Commerce, while exports of encryption products designed or adapted for military use require export licenses under the International Traffic in Arms Regulations of the U.S. State Department. Until recently, the U.S. government only permitted exports of commercial encryption products (other than general purpose encryption toolkits) with key lengths of up to 56  bits after a one-time technical review by the U.S. Department of Commerce. Under new regulations issued by the U.S. Department of Commerce in January 2000, encryption products of any key length, including general purpose encryption toolkits such as the Company’s RSA BSAFE products, may be exported, after a one-time technical review, to all end-users other than governmental end-users. The Company believes that it has completed the necessary technical reviews of the products and services it currently exports. Following export of certain of its products, the Company will be subject to various post-shipment reporting requirements. Encryption products may be exported to governmental end-users under special Encryption Licensing Arrangements or individual export licenses which may be issued at the discretion of the U.S. Department of Commerce. These regulations may be modified at any time, and there can be no assurance that, in the event of any such modification, the Company will be authorized to export encryption products from the United States without a license in the future. In the event of such a modification, the Company might be at a disadvantage in competing for international sales compared to companies located outside of the United States that would not be subject to such restrictions.

EMPLOYEES

      At December 31, 1999, the Company employed 834 employees. No employees are covered by any collective bargaining agreements. The Company believes that its relationships with its employees are good.

REBRANDING

      In the third quarter of 1999, the Company changed its name to RSA Security Inc. from Security Dynamics Technologies, Inc., and spent approximately $12.5 million for legal restructuring and promotional activity surrounding the name change.

ITEM 2.  PROPERTIES

      The Company’s principal administrative, sales and marketing, research and development and support facilities are located in Bedford, Massachusetts under non-cancelable ten year leases expiring in August 2008. The facilities aggregate approximately 183,000 square feet of office space, and the annual base rents aggregate approximately $3.1 million including certain operating expenses. The Company also leases facilities for research and development and sales and marketing in San Mateo, California under non-cancelable ten-year leases expiring in 2008. The facilities aggregate approximately 58,000 square feet of office space, and the annual base rents aggregate approximately $2.3 million including certain operating expenses. Annual rent escalation provisions for all of theses leases are based on the Consumer Price Index. The Company also leases facilities for administration, field sales and customer support throughout the United States, Canada, Asia, and Europe at annual base rents aggregating approximately $2.8 million.

12

Table of Contents

      In connection with the consolidation of certain operations commenced in January 1999, the Company sublet to third parties a total of approximately 50,000 square feet of its facilities at various locations, expiring through June 2001. The income from these sublets aggregates approximately $0.3 million for the year ended December 31, 1999.

ITEM 3.  LEGAL PROCEEDINGS

      On or about December 11, 1998, a class action was filed in the United States District Court for the District of Massachusetts on behalf of all purchasers of the Company’s Common Stock during the period from and including September 30, 1997 through July 15, 1998: Fitzer v. Security Dynamics Technologies, Inc., Charles R. Stuckey, Jr., D. James Bidzos, Arthur W. Coviello, Jr., John Adams, Marian G. O’Leary and Linda B. Saris, Civil Action No. 98-CV-12496-WGY. The plaintiffs subsequently dismissed without prejudice the claims against Ms. Saris. The plaintiffs filed an amended complaint on May 4, 1999, which asserts that the defendants misled the investing public concerning demand for the Company’s products, the strengths of its technologies, and certain trends in the Company’s business. Plaintiffs seek unspecified damages, interest, costs and fees of their attorneys, accountants and experts. The Company is seeking to dismiss the plaintiffs’ complaint and intends to defend the lawsuit vigorously. Although the amounts claimed may be substantial, the Company cannot predict the ultimate outcome or estimate the potential loss, if any, related to the lawsuit. The Company believes that the disposition of this matter will not have a material adverse effect on the Company’s consolidated financial position. However, the adverse resolution of the lawsuit could materially affect the Company’s results of operations or liquidity in any one annual or quarterly reporting period.

      On or about May 20, 1999, Kenneth P. Weiss, the founder and a former director, officer and employee of the Company, filed a demand for arbitration alleging that (a) the Company constructively terminated Mr. Weiss in May 1996 in violation of his Employment Agreement with the Company, and (b) the Company breached its obligations under Mr. Weiss’ Employment Agreement by refusing to release certain assignments of patents. Mr. Weiss seeks unspecified damages, interest, costs and fees of his attorneys and experts, as well as the return of his rights in certain patents he created and assigned to the Company in the course of his employment. The parties are currently conducting discovery. The Company believes that Mr. Weiss’ claims are without merit, and intends to defend the matter vigorously. The Company believes that the disposition of this matter will not have a material adverse effect on the Company’s consolidated financial position.

ITEM 4.  SUBMISSION OF MATTERS TO A VOTE OF SECURITY-HOLDERS

      None.

13

Table of Contents

EXECUTIVE OFFICERS OF THE COMPANY

      The Company’s executive officers are:

      Mr. Stuckey has served as Chairman of the Board of Directors of the Company since July 1996, President from January 1987 to March 1999, Chief Executive Officer from March 1987 to January 2000, and President of RSA Capital Inc., a subsidiary of the Company focussing on strategic investments, since January 2000.

      Mr. Coviello has served as Chief Executive Officer of the Company since January 2000, President since March 1999, Executive Vice President from September 1995 to March 1999, Chief Financial Officer and Treasurer from October 1995 to August 1997 and Chief Operating Officer from January 1997 to March 1999. Prior to joining the Company, Mr. Coviello served in various capacities with CrossComm Corporation, a developer of internetworking products, and as its Chief Operating Officer and Chief Financial Officer from March 1992 to January 1994.

      Dr. Adams joined the Company as Senior Vice President, Engineering in March 1996 and was appointed its Chief Technology Officer in October 1999. Prior to joining the Company, Dr. Adams served in various capacities with Digital Equipment Corporation, including Vice President and Technical Director of its Network Operating Systems Division from 1991 to 1996.

      Mr. Kennedy joined the Company as Senior Vice President, Finance, Chief Financial Officer and Treasurer in August 1999. Prior to joining the Company, Mr. Kennedy was Chief Financial Officer of décalog, NV, a developer of enterprise investment management software, from 1998 to 1999. From 1993 to 1998, he served as Vice President of Finance, Chief Financial Officer and Treasurer of Natural MicroSystems Corporation, a telecommunications company.

      Ms. Saris joined the Company as Vice President, Finance and Operations, Treasurer and Chief Financial Officer in June 1989, and was appointed Senior Vice President, Customer Support, Information Services and Operations in July 1998. From January 1997 to July 1998, Ms. Saris served as Vice President, Customer Support and Operations of the Company and from October 1995 to January 1997, as its Vice President, Operations.

      Mr. Schnell joined RSA Data Security, Inc., a former subsidiary of the Company that merged with the Company in September 1999, as Vice President of Marketing in March 1996, and was appointed Senior Vice President, Marketing in July 1998. Prior to joining RSA Data Security, Mr. Schnell was Vice President, Marketing of Photonics Corporation from June 1994 to July 1995 and held a number of positions, including Director of Sales, AppleSoft Software, and Director and General Manager of the electronic software retail unit at Apple Computer, Inc.

      Ms. Seif joined the Company as General Counsel in March 1998, and was appointed Vice President and Secretary in June 1998. Prior to joining the Company, Ms. Seif was Vice President and General Counsel of Firefly Network, Inc., a personal information software company, from 1996 to 1998. In November 1993,

14

Table of Contents

      Mr. Uniejewski joined the Company as Vice President of Product Marketing in October 1998 and was appointed Senior Vice President, Engineering in October 1999. Prior to joining the Company, Mr. Uniejewski served in various positions at Gradient Technologies, including Vice President of Engineering from 1996 to 1998. From 1994 to 1996 he served as Director of Marketing of Cisco Systems’ ATM business unit.

15

Table of Contents

PART II

      The Company’s Common Stock has been trading on the Nasdaq National Market under the symbol “RSAS” (formerly “SDTI”) since the Company’s initial public offering on December 14, 1994. The following table sets forth for the fiscal periods indicated the high and low sales prices per share of Common Stock as reported on the Nasdaq National Market.

      There were 338 stockholders of record of the Company’s Common Stock as of February 4, 2000.

      The Company has never declared or paid any cash dividends on its capital stock. The Company currently intends to retain earnings, if any, to support its growth strategy and does not anticipate paying cash dividends in the foreseeable future. Payment of future dividends, if any, will be at the discretion of the Company’s Board of Directors after taking into account various factors, including the Company’s financial condition, operating results, current and anticipated cash needs and plans for expansion.

16

Table of Contents

ITEM 6.  SELECTED FINANCIAL DATA

17

Table of Contents

Overview

      As used in this Report, the term “the Company” refers to RSA Security Inc. (formerly known as Security Dynamics Technologies, Inc.) and its subsidiaries.

      This Report contains forward-looking statements within the meaning of Section 21E of the Securities Exchange Act of 1934, as amended, and Section 27A of the Securities Act of 1933, as amended. For purposes of these Acts, any statement contained herein that is not a statement of historical fact may be deemed a forward-looking statement. Without limiting the foregoing, the words “believes,” “anticipates,” “plans,” “expects,” and similar expressions are intended to identify forward-looking statements. There are a number of factors that could cause the Company’s actual results to differ materially from those indicated by such forward-looking statements. These factors include, without limitation, those set forth below under the caption “Certain Factors That May Affect Future Results.”

      The Company is a leading provider of electronic security (“e-security”) solutions. The Company helps organizations build secure, trusted foundations for electronic business (“e-business”) through use of the Company’s two-factor user authentication, encryption and public key management products and solutions. The Company sells to corporate (“Enterprise”) end users seeking turnkey e-security solutions, and to original equipment manufacturers and developers (“OEMs”) seeking software development components for embedding security in a range of applications.

      The Company was founded in 1984 and began shipping its RSA SecurID® authenticators in 1986. Prior thereto, the Company was primarily engaged in research and development activities. In December 1991, the Company introduced its RSA ACE/ Server® software products for Enterprise network protection using a client/server architecture. The Company believes that its growth has historically been driven by the emergence of networks and a corresponding increase in users with direct access to core enterprise systems and confidential data. Further, the Company believes the number of users with such direct access is increasing because of the growth of the Internet and corporate intranets and extranets.

      The Company has established a multi-channel distribution and sales network to serve the Enterprise e-security market. The Company sells and licenses its products directly to Enterprise end users through its direct sales force and indirectly through a network of OEMs, value added resellers and distributors. In addition, the Company supports its direct and indirect sales efforts through strategic marketing relationships and public relations programs, trade shows and other marketing activities.

      The Company’s direct sales to its customers in countries outside of the United States are denominated in the local currency. As a result, fluctuations in currency exchange rates could affect the profitability in U.S. dollars of the Company’s products sold in those markets. The Company’s sales through indirect distribution channels are generally denominated in U.S. dollars.

      The Company’s revenue is derived primarily from two distinct product lines: Enterprise solutions (including RSA SecurID authenticators, RSA ACE/ Server software, RSA Keon™ software, and maintenance and professional services) and OEM solutions (including RSA BSAFE® cryptographic development tools and protocol products, RSA Keon components, and maintenance and professional services). Customers’ purchases typically include an initial sale of RSA SecurID authenticators and RSA ACE/ Server software, with later add on sales of additional or replacement authenticators and software as the customer’s use of the products expands to include more users, such as the customer’s vendors, suppliers, customers and clients. RSA SecurID authenticators are programmed at the customer’s request to operate for a fixed period of up to four years, and RSA ACE/ Server and RSA Keon software license fees are typically based on the number of users authorized under the customer’s license. RSA BSAFE software licensing terms vary by product, but are typically composed of both initial fees and ongoing royalties paid as a percentage of the OEM’s product or service revenues. Sales to existing customers also include revenue associated with amendments to licensing agreements, usually in order to accommodate licensing of new software or technology to the customer, to increase the field of use rights, or both.

18

Table of Contents

      The Company’s RSA SecurID authenticators are produced by two outside contract manufacturing organizations (see “Certain Factors That May Affect Future Results”), and the Company licenses some of the technology included in some of its products from third parties. The Company’s cost of revenue consists primarily of costs associated with (1) the manufacture and delivery of RSA SecurID authenticators and (2) royalty fees payable by the Company under licenses for third parties’ technology included in its products. Cost of revenue also includes professional service costs, customer support costs and production costs. These production costs include shipping and labor costs associated with programming, inspection and quality control functions associated with the RSA SecurID authenticators. In the future, gross margin may be affected by several factors, including changes in product mix and distribution channels, price reductions (resulting from volume discounts or otherwise), competition, changes in the cost of revenue (including any software license fees or royalties payable by the Company) and other factors.

      Information on the Company’s industry segments may be found in Note 10 of Notes to Consolidated Financial Statements.

Results of Operations

      The following table sets forth certain consolidated financial data as a percentage of revenue:

1999 Compared with 1998

Revenue

      Total revenue increased 27.3% in 1999 to $218.1 million from $171.3 million in 1998. Sales to Enterprise solution customers increased 24% in 1999 to $165.1 million from $133.1 million in 1998, and sales to OEM customers increased 39% in 1999 to $53.0 million from $38.2 million in 1998. Approximately 57.8% of the increase in revenue in 1999 was attributable to increased sales of RSA SecurID authenticators and RSA ACE/ Server software, approximately 31.5% of the increase was attributable to increased sales of RSA BSAFE, and approximately 10.7% of the increase was attributable to increased maintenance and professional services revenues. The Company believes that the overall increase in sales was attributable to the growth in the e-security market due to increased use of the Internet and corporate intranets and extranets.

19

Table of Contents

      International revenue increased 11% in 1999 to $66.0 million from $59.3 million in 1998. The increase in international revenue was primarily from the continuing expansion of the Company’s international sales force and increased market penetration.

Gross Profit

      The Company’s gross profit increased 32.5% in 1999 to $173.0 million from $130.6 million in 1998. Approximately 20% of this increase was due to increased unit sales of RSA SecurID authenticators, approximately 21% was due to increased sales of RSA ACE/ Server and approximately 29% was due to increased sales of RSA BSAFE.

Research and Development

      Research and development expenses increased 17.7% in 1999 to $37.6 million from $32.0 million in 1998. The majority of the increase in research and development expenses resulted from increased payroll expenses associated with the employment of additional staff.

Rebranding

      In September 1999 the Company changed its name to RSA Security Inc. Legal and promotional costs incurred in connection with this rebranding were approximately $12.5 million, of which approximately $11.8 million has been included in marketing and selling and approximately $0.7 million has been included in general and administrative.

Marketing and Selling

      Marketing and selling expenses increased 34.7% in 1999 to $89.9 million from $66.8 million in 1998. Approximately 38% of the increase in 1999 was from increased payroll costs associated with the employment of additional staff, and approximately 11% of the increase was from increased sales commissions on increased revenues.

General and Administrative

      General and administrative expenses increased 43.4% in 1999 to $27.3 million, from $19.0 million in 1998. Approximately 62% of the increase in general and administrative expenses was from increased payroll expenses associated with the employment of additional staff and approximately 23% of the increase was from increased professional fees, the majority of which related to protection of intellectual property.

Restructuring

      In 1999, the Company commenced and substantially completed consolidation of certain operations in an attempt to achieve operational efficiency. The Company recorded costs of $11.4 million consisting of severance costs of $9.4 million for employees who were employed primarily in research and development and general and administrative activities for the formerly separate operations of Intrusion Detection, Inc. (“IDI”), and facility exit costs of $2.0 million. Facility exit costs consist primarily of estimated shortfalls of sublease rental income compared to minimum lease payments due under a lease agreement. Costs of approximately $2.9 million were accrued and unpaid at December 31, 1999 and consisted of facility exit costs of $1.7 million and termination benefits, payable through the third quarter of 2000, of $1.2 million.

Interest Income

      Interest income increased 15.3% in 1999 to $10.0 million from $8.7 million in 1998 from interest earned on higher cash and marketable securities balances.

20

Table of Contents

Net Gains From Investments

      For 1999, net gains from investments were $286.0 million from sales of marketable securities, which includes gains from the sale of VeriSign, Inc. (“VeriSign”) common stock and Trintech Group PLC (“Trintech”) ordinary shares of $276.4 million, and an increase in value of VeriSign common stock of $12.6 million from the write-up under the equity method. These gains are net of the Company’s equity in VeriSign’s loss of $0.5 million and an investment allowance of $2.5 million on other investments. Until June 30, 1999, the Company had accounted for its investment in VeriSign under the equity method. After June 1999, investments in VeriSign common stock were accounted for as marketable securities available for sale. For 1998, net gains from investments were $35.4 million from sales of marketable securities, which includes gains from the sale of VeriSign common stock of $31.3 million, and an increase in value of VeriSign common stock of $12.0 million from the write-up under the equity method upon VeriSign’s initial public offering. These gains are net of the Company’s equity in VeriSign’s loss of $4.3 million and an investment allowance of $3.6 million on other investments. The Company routinely evaluates the realizable value of its investments using qualitative and quantitative factors including discounted cash flow analysis and liquidation value assessments.

Minority Interests

      Minority stockholders owned an aggregate 26% of the Company’s Japanese subsidiary until November 1999, when the Company purchased the interests for $3.6 million. The excess purchase price over fair value of assets of $1.1 million was recorded as goodwill and is being amortized over ten years. Minority interests in the subsidiary’s net loss were $16,000 in 1999 and $600,000 in 1998.

Provision for Income Taxes

      The provision for income taxes increased to $119.0 million in 1999 from $23.6 million in 1998, primarily due to higher pre-tax income. The Company’s effective tax rate decreased to 39.3% in 1999 from 45.0% in 1998 primarily due to the effect of state taxes on investment income.

1998 Compared with 1997

Revenue

      Total revenue increased 21.8% in 1998 to $171.3 million from $140.6 million in 1997. Sales to Enterprise solution customers increased 21% in 1998 to $133.1 million from $109.8 million in 1997, and sales to OEM customers increased 24% in 1998 to $38.2 million from $30.8 million in 1998. Approximately 43% of the increase in revenue in 1998 was attributable to increased sales of RSA SecurID authenticators, approximately 19% of the increase was attributable to increased sales of RSA BSAFE toolkits, approximately 22% of the increase was attributable to increased sales of RSA ACE/ Server software and approximately 11% of the increase was attributable to increased maintenance and professional services revenues. These increases in revenue were offset in part by decreased revenues from sales of RSA SecurPC software and from decreased revenue from sales of hardware. Revenue from sales of RSA Keon software and from sales of Kane Security Analyst and Kane Security Monitor software decreased slightly in 1998 compared to 1997. The Company believes that the overall increase in sales was attributable to growth in the information security market due to increased use of the Internet and corporate intranets and extranets.

      International revenue increased 36.4% in 1998 to $59.3 million from $43.5 million in 1997. The increase in international revenue was primarily from the continuing expansion of the Company’s international sales force and increased market penetration.

Gross Profit

      The Company’s gross profit increased 16.6% in 1998 to $130.6 million, from $111.9 million in revenue in 1997. Gross profit as a percentage of revenue was lower in 1998, primarily due to write-offs to cost of revenue of prepaid license fees of $4.1 million under secure VPN and secure e-mail license agreements determined to have no future value and costs of $1.2 million associated with exiting certain hardware product lines.

21

Table of Contents

Research and Development

      Research and development expenses increased 17.7% in 1998 to $32.0 million from $27.2 million in 1997. Excluding purchased research and development, the majority of the increase in research and development expenses resulted from increased payroll expenses from the employment of additional staff. During 1998 the Company purchased and recorded as purchased research and development expense certain technology from VeriSign for $500,000 and from other parties for $1.3 million. The Company incorporated these technologies into its RSA Keon product line.

      During 1997, the Company purchased, and recorded as purchased research and development expense, certain technology from VeriSign for $2.7 million and from other third parties for $3.5 million. The Company incorporated the technologies into its RSA Keon and RSA BSAFE products.

Marketing and Selling

      Marketing and selling expenses increased 59.3% in 1998 to $66.8 million from $41.9 million in 1997. Approximately 52% of the increase in marketing and selling expenses in 1998 resulted from an increase in payroll costs from the employment of additional staff and approximately 31% of the increase was attributable to increased sales commissions. Sales commissions increased due to increased revenues and due to compensation programs designed to incent sales personnel to increase sales through the indirect channel and, in particular, the Internet and telecommunication service provider channels. The remainder of the increase in marketing and selling expenses resulted primarily from increased marketing program costs.

General and Administrative

      General and administrative expenses increased 10.7% in 1998 to $19.0 million, from $17.2 million in 1997. Approximately 68% of the increase in general and administrative expenses was due to increased payroll expenses from the employment of additional staff and approximately 31% of the increase in general and administrative expenses was due to increased professional fees offset by expense reduction synergies achieved in connection with the acquisitions of DynaSoft AB (“DynaSoft”) and IDI. The increase in professional fees was primarily due to the Company’s commencement of a program in 1998 to aggressively protect its intellectual property rights through worldwide trademark and patent registrations.

Merger and Integration

      Merger and integration expenses from the acquisition of IDI were approximately $2.6 million in 1998 and were $5.7 million from the acquisition of DynaSoft in 1997.

Legal Settlement

      In September 1998, the Company granted options to purchase an aggregate of 325,000 shares of common stock in connection with the settlement of threatened litigation arising out of the acquisition of IDI. The value of the options was determined to be $1.9 million, using the Black-Scholes option-pricing model.

22

Table of Contents

Interest Income

      Interest income increased 38.3% in 1998 to $8.7 million from $6.3 million in 1997 from interest earned on higher cash and marketable securities balances.

Net Gains From Investments

      For 1998, net gains from investments were $35.4 million from sales of marketable securities, which includes gains from the sale of VeriSign, Inc. common stock of $31.3 million, an increase in value of VeriSign common stock of $12.0 million from the write-up under the equity method upon VeriSign’s initial public offering. These gains are net of the Company’s equity in VeriSign’s loss of $4.3 million and an investment valuation allowance of $3.6 million on other investments. For 1997, net gains from investments were $4.3 million from sales of marketable securities. The Company routinely evaluates the realizable value of its investments using qualitative and quantitative factors including discounted cash flow analysis and liquidation value assessments.

Minority Interests

      Minority stockholders owned an aggregate 26% of RSA’s Japanese subsidiary. Minority interests in the subsidiary’s net loss was $0.6 million in 1998, and minority interests in the subsidiary’s net income was $0.1 million in 1997.

Provision for Income Taxes

      The provision for income taxes increased to $23.6 million during 1998 from $13.3 million in 1997, primarily due to higher pre-tax income. The Company’s effective tax rate increased to 45.0% in 1998 from 43.7% in 1997 primarily due to the effect of state income taxes on investment gains and differences in amounts of nondeductible merger expenses in 1998 compared to 1997.

Liquidity and Capital Resources

Liquidity

      The Company used $81.1 million of cash for operations in 1999 compared to $8.9 million for 1998. Operating cash used in 1999 was primarily for taxes paid on investment gains. Cash used in operations for 1998 was primarily for working capital.

      Investing activities provided cash in 1999 of $231.2 million and used cash of $49.5 million in 1998. Investing activities were primarily sales and purchases of marketable securities and investments. Purchases of property and equipment used cash of $13.7 million and $18.9 million in 1999 and 1998, respectively.

      Cash used for financing activities in 1999 was $61.3 million compared to $4.7 million in 1998. In 1999 and 1998, the Company realized $45.3 million and $7.9 million, respectively, from the exercise of employee stock options and purchases under the employee stock purchase plan, including tax benefits thereon. The Company used cash of $103.0 million and $12.1 million to repurchase its common stock in 1999 and 1998, respectively.

      At December 31, 1999, the Company had cash, cash equivalents and marketable securities of $1,383.2 million and working capital of $553.3 million, compared to $158.2 million and $180.9 million, respectively, at December 31, 1998. The Company believes that working capital will be sufficient to meet its anticipated cash requirements through at least 2001.

      To protect a portion of its marketable securities position, the Company sold put and call options on its VeriSign shares to independent third parties. The put options entitle the holders to buy shares of VeriSign common stock, and the call options allow the Company to sell shares of VeriSign common stock on certain dates at specified prices, or permit a net-share settlement at the Company’s option. On December 31, 1999, 5,500,000 shares were covered by these put and call options. The outstanding put and call options expire quarterly in 500,000 share increments between March 31, 2000 and September 30, 2002 and have exercise

23

Table of Contents

Other

Mergers and Acquisitions

      On March 26, 1998 the Company issued approximately 784,000 shares of Common Stock in exchange for all of the outstanding common stock of IDI in a transaction accounted for as a pooling of interests. Acquisition costs were approximately $2.6 million.

Share Repurchase Program

      The Company was authorized to repurchase up to 4,000,000 shares of its common stock during the 12-month period ended October 11, 1999, and is authorized to purchase up to an additional 4,000,000 shares of its common stock during the 12-month period ending October 12, 2000. Repurchased shares may be used for the Company’s stock option and employee stock purchase plans, and for general corporate purposes. Through December 31, 1999, the Company had repurchased 5,134,500 shares of its common stock, for an aggregate amount of $115.1 million, at an average cost of $22.42 per share.

Stock Purchase Warrants

      The Company issued warrants to purchase 80,000 shares of common stock in September 1999 in connection with a software sale. The value of the warrants of $1.0 million was determined using the Black-Scholes option-pricing model and allocated to additional paid in capital.

Stock Option Repricing

      In August 1998, the Company repriced options to purchase approximately 5,500,000 shares of common stock to the then fair market value of $12.0625 per share.

Conversion to Euro

      The Company’s systems are configured to process Euro denominated transactions. The Company does not believe the Euro will have a significant effect on its business, financial position, cash flows or the results of its operations.

New Accounting Pronouncements

      In June 1998, the Financial Accounting Standards Board (FASB) issued Statement of Financial Accounting Standards (SFAS) No. 133, “Accounting for Derivative Instruments and Hedging Activities.” In June 1999, the FASB issued SFAS No. 137, “Accounting for Derivative Instruments and Hedging Activities — Deferral of the Effective Date of FASB Statement 133.” The Statement defers the effective date of SFAS No. 133 to January 1, 2001. The effect of adopting the standard is being evaluated. The Company estimates that, based on the valuation of the put and call options as of December 31, 1999, the effect of adopting this standard would be to decrease net gains from investments by $29.8 million. SFAS No. 133 will require the Company to recognize all derivatives on the balance sheet at fair value. Derivatives that are not hedges must be adjusted to fair value through income. If the derivative is a hedge, depending on the nature of the hedge, changes in the fair value of derivatives will either be offset against the change in fair value of hedged assets, liabilities, or firm commitments through earnings or recognized in accumulated other comprehensive income until the hedged item is recognized in earnings. The ineffective portion, if any, of a derivative’s change in fair value will be immediately recognized in earnings.

24

Table of Contents

Quarterly Financial Data

      Net income includes the following non-core activity:

      Gains from sales of VeriSign common stock of $74,489, $54,802, $86,837 and $60,310 in the first, second, third and fourth quarters of 1999, respectively, and $1,836 and $29,449 in the third and fourth quarters of 1998, respectively. The Company’s proportionate share of VeriSign’s quarterly losses of $358 and $167 for the first and second quarters of 1999, respectively and $1,173, $1,214 and $1,800 for the second, third and fourth quarters of 1998, respectively. Gains from the write-up under the equity method of the Company’s investment in VeriSign of $12,576 in the second quarter of 1999 and $11,976 in the second quarter of 1998. Losses relating to the investment valuation allowance on the Company’s investments of $2,537 in the third quarter of 1999, and $3,647 in the fourth quarter of 1998.

      Costs associated with the Company’s corporate rebranding of $5,363 and $7,137 in the third and fourth quarters of 1999. Costs associated with the formation of RSA Capital Inc. were $147 in the fourth quarter of 1999.

      Costs associated with the Company’s restructuring of $6,550, $3,800 and $1,000 for the first, third and fourth quarters of 1999, respectively. Merger costs incurred during the acquisition of IDI of $2,600 in the first quarter of 1998.

      Costs associated with purchased technology of $210 and $1,550 in the first and fourth quarters of 1998, respectively. The write-off of a secure messaging license to cost of sales of $3,000 in the second quarter of 1998. The costs associated with terminating select hardware and VPN product lines of $2,346 in the fourth quarter of 1998. Costs associated with accelerated stock option compensation from terminations and headcount reductions of $821 in the fourth quarter of 1998.

      A one-time, non cash charge relating to settlement of threatened litigation in connection with the Company’s acquisition of IDI of $1,872 in the third quarter of 1998.

25

Table of Contents

      Income tax provisions (benefits for non-recurring items were $31,644, $30,173, $23,972 and $20,757 in the first, second, third and fourth quarters of 1999, respectively, and $80, $3,211, ($464), and $9,979 in the first, second, third and fourth quarters of 1998, respectively.

Year 2000 Issues

Overview

      Historically, computer systems and software products were coded to accept only two digit entries in the date code field. These date code fields had to be modified to accept four digit entries to distinguish 21st century dates from 20th century dates. As a result, such software and computer systems needed to be upgraded or replaced in order to comply with such “Year 2000” requirements.

  Company Products

      Prior to December 31, 1999, the Company tested substantially all of its products for Year 2000 readiness. In measuring Year 2000 readiness, the Company applied the following specifications: “Year 2000 Ready” means that: (1) no value for current date will cause any interruption in operation; (2) date-based functionality must be consistent for dates prior to, during and after Year 2000; (3) in all interfaces and data storage, the century in any date must be specified either explicitly or by unambiguous algorithms or inferencing rules; and (4) Year 2000 must be recognized as a leap year.

      The Company’s RSA SecuriID authenticators are Year 2000 Ready. Assuming that a customer is utilizing the Company’s software products in conjunction with a Year 2000 Ready operating system, then the Company’s most recent software releases, RSA ACE/ Server v3.3, RSA Keon Security Server v4, RSA Keon Desktop v4, RSA Keon Agents v4 and above, RSA Keon Agent SDK, RSA Keon UNIX Platform Security v4, (Keon software products were formerly known as BoKS), RSA Keon Certificate Server v5.0, RSA SoftID, RSA SecurPC, RSA BSAFE Crypto-C, RSA BSAFE Crypto-J, RSA BSAFE Cert-C, RSA BSAFE SSL-C and RSA BSAFE SSL-J are Year 2000 Ready. The Company’s ACE/ Sentry hardware products are also Year 2000 Ready. Certain prior versions of the Company’s software products, as well as the Company’s ACM 100, 400, 1600 and 5100 hardware products, are not fully Year 2000 Ready, and customers were informed of the status of the Company’s products in the ordinary course of business. In certain circumstances, the Company has made available to customers who have implemented prior releases of the Company’s software products software updates to make the products Year 2000 Ready.

      While the Company has completed what it believes to be an effective Year 2000 Readiness testing program for its products, and although the Company has not yet received any complaints from its customers about the Year 2000 Readiness of its products, the Company’s products may contain undetected errors or defects associated with Year 2000 date functions. Such errors or defects in the Company’s products could result in delay or loss of revenue and diversion of development resources, which might materially adversely affect the Company’s business, financial condition or results of operations.

  Company Systems

      The Company established a Year 2000 task force to determine the state of readiness of all Company information technology (“IT”) and non-IT systems, including the microprocessors contained in infrastructure products, such as card-swipe entry devices, which are used at the Company’s facilities. Before December 31, 1999, the task force identified the third-party equipment, software, vendors, systems and suppliers used by the Company that were not Year 2000 Ready and replaced non-Year 2000 Ready third-party equipment and software with Year 2000 Ready equipment and software. With respect to certain other business applications and systems licensed by the Company from third parties (including but not limited to the Company’s telephone systems and management information system installed in 1998), the Company relied on those licensors’ written representations that the applications were Year 2000 Ready. To date, the Company has not experienced any significant problems due to non-Year 2000 Ready equipment or software.

26

Table of Contents

  Costs to Address Year 2000 Issues

      The Company incurred direct costs to modify or replace existing systems used by the Company in the operation of its business to ensure that all systems would be Year 2000 Ready before December 31, 1999. The total amounts spent by the Company addressing this issue were not material.

      In addition, the Company spent substantial time and effort testing and evaluating its own products to determine Year 2000 Readiness of those products. In the case of prior product releases that are not Year 2000 Ready, the Company expects to devote internal engineering and customer support resources to resolving any issues for existing customers of those products.

  Risks to the Company

      The Company has made representations and warranties, both in contracts and in written communications, to certain of its customers regarding the Year 2000 Readiness of its products. The Company has reviewed all of those representations to determine the accuracy of those statements. The Company has determined that it made Year 2000 Readiness representations in fewer than 10% of its customer contracts, and many of those customers have requested, and received, Year 2000 Ready versions of the Company’s products.

      With respect to any contractual representation made by the Company regarding Year 2000 Readiness that were not accurate, the Company will seek to upgrade the affected customer to the Company’s current Year 2000 Ready version of the product(s) being used by that customer. If the Company has made a materially inaccurate statement regarding the Year 2000 Readiness of its products and the customer chooses not to upgrade to a Year 2000 Ready version of the product, the Company may face the risk of one or more lawsuits from its customers alleging breach of representation.

      The foregoing shall be considered a Year 2000 readiness disclosure to the maximum extent allowed under the Year 2000 Information and Readiness Disclosure Act.

CERTAIN FACTORS THAT MAY AFFECT FUTURE RESULTS

      The Company’s operating results tend to fluctuate from quarter to quarter. The Company’s quarterly operating results may vary significantly from quarter to quarter depending on a number of factors, including, among other factors:

	•	the timing of introduction or enhancement of products by the Company or its competitors;
	•	the size, timing and shipment of individual orders for the Company’s products;
	•	customers deferring their orders in anticipation of new products;
	•	market acceptance of new products;
	•	changes in the Company’s operating expenses;
	•	personnel changes;
	•	foreign currency exchange rates;
	•	changes in the mix of products sold;
	•	changes in product pricing;
	•	development of the Company’s direct and indirect distribution channels; and
	•	general economic conditions.

      The Company may not be able to grow or sustain its profitability from quarter to quarter. Because the Company’s operating expenses are based on anticipated revenue levels and a high percentage of the Company’s expenses are fixed, a small variation in when revenue is recognized can cause significant variations in operating results from quarter to quarter.

27

Table of Contents

      The Company’s business has historically tended to be seasonal, with revenue increasing at a higher rate in the last quarter of the year and at a lower rate in the following quarter. The Company believes that the higher rate of increase during the last quarter is due to the Company’s quota-based compensation plans, year-end budgetary pressures on the Company’s customers and the tendency of some of the Company’s customers to implement changes in enterprise network or data security just before the end of the calendar year. In addition, revenue tends to increase at lower rates in the summer months, particularly in Europe, when businesses defer purchase decisions.

      The Company’s stock price has been volatile and is likely to remain volatile. During 1999, the Company’s stock price ranged from a per share high of $77.50 to a low of $14.88. At the close of the market on February 9, 2000, the Company’s stock price was $63.73. Announcements, litigation developments and the Company’s ability to meet the expectations of brokerage firms, industry analysts and investors with respect to its operating and financial results may contribute to this volatility. The Company may not discover, or be able to confirm, revenue or earnings shortfalls until the end of a quarter, which may result in an immediate drop in the Company’s stock price. Securities class action litigation is often instituted against publicly traded companies after a period of volatility in the market price of the companies’ securities. In December 1998, some of the Company’s stockholders filed a class action against the Company and some of its officers and directors. This litigation, and other litigation if instituted, could result in substantial costs and a diversion of management’s attention and resources.

      The market for the Company’s products is new and still developing. An increasing number of businesses, government agencies and individuals are using computer networks, including enterprise-wide and remote computing, as well as the Internet, intranets and extranets. Because these computer networks enhance the ability of users, both authorized and unauthorized, to access sensitive and proprietary information and resources, demand for the Company’s enterprise network and data security products has increased as well. With this growth of computer networks has also come a growing use of public and private keys, digital signatures and digital certificates for verifying user identities and establishing information access privileges for users in an enterprise.

      This growth may not continue. The use of computer networks to conduct business and enhance authorized access to information and resources is relatively new, and many business and government agencies will need to invest substantial resources and make major changes in their ways of doing business in order to benefit from computer networks. Many businesses and government agencies may be reluctant to make these investments and changes and may be deterred from using computer networks for a number of reasons, including:

	•	actual or perceived inadequacies in the development of network and Internet infrastructure and the lack of cost-effective, high-speed service;
	•	concerns about the security of communications and commerce over computer networks;
	•	the complexity of developing and administrating computer networks; and
	•	the difficulty of integrating business applications on computer networks and the incompatibility of different business and security applications.

      In addition, the distribution channels for the Company’s products are changing. For example, the Company believes that an increasing number of businesses are choosing to “rent” access to enterprise applications from application service providers and other vendors, rather than buying the applications and investing the resources required to set up their own computer networks. As new distribution channels evolve, the Company may need to adjust its sales strategy to address these channels.

28

Table of Contents

      Demand for the Company’s products depends highly on the continued growth in the use of computer networks to allow users access to confidential and proprietary information and resources. This demand depends on, among other things:

	•	the continued evolution of electronic commerce as a viable means of conducting business;
	•	the public’s perception of the need for secure electronic commerce and communications over computer networks;
	•	market acceptance and use of public and private key cryptography, digital signatures and digital certificates in communication and commerce;
	•	the perceived quality, price, availability and interoperability of the Company’s products over its competitors’ products;
	•	the pace of technological change, both in the development and use of computer networks generally and in the hardware and software environments in which the Company’s products operate, and the Company’s ability to keep up with these changes; and
	•	general economic conditions.

      A well-publicized actual or perceived breach of network or data security could trigger a heightened awareness of computer abuse, resulting in an increased demand for security products such as those offered by the Company. On the other hand, an actual or perceived breach of network or data security at the Company or one of the Company’s customers, whether or not the breach was caused by the failure of one of the Company’s products, could hurt the Company’s reputation and cause potential customers to turn to competitors’ products. For example, in February 2000, a third party attacker briefly redirected the Company’s www.rsa.com URL (which is one of the Company’s inactive web sites that points users to the Company’s main web site) to a false rsa.com site. Although the company’s security was not compromised in any way, the Company believes that the public may have perceived that the Company or its products were less secure because of this incident. In addition, although the effectiveness of the Company’s identification and authentication products does not depend on the secrecy of its proprietary algorithm, the public disclosure or “breaking” of this algorithm could lead the public to believe that the Company’s products have been compromised, which could reduce demand for the Company’s products.

      Changes in e-security technology and standards could render the Company’s products obsolete. The market for e-security products is fast-moving and evolving. E-security technology is constantly changing as the Company and its competitors introduce new products and retire old ones and as customer requirements quickly develop and change.

      In addition, the standards for e-commerce and network security are continuing to evolve. If any segments of the Company’s market adopt technologies or standards that are inconsistent with the Company’s products and technology, sales of the Company’s products in those market segments could decline.

      The Company’s future success will depend in part upon its ability to enhance its existing products and to introduce new, competitively priced products with features that meet changing customer requirements, all in a timely and cost-effective manner. However, the Company may not be successful in introducing new or enhanced products. A number of factors, including the following, could have an adverse impact on the success of a product:

	•	delays or difficulties in product development;
	•	quality, reliability or security failure problems, which could result in returns, delays in collecting accounts receivable, unexpected service or warranty expenses, reduced orders and a decline in the Company’s competitive position;
	•	undetected software errors or bugs in the final products shipped to the Company’s customers, which could cause market acceptance of the products to be lost or delayed, recalls of hardware products incorporating the software or loss of data;

29

Table of Contents

	•	the Company’s competitors introducing their new products ahead of the Company’s new products or introducing superior or cheaper products;
	•	the market’s failure to accept new technologies;
	•	the Company’s failure to anticipate changes in customers’ requirements; and
	•	implementation of standards that are inconsistent with the technology embodied in the Company’s products.

      The Company’s success depends on the success of the RSA Keon product line. During 1999, the Company launched its RSA Keon product line, a family of enterprise security solutions designed to enable organizations to support and manage the growing use of public and private keys, digital signatures and digital certificates for verifying user identities and establishing information access privileges for these users in an enterprise. This new product line is critical to the Company’s strategy and the evolution of its business into new markets. If the RSA Keon product line is not successful, the Company’s financial condition or results of operations could be adversely affected. All of the factors listed above as affecting the success of new products generally also affect the RSA Keon product line. In addition, RSA Keon’s success especially depends on market acceptance of digital certificate and public and private key management technologies.

      Transactions for the RSA Keon products often involve large expenditures by the Company’s customers, and the sales cycles for these transactions are often lengthy and unpredictable. The long nature of the sales cycles may impact the Company’s quarterly results of operations. The sales cycles for these transactions are subject to a number of uncertainties such as:

	•	customers’ budgetary constraints;
	•	the timing of customers’ budget cycles; and
	•	customers’ internal review process.

      The Company must manage its growth. The Company’s business has grown significantly in size and complexity over the last few years. This growth has placed, and is expected to continue to place, a significant strain on the Company’s management and operations. In addition, the Company’s personnel, systems, procedures and controls may not be adequate to support its growth. The geographic dispersal of the Company’s operations may also make it more difficult to manage its growth.

      The Company’s market is highly competitive. The Company competes with: (1) established e-security companies that currently offer network security products or services; (2) newly organized e-security companies that are developing new, competitive products and technologies; and (3) established computer hardware or software companies that introduce their own network security products, either separately or bundled with their existing hardware or software products. Some of the Company’s current and potential competitors have significantly greater financial, marketing and technical resources than the Company. As a result, they may be able to leverage an installed customer base, adapt more quickly to new technologies and changes in customer requirements, or devote greater resources to the promotion and sale of their products than the Company can. The Company believes that maintaining its competitive position will require it to continue investing in research and development and sales and marketing. The Company may not have sufficient resources to make these investments and may not be able to make the technological advances necessary to maintain its competitive position. In addition, current and potential competitors may establish collaborative relationships to increase their ability to address the security needs of the Company’s prospective customers. Accordingly, new competitors or alliances that emerge could pose unforeseen competitive threats.

      The Company must establish and maintain strategic relationships. One of the Company’s business strategies is to enter into strategic marketing alliances or other similar collaborative relationships in order to reach a larger customer base than the Company could reach alone through its direct sales and marketing efforts. If the Company is unable to create relationships with strategic partners, then it will need to devote more resources to sales and marketing. The Company may not be able to find appropriate strategic partners or may not be able to enter into potential relationships on commercially favorable terms. Furthermore, the

30

Table of Contents

      The Company’s products are subject to export regulations. Under new regulations issued by the U.S. Department of Commerce in January 2000, encryption products of any key length, including general purpose encryption tools such as the Company’s RSA BSAFE products, may be exported, after a one-time technical review, to all end-users other than governmental end-users. The Company believes that it has completed the necessary technical reviews of the products and services it currently exports. Following export of certain of its products, the Company will be subject to various post-shipment reporting requirements. Encryption products may be exported to governmental end-users under special encryption licensing arrangements or individual export licenses which may be issued at the discretion of the U.S. Department of Commerce.

      These regulations may be modified at any time, and there can be no assurance that, in the event of any such modification, the Company will be authorized to export encryption products from the United States without a license. If there is such a modification, the Company might be at a disadvantage in competing for international sales as compared to companies located outside of the United States that would not be subject to such restrictions.

      International sales make up a significant portion of the Company’s business. International sales accounted for more than 30% of the Company’s revenue in each of the years ended December 31, 1997, 1998 and 1999. There are certain risks inherent in doing business internationally, including:

	•	foreign regulatory requirements;
	•	legal uncertainty regarding liability
	•	export and import restrictions on cryptographic technology and products incorporating that technology;
	•	difficulties and delays in establishing international distribution channels;
	•	difficulties in collecting international accounts receivable;
	•	fluctuations in currency exchange rates;
	•	tariffs and other trade barriers;
	•	difficulties in enforcement of intellectual property rights; and
	•	political instability.

      The Company depends on U.S. and foreign intellectual property laws and agreements to protect its rights in its technology. The Company relies on a combination of patent, trade secret, copyright and trademark laws, software licenses, nondisclosure agreements and technical measures to protect its proprietary technology. The Company also generally enters into confidentiality and/or license agreements with its employees, distributors and strategic partners as well as with its customers and potential customers seeking proprietary information, and limits access to and distribution of its software, documentation and other proprietary information. However, these steps may prove inadequate to keep other parties from misappropriating the Company’s technology or from developing their own competitive versions of the Company’s technology. The Company’s 17 issued U.S. patents expire at various dates ranging from 2000 to 2018. When each of the Company’s patents expires, competitors may develop and sell products based on the same or similar technologies as those covered by the expired patent.

      The Company relies heavily on patents to protect its proprietary rights in its technology, but it is possible that any patent owned or held by the Company or its licensors might be invalidated, circumvented, challenged or terminated. It is also possible that the Company’s pending or future patent applications may not be within the scope of claims sought by the Company. In addition, the laws of certain countries in which the Company’s products are now, or may in the future be, developed or sold may not protect the Company’s products and intellectual property rights to the same extent as the laws of the United States. The inability of the Company

31

Table of Contents

      One of the Company’s important patents will expire during 2000. A patent developed at the Massachusetts Institute of Technology (U.S. Patent No. 4,405,829) and licensed to the Company will expire on September 20, 2000. An implementation of the cryptographic algorithm described in this patent is embodied in the Company’s RSA BSAFE cryptographic tool products. To date, the Company has vigorously enforced its exclusive rights to the patented technology against infringers who have released, or threatened to release, competing products that use the invention embodied in the patent. The Company does not know what effect the expiration of the patent will have, but it believes that the expiration may encourage competitors to market competing products that previously would have infringed the patent.

      The encryption industry is highly litigious. From time to time, the Company has received correspondence alleging that its products may infringe patents held by third parties. In addition, foreign parties have recently claimed that the Company’s use of its trademarks abroad infringe their trademarks, and third parties located in the U.S. and abroad may assert infringement claims against the Company in the future. The Company is and has been involved in litigation relating to its intellectual property rights in its products. Any litigation carries a number of significant risks including:

	•	litigation is often very expensive, even if it is resolved in the Company’s favor;
	•	litigation diverts the attention of management and other resources; and
	•	if a court or other government agency rules against it in any intellectual property litigation, the Company might be required to:

	•	discontinue the use of certain processes,
	•	cease the manufacture, use and sale of infringing products,
	•	expend significant resources to develop non-infringing technology,
	•	obtain licenses to the infringing technology, or
	•	pay significant monetary damages, which could include treble damages.

      Cryptographic technologies are under constant attack. The strength of the Company’s cryptographic technologies is constantly being tested by computer professionals, academics and “hackers.” Any significant advance in the techniques for attacking cryptographic systems could make some or all of the Company’s products obsolete or unmarketable. The Company’s cryptographic systems depend in part on the application of certain mathematical principles. The security afforded by the Company’s encryption products is based on the assumption that the “factoring” of the composite of large prime numbers is difficult. If an “easy factoring method” were developed, then the security of the Company’s encryption products would be reduced or eliminated. Even if no breakthroughs in factoring are discovered, factoring problems can theoretically be solved by a computer system significantly faster and more powerful than those currently available. If these improved techniques for attacking cryptographic systems are ever developed, the Company’s business or results of operations could be adversely impacted.

      The Company depends heavily on key, talented employees in a competitive labor market. The Company’s success depends on its ability to attract, motivate and retain highly skilled technical, managerial and marketing personnel. In some areas of the United States and in some foreign countries, the demand for these kinds of employees exceeds the supply of unemployed workers, and many firms are competing for the few employees with the skills the Company needs. The Company believes that its compensation plans are competitive, but it may not be able to hire and retain the employees it needs.

      Acquisitions may hurt the Company’s business. A component of the Company’s business strategy is to seek to buy businesses, products and technologies that complement or augment the Company’s existing businesses, products and technologies. Acquisitions are difficult to identify and complete for a number of reasons, including competition among prospective buyers and the need for regulatory approvals. The Company

32

Table of Contents

      Even if the Company does complete any given acquisition, the integration of the business and operations of the acquiree into the Company’s business and operations is a complex, time consuming and expensive process. Before any acquisition, each company has its own business, culture, customers, employees and systems. Following an acquisition, the Company and the acquiree must operate as a combined organization using common communication systems, operating procedures, financial controls and human resource practices. In order to successfully integrate acquired companies, the Company must, among other things, successfully:

	•	attract and retain key management and other personnel;
	•	integrate, both from an engineering and a sales and marketing perspective, the acquired products into the Company’s suite of product offerings;
	•	coordinate research and development efforts;
	•	integrate sales forces; and
	•	consolidate duplicate facilities.

      An acquisition may disrupt ongoing operations, divert management from day-to-day business and adversely impact the Company’s results of operations. In addition, these types of transactions often result in charges to earnings for such things as transaction expenses, amortization of goodwill, or expensing of in-process research and development expenses.

      The Company depends on a limited number of suppliers for some of its product components. Although the Company generally uses standard parts and components for its products, some components are currently available only from limited sources. For example, the Company purchases the microprocessor chips contained in its SecurID smart cards and PINPADs only from Sanyo Electric Co., Ltd., and Epson Electronics, a Japanese computer chip manufacturer, is the Company’s only supplier of microprocessor chips for the SecurID Key Fobs. In addition, Flextronics International, a Singapore corporation, is the sole manufacturer of the Company’s SecurID smart cards and PINPADs. If the Company were unable to obtain a sufficient supply of these or any other components, then the Company may be unable to fill customer orders and would have to expend significant resources to find new suppliers. Even if the Company were able to find new suppliers, these suppliers may not be able to produce the components in sufficient quantities or at competitive prices.

      The Company licenses from Progress Software Corporation the relational database management software contained in the Company’s ACE/ Server and Keon software, and the Company relies on Progress Software for ongoing maintenance and support for the licensed software. The Company also licenses certain technology such as its LDAP Directory from Netscape Corporation and relies on Netscape for ongoing maintenance and support for this licensed technology. If any of the licensed technology were to fail or experience significant problems in functioning, then the Company would not be able to fix the problem without the support of Progress or Netscape.

      The value of the Company’s business may fluctuate because the value of some of its assets fluctuates. A portion of the Company’s assets includes the equity securities of both publicly traded and non-publicly traded companies. In particular, the Company owns a significant number of shares of common stock of VeriSign and Trintech, both of which are publicly traded companies. The market price and valuations of the securities that the Company holds in these and other companies may fluctuate due to market conditions and other conditions over which the Company has no control. Fluctuations in the market price and valuations of the securities that the Company holds in other companies may result in fluctuations of the market price of the Company’s common stock and may reduce the amount of working capital available to the Company.

33

Table of Contents

      In June 1998, the FASB issued SFAS No. 133, “Accounting for Derivative Instruments and Hedging Activities,” which will affect the accounting of some of the Company’s investments. In June 1999, the FASB issued SFAS No. 137, “Accounting for Derivative Instruments and Hedging Activities — Deferral of the Effective Date of FASB Statement 133.” The Statement defers the effective date of SFAS No. 133 to fiscal 2001. The effect of adopting the standard is being evaluated. The Company estimates, based on the valuation of the Company’s put and call options as of December 31, 1999, the effect of adopting this standard would be to decrease net gains from investments by $29.8 million. SFAS No. 133 will require the Company to recognize all derivatives on the balance sheet at fair value. Derivatives that are not hedges must be adjusted to fair value through income. If the derivative is a hedge, depending on the nature of the hedge, changes in the fair value of derivatives will either be offset against the change in fair value of hedged assets, liabilities, or firm commitments through earnings or recognized in accumulated other comprehensive income until the hedged item is recognized in earnings. The ineffective portion, if any, of a derivative’s change in fair value will be immediately recognized in earnings.

      Some provisions of the Company’s charter and the Company’s adoption of a rights plan may inhibit potential acquisition bids. The Company has a classified Board of Directors and has also adopted a Stockholders Rights Plan, both of which could make it more difficult for a potential acquiror to complete a merger, tender offer or proxy contest involving the Company. While these provisions are intended to enable the Board to maximize stockholder value, they may have the effect of discouraging takeovers that could be in the best interest of certain stockholders and may therefore have an adverse effect on the market price of the Common Stock.

ITEM 7A.                    QUANTITATIVE AND QUALITATIVE DISCLOSURES ABOUT MARKET RISK

      Except as set forth below, the Company does not generally use derivative financial instruments and generally purchases its marketable securities in high credit quality instruments, primarily U.S. Government and Federal Agency obligations, tax-exempt municipal obligations and corporate obligations with contractual maturities of ten years or less. The Company does not expect any material loss from its marketable security investments and therefore believes that its potential interest rate exposure is not material. The Company also makes equity investments determined by the Board of Directors to be strategic to the Company and routinely evaluates the realizable value of these investments using qualitative and quantitative factors including discounted cash flow analysis and liquidation value assessments.

      During September 1999, one of the Company’s investments, Trintech, concluded an initial public offering of its ordinary shares. The Company is restricted in its right to sell the Trintech shares until March 21, 2000 by certain provisions of an agreement between the Company and the underwriters of the Trintech offering. At December 31, 1999 the Company held 958,627 shares of Trintech.

      To protect a portion of its marketable securities position, the Company sold put and call options on its VeriSign shares to independent third parties. The put options entitle the holders to buy shares of VeriSign common stock and the call options allow the company to sell shares of VeriSign common stock on certain dates at specified prices, or permit a net-share settlement at the Company’s option. This provides the Company with protection against a portion of the market risk associated with the securities in exchange for the Company foregoing a portion of the potential price appreciation of the securities. On December 31, 1999, 5,500,000 shares were covered by these put and call options. The outstanding put and call options expire between March 31, 2000 and September 30, 2002 and have strike prices ranging from $47.46 to $77.00 per share.

      The Company invoices customers primarily in U.S. Dollars and in local currency in those countries in which the Company has branch and subsidiary operations. The Company is exposed to foreign exchange rate fluctuations from when customers are invoiced in local currency until collection occurs. This exposure is offset by the Company’s use of local currency for operating expenses incurred in those countries. Historically, the Company has not entered into foreign currency hedge transactions. Through December 31, 1999, foreign currency fluctuations have not had a material impact on the Company’s financial position or results of

34

Table of Contents

      The foregoing risk management discussion and the effects thereof are forward-looking statements. Actual results in the future may differ materially from these projected results due to actual developments in global financial markets. The analytical methods used by the Company to assess and mitigate risk discussed above should not be considered projections of future events or losses.

35

Table of Contents

ITEM 8.  FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA

REPORT OF MANAGEMENT

To the Board of Directors and Stockholders of

      Management is responsible for preparing the RSA Security Inc. (formerly Security Dynamics Technologies, Inc.) financial statements and the other information that appears in this annual report. Management believes that the financial statements fairly reflect the form and substance of transactions and reasonably present the Company’s financial condition and results of operations in conformity with generally accepted accounting principles. Management has included in the Company’s financial statements amounts that are based on estimates and judgments, which it believes are reasonable under the circumstances.

      The Company maintains a system of internal accounting policies, procedures, and controls intended to provide reasonable assurance, at appropriate cost, that transactions are executed in accordance with Company authorization and are properly recorded and reported in the financial statements, and that assets are adequately safeguarded.

      Deloitte & Touche LLP audits the Company’s financial statements in accordance with generally accepted auditing standards and provides an objective, independent review of the Company’s internal controls and the fairness of its reported financial condition and results of operations.

      The RSA Security Inc. Board of Directors has an Audit Committee composed of nonmanagement Directors. The Committee meets with financial management and the independent auditors to review internal accounting controls and accounting, auditing, and financial reporting matters.

	/s/ ARTHUR W. COVIELLO, JR.
	/s/ JOHN F. KENNEDY

36

Table of Contents

INDEPENDENT AUDITORS’ REPORT

To the Board of Directors and Stockholders of

      We have audited the accompanying consolidated balance sheets of RSA Security Inc. and subsidiaries as of December 31, 1999 and 1998, and the related consolidated statements of income, stockholders’ equity, and cash flows for each of the three years in the period ended December 31, 1999. Our audits also included the financial statement schedule listed at Item 14(a)(2). These financial statements and financial statement schedule are the responsibility of the corporation’s management. Our responsibility is to express an opinion on the financial statements and financial statement schedule based on our audits.

      We conducted our audits in accordance with generally accepted auditing standards. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

      In our opinion, such consolidated financial statements present fairly, in all material respects, the financial position of RSA Security Inc. and subsidiaries as of December 31, 1999 and 1998, and the results of their operations and their cash flows for each of the three years in the period ended December 31, 1999 in conformity with generally accepted accounting principles. Also, in our opinion, such financial statement schedule, when considered in relation to the basic consolidated financial statements taken as a whole, presents fairly in all material respects the information set forth therein.

/s/ DELOITTE & TOUCHE LLP

Boston, Massachusetts
January 20, 2000

37

Table of Contents

RSA SECURITY INC. AND SUBSIDIARIES

CONSOLIDATED BALANCE SHEETS

See accompanying notes to consolidated financial statements.

38

Table of Contents

RSA SECURITY INC. AND SUBSIDIARIES

CONSOLIDATED STATEMENTS OF INCOME

See accompanying notes to consolidated financial statements.

39

Table of Contents

RSA SECURITY INC. AND SUBSIDIARIES

CONSOLIDATED STATEMENTS OF STOCKHOLDERS’ EQUITY